What The Frida Gave Me: A Novel Take on E-Ticket Forging and E-Ticket Stealing

Millions of people rely on mobile e-ticketing applications to get from Point A to Point B every day. These applications serve as vital components for mass transit and essentially power America’s major cities.

But thanks to Frida – a well-known but not very popular dynamic instrumentation framework – you can easily reverse engineer mobile e-ticketing applications