Millions of people rely on mobile e-ticketing applications to get from Point A to Point B every day. These applications serve as vital components for mass transit and essentially power America’s major cities. But thanks to Frida – a well-known but not very popular dynamic instrumentation framework – you can easily reverse engineer mobile e-ticketing applications. In this talk, we’ll explore new application-specific attack avenues using Frida. We will be leaving the jailbreak bypasses and SSL pinning bypasses of yesteryear by the wayside as we explore a new attack vector. We’ll use Frida’s code injection and module loading capabilities to demonstrate e-ticket forging and e-ticket “stealing.” (And your commute just became that much less of a pain.) Expect to learn how to analyze intermediate-level obfuscation measures, such as encrypted HTTP bodies and encrypted application storage in mobile applications; this kind of analysis can be instrumental in uncovering security vulnerabilities.

Senior Security Analyst Priyank Nigam will present What the Frida Gave Me: A Novel Take on E-Ticket Forging and E-Ticket Stealing at THOTCON in Chicago in May 2019.