BSides Las Vegas 2019 - Reverse Engineering Mobile Apps: Never Pay for Transit Again

Date & Time: August 6, 2019 at 2:00 - 2:55 PM
Location: Las Vegas, NV
Speaker: Priyank Nigam

What if I told you that there was an alarming number of security flaws in most major cities’ mass transit apps? And what if I told you I could demonstrate the successful exploitation of these apps? In this talk, I will do precisely that. The results of successful exploitation can range from the relatively harmless “”stealing”” (or forging) of e-tickets to the critical exposure of customer PII information and account takeovers.

Often, mobile apps are synonymous with thick clients – meaning they run locally and cannot trust their runtime, and come with the same vulnerabilities as their ancestors. As such, I will explore dynamic instrumentation using Frida and demonstrate practical use-cases to bypass security.

During my presentation, you’ll learn about the analysis of client-side obfuscation measures such as encrypted HTTP body and encrypted application storage (flat files/SQliteDb/Custom mobile SDK-based encryption) in mobile applications, which can be instrumental in uncovering security vulnerabilities.

Download the Presentation

To see some examples of Priyank's research, check out his Greyhound and Amtrak advisories. 

Topics:Speaking Engagements


Need a Cybersecurity Expert to Speak at Your Event?

Please get in touch with our Speaker Bureau program manager, Virginie Jenck. Please email her at


Subscribe to Updates