Sept. 28, 2023

Episode 38: Mobile Hacking Maestro: Sergey Toshin

Critical Thinking - Bug Bounty Podcast

Episode 38: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to welcome mobile hacking maestro Sergey Toshin (aka @bagipro). We kick off with Sergey sharing his unexpected journey into mobile security, and how he rose to become the number one hacker in both Google Play Security and Samsung Bug Bounty programs. We then delve into the evolving perception of mobile bugs, a myriad of new and existing attack vectors, and discuss Sergey's creation of mobile security company Oversecured. You’re going to want to make time for this one!

Follow us on twitter at: @ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today's Guest:

https://twitter.com/_bagipro

Oversecured

https://oversecured.com/

Oversecured Blog

https://blog.oversecured.com/

jadx

https://github.com/skylot/jadx

'Golden Android Techniques'

https://hackerone.com/reports/431002

Timestamps:

(00:00:00) Introduction

(00:01:28) Sergey Toshin’s hacking journey and achievements

(00:08:20) Mobile hacking: Devices and attack vectors

(00:12:35) Using Jadx

(00:15:40) The creation of Oversecured

(00:23:10) The Oversecured Blog and Sharing Information

(00:28:08) New Spheres and Strategies of Mobile Hacking

(00:35:13) Tips for getting into Mobile Hacking

Transcript
Joel Margolis (teknogeek) (00:01.65)
Awesome. Hey, Sergey, how's it going?

Sergey Toshin (00:03.51)
Hello, very good.

Joel Margolis (teknogeek) (00:05.79)
Awesome. Well, for those of you who don't know, this is Sergey Toshin, aka bagipro. He's one of the big mobile hackers in the scene, and today we're gonna be sitting down, just me and him, to have a little discussion about mobile hacking and what led you on your path and all sorts of things. So why don't you go ahead and give a little introduction?

Sergey Toshin (00:30.315)
I'm bagipro. Like some time ago, I was the number one hacker in the Google Play Security Rewards Program. In the past year, I'm the number one hacker in the Samsung Bug Bounty program. And I'm also the founder of Oversecured. It's a mobile scanner for Android and for iOS applications.

Joel Margolis (teknogeek) (00:50.582)
Awesome. Yeah, yeah. Well, we're going to talk about all those different things. I have some notes written here, so I'm excited to pick each of those apart. But why don't we just get started with sort of like how you even got into mobile hacking? Because I'm a mobile hacker myself and there's really not a ton of us. Or if there are, we're very quiet in the shadows, sort of types of things. So what was sort of your introduction into mobile hacking? How did you get started?

Sergey Toshin (01:19.118)
That's actually weird, and I didn't plan this, and I had no experience with mobile hacking, but when I was 18 I was a student at a university. I was studying maths and like low-level programming, like assembler programming and so on. And when I was...

in school, I was working for an American company as a QA engineer, and I wanted to find a job, not for money, not because of money, but to get some experience, like real practice. And I was looking for a job. I was coming to QA engineer interviews, I was coming to C++ programming interviews.

And my actual resume was about junior C++ developer.

Sergey Toshin (02:12.983)
Yes, and I was clicking like everywhere, like come to interview, come to interview, and companies were replying to me, and some company, they had like three jobs: a Unix security guy, a mobile security guy, and like a web security guy, and I clicked, I want to be a Unix security guy, because it looked harder, and that's why I picked this.

And they called me, they told me they liked my resume and they wanted me to come to their office, and they asked, I believe, like, what do you want to do? I told them Unix security. They told me no, but they wanted to pick me for mobile security, and that's how I started working in mobile security.

Joel Margolis (teknogeek) (03:00.782)
Wow. Okay. So like totally, completely, literally, almost by chance. Wow. Okay. And so you did that for, I assume, a number of years, and then when did you find bug bounty?

Sergey Toshin (03:06.636)
Yes.

Sergey Toshin (03:16.175)
So actually this company was doing like consulting and selling the security products and like all of

my friends in the company, like colleagues, they were doing Bug Bounty, and like their salary was like $1,000 or $2,000 per month, but they were getting like $10,000 per month for Bug Bounties, and they worked in the office just because of community, and I said, oh, I want this, but I was like 18 years old, and I had no idea how to get money from Bug Bounties, and that's why I was trying like 10 times, 20 times until it succeeded.

Joel Margolis (teknogeek) (03:55.958)
Oh wow, okay, that's crazy. So do any of those people still hack and were they also mobile hackers or did they do different types of hacking?

