Security Researcher Breaks Mobile Apps to Fix Bugs

Jake Van Dyke is a Security Researcher for NowSecure and has been with the company since 2013.

How would you explain to your grandmother what you do at NowSecure?

If I had to tell my grandma what I do at NowSecure, I would say I get paid to break things: break apps, break phones, break computers.

What kind of tools do you use?

I use Frida. We have our own internal tools, some APK parsers. I use JEB and IDA Pro. Okteta, that’s a hex editor. nano.

What do you do as a Security Researcher?

We’re helping our customers find and fix their mistakes, before an external attacker exploits them and steals something from the customer.

What is the hardest part of reverse engineering?

It depends on what you’re looking for, because an app can be really huge. Some apps, like Facebook and Uber, have millions and millions of lines of code in them. Knowing what to look for and where to get started is hard. We’re looking for known vulnerabilities, which is where we start.

What are some bad vulns we found?

NowSecure published a couple of remote executions. The Samsung keyboard app where basically every Samsung phone on the planet and any remotely new app, you could gain code execution. As the phone auto-downloaded apps, you could swap those out and install your own app on somebody else’s phone. So we did Vitamio. It was a multimedia library that somebody in China wrote. It was embedded into thousands of apps, and you could use that one for privilege escalations and stealing permissions and information.

We did KeyMe. That’s the app that lets you take a picture of your house key. As they sent the picture of your key off to their server, somebody could steal that and print a version of your house key, and then they would know where your house is so they could get all your stuff.

Mostly stealing logins. And so we found a couple of ad libraries where just the fact that you included this ad library in your app, somebody could use that as a way to get remote code execution.

Check out our Q+A with Jake Van Dyke, on how to secure Android apps.