2025-12-06, Track 2
A free croissant sounds harmless. But when our favourite local coffee shop introduced a new loyalty app, our curiosity as pentesters kicked in.
This talk is a light-hearted but deeply practical look at how poor security design can hide in plain sight, even in something as innocuous as a mobile-based rewards app. We'll walk through how we uncovered design flaws in a loyalty system that relied on pressing a physical object against your screen to register points. No hard-core exploitation techniques were needed. Just a croissant, a caffeine fix, and a feeling that something wasn't quite brewed right.
Talk Structure
Introduction
- A quick introduction of who we are: a pair of pentesters with a love of coffee and about two years of experience in web and mobile application testing.
- How we stumbled upon the loyalty app and what made us do a double take
- The value of not needing reverse engineering to suspect trouble
Peeking Under the Hood
- Decompiling the APK and using tools such as Objection to dig deeper.
- How we proxied the mobile app's traffic to see what the application actually communicated to the server.
- Observing that all validation was done locally with no server-side check.
The Attack Paths
- Replay attacks of a legitimately obtained log request to increase points.
- Manipulating the application's behaviour at runtime to always return a valid response, no matter what object is presented to the application.
- Using log data to potentially create your own physical item.
- Depending on how the responsible disclosure pans out: a demo of the real app, or a mock exploitation.
Who Gets Hurt?
This section will cover the business and customer impact something like this could pose. Insecure loyalty apps can lead to:
- Financial loss and fraud for the loyalty application provider's customers
- Reputational loss for the provider
- Incentives for customers to cheat
- Damage to reputation and customer trust
What to Look Out for IRL
- Signs of poorly designed mobile applications
- With a focus on mobile applications, quick ways to assess red flags without rooting a phone or starting to cross ethical or even legal boundaries
- Security as a business risk, and why these flaws matter
What new research, concept, technique or approach is included in your session?
This session will not necessarily highlight targeted research, but will touch on research in a personal capacity that was curiosity-driven.
As for techniques, this session will talk about pentesting mobile applications, and will delve into the techniques and tools that play a vital role in this process, including rooting or jailbreaking, the use of Objection to instrument the application, and how to set up proxying of any local or network traffic.
Furthermore, this session will also touch on the importance of responsible disclosure if the chance ever arises, or what to do in the case where there isn't a company to back you.
Key Takeaways
- Design flaws can be just as dangerous as code-level bugs, and may have an even greater impact.
- Having a security-focused mindset doesn't always require specialised tools. Curiosity and critical thinking can play a massive, if not larger, role in achieving success.
- Even seemingly harmless loyalty applications can be a realistic vector for fraud, especially since they often have low oversight.
- Mobile applications relying on client-side logic for local validation are a huge red flag for abuse.
- Businesses that want to make use of third-party apps have to treat even non-sensitive applications as part of their threat model.
- Whether it's just free coffee or stolen data, someone always pays the price for a poorly-designed security model.
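To make the "validation done locally, replayable log request" pattern from the Peeking Under the Hood and Attack Paths sections concrete, here is an added example (not code from the talk or the app in question) contrasting a server that trusts the phone's own verdict with one that verifies a signed, single-use stamp and rejects replays. The key, store id and token format are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder: in production this key lives only on the server/merchant side.
SERVER_KEY = b"constructed-demo-key"


def weak_add_points(balances, user, request):
    """Weak design: the phone decides whether the tap was valid and the
    server merely records it. Any replayed or runtime-patched request
    carrying "valid": true earns a point."""
    if request.get("valid"):
        balances[user] = balances.get(user, 0) + 1
        return True
    return False


def issue_stamp(store_id, now=None):
    """Hardened design, step 1: the merchant device mints a signed,
    single-use stamp at the moment of the tap; the phone only forwards it."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{store_id}:{now}:{nonce}"
    tag = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}:{tag}"


def hardened_add_points(balances, seen_nonces, user, token, now=None, max_age=120):
    """Hardened design, step 2: the server verifies the MAC, rejects stale
    stamps and consumes the nonce so the same stamp cannot be replayed."""
    now = int(now if now is not None else time.time())
    try:
        store_id, ts, nonce, tag = token.split(":")
        ts = int(ts)
    except ValueError:
        return False  # malformed token
    msg = f"{store_id}:{ts}:{nonce}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or tampered stamp
    if now - ts > max_age:
        return False  # stale stamp
    if nonce in seen_nonces:
        return False  # replay of a stamp already redeemed
    seen_nonces.add(nonce)
    balances[user] = balances.get(user, 0) + 1
    return True
```

In the weak version a captured request can be re-sent indefinitely; in the hardened version the second submission of the same stamp is refused because the server, not the client, holds the redemption state.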
Rinya is a cybersecurity consultant with a specialisation in mobile application security. Although she holds two degrees in computer science, she realised that she liked breaking things more than creating them. Outside of work, she can be found pampering her cat, knitting or pursuing amateur powerlifting.