Sergey Toshin (04:02.79)
I know they were like web hackers. So actually I believe most people, they hunt for like a specific vulnerability category. For example, XSS or browsers or mobile browsers and so on. I know people that hunt for XSE only. So I hunted for mobile bugs.

Joel Margolis (teknogeek) (04:22.034)
Mm. Okay.

Joel Margolis (teknogeek) (04:26.378)
Wow, that's really interesting. Okay. So you, you know, you knew these coworkers, they were doing bug bounty. They encouraged you. I had a very similar experience as well, where one of my coworkers was somebody who did bug bounty and they were like, Hey, you should, you should try this bug bounty thing out. And I was like, Oh, okay. That looks interesting.

Sergey Toshin (04:42.474)
Yeah, but it doesn't work immediately, because I was coming to different bug bounties. First of all, I had no experience. Second of all, in 2015 companies didn't believe that mobile bugs exist. And that's why I was submitting a vulnerability and they said it's not a vulnerability.

Joel Margolis (teknogeek) (05:03.306)
So true, man. This is like, I thought I'd talk about this a little bit. But yeah, this is something that honestly only over the last couple of years, like maybe the last five years, has really started to change a lot, where the risk assessment for mobile bugs has gotten a lot better. Because for the longest time they were just like, oh, you can't exploit this because you have to be on the device, or you'd have to have physical proximity to the device or stuff like that. And it was like, you know, yes, but that is a non-...

Sergey Toshin (05:16.163)
Yeah.

Sergey Toshin (05:26.42)
Yes.

Joel Margolis (teknogeek) (05:31.574)
that happens now, like malware is a real thing. People install random apps from the internet all the time, so it's not like a non-zero scenario where it can't happen.

Sergey Toshin (05:42.05)
Yeah, because there are a number of attack vectors, for example, completely remote, like from local network, from physical closeness, from physical access to the device, and from local access. Yes, it's not an AP1, but it's a vulnerability anyway.

Joel Margolis (teknogeek) (05:59.978)
Yeah, yeah, absolutely. So you then started doing bug bounty, and were you always doing the Google VRP, or what ended up getting you to the number one spot there?

Sergey Toshin (06:09.738)
I know. So there was like a three-year gap between when I started bug bounty and when I started getting money from bug bounties.

Joel Margolis (teknogeek) (06:19.766)
Ha ha!

Sergey Toshin (06:21.162)
Yes, in summertime I got a visa to visit the US, and that's why I wanted to rent a Mustang, a Mustang Convertible, a GT Mustang Convertible. And it was like pretty expensive. And as a student I didn't have enough money to like afford it. And that's why I thought, like, bug bounty, let's try again. And before that I had submitted like 20 vulnerabilities that got rated as not a security vulnerability. And I really tried, like I was submitting like a lot of...

Joel Margolis (teknogeek) (06:30.094)
Nice.

Sergey Toshin (06:51.016)
vulnerabilities, I was describing them carefully. I remember a vulnerability in Jira; it was using an SDK that was vulnerable to the theft of arbitrary files.

I submitted it to Quora, it's disclosed in my HackerOne profile, I submitted it to Jira, they fixed it, and from only one specific vulnerability I got like $10,000, and yeah, I had enough money from the vulnerability to afford my trip and everything else. Yeah.

Joel Margolis (teknogeek) (07:20.898)
Wow. Ha.

Joel Margolis (teknogeek) (07:27.254)
Now you can rent the Mustang. That's awesome. It's all about setting goals. You know, I love that. I love just like having a specific goal in mind. And then you just like focus on that and just like hone in your energy all towards that one thing.

Sergey Toshin (07:43.946)
Yeah, because if it didn't work I had to rent, I don't know, a Hyundai. And that's not that cool.

Joel Margolis (teknogeek) (07:48.854)
Oh, no, yeah, we can't be doing that. That's awesome. So you mentioned that you're the number one hacker on Samsung right now, is that right? Yeah, yeah. So tell me a little bit about that, because Samsung is... I don't think I've actually ever hacked on Samsung, and they run an independent program, right? It's like totally operated by them. So what was that process like? What led you to start hacking so much on Samsung, and...

Sergey Toshin (07:59.599)
Yep.

Sergey Toshin (08:11.458)
Yeah.

Joel Margolis (teknogeek) (08:18.435)
What are sort of the pros and cons of working directly with a company like that?

Sergey Toshin (08:23.01)
Actually, it was like super random, because I had my... I have like...

