Our Blog

using a cloud mac with a local ios device

Reading time: ~17 min
Doing iOS mobile assessments without macOS around is not exactly fun. This can be for many reasons that include code...

Android Application Testing Using Windows 11 and Windows Subsystem for Android

Reading time: ~18 min
With the release of Windows 11, Microsoft announced the Windows Subsystem for Android or WSA. This following their previous release,...

on ios binary protections

Reading time: ~11 min
I just got off a call with a client, and realised we need to think about how we report binary...

Android Application Specific Proxies, Easy Mode

Reading time: ~7 min
In this post I want to share two things. First, a quick primer on how you would go about...

Multiple Android User Profiles

Reading time: ~6 min
I was recently on a mobile assessment where you could only register one profile on the app, per device. To...

objection – mobile runtime exploration

Reading time: ~4 min
Introduction: In this post, I want to introduce you to a toolkit that I have been working on, called objection....

PwnBank en route to Vegas

Reading time: ~3 min
Everyone has a mobile phone (ok some have two) and the wealth of information people put into them is staggering....

Not-quite-triangulation using the who’s near me feature in location-aware web apps

Reading time: ~3 min
When assessing web applications, we typically look for vulnerabilities such as SQLi and XSS, which are generally a result of...

Too Easy – Adding Root CA’s to iOS Devices

Reading time: ~8 min
With the recent buzz around the iMessage crypto bug from the Johns Hopkins team, several people pointed out that you...

Advanced Cycript and Substrate

Reading time: ~9 min
Mobile assessments are always fun as the environment is constantly evolving. A recent trend has been the use of custom...

Android hooking with Introspy

Reading time: ~8 min
Here’s my first blog where I’ll try to write up how I’ve managed to set up the Introspy framework for...

Channel 4 – Mobile Phone Experiment

Reading time: ~2 min
This evening we were featured on Channel 4’s DataBaby segment (link to follow). Channel 4 bought several second hand mobile...

Hacking by Numbers – The mobile edition

Reading time: ~3 min
West Coast in the house, well actually more like an African visiting Seattle for Blackhat’s West Coast Trainings. We’ve had...

A software level analysis of TrustZone OS and Trustlets in Samsung Galaxy Phone

Reading time: ~15 min
Introduction: New types of mobile applications based on Trusted Execution Environments (TEE) and most notably ARM TrustZone micro-kernels are emerging which...

Your first mobile assessment

Reading time: ~3 min
Monday morning, raring for a week of pwnage and you see you’ve just been handed a new assessment, awesome. The...

Poking Around in Android Memory

Reading time: ~5 min
Taking inspiration from Vlad’s post I’ve been playing around with alternate means of viewing traffic/data generated by Android apps. The...

ITWeb Security Summit 2012

Reading time: ~3 min
This year, for the fourth time, myself and some others here at SensePost have worked together with the team from...

Mobile Security – Observations from the developing world

Reading time: ~6 min
By the year 2015 sub-Saharan Africa will have more people with mobile network access than with access to electricity at...

Mobile Security Summit 2011

Reading time: ~1 min
This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389). Charl was...

Runtime analysis of Windows Phone 7 Applications

Reading time: ~2 min
Runtime analysis is an integral part of most application security assessment processes. Many powerful tools have been developed to perform...