Mobius 2019 Msc (07.12.2019 — 08.12.2019)

It's easy: Local attacks on mobile applications

What happens after a smartphone with a mobile banking app has been stolen by intruders who, at the earliest opportunity, will try to steal the money from the user’s account? Dmitry will show the whole procedure for hacking the system in detail and explain how to make authentication harder for intruders to bypass.

Let’s consider the situation where an intruder has stolen a smartphone with a mobile banking app installed and there is no lock code, or the intruder has previously spied the code over the victim’s shoulder. The only things that can prevent him from stealing all the money from the user’s accounts are the application’s own authorization and whatever additional checks have been implemented.

This talk covers flaws in Android and iOS applications that allow an attacker to bypass authorization and then perform any action on behalf of the bank’s client. Dmitry will discuss attacks on incorrect biometric authentication implementations and on primitive root and jailbreak detection, integrity checks, and so on. He will also give examples of correct authentication implementations and explain how to make such an intruder’s task harder.