In my life I'm using iPhones, but I also have Android devices to test vulnerabilities and so on. And I'm using Samsung for this purpose. And I thought, like, yes, I'm not using it every day, but I still use Samsung, and that's why it's a good target. First of all. And second of all, I had no idea about fragmentation in Android vendors, but it appeared that Android devices are completely different.

If you take a Pixel device, if you take a Samsung device, if you take a Xiaomi device, they are completely different from a vulnerabilities perspective. And that's why I was curious, are there any vulnerabilities? But it appears there are a lot of them, like device-specific vulnerabilities or vendor-specific vulnerabilities.

Joel Margolis (teknogeek) (09:14.83)
Hmm.

Joel Margolis (teknogeek) (09:17.99)
Do you find it difficult to sort of work with that attack surface, or did you originally find it difficult? Because I imagine as you're trying to hack something like Pixel or Samsung, the scope changes quite a bit, and also the attack vectors change quite a bit, where you have to start thinking about the threat model differently, sort of from more of a consumer perspective, right? Where the vulnerabilities are within the system as a whole that you can exploit, versus just like specific applications or specific scenarios.

Can you talk a little bit about that?

Sergey Toshin (09:51.143)
You have a long question, but the answer is no. Everything is simpler, because the applications are written in Java, not in Kotlin, and there are no obfuscations, and that's why it's much easier to hunt for vulnerabilities.

Joel Margolis (teknogeek) (10:03.158)
Nice.

Joel Margolis (teknogeek) (10:06.638)
Okay, wow, that is not what I was expecting actually. So for some context for like people who are listening, I think a lot of people may be unfamiliar with this, but most apps nowadays, I'd say probably, I don't know, at least 30% are written in Kotlin, right?

Sergey Toshin (10:27.055)
So I believe like 80% of applications, they are mixed, they are Java and Kotlin based.

Joel Margolis (teknogeek) (10:36.558)
Mm-hmm.

Sergey Toshin (10:40.834)
I'm talking about like big modern rich applications, for example, Airbnb, Tinder, Google and all like popular applications. And they rewrite their applications in Kotlin and use Kotlin features. And then they have a skate Kotlin. It's like a complete mess.

Joel Margolis (teknogeek) (10:44.045)
Yeah.

Joel Margolis (teknogeek) (11:02.728)
Yeah, I've noticed that you're quite active on the JADX project. I don't know if other people have noticed that, but is that something that you use pretty frequently?

Sergey Toshin (11:13.45)
Yeah, and actually this tool is used by the scanner, and it's like super important that everything is correctly compiled. Like if the code is obfuscated, it's okay, but it should be like compilable, there should be like correct references, because finding the vulnerability, it's like a number of actions, of events.

And like the code flow should be like super correct. And if it's not correct, like one of a hundred important code lines is corrupted, the vulnerability will be missed. And that's why I'm pinging like the jadx developer, like, hey guy, please fix this specific error, because of this I cannot detect the vulnerability.

Joel Margolis (teknogeek) (12:08.37)
Yeah, yeah, that's awesome. That's exactly what I've noticed: I'll be hacking on something and I'll have some weird behavior in JADX. I also use JADX as my main decompiler, but I don't do the same automated level of scanning that you do. However, when something fails to decompile, oftentimes I'll go and I'll look, and I'll see either you have a ticket open for it, for him to fix, or it's just been fixed and I need to update my version of JADX. So it's really an awesome thing to see where someone

Sergey Toshin (12:28.645)
Yeah.

Joel Margolis (teknogeek) (12:37.218)
from the community is interacting back and forth with the tool creator to actually improve the tool in real time.

Sergey Toshin (12:43.262)
Yeah, I actually always feel like, I don't know the correct word, not angry, but no. When some guys report issues about UI problems, like the menu is not correct, and I'm thinking it's like an open source project and the guy could be working on the decompilation bugs, but he's working on UI issues. Why do you care about this?

Joel Margolis (teknogeek) (13:04.718)
Ha!

Joel Margolis (teknogeek) (13:10.298)
So speaking of the UI, do you use, like, when you use JADX, I guess maybe, let me split this into two questions. So let's say for your personal hacking, not the Oversecured automatic flow, are you using JADX when you decompile apps just generally across the board? Okay.

Sergey Toshin (13:28.674)
Of course, only jadx, and I never tried any other decompilers.

Joel Margolis (teknogeek) (13:33.806)
Cool. And then are you using the GUI much, or do you open it in like a separate editor? Maybe you could walk me through sort of what your hacking flow looks like if you're approaching just a one-off mobile app.

