ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS


This presentation focuses on abusing web application APIs through their associated Android apps. We'll demonstrate using JRuby, a JVM-based implementation of Ruby, to load, modify, and run code from a target APK in an easily scriptable way. We'll leverage this to attack web APIs that have relaxed their security requirements for mobile clients in order to offer a more frictionless experience, for example by dropping captchas, email validation, and other usage restrictions. Building on that, we'll show code that extends the Burp Suite testing framework through its Ruby interface, Buby, to make API requests using the app functionality exposed by our scripts, compare the responses to similar requests, and identify potential weak points. We'll conclude with several case studies of popular apps, demonstrating private key retrieval, arbitrary unlimited account creation on a social network, and locating and using custom cryptographic routines from our own scripts without needing to understand their implementation.
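The comparison step described above, as an added example that is not code from the talk or from Buby: the same signup request is built under a "web" profile and a "mobile" profile, both are sent through a pluggable transport, and the responses are diffed field by field so that a relaxed server-side check (here, a captcha and email-verification requirement waived for signed app traffic) stands out. Everything here is constructed for the example: the endpoint path, header names, the app key, and the mock API are hypothetical, and `app_sign` is an HMAC-SHA256 stand-in for the kind of signing routine that would, on JRuby, be called directly from classes loaded out of the APK. The transport is a method object so that a Burp or Net::HTTP-backed sender can be dropped in for the mock without changing the diff logic.

```ruby
require 'json'
require 'openssl'

# Constructed stand-in for a routine that would otherwise be loaded from the
# target APK under JRuby. The key and algorithm are assumptions for this example.
APP_KEY = 'k3y-recovered-from-apk'.freeze

def app_sign(body)
  OpenSSL::HMAC.hexdigest('SHA256', APP_KEY, body)
end

# Build the same API request under two client profiles. Only the headers differ:
# the :mobile profile adds the app's request signature.
def build_request(profile, path, body)
  headers = { 'Content-Type' => 'application/json' }
  case profile
  when :web
    headers['User-Agent'] = 'Mozilla/5.0'
  when :mobile
    headers['User-Agent'] = 'ExampleApp/4.2 (Android 9)'   # hypothetical UA
    headers['X-App-Signature'] = app_sign(body)             # hypothetical header
  else
    raise ArgumentError, "unknown profile #{profile.inspect}"
  end
  { method: 'POST', path: path, headers: headers, body: body }
end

# Constructed mock API standing in for the real transport. It models a backend
# that demands a captcha and email verification from browsers but waives both
# for requests carrying a valid app signature.
def mock_api(req)
  fields = JSON.parse(req[:body])
  return { status: 400, json: { 'error' => 'bad_request' } } unless fields['username']

  sig = req[:headers]['X-App-Signature']
  signed = sig && OpenSSL.fixed_length_secure_compare(sig, app_sign(req[:body]))
  if signed
    { status: 201, json: { 'user_id' => 1, 'email_verified' => true } }
  else
    { status: 403, json: { 'error' => 'captcha_required', 'email_verified' => false } }
  end
end

# Send the request under both profiles via `transport` (anything responding to
# #call(req) and returning { status:, json: }) and report every field that differs
# as { key => [web_value, mobile_value] }. Keys absent on one side show as nil.
def diff_responses(transport, path, body)
  results = { web: nil, mobile: nil }
  results.each_key { |p| results[p] = transport.call(build_request(p, path, body)) }

  diffs = {}
  web, mobile = results[:web], results[:mobile]
  diffs[:status] = [web[:status], mobile[:status]] if web[:status] != mobile[:status]
  (web[:json].keys | mobile[:json].keys).each do |k|
    a, b = web[:json][k], mobile[:json][k]
    diffs[k] = [a, b] if a != b
  end
  diffs
end

# Flag the pattern of interest: the mobile profile succeeds where the web
# profile was refused, i.e. a restriction that only applies to browsers.
def weak_point?(diffs)
  status = diffs[:status]
  !status.nil? && status[1].between?(200, 299) && !status[0].between?(200, 299)
end

if __FILE__ == $PROGRAM_NAME
  body = JSON.generate('username' => 'probe1', 'email' => 'probe1@example.invalid')
  diffs = diff_responses(method(:mock_api), '/api/v1/signup', body)
  diffs.each { |k, (w, m)| puts "#{k}: web=#{w.inspect} mobile=#{m.inspect}" }
  puts(weak_point?(diffs) ? 'weak point: restriction waived for app traffic' : 'no difference')
end
```

In a live engagement the mock is replaced by a sender that issues the request through Burp (via Buby) or Net::HTTP, and `app_sign` is replaced by the app's own routine invoked through JRuby; the diff and flagging logic stay the same.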

Presented by