06-09, 17:35–18:05 (Europe/Berlin), Media Theater
Let's break out of standard testing frameworks. In this talk, you'll learn about mobile app security: where testing frameworks can help, and where security researchers have to come up with their own threat models and attacks.
As mobile applications handle sensitive data, ensuring their security is crucial. However, simply securing individual apps is not enough to stop real-world attackers who exploit devices through other avenues. This talk will explore unconventional security testing approaches that can help improve app security by addressing vulnerabilities in the operating system, hardware, and third-party libraries. Discover how attackers can exploit wireless interfaces, sandboxing, privilege checking bypasses, and more. Let's explore why these attack vectors are relevant in practice and how to address them beyond standard security testing checklists.
Jiska Classen is a wireless and mobile security researcher. The intersection of these topics means that she digs into iOS internals, reverse engineers wireless firmware, and analyzes proprietary protocols. Her practical work on public Bluetooth security analysis tooling uncovered remote code execution and cryptographic flaws in billions of mobile devices. She also likes to work on obscure and upcoming wireless technologies; for example, she recently uncovered vulnerabilities in Ultra-wideband distance measurement and reverse engineered Apple's AirTag communication protocol.
She has previously spoken at Black Hat USA, DEF CON, RECon, hardwear.io, Chaos Communication Congress, Chaos Communication Camp, Gulasch Programmier Nacht, MRMCDs, Easterhegg, Troopers, Pass the Salt, and NotPinkCon, given various lectures and trainings, and published at prestigious academic venues.