Sergey Toshin (13:46.446)
So actually, first of all, I'm scanning the application using Oversecured, and then I'm looking for vulnerabilities that it found. And I didn't do like manual review. So I'm going to go ahead and do a little bit of a demo.

Like sometimes I need to cover like all the vulnerabilities. Like it's our customer and we need to verify, like manually verify, if everything is correct, no vulnerabilities are missed. And that's why I'm coming, like checking if everything is correct. No corrupted code flows, no decompilation issues. And yeah, I'm like checking all exported components. I'm checking like clipboard,

Sergey Toshin (14:30.37)
Like everything, like local web servers and so on. But like if I'm manually hacking just for fun, or just because I didn't hack for a long time and I want to come back to my roots, I'm like checking it using Oversecured and then I'm opening it in the jadx UI. And...

Joel Margolis (teknogeek) (14:49.262)
Mm-hmm.

Joel Margolis (teknogeek) (15:01.718)
Yeah, okay, cool. Yeah, so it's.

Sergey Toshin (15:02.339)
Yeah. It could be like a simple vulnerability and I don't open jadx at all. But sometimes, if it's a tricky vulnerability, there are like tricky conditions. So I'm opening it in jadx, yes.

Joel Margolis (teknogeek) (15:15.938)
Got it. Okay. So why don't you tell me, we've talked about Oversecured. We mentioned it a couple of times, but why don't you talk a little bit about that? Because it sounds like generally, as you were doing hacking, it was sort of a natural progression to create the product and company that Oversecured is, right?

Sergey Toshin (15:31.894)
Yeah, so I was doing bug bounty hacking and I was looking for vulnerabilities in many applications, and I was like lazy to do everything once again manually, because there are like thousands of files and I need to, again and again, go through like all the sources, grep the same stuff.

And it was super boring to do that manually. And that's why I created a tool, and it was getting better and better. And in 2019, Google launched its bug bounty program called the Google Play Security Rewards Program.

I became like the number one hacker in this program, because they started paying like $3,000 for every vulnerability found in a super popular application. And like the Google guys were asking me, like, what do you think about this? Like before that. Because before that introduction they had like...

15 applications in scope, and they asked me, like, how do you think we should extend our program? And I told them, maybe we need to add the vendors, like Google apps, all Google apps, or someone else, like Samsung apps. And they told me they added all applications that have a hundred million installations and increased rewards three times. I told them, guys, you're going to go bankrupt.

Sergey Toshin (17:09.61)
But they didn't believe me. Yup. And I started reporting a lot of vulnerabilities. And they started paying a lot. And, saying privately, they told me it was our mistake that we started paying like $3,000. And right now they're paying $1,000 for such vulnerabilities.

Joel Margolis (teknogeek) (17:09.962)
That's crazy.

Joel Margolis (teknogeek) (17:25.454)
Hahaha

Joel Margolis (teknogeek) (17:37.554)
Yeah, it's true. I noticed that they dropped it down a little while after you had farmed them like crazy. That's really, really crazy. So for those who don't know, you know, VRP basically said any application that was, what was it, over 1 million installs or something like that? 10 million installs?

Sergey Toshin (17:40.983)
Yeah.

Sergey Toshin (17:56.846)
Over 100 million, and there are like 500 of such applications.

Joel Margolis (teknogeek) (18:00.718)
100 billion.

Joel Margolis (teknogeek) (18:05.522)
Right. So basically any vulnerability that affects any of those applications, Google Vulnerability Rewards Program would pay you an additional bounty. Even if you reported it to the original app, right?

Sergey Toshin (18:12.075)
Yeah.

Sergey Toshin (18:17.13)
Yeah, so actually I didn't like reporting it to the developer, because there was a policy that

was saying, like, if a company has a bug bounty or vulnerability disclosure program, you need to report it to them first, wait until it's fixed, and it was taking like months until you get a reward, and that's why reporting it directly to Google is more profitable, because you're getting a reward within, I don't know, like two weeks, and you're not waiting, you're not having like a backlog of vulnerabilities, you're not tracking, because...

I cannot say I had a good experience with developers because they don't care. And Google is pushing on developers and forcing them to fix the vulnerability. But when you as a researcher report it to a developer, they don't care and say, okay, we're fixing it. But actually, they're not fixing it or they will be fixing it after a year. So it's very annoying and I like reporting vulnerabilities to Google.

Joel Margolis (teknogeek) (19:22.454)
So when you find bugs in apps that are in that 500 plus cohort now, do you report it directly to the company or do you still report it directly to Google or what does the process look like now?

