I am Tomáš Soukal and my daily bread and butter is explaining mobile security concepts related to RASP technology.
How to Steal a JWT and How to Protect From It
14:15 > 40 min
I will show you how a JWT can be stolen from within your app and used for user impersonation, billing fraud, fake registrations, and other API attacks. You will learn that TOFU is not only food and that there are various ways to establish secure E2E communication, like WAAP and certificate pinning. Device & App Integrity Proof for backends is the name of the game.
You should attend this talk if you want to know how an Android app and its API get hacked, and how to protect them from the modern reverse engineering techniques and malware that attackers use.
You will learn the following:
- How to clone the app and inject malicious code
- How to prepare the app's clone for JWT harvesting
- How to check the integrity of a device and app dynamically with RASP
- How to defend the app's API with certificate pinning and WAAP