TackyDroid: Pentesting Android in Style


Vulnerability assessment for mobiles applications are boring as hell – since when did we start living in a world where storing credentials inside the sandbox becoming a crime? There’s simply no excitement left within except for the web APIs being called, so it is time to step up and change it.

In this talk we propose the very first interactive proxy that runs inside your Android device. With this novel transparent proxy tool, not only we can test browser contents on the go but also mobile applications that utilize web APIs (which application doesn’t right?). This proxy will give you the ability to modify requests and responses on the fly and act as a fuzzer, either actively or passively.

The main highlight of this proxy is not the proxy itself, but the ability to utilize overlays in Android. This allows a user to have a fully interactive proxy overlaying a web browser or application without the need to constantly switch between activities. The overlay can be called or minimized in a single touch when needed without affecting the already running activity, thus removing the need for a secondary device.

So why waste your time setting up devices to run your proxy tool when you can do your scans while on the bus or as you try to beat your last highscore in flappy bird. Join us, because we will be penetration testing Android in style.

Location: Track 2 Date: October 16, 2014 Time: 1:30 pm - 2:30 pm Chris Liu Matthew Lionetti