Watch me go out of my comfort zone approaching strangers and interviewing them. The answers were very interesting and as a security consultant their point of view is important to me.

I love how that one app dev said repackaging an app to remove monetization is an improvement

I can tell you something about security measures in banking apps I used. They have no problem with running on an old android version with known vulnerabilities. But they can detect rooted androids or even androids with unlocked bootloader and lock the user out. At the same time there is no problem with using their banking website.

Honestly, the mobile apps ecosystem has become quite a nightmare nowadays. It wasn't surprising to me that most devs consider reverse engineering their greatest enemy. But it is a problem and I just cannot complain about it enough. In Asia especially, it's not uncommon to see apps packed with commercial "protectors" that literally behave like advanced malware packers. Such things are just horrible to end users in terms of security. They are so ubiquitous that it's not ideal to ban them on the app store, while no effective method is available to determine whether an app packed with such a "protector" is benign or not. And I do feel the devs' frustration, too. You can not just blame users for being muggles who cannot distinguish the original app from all those cash-grabbing copycats. After all, they are just users, and users bare absolutely no responsibility to serve the devs. As for the copycats, there is no way to detect them, either. The whole situation is just awful, with no obvious solution in sight. Sigh...

not loving where their heads are at re: blocking access to codebasses, obfuscating, this is how you get closed source security theatre

I think those developers dont really know that much about security based on the interviews. They worry about reverse engeneering because of someone stealing their assets. Thats not really application security. Its more like business security in case any competitor gets a benefit. The backend is what gets hacked and where the data is leaked in most cases. Saying that a registration of a username called "root" is forbidden shows me that their backend is most likely not really that robust if it cannot handle that.

Hi @LiveOverflow. Love the vids. Just had one small comment. I noticed you put notes in your videos in different parts of the screen, including the bottom part. Since my native language is not english, some times I use subtitles to understand better. Unfortunately the subtitles cover your notes if they are at the bottom, so I'm left to either pause the video continuously, or watch without subtitles. if you could leave a little space for the subtitles at the bottom, or use other parts of the screen, it would help people that need subtitles. Thanks for the content!

The anti-reversing protections, at least to me, seem to be very similar to web application firewalls and their bot JS challenges. Many people are discouraged by it, but somebody with motivation and resources will not be stopped by it.

I really like this type of content! It's a pity that you got those camera issues but thank you for sharing that. The fact that you shared that and told us about it made you even more wholesome and relatable :) One thing that triggered me a bit was that you didn't resolve what movie played at day 2 but maybe you dont know about it either. All in all a great video with nice insights!:)

As someone working for one of the App Security companies at that conference (not shown in the video); it's not so much that these companies care so much about obfuscation, but many of our customers think obfuscation is the important part. I get what you mean when you call it snakeoil, and I agree to an extent, but it is usually just a smaller part of the bigger picture. Unfortunately many developers and especially regulators think obfuscation is very important.

Obfuscation is just another way of saying security through obscurity

Still gutted we didn't cross paths - thanks so much for all you have done to promote security! You were one of my many inspirations to speak and discuss mobilesec. Hope to thank you in person next year 😅

Hey! Your videos have taught me so much. Thank you!

At one point I become so frustrated that "everything is app" in my smartphone that I just switched to web where I could and other junk just dumped and started using my laptop more. I hope that one day smartphones will stop being frontshop for corporates to sell their products and start being what they really are - computers in our pockets.

It's obvously nice to have a good camera for an interview but you really shouldn't be ashamed to just record it with a phone. That isn't nearly as unprofessional nowadays as you might think. Especially on an android developer conference! It's too late now, but maybe for next time. Just using your phone as a backup is acceptable.

congratz for new format. I like this a lot

lmao the day 2 and day 3 camera issues had me actually laughing out loud. Great video edit: I dont know how feasible it is, but a liveoverflow font that supports nerdfont style icons that I could use as a terminal font would be awesome.

lol you rock with the camera stuff indeed!

