Akshansh Jaiswal

Akshansh Jaiswal is a security engineer at CRED who works closely on web, mobile and cloud security. He is also an active CTF player and has won several CTFs, such as HackerOne CTFs (h1 100k CTF, Hacky Holidays CTF, h1-2006 CTF), BugPoC CTFs and community CTFs. He also participates actively in bug bounties as a hacker on platforms like HackerOne and Synack Red Team, where he finds and reports vulnerabilities to various organisations. He has also been part of the HackerOne exclusive live hacking event h1-2103, where selected hackers got a chance to find security issues in Amazon public applications and infrastructure.

Talk / Workshop
Description
Bounty Track

Discovering the hidden treasures in Mobile Apps

As bug bounty hunters we often get a varied scope when we look at a bug bounty program. In recent years most bug bounty programs have included mobile assets in their scope, so the attack surface on mobile apps has increased significantly. Yet very few people explore the security of a mobile app beyond low-level issues such as reporting API keys, leakage of information, misconfiguration or unprotected components in the APK.
In this talk we will showcase some of the most impactful scenarios and bug classes that can be found by focusing on core app issues, which can help people discover better bounties and grow as hackers. We will focus on code analysis and how it can be used to find the deeper issues that underlie the app. We will showcase how small issues can be chained into a larger-impact issue using simple misconfigurations in Android components such as deep links, content providers, WebViews, file providers, etc. Come join us on the journey of exploring the hidden treasures of mobile apps.

Presentation Outline

  1. Introduction to key terms
    • Deep links, content providers, WebViews, file providers
    • Attack scenarios (privacy breaches, arbitrary code execution, theft/manipulation of sensitive files, universal XSS, JavaScript injection, access to cookies, etc.)
  2. Hunting vulnerabilities and chaining them to maximize impact
    • Static analysis, system API/IPC (inter-process communication) monitoring
    • Detailed code review to maximize impact, with real scenario-based examples
  3. Demo
    • CVE-2022-30717/CVE-2022-23998: Take a picture, record video and get location, even while the screen is locked, without permission or user interaction.
    • CVE-2022-28789: Record voice without user interaction or permission.
