NowSecure Researcher Pancake on Hacking & Radare

Sergi Àlvarez, aka Pancake, is a Senior Mobile Security Research Engineer for NowSecure and the creator of Radare.

What is the biggest misconception about hackers?

People tend to think that hackers are people who are doing really bad things — trying to enter other people’s mobile phones or hacking the lights in the city and things like that. But the reality is hackers are people who are really curious, people who really want to understand how things work and want to find the maximum information about everything they have in their hands. Usually it’s people who want to take apart things, people who want to understand and modify the programs and hardware in order to get the maximum out of them.

What drives you to do the job?

What drives me to do the job that I am doing is the interest in solving problems that are really important for most other people. Right now, it’s privacy, one of the main problems happening in the mobile industry, and not just the mobile industry, but also on the internet. We have all our lives in our pocket, and for any single privacy issue, we will have all our life exposed on the internet or by a government, or a person, a hacker or whatever. That’s dangerous, so we want to build and understand how all these mobile phones work, and how these tools and software and applications are built, and try to make them more secure in order to solve all these privacy issues.

What are the most interesting vulns you found?

Along my journey in the security field, I’ve been able to identify so many vulnerabilities. One of the most shocking ones that I have found in the mobile industry is the use of tracking frameworks. These kinds of frameworks are introduced in most applications because app developers want to understand the market. They want to know which kind of users are using the application. But the thing is, this can be used for big data or understanding of the market, but this can also be used as a vulnerability to get information about you. Also, for example, taking information about: Where do you live? Where do you work? Which kind of places do we see it?

Not just the location, but they are also able to get phone numbers or more information from the user, which is dangerous. It identifies which other applications they use or have installed on the device. For a company with security in mind, they care about these kinds of things because they don’t want information leaking to anyone else outside. It’s important to understand and know which applications are tracking the user, and what information is being tracked.