Sergey Toshin (19:36.482)
So you have to Google if the company has a bounty or VDP program. And if it has, you report it directly to them. If they don't, you report it to Google. And they start their own process of validation and rewarding you for this.

Joel Margolis (teknogeek) (19:56.662)
Got it, got it. Okay, so would you say that a lot of the companies and apps that you were finding a lot of bugs on, you've now signed them as clients onto Oversecured?

Sergey Toshin (20:09.654)
Actually not all of them because this program was only a push to start the company because

I had friends that started their own companies in cyber security and they were pinging me saying like you have good scanner, you have good business idea, so start your company. And I was like, start your company? Like where? Like paying taxes? Like how does it work with corporate taxes?

Joel Margolis (teknogeek) (20:39.473)
Yeah.

Sergey Toshin (20:40.886)
When Google rewarded me, within, I believe, four or five months of work, with almost a million dollars, I thought, wow, yeah, everyone is vulnerable. I got the confirmation that even super popular apps are vulnerable. And right now I have money to start my company, fund everything by myself, bootstrap it, and I did it.

I came to America, opened a bank account, registered the company, and right now we're with a lever-based company.

Joel Margolis (teknogeek) (21:14.478)
Wow.

Joel Margolis (teknogeek) (21:17.73)
That's amazing. It's awesome to see. I love seeing when bug bounty hunters, especially, but generally just security researchers are able to turn one of their personal toolings into a company like this because there's so many smart people who are building so many awesome security related products. And a lot of the time it's just for personal use, just like what you were doing. This was just to save time and effort by making your scanning a lot easier so that you could just throw in an app and do all your checks at one time.

And you could just turn that into a product and help other companies, you know, automatically just, they sign up and they pay you and get that coverage.

Sergey Toshin (21:53.782)
Yeah, but actually I had no idea how business works. And it appears that selling B2B is super hard, because even if you completely disrupt a company, if you give them a good report, they fix the vulnerability, they say thank you, hallelujah, you saved our lives. Anyway, they need budgets for your tool, and you need to talk,

and it doesn't happen immediately. Like if you hacked them this year, maybe next year they assign budgets to buy your tool. So it's like a super long process. Yes.

Joel Margolis (teknogeek) (22:33.599)
Oh wow.

Yeah, almost like the triage process where you're waiting for bounties. That's awesome. So you had mentioned that you disclose the reports, and I think one of those that I have bookmarked and I go back to all the time is this report that you call, I think it's 'Golden Android Techniques' for URL parsing bypasses or something like that. What

Sergey Toshin (22:39.841)
Yeah.

Sergey Toshin (22:59.46)
Yeah.

Joel Margolis (teknogeek) (23:02.762)
made you want to publish that? Because that is just such an awesome resource. For people who don't know, this is essentially, I think it's three or four different tricks that you published for how Android will be parsing URLs, or oftentimes apps will implement parsing URLs, that are implicitly vulnerable to parsing problems where you can either pass in a different host, or if they do, you know, .getHost(), then it'll

respond with a different host, but if they were to do a string check, then it's different. And so I think those are really, really awesome checks, because I reference them all the time. But what made you want to publish that? Because this was many years ago, right? This was 2018. So I think you were quite ahead of sort of the mobile security publishing curve at that point.

Sergey Toshin (23:52.162)
Yeah, actually this is reposted in our blog, in the Oversecured blog. I believe the article is like attack vectors on the view or something like that. So there are like extended techniques and extended ways of hacking, of securing, but...

I always publish, like, I don't have any, like, hidden knowledge that I use when it's dark. And... Yeah.

Joel Margolis (teknogeek) (24:23.23)
You got your secrets, your secrets script folder.

Sergey Toshin (24:24.778)
Yeah, I don't actually have any hacking secrets. And I always published everything I know. Like maybe I know a way of hacking something, but it's like super small to publish, and it's super small for an article. But I always posted everything I know.

Joel Margolis (teknogeek) (24:28.866)
Ha!

Sergey Toshin (24:44.622)
If I consider it interesting. Because I think it's good for our world. Because there are only a few mobile hackers. And I have like, I don't know, a hundred points in mobile hacking. So I can push someone else to, I don't know, 20 or to 50 or to maybe 150. If they didn't know those techniques.

Joel Margolis (teknogeek) (25:08.429)
That's an awesome way to talk about it.

Sergey Toshin (25:10.978)
Yeah, because companies don't know about mobile vulnerabilities. And when I disclosed reports, I pushed them, and I believe they started to know that there are mobile bugs and what they look like.

