Pwning Android Apps at Scale

Abstract

Showcasing the large and rapidly growing dataset we have built and maintain, and the findings from the in-depth research and analysis conducted on it.

Highlighting the large-scale data exposure due to the widespread presence of hardcoded API keys and credentials, which put millions of users at risk.

Delving into the 150+ pre-authentication remote code executions we achieved against the backend services powering Android apps, by exploiting common vulnerabilities such as Log4j, SSRF, SQL injection and path traversal, among others.

Findings based on the analysis of the 50 million+ domains extracted from the source code of 500,000+ apps. These domains, in combination with the other parameters and assets exposed in the source code, identify the endpoints and inputs against which payloads can be delivered.

Introducing our open-source tool with API access, which can be used for easy automation, research, and analysis.
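The two analysis steps the abstract describes, pulling backend domains out of app source code and flagging hardcoded API keys and credentials, both reduce to pattern matching over decompiled strings. The following is an added illustration written for this page, not the speakers' dataset or open-source tool: the secret patterns, the noise-host list, the entropy threshold and the sample input are all assumptions chosen here. The sample is constructed to look like fragments of a decompiled app (a resources XML file and a few Java string constants) and contains only documentation example keys and example.com hosts.

```python
"""Scan decompiled Android app sources for hardcoded secrets and backend domains.

Added example, not the speakers' tool: the regexes, the noise-host list,
the entropy threshold and the sample text below are assumptions made here.
"""
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Two well-known key formats plus a generic "name = 'value'" assignment rule.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*[\"']([^\"'\s]{12,})[\"']"
    ),
}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Hosts present in almost every app (XML namespaces, docs) that are not the app's backend.
NOISE_HOSTS = {"schemas.android.com", "www.w3.org", "developer.android.com"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, placeholder words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return candidate hardcoded secrets; generic matches are entropy-gated."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            entropy = shannon_entropy(value)
            # Assignments like apiKey = "YOUR_API_KEY_HERE" are placeholders, not leaks.
            if kind == "generic_assignment" and entropy < min_entropy:
                continue
            hits.append({"kind": kind, "value": value, "entropy": round(entropy, 2)})
    return hits


def extract_hosts(text: str) -> list[str]:
    """Return the de-duplicated, noise-filtered hostnames referenced in the text."""
    hosts = set()
    for m in URL_RE.finditer(text):
        host = urlsplit(m.group(0)).hostname
        if host and host not in NOISE_HOSTS:
            hosts.add(host.lower())
    return sorted(hosts)


def scan(text: str) -> dict:
    """One-call summary: backend hosts plus candidate secrets."""
    return {"hosts": extract_hosts(text), "secrets": find_secrets(text)}


# Constructed sample resembling decompiled app fragments (documentation example keys only).
SAMPLE = """
<resources xmlns:android="http://schemas.android.com/apk/res/android">
    <string name="maps_key">AIzaSyD1234567890abcdefghijklmnopqrstuv</string>
    <string name="cdn">https://cdn.example.net/assets/</string>
</resources>
public static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
private static final String BASE_URL = "https://api.example.com/v2/";
String apiKey = "YOUR_API_KEY_HERE";
String token = "c9Xq4mZ2pK7vL0nR8bT3wY6hJ1dF5gS";
"""

if __name__ == "__main__":
    result = scan(SAMPLE)
    print("hosts:", result["hosts"])
    for hit in result["secrets"]:
        print(f"{hit['kind']}: {hit['value']} (entropy {hit['entropy']})")
```

Two caveats matter at scale. First, a regex hit is only a candidate: the placeholder string in the sample is rejected by the entropy gate, but real corpora also contain expired and revoked keys, so a match should be validated against the issuing service before it is counted as an exposure. Second, the noise-host list has to be tuned per corpus, since SDK and analytics domains will otherwise dominate the domain set and hide the app's own backend.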


Speaker Information


Sparsh Kulshrestha

I’m a security researcher at CloudSEK, spending time analyzing threats and developing countermeasures. I study emerging threats with a focus on Web Applications, Mobile, Shadow IT, and Critical Infrastructure (CI). My paper on the Abysmal State of Critical Infrastructure security has been featured in numerous print and online publications including The Hindu, Moneycontrol, ZDNet, The Logical Indian, etc.


Shashank Barthwal




