Every once in awhile, I’ll come across an app that implements some hardening techniques that make reversing a little more interesting. This was the case when I recently tried proxying the API requests for Yik Yak, a popular social media application exclusively available for mobile platforms that allows semi-anonymous user communication across a 5-mile radius (typically …
On my way home one night, I noticed a highway billboard sign whose lights had switched on as I drove past. It caught my attention and I wondered how those lighting systems were controlled (I mostly assumed either timers or daylight sensors). I researched it a bit and wasn’t surprised to find SmartLink which, as their website says, is …
About six months ago, United Airlines announced their Bug Bounty program and, almost immediately, it received a ton of press. Though I initially wasn’t interested in pursuing the program (mainly due to its popularity), I decided to take a look a week or two after its launch despite being late to the party. Shortly after, …
My wife and I were selling our home last year and we ended up being pretty satisfied with our Realtor team, partially due to their adoption of technology. One example was their use of ShowingTime, which is a Real Estate Showing Management System that, among other things, allows sellers to easily confirm or reschedule showing requests from an app or …
It’s great to see the increasing adoption of certificate pinning in Android apps. When I run into an app that throws connection errors while attempting to proxy requests, I tend to become more interested in diving deeper. Such was the case when I recently used the Subway app. Reversing the APK revealed cert pinning among some other interesting findings. Starting the app …
After my previous post regarding security concerns with the Z-Way home automation controller, John Matherly (founder of Shodan) messaged me that he was launching a scan of port 8083. I was interested to see if any of these devices had been put online publicly, so he sent me the results after the scan completed (thanks, John!). …
After recently finding a critical vulnerability in Verizon’s My FiOS app, I thought it would be worth looking into their other apps available to customers. The FiOS Mobile app allows users to watch subscribed TV channel offerings on their mobile devices, as well as control their DVR, view On Demand histories, etc. Shortly after loading the app …
I recently purchased a RaZberry board for one of my Raspberry Pis in order to begin my path towards home automation. I chose the RaZberry board, rather than a traditional Z-Wave controller, mainly due to its integration with the Raspberry Pi. This allowed me programmatic access to both the Z-Wave protocol as well as GPIO devices, which was important …
In the spirit of tax day, I wanted to write about my experience in reporting a privacy vulnerability in the most popular tax preparation software on the market: Intuit’s TurboTax. I have been using TurboTax for quite a few years for my taxes and this year I found they offered an Android app. At first, I wondered …
Wawa stores are a favorite among customers in Pennsylvania, New Jersey, Delaware, and beyond. When the company recently announced a new Android app to launch with their rewards program, I was interested in installing it and researching how it worked. Soon after registering and associating a gift card to my account, I discovered a serious vulnerability that would allow an …
