It's easy: local attacks on mobile applications

RU / Day 1 / 17:30 / Track 2

Consider the situation where an intruder has stolen a smartphone with a mobile banking app installed and there is no lock code, or the intruder has already watched the victim enter it over their shoulder. The only things standing between the intruder and all the money in the victim's accounts are the application's own authorization and whatever additional checks it implements.

This talk covers holes in Android and iOS applications that allow authorization to be bypassed and, from there, any action to be performed on behalf of the bank's client. Dmitry will discuss attacks on incorrect biometric authentication implementations and on primitive root and jailbreak detection, integrity checks, etc. He will also give examples of correct authentication implementation and explain how to make such an intruder's task harder.
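As an added illustration of the distinction the abstract draws (this is not code from the talk or from any particular banking app), the following Android snippet places a biometric check that merely trusts a callback next to one where the biometric unlocks a hardware-backed Keystore key. It uses androidx.biometric and AndroidKeyStore; the key alias, the session token, and where the wrapped token is persisted are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Assumed alias; a real app would also persist the wrapped token and IV it produces.
private const val KEY_ALIAS = "mobilebank.session.key"

// ---- Weak pattern: the biometric is a yes/no answer decided in app code. ----
// Nothing cryptographic depends on the user's finger, so hooking
// onAuthenticationSucceeded (or patching the flag it sets) opens the session.
class WeakBiometricGate(private val activity: FragmentActivity) {
    fun unlock(onUnlocked: () -> Unit) {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                onUnlocked()   // the only "proof" is that this method ran
            }
        }
        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(promptInfo())
    }
}

// ---- Hardened pattern: the biometric unlocks a Keystore key, not a boolean. ----
// The session token is encrypted under a hardware-backed AES key that Keystore
// only operates after a genuine biometric; forcing the callback leaves it locked.
class BiometricBoundSession(private val activity: FragmentActivity) {

    /** Called once, after a full credential login, before wrapping the token. */
    fun createKey() {
        val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        generator.init(
            KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)        // every use needs a fresh biometric
                .setInvalidatedByBiometricEnrollment(true)  // thief enrolls a finger: key is gone
                .build())
        generator.generateKey()
    }

    /** Encrypts a freshly issued server token; yields IV + ciphertext to persist, or null. */
    fun wrapToken(token: ByteArray, onDone: (Pair<ByteArray, ByteArray>?) -> Unit) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, loadKey())
        runWithBiometric(cipher, token) { out -> onDone(out?.let { cipher.iv to it }) }
    }

    /** Recovers the token for a new session; null if the biometric did not really succeed. */
    fun unwrapToken(iv: ByteArray, ciphertext: ByteArray, onDone: (ByteArray?) -> Unit) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, loadKey(), GCMParameterSpec(128, iv))
        runWithBiometric(cipher, ciphertext, onDone)
    }

    private fun runWithBiometric(cipher: Cipher, input: ByteArray, onDone: (ByteArray?) -> Unit) {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Use the cipher handed back by the framework. If this callback was
                // reached by hooking rather than by a real biometric, Keystore never
                // authorised the operation and doFinal throws, so no token comes out.
                val authorised = result.cryptoObject?.cipher
                onDone(runCatching { authorised?.doFinal(input) }.getOrNull())
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onDone(null)
        }
        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(promptInfo(), BiometricPrompt.CryptoObject(cipher))
    }

    private fun loadKey(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        return ks.getKey(KEY_ALIAS, null) as SecretKey
    }
}

private fun promptInfo(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm it's you")
        .setNegativeButtonText("Use password")
        // Only Class 3 (strong) biometrics may unlock Keystore keys.
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .build()
```

Against `WeakBiometricGate`, an intruder with the unlocked phone and an instrumentation framework needs only to invoke or patch `onAuthenticationSucceeded`; against `BiometricBoundSession`, the same trick reaches the callback but `doFinal` fails because Keystore never saw a genuine biometric, and the session token stays encrypted. The token itself should be issued by the bank's server only after a full credential login, so that defeating the local check alone grants nothing. The same reasoning applies to root and jailbreak detection: a check whose result is a boolean in app code can be flipped, so it should gate a server-visible decision rather than be relied on by itself.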