Joel Margolis (teknogeek) (25:26.782)
Yeah, absolutely. I mean, I think so many people see mobile as sort of just another proxy for API hacking or web hacking, where they just use it to get endpoints. And that's kind of it. And that's cool. Like, you know, there are certainly vulnerabilities there. But I think there's just so much more depth when you're going to the real, like, the level that

Sergey Toshin (25:33.218)
Yeah. Yeah, exactly.

Joel Margolis (teknogeek) (25:45.686)
you and I often go to, where you're looking for activities, you're looking for intents, you're looking for providers and all sorts of different Android-specific components to find those real Android-specific vulnerabilities that provide so much more impact than just, you know, finding an IDOR or whatever. Well, not always, but oftentimes. That's cool. And so you mentioned the Oversecured blog posts. This is another thing I have a bunch of these bookmarked.

Sergey Toshin (26:07.78)
Yep.

Joel Margolis (teknogeek) (26:14.218)
I've actually used Oversecured a couple of times to scan apps. And one of the things I really like is that it will link out to the different blog posts about different findings that it has. So if it finds, you know, access to app-protected components, it'll say, hey, here's a link to the blog post where you can read all about it in depth. You know, what does this look like? What does an exploit scenario look like? How can you identify these types of things? What's actually going wrong? How can you fix it? Like, it's

a huge, huge resource. Have you found that there are things that you end up referencing in your own blog posts while you're hacking? Or is that sort of just something that you've written down and published and it just goes out there?

Sergey Toshin (26:57.962)
So all the blog posts are there like results of hacking, and, like, previously I was hacking like a number of applications and I was looking for like common patterns of vulnerabilities. And I created like rules for detection, and then I started detecting it. And right now I'm like extending and extending and extending the rule base, and like right now I'm

hunting for like new vulnerability patterns, because like I don't know any other patterns, and that's why, like, taking the sources, checking it, everything, if that was your question.

Joel Margolis (teknogeek) (27:43.714)
Yeah, yeah, no, totally. I was gonna ask something about this as well, because I think one of the things that I felt as well is that over time, in mobile hacking, there's not many new vulnerabilities that I see coming up. It's a lot of the same types of patterns and the same types of vulnerabilities that are appearing again and again. Have you noticed any new common issues or things that you are seeing a lot more now that you didn't used to see? Or is it kind of

a lot of the same?

Sergey Toshin (28:18.067)
I think I added the last vulnerability category about two years ago in Android. And for iOS, it's like a big sphere right now for researching, and I'm actively adding new categories to iOS because it's an unresearched sphere. But coming back to Android... So...

I think everything is linked, because you have URI parsing. And maybe your new research gives you a new way to hack URI parsing or bypass some checks and so on. And that's why there are existing articles, there are existing researchers, and there are existing posted vulnerabilities about, for example, URI parsing. But you find, I don't know, a backslash attack,

a new research, and you're bypassing a lot of new checks, and it's like a type of old attack, but it's like a new attack. And like the answer, because it was researched previously, there are like existing categories, but it's like, anyway, it's new.

Joel Margolis (teknogeek) (29:22.914)
Yeah

Joel Margolis (teknogeek) (29:29.622)
Yeah, okay. So it sounds like now, as you've continued to go, you've sort of branched into the iOS sphere, just because it's a whole new space. It's a whole new area of research. It's all new, you know, everything. Have you found that a lot of things that worked on Android also have sort of a parallel into iOS, so they work there, but in a different way?

Sergey Toshin (29:54.327)
I believe there are like 80% of intersected categories in Android and iOS, but the biggest problem of Android, like previously, and the biggest problem of iOS right now, is that there are like two types of iOS security.

The first type of iOS security is like an NSO Group that hacks everything in the system, building chains, decompiling everything, reversing assembler. And the second type of iOS security, it's like running an application in an emulator, checking keychain flags and so on. There should be a different, the right type of...

iOS security, doing normal vulnerability tracing, checking deeply. It's not like a super critical vulnerability that gives you root on the device, but anyway you need to protect the application, and you need to do it more deeply.

Joel Margolis (teknogeek) (30:58.602)
Yeah, okay. And have you done any of that deep-level decompiling type of research on iOS? Because when I think about iOS hacking, I think that there's a really large section of it that is essentially zero-day research and looking for bugs that can be used for jailbreaking the system, because it's not easy to root it by default. Is that something that you've spent any time looking at, or is it primarily the applications themselves?

