M 211: Find a New App Vulnerability and Report it (Up to 50 pts extra)
What You Need for This Project
- For Android: the auditing environment you prepared in previous projects,
including an emulator such as Genymotion, Burp, adb, and the
Google Play Store
- For iOS: a jailbroken iPhone and a Mac
- Critical thinking skills to judge the importance
of flaws you find
- Technical skills to exploit those flaws
- Communications skills to create a clear
Perform a Security Audit
Choose any App you like. Check for any or
all of these problems, or any other
security problems you can think of:
- Failure to validate the integrity of the app's signature
(vulnerability to added Trojan code) (Android only)
- Insecure network communications
- Insecure file storage
- Insecure logging
Find a Serious Problem
If the app doesn't have any big problems,
it's not eligible for this project.
You can still report your security audit
as a Project M 210, however.
Create a Proof-of-Concept (PoC) and Vulnerability Report
Demonstrate the problem so that a busy,
non-technical executive can easily understand it.
Here are recommended ways to do that:
- Make a Web page or PDF file showing
how you exploited the vuln, with screen
captures of something impressive,
like stealing a credit card number
from a test account.
- Make a short video showing how you
can steal a password or other private
data from a test account.
Don't publish your vuln on Facebook or
Twitter or anywhere public yet!
In order to be polite, you must notify
the company privately first. You will lose
points if you don't give the company
at least 30 days to fix it before
In practice, there is very little
chance that the company will pay
any attention, but this step is
important to protect the reputation
of CCSF and our security program.
If we are perceived as irresponsible,
our program will suffer.
30 Pts: Turn in your PoC and Vulnerability Report
Send your PoC and Vulnerability Report by email
with the subject line
Project 3x from YOUR NAME
information in your email:
- Do you want to notify the company yourself,
or should your instructor do it?
- Do you want public acknowledgement
for this, and if so, under what name?
After your instructor verifies that you
have found a real problem,
and made a clear PoC, you get 30 pts.
You may stop at this point, or
proceed to the next steps.
10 Pts: Demonstrate the PoC to the Class
Prepare and deliver a brief demonstration
of the vulnerability you found to
Plan for 5-10 min.
10 Pts: Report the Vuln to the Company
In Google Play, the app should have an
email address to report the vulnerability
to. If it doesn't,
research the company that made the
vulnerable app and try to find someone
who might care. In many cases there
will be no official way to contact
the security team at all, and all you
can do is email firstname.lastname@example.org,
or fill out a generic comment form,
or something like that.
You can call the company on the phone
and ask where to send the report,
but a verbal vuln report on the phone
doesn't count. You need to make
a written report that can be verified,
so if the company complains later that
they were not notified we have a good
Send your report to someone at the
company, and keep screen captures of
your reporting, including the date.
If you send an email and it is returned
undelivered, you must try again. You
haven't really reported it until you
send something that seems to have arrived.
Send Proof of Report
Send one or more screen captures to email@example.com
showing how you reported the vulnerability.
If you send proof of a satisfactory report, you get
10 more points.