We present details about our Appicaptor service and specific security findings from our app security research at the IT Security Expo it-sa 2017 (10 to 12 October 2017 in Nuremberg, Germany). Visit our booth in Hall 9 / 9-410 for a live tour of how Appicaptor provides you with everything you need to make informed decisions in app approval processes, and see insightful live demos of attacks on hybrid apps.
In the absence of security quality, attackers can easily modify the functionality of hybrid apps, which are built from HTML, JavaScript and CSS plus native plugins that give access to smartphone resources. Appicaptor already detects related attack entry points such as unprotected communication, insecure SSL certificate validation or vulnerable third-party libraries, and correlates the inferred app model with the app's permissions to draw Appicaptor customers' attention to the resulting risks.
We demonstrate this attack by showing how trustworthy but flawed hybrid apps can be modified on the fly into wiretapping devices, just by injecting new functionality that unnoticeably records the smartphone's ambient audio to an attacker's cloud storage. According to our analysis results, which will be published for it-sa 2017, hybrid apps for iOS and Android are packed with flaws that allow attackers to do this using malicious WiFi hotspots or specially crafted user input.
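To make the two detection steps described above concrete (finding the entry points that let injected content reach a hybrid app, then correlating them with the app's permissions), here is an added example of a minimal static check over Android WebView code. It is illustrative code written for this post, not Appicaptor's own implementation; the rule names, the risk-rating scheme and the two source snippets are constructed for the example, and the snippets are not taken from any real app.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    excerpt: str


# Weak WebView patterns this example looks for. Rule names are this example's own
# choice; the Android API calls they match are real WebView/WebViewClient methods.
RULES = [
    # SslErrorHandler.proceed() inside onReceivedSslError accepts any certificate,
    # so a malicious hotspot can serve replacement HTML/JavaScript over "https".
    ("insecure-ssl-validation", re.compile(r"\.proceed\s*\(\s*\)")),
    # Loading app content over plain HTTP lets an on-path attacker rewrite it.
    ("cleartext-content-load", re.compile(r"loadUrl\s*\(\s*\"http://")),
    # A JavaScript bridge makes native plugins callable from injected script.
    ("js-bridge-exposed", re.compile(r"addJavascriptInterface\s*\(")),
    # file:// pages may read local files via XHR when this is enabled.
    ("file-url-js-access", re.compile(r"setAllowFileAccessFromFileURLs\s*\(\s*true\s*\)")),
]

# Permissions that turn an injectable WebView into a surveillance problem.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in line order."""
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(text):
                findings.append(Finding(number, rule, text.strip()))
    return findings


def assess_risk(findings: list[Finding], permissions: set[str]) -> str:
    """Correlate code findings with declared permissions (constructed rating scheme)."""
    rules = {f.rule for f in findings}
    injectable = bool({"insecure-ssl-validation", "cleartext-content-load"} & rules)
    bridge = "js-bridge-exposed" in rules
    sensitive = bool(SENSITIVE_PERMISSIONS & permissions)
    if injectable and bridge and sensitive:
        return "high"    # attacker-controlled script can drive a sensitive native plugin
    if injectable and (bridge or sensitive):
        return "medium"
    if injectable or bridge:
        return "low"
    return "none"


# Constructed sample: a flawed hybrid-app activity (not real app code).
FLAWED_SOURCE = """\
public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle b) {
        WebView view = findViewById(R.id.web);
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new AudioBridge(this), "Native");
        view.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
                handler.proceed(); // accept any certificate
            }
        });
        view.loadUrl("http://example.invalid/app/index.html");
    }
}
"""

# Constructed sample: same bridge, but HTTPS content and default certificate checks.
HARDENED_SOURCE = """\
view.getSettings().setJavaScriptEnabled(true);
view.addJavascriptInterface(new AudioBridge(this), "Native");
view.loadUrl("https://example.invalid/app/index.html");
"""

# Constructed permission set for both samples.
SAMPLE_PERMISSIONS = {"android.permission.INTERNET", "android.permission.RECORD_AUDIO"}


if __name__ == "__main__":
    for label, src in (("flawed", FLAWED_SOURCE), ("hardened", HARDENED_SOURCE)):
        found = scan_source(src)
        for f in found:
            print(f"{label}:{f.line}: {f.rule}: {f.excerpt}")
        print(f"{label}: risk = {assess_risk(found, SAMPLE_PERMISSIONS)}")
```

The flawed sample is rated high because all three conditions line up: content can be replaced in transit, a JavaScript bridge reaches native code, and the app holds RECORD_AUDIO. The hardened sample keeps the bridge but removes the injection path, so it drops to low; a real review would still look at what the bridge exposes.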
Make an appointment for a live demo and get a free voucher code for it-sa 2017.