Client side obfuscation seems insane to me

I did find it funny, but props on you for owning it in camera and then asking for help on the twitterverse. Thanks for making the video and bringing forward the insights from your perspective.

can u plz do more such videos as they really feel refreshing

is smali reveresing, frida still possible? if no then what developers security developers use to prevent those?

I had a very similar fackup with my rocket computer recently, when I firstly forgotten to change the batteries and the forgotten the SD and then batteries again

superb! hope, I'll be there with you one day

There are typical mobile security topics (beside insecure backends M1,M2), especially unsafe credential storage (M5 not using proper Api, M9 not proteting local data), exposing insecure interfaces (share handlers, url handlers), app secrets and a lot of Trojan/malicious dependencies (M3)

Which movie was in the end? Hackers? The Net?

I hate security by obsecurity bullshit. That makes so much harder for new hackers to enter the field. I understand it when you make something like malware that is supposed to harm and be secret about its functionality. But banks/productivity apps? Most of their functionality is based on server side! Also game anti cheats are now obsolete. Nowadays everything goes into server side!

its okk we dont want anything just the content that you create that enough for making our day wonderfull :))

Not an android developer, but im pretty sure the disproportional concern about reverse engineering is due to java and other languages with runtime such as C# It is quite trivial to de-compile a java app, and i suspect its much easier to get insights into the architecture compared to revere engineering a c++ program. Obfuscating is a pain in my ass in my experience, especially if the system surrounding the software wasn't built for it. Kinda makes you wonder why projects like GCJ aren't more used, especially considering that (no matter what oracle says) you can never assume that your target machine has the JRE you need.

Great video as always, it was funny how unlucky you were haha there is always next con

So what was the movie?

Friendly reminder to double check ai generated captions. I assume you wouldn’t have transcribed “root” as “roots”. Thanks for the fantastic video as always :)

So? Which movie was it?

what was the movie though?

So...was the movie Hackers?

Lmao, that video was comedy gold, exactly my kind of humor! :D

you're a professional youtuber in my heart ❤❤

Can you create a short video on Active Directory?

Conference Day 3's audio is so messed up, surely a camera man would've been helpful 😅

Why didn't you use yout phone to record it? Mic doesn't work on phone? Also I'm pretty sure when they were saying obfuscation, they were thinking security for them as the developer, not for the users. The intent thing is just dangerous for the user, cause it can potentially access user data and things its not supposed to.

I hear a lot of examples of security through obscurity here

🤣 good to know that there is next to no effort put into protecting users 😡

Lol we can see these guys never tried to reverse engineer their own app, probably easier to just re-code their empty frontend app in most cases.. Maybe they're just super proud of their responsive design and think it's something others could want to steal😂?

12:20 From behind you look basically identical to Tomary...

i like this guy man

So do you or do you not want to be approached ? oh and what movie was it ?

Isn't hiding the source code pretty infective in trying to get better security?

Though it may look like it is just the front end of the app, as the app will be installed on the user's phone, it really concerns us if the code gets stolen, modified, or monetization gets removed. We really do small things in the backend or use Firebase as a backend service.

Setting the username to a root or to a dot can give high privileges, never thought about that 🤔

