AES decode with Cyberchef - 2018-03-20 23:50:00

Presented by Tim

Introduction

This is a follow-up article to Paul W’s write-up about M1Con’s mobile CTF. In the article, Paul mentioned CyberChef, and it was a quick way of solving the challenge. Since CyberChef wasn’t covered, and may provide a quicker solution for future CTF challenges, I decided to describe it here.

What is CyberChef?

CyberChef was developed by GCHQ to quickly perform certain operations on inputs.

M1Con CTF Write up - 2018-03-20 23:50:00

Presented by Paul W

Introduction

Last night I went to the meetup group “M1 Con” hosted by Digital Interruption and Outsource UK Ltd. Jay Harris gave a talk about mobile security - it wasn’t super technical, but it highlighted the fact that clearly security is still a bit of an afterthought, especially when it comes to mobile development - he cited examples of issues that crop up in mobile devices that were fixed in web apps (XSS vulnerabilities for example) long ago.

Eavesdropping on WiFi Baby Monitor - 2018-02-25 00:00:00

Written by Rob

Whilst analysing a number of free communication-based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite (the free version of WiFi Baby Monitor). Although the premium version offered users the ability to specify a password to be used in the pairing process, the free version offered no such function. Monitoring the traffic using Wireshark during the pairing process revealed:

Man in the Middle attacks on mobile apps - 2018-02-01 17:17:29

Written by Jay

During most mobile application or IoT pen tests, it’s often a requirement to perform a man-in-the-middle attack to view network traffic. Below are some approaches which work when it’s not possible to set a system proxy (or when a mobile application does not honour it).

ARP Poisoning

Pros/Cons

Pros | Cons
Easy | Active attack; can be detected
Redirects all traffic | Can be risky
 | Device and laptop need to be on the same network.