Reversec Guest Talk
Date: 2025-11-26
Difficulty: Beginner
Delivered By: Reversec
Abstract
Android apps are hard to make, and they are much harder to make securely. Because of this there are a lot of people out there making mistakes... but how many? Which mistakes? How can we find out? It is difficult to assess the overall threat landscape of any area of cybersecurity, but with the right tools the right questions can be answered. For this we developed Argus, our best attempt at filling this gap. We will walk you through the process of creating and refining a large-scale automated security tool, alongside a number of findings from our assessment of tens of thousands of Android applications.
Description
While the larger platforms and vendors receive plenty of attention from the industry, smaller app developers do not. No security researcher or bug bounty hunter has the time to assess the thousands of applications out there by hand, but there are still plenty of questions we could answer at scale with the right tools. To answer these questions, we need to analyse as many apps as we possibly can - a challenging problem, since none of the large app stores provide an interface for this kind of work.
To solve this we built a powerful engine to process thousands of applications and search for common and easily detected vulnerabilities. Using this tool, we were able to identify thousands of apps containing sensitive data and security misconfigurations.
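To give a concrete sense of what "common and easily detected" checks look like at this scale, here is a small added example (illustration only, not Argus or any Reversec code). It assumes the app's resources have already been decoded into plain XML (for example with apktool) and runs two cheap checks over them: manifest misconfigurations (debuggable, allowBackup, cleartext traffic, exported components with no permission guard) and hardcoded credentials in `strings.xml` matched by well-known key formats. The sample manifest and strings file are constructed for the example; the regex set and the launcher-activity exemption are deliberately minimal and would need to grow, and still be triaged by hand, in a real pipeline.

```python
"""Toy static triage over decoded Android resources (added example, not Argus code).

Assumes AndroidManifest.xml and res/values/strings.xml have already been decoded
to plain XML; the sample inputs at the bottom are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative credential formats (assumption: a real scanner carries many more
# patterns and still produces false positives that need manual review).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _a(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(comp):
    """The main launcher activity is expected to be exported; don't flag it."""
    for filt in comp.findall("intent-filter"):
        for cat in filt.findall("category"):
            if _a(cat, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def check_manifest(manifest_xml: str) -> list[str]:
    """Return a list of manifest-level findings (strings) for one app."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return findings
    if _a(app, "debuggable") == "true":
        findings.append("debuggable=true")
    if _a(app, "allowBackup") == "true":
        findings.append("allowBackup=true")
    if _a(app, "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or _is_launcher(comp):
            continue
        name = _a(comp, "name") or "?"
        exported = _a(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # Before targetSdk 31 a component with an intent-filter is exported by
        # default unless android:exported="false" is set explicitly.
        if exported == "true" or (exported is None and has_filter):
            if _a(comp, "permission") is None:
                findings.append(f"exported {comp.tag} without permission: {name}")
    return findings


def find_secrets(strings_xml: str) -> list[tuple[str, str, str]]:
    """Return (pattern_name, resource_name, matched_text) for each hit."""
    hits = []
    for s in ET.fromstring(strings_xml).iter("string"):
        text = s.text or ""
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(text):
                hits.append((kind, s.get("name", "?"), m.group(0)))
    return hits


def triage(manifest_xml: str, strings_xml: str) -> dict:
    """One app's worth of results; a bulk runner would call this per APK."""
    return {"manifest": check_manifest(manifest_xml),
            "secrets": find_secrets(strings_xml)}


# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.app.SYNC"/>
    <receiver android:name=".Internal" android:exported="false"/>
  </application>
</manifest>"""

SAMPLE_STRINGS = """<resources>
  <string name="app_name">Example</string>
  <string name="maps_key">AIzaSyD-EXAMPLEKEY0123456789abcdefghijk</string>
  <string name="upload_id">AKIAIOSFODNN7EXAMPLE</string>
</resources>"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run stand-alone it reports the two application-level flags, the unguarded exported `DeepLinkActivity`, and both embedded keys, while leaving the launcher activity, the permission-protected service and the non-exported receiver alone. The value of checks this simple is not their precision on any one app but that they cost microseconds per APK, which is what makes asking "how common is this?" across tens of thousands of apps feasible at all.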
This talk is beginner-friendly, with no prior mobile security knowledge necessary. We will discuss the methodology and techniques involved in solving a problem of this scale, in a way that will hopefully introduce skills and knowledge valuable in any cybersecurity professional's tool-belt. We will also discuss the findings from this process, and how common they really are.