I was there for the whole duration, and I cannot believe I missed you. I'd loved to at least say hi :( Anyway, my takes on the topics you mentioned: Repackaging: you already mentioned that you can understand why is it bad for games with in-app purchase, but other apps can also have in-app purchases, or they can even be paid apps, and removing the purchase check and re-uploading the apk is a real issue. Comparing this to being afraid of someone creating a crack for your app/game on desktop is a fair comparison in my opinion. Obfuscation: In my opinion it serves two purposes. The first one is connected to repackaging, the better the obfuscation your app has, the smaller the chance that someone will take the effort to reverse it and repackage it. The other one is security related: we want to authenticate our app towards the backend. A lot of the times we need an API key to access a service, but we have to store it somehow. There are multiple options, but they all have compromises, and we have to find the one that's the best for both security and the user. Let's have an example: you're working on a weather app, and you're using an external API where you have to pay by the number of requests. Naturally, you want to protect the API key (who wants to pay for someone else's requests?), so you have a few options: - get the key after app install and store it somehow - you can try your app's private folder, but that can be accessed by anyone with a rooted phone, so that's not good enough - most phones nowadays have some kind of secure storage. you can store the key there, but it's a lot of work, and it might require the user to authenticate themselves to access it. most users wouldn't understand why would they need to use their fingerprint to see the weather - bundle your key with the app somehow Whichever option you choose, a malicious actor will be able to get the key. The best you can do is making it as hard as possible for them, in the hope that they'll decide it doesn't worth the trouble and give up. This is where obfuscation comes into the picture. On an other topic: the recordings from the conference were released today, and even though most security talks were basically ads for their company, there was one that was really interesting, you can watch it here: www.droidcon.com/2023/07/31/how-to-attack-and-secure-an-android-app-an-introduction/

To the people in the comments saying that the backend devs are the ones that do the heavy lifting for the security - a LOT of Android specific bug classes are front-end based. Here is a full chain, zero click exploit to get RCE based only on front-end bugs: kzfaq.info/get/bejne/Y8txhZmiydu6h40.html

"let me tell you what i fkd up today" :D

what's the deal with reverse engineering the app lol do they keep private keys in the frontend???

Although, It's a good point that we can download mod apps anytime.

First time watching you outside home😆😅

Just like security in layers, and data redundancy, you seem to need recording equipment redundancy. :p Take this as a practice run and learn from it, be glad it wasn't a major security conference you needed to record it or something.

Camera vulnerabilities? 👀👀

Im outside... but not for long. hahah

13:36 - 13:48 was the funniest section 😆 I literally pooped my pants on that one

Security conferences are usually small, you say? Ever been to Blackhat USA? 😅 Defcon? 😂

lol D2 and D3 are soo funny XD

Why not just interview with your, phone..? Bad audio?

Fearing reverse engineering is a learned fear. People are told to fear it and they just start to. Reverse engineering is not a security concern. Simple solution, just Open Source your code. People will have no reason to go to someone else for you program if they can get the best copy from you. If someone improves it, and you use a good license(GPL), then the improvements can be pushed back to your code. Both programs will only get better and not one will need to go to shady sources to get your APP. Problem solved.

I will watch this video when I screw something up!

Also at security conferences filming is sometimes discouraged to protect peoples' identity/privacy

It's ok everybody make mistake, I also forget my sd card from time to time. Video still interesting.

Well this is scary

As a developer, I think you can be a hacker without knowing how to code, but, if you want to be a really badass motherfucker hacker, it's a must!

They are like it's not our job 😅

"Hello im outside" - Local Hacker touches grass

You can never pack enough un... SD-cards.

This video reminds me of my life 🤣

0:02 story of my life.

make more minecraft videos

If a CPU can decode your application, than human can do it too (with sufficient skills & tools)

7:40 you are at an android development conf, usually the real security conserns are in the backend; those people are not at the conf.

Plot twist: he intentionally fucked up to not get out of his comfort zone lol jk

Hi

ha ha funny :D

ahh android the spyware of google.

:)

I really don't see the point of attending these conferences in person. All these talks should be recorded and published to the Internet afterward. If they are not, then the conference sucks. ;) It's never worth it anyway.

First

Pinnnn

Mobile security? You’re joking right? There’s no such thing. Even if you did have it they could just take the phone from you.

this episode was way below your standart

deobfuscation, modifying and then reuploading is a real issue, there are whole platforms for them which ruins a great part of revenue

Meh ...

More Minecraft hacking or riot!

Disliking all videos on multiple accounts until minecraft hacked comes back!!!