Rahul Kankrale

Rahul Kankrale
Rahul Kankrale is a security engineer at CRED and a passionate security professional with experience in mobile penetration testing. He has presented talks at Nullcon Berlin 2022, Typhooncon 2022, and was the winner of the "Unique Bug of the Year Award" by Bug Bounty Village (OWASP Seasides 2020) and top scorer at BountyCon2019 CTF organised by Facebook and Google.He has published write ups at https://servicenger.com/

Talk / Workshop
Bounty Track

Discovering the hidden treasures in Mobile Apps

Oftentimes as a bug bounty hunter we get a variety of scope when we look at a bug bounty program, since in recent years most bug bounty programs include mobile assets as part of their scope the attack surface on mobile apps have significantly increased but very few people explore the security of the mobile app which is going above and beyond low level issues such as reporting API keys, leakage of information, misconfiguration or unprotected components in the APK.
In this talk we will focus on showcasing some of the most impactful scenarios and bug classes which can be found by focusing on core app issues which can help people to discover better bounties and help one grow as a hacker. We will focus on code analysis and how using it can be to find deeper issues which underlie the app. We will showcase how small issues can be chained to form a larger impact issue and using simple misconfigurations in android components such as Deep-links, Content-providers, Webviews , File-Providers etc. Come join us in the journey of exploring the hidden treasures of Mobile apps

Presentation Outline

  1. Introduction to key terms
    • Deeplinks, Content-providers, Webviews, File-providers
    • Attack scenarios (Privacy breaches, Arbitrary code execution, Theft/Manipulate of sensitive files, Universal XSS, Javascript Injection, Access cookies etc).
  2. Hunting vulnerabilities and chaining to maximize impact.
    • Static analysis, system API/IPC(inter process communications) monitor.
    • It will elaborate detailed code review to maximize impact with real scenario based examples.
  3. Demo
    • CVE-2022-30717/CVE-2022-23998 - Take a picture, record video, get location even in screen lock status without permission and user interaction.
    • CVE-2022-28789: Record voice without user interaction and permission.

Subscribe and get our news and updates.