Security Researcher Breaks Mobile Apps to Fix Bugs

Jake Van Dyke is a Security Researcher for NowSecure and has been with the company since 2013.

How would you explain to your grandmother what you do at NowSecure?

If I had to tell my grandma what I do at NowSecure, I would say I get paid to break things: break apps, break phones, break computers.

What kind of tools do you use?

I use Frida. We have our own internal tools, some APK parsers. I use JEB and IDA Pro. Okteta, that’s a hex editor. nano.

What do you do as a Security Researcher?

We’re helping our customers find and fix their mistakes, before an external attacker exploits them and steals something from the customer.

What is the hardest part of reverse engineering?

It depends on what you’re looking for, because an app can be really huge. Some apps, like Facebook and Uber, have millions and millions of lines of code in them. Knowing what to look for and where to get started is hard. We’re looking for known vulnerabilities, which is where we start.

What are some bad vulns we found?

NowSecure published a couple of remote executions. The Samsung keyboard app where basically every Samsung phone on the planet and any remotely new app, you could gain code execution. As the phone auto-downloaded apps, you could swap those out and install your own app on somebody else’s phone. So we did Vitamio. It was a multimedia library that somebody in China wrote. It was embedded into thousands of apps, and you could use that one for privilege escalations and stealing permissions and information.

We did KeyMe. That’s the app that lets you take a picture of your house key. As they sent the picture of your key off to their server, somebody could steal that and print a version of your house key, and then they would know where your house is so they could get all your stuff.

Mostly stealing logins. And so we found a couple of ad libraries where just the fact that you included this ad library in your app, somebody could use that as a way to get remote code execution.

Check out our Q+A with Jake Van Dyke, on how to secure Android apps.