,
24 tweets,
7 min read
Read on Twitter
<Thread> My sushi was delivered. I have 3 hours free. It's time for me to live tweet the RE of the RSA conference app play.google.com/store/apps/det…
Last year, the awesome @svblxyz analysed the app and found some stuff
The first step is always to use the app as a standard user. This app is not offering a lot of features. The features are coming soon ^^ 
Next, we have to look at the AndroidManifest.xml, the assets, libs and values folders.
- In the libs folder, we can find libsqlcipher so they are using an encrypted database
- In the libs folder, we can find libsqlcipher so they are using an encrypted database
- In the manifest, we can see the following package names: com.rsa.rsaconference, com.urbanairship, com.xomodigital.azimov, net.hockeyapp, com .google.firebase, com.eventbase. It gives us the list of the 3rd party used in the app
- In the values folder, check the strings.xml and search "secret" for example. We have a lot of results. Let's keep it on a side note for a later use
This app has been obviously made by @EventbaseTech.
A good thing is to check the word exported="true" in the AndroidManifest.xml. For example, if you send adb shell am start -n "com.rsa.rsaconference/com.facebook.CustomTabActivity", the RSA Conference app will open a blank screen 🤔
This CustomTabActivity is taking the data string and forward it to another app. By sending "adb shell am start -n "com.rsa.rsaconference/com.facebook.CustomTabActivity" -d "google.com"" the app is blinking twice
This is a dead end. The CustomTabMainActivity is checking the action and finish the activity if the action is equals to CustomTabActivity.a which is our case here. Next!
I told you https is secure!
All the available endpoints
I wonder what is a debug Google Maps key 🤷♂️
This is the kind of string I like
This key is used to generate the HMAC key. It is used after the download of the attendance db. This is something we should hook this method during the dynamic analysis
-this method
The sharedPreferences files called prefsGlobal.xml contains a lot of juicy info
The rsa2019.sqlite_1 is a sqlite3 database which contains all the useful info regarding the event
The databases folder contains 2 interesting databases: "persistentstorage.db" and "user_data_crypt.db". What do we have in user_data_crypt 🤔?
The password of the user_data_crypt.db is quite long, encoded with Base64. This is the tables available in the database
I created my account today, it seems to be an incremental number 🤔
I am interested to know if this password is the same for everybody 🤔
This is useless but it’s funny. Me, using the RSA conference app to go on Twitter
Their AzimovWebview is able to open a lot of files