Sergey Toshin (31:25.09)
So actually we're not decompiling it, because there is no good way to get the sources from an iOS application. And that's why, for example, with our customers, we go in with Android, and then we say, like, we also secure iOS applications, and we sign like NDAs, they give the sources, and they are like super, I don't know,

afraid to give sources, because they say, like, we never did that before. But I say, like, okay, your Android application, it's not obfuscated. It's like by default, it's open source. And anyone can take your Android application, so what's the matter to deal with iOS?

Joel Margolis (teknogeek) (31:54.534)
Of course.

Joel Margolis (teknogeek) (32:03.939)
Ha ha

I love that strat, because so many people don't realize that you can just decompile an Android app. That's actually one of the things that I love the most about Android app hacking. I'm a source code person. I like reading the code and understanding how it works, and having it all right in front of me in an application that you can just take apart, you know how everything works. There's no black magic. It's just what you see is what you get. I love that approach to hacking.

And that's always one of the things that's really pushed me away from iOS, is that you don't get that same level of, you know, understanding and readability. It's so much more obfuscated. You have to, you know, read assembly and all this stuff. Has that been a challenge for you as well when moving into the iOS space?

Sergey Toshin (32:52.33)
Um, so actually I didn't, uh, hack like, uh, pure IPA...

applications. Like, I'm not taking it. I never took an IPA file and checked for vulnerabilities. Normally I took, for example, an Android application, checked like deep links, and then I tried to apply them to the iOS application, and sometimes it worked: there's a security check in the Android application, but there are no checks in the iOS application, and that's how, for example, I hacked iOS applications. And the second vector is like...

I took sources and checked for vulnerabilities, adapted the scanner to it, and that's how it worked. But it's really a big problem for us, for a company securing iOS applications. Because when we developed a scanner for Android, we took in a lot of applications, we can analyze, we can get statistics.

Joel Margolis (teknogeek) (33:37.71)
Got it, got it.

Sergey Toshin (33:54.542)
we can check how some new experimental rules work, what's the output. But in iOS we cannot do the same, and that's why we're asking our customers, hello guys, are you okay to... Like, we don't store sources, and that's why they need to share sources via mail or via a link with us, and that's why we're analyzing it.

and like adding rules, checking if something is wrong and there are like undetected vulnerabilities. Yeah, so it's harder with iOS.

Joel Margolis (teknogeek) (34:34.574)
It's a whole different problem space. I really take my hat off to the people who do iOS hacking all the time, because it's a whole different beast compared to Android. I honestly think Android is quite a bit easier. So stemming off of that, actually, lots of people reach out, they always wanna be getting into mobile hacking. I'm sure this is something that people probably ask you as well, but do you have any tips or recommendations or...

things that you would suggest to people who are new to... maybe they're experienced hackers, but they're new to mobile hacking and they don't really know where to start?

Sergey Toshin (35:11.394)
I would recommend taking all the applications and also disclosed vulnerabilities and trying to reproduce some vulnerabilities, checking logs, checking what's going on and touching the vulnerability with your hands. But I think it's a bit harder to get into mobile security, because when you hack in web, you can put an XSS vector super easily and you don't need...

to know like many things, but when you hack mobile applications you need to know like Android context or iOS context, and you need to read the sources, and additionally you need to read the decompiled sources, and sometimes it's harder than reading normal sources. And that's why there are a number of things you need to learn before you get successful in mobile hacking, and it would take some time.

and it would take a lot of effort from a person who wants to start mobile hacking. But if this hill is passed, then you will be getting a lot of money from bug bounties.

because everyone is vulnerable and there are a lot of vulnerabilities, and there are like maybe five persons competing with you, and if you compare it to web bug bounties, there are like 500 people competing with you.

Joel Margolis (teknogeek) (36:40.503)
So true, and that hasn't really changed much either. When I first got into bug bounty, everybody was like, oh, you do mobile hacking, you should hack on mobile, because nobody does mobile hacking, and, you know, five years later, very little has changed. So yeah, absolutely, I totally echo that. I love that piece that you mentioned about retesting vulnerabilities. Do you have any ways that you identify...

Sergey Toshin (36:51.138)
Yeah.

Joel Margolis (teknogeek) (37:07.786)
you know, old reports or stuff that people have published, are you on Twitter a lot? Like where do you find reports to go read and reproduce?

Sergey Toshin (37:19.386)
I believe there are a lot of GitHub repositories that contain links to different disclosed vulnerabilities and to articles, and a person needs to check them. Maybe they don't understand everything immediately, but it's like you're reading something, understanding something, and then coming again and again and again in a loop until you get everything.

Joel Margolis (teknogeek) (37:43.566)
Awesome. Had you ever done any Java programming before you started hacking on mobile?

Sergey Toshin (37:53.77)
The simple answer is no, but when I was a schoolboy, I wanted to create a lot of projects.

And let's say I didn't know anything about torrents. I was like 10 years old and I wanted to create my own website. So it had to be completely free. No light in this, no everything. And people, people freely share their stuff on that website.

And then I learned that torrents exist and there are a lot of such websites, but I was really passionate about this idea and I didn't know why, but I thought that I needed to learn PHP and C++. I don't know why.

Joel Margolis (teknogeek) (38:40.446)
It's a very interesting selection of languages. So those are your first two. And then you kind of just, yeah, I think one of the really challenging things about mobile is that, especially on Android, you kind of almost need to know how to read code. You don't necessarily need to know how to write it, but being able to read and understand what a code snippet is doing is really, really important, especially for the deeper types of vulnerabilities that we're talking about. Not just...

Sergey Toshin (38:44.502)
Yup.

Joel Margolis (teknogeek) (39:07.75)
AI or API, you know, scanning or looking at the requests in Burp or whatever, but actually figuring out what the app is doing requires some level of understanding. And I think that can be a big hurdle. Do you ever have to spend time learning about new things like, for instance, Kotlin? Did you have to do a deep dive on how Kotlin works and stuff in order to figure that out? Or did you kind of just adapt your tooling to figure out...

you know, what does Kotlin look like at the end of compilation, and just, you know, make it work with how it is?

Sergey Toshin (39:45.27)
I think I never adapted the scanner to Kotlin, because when Kotlin is compiled to Dalvik bytecode and then decompiled to Java code, it's the same as normal Java code. There are a lot of different checks and Kotlin stuff, but it's not important from a vulnerability detection perspective. Yes, there are a lot of like...

Joel Margolis (teknogeek) (39:58.222)
Mm-hmm.

Sergey Toshin (40:12.138)
synthetic classes, closures that are compiled to Java classes, and they look like a complete mess when they're decompiled. But anyway, it's not a big problem for vulnerability detection.

Joel Margolis (teknogeek) (40:26.35)
Nice, okay. That's really cool. Man, I'd love to pick your brain in depth about how your whole product works, but I don't want to bore people and have to bleep out a bunch of this episode. So yeah, we'll leave the super technical stuff for off air. But cool, man. I think that was most of the questions that I had. Was there anything else that you wanted to sort of shout out or any, you know, your company, your website, your Twitter, anything like that?

Sergey Toshin (40:56.89)
You can add links to my profiles in your podcast. So you'll have all the bingo: Twitter, website and the blog. Also we can add some of the most popular repositories. They contain a set of disclosed vulnerabilities, a set of articles. There are many of my vulnerabilities and many of my articles. But anyway there are like...

Joel Margolis (teknogeek) (41:02.126)
Absolutely.

Joel Margolis (teknogeek) (41:07.638)
Perfect.

Sergey Toshin (41:23.983)
a lot of different ones, so you can share it with the guys and they can start mobile hacking.

Joel Margolis (teknogeek) (41:30.55)
Awesome, perfect. Yes, we'll put those links down in the description. You can find links to bagipro's profiles, the Oversecured website, the Oversecured blog, a bunch of blog posts and mobile security write-ups. And if mobile hacking is something that you're looking to get into, that is an awesome place to start. Like I said, those are some of the best mobile hacking resources that are out there, especially ones that are up to date and modern and bug bounty focused and that kind of stuff. So awesome.

Dude, this was great. I know it's early over in Asia or Japan or wherever you're currently at right now. So I appreciate you waking up at the crack of dawn and chugging two coffees before you got on here to talk with me. And hopefully you can get a little more sleep after this.

Sergey Toshin (42:18.498)
Yeah, um, when I woke up, I couldn't talk like, oh my god. My tongue doesn't work, my brain doesn't work.

Joel Margolis (teknogeek) (42:26.471)
You joined and you were like, I just woke up ten minutes ago. I was like, do you want to get a coffee? You're like, yeah, I'm gonna go to the coffee shop. I'll be right back.

Sergey Toshin (42:36.642)
Yeah, because yesterday I landed at 1am and I woke up at 7.50am. So... Yeah, it was hard.

Joel Margolis (teknogeek) (42:47.194)
Alright, well then you should go back to sleep. You've done enough brain dumping of mobile security. Thanks very much. Okay, it was awesome talking with you. Alright, peace.

Sergey Toshin (42:54.798)
Thank you.

Sergey Toshin (42:58.382)
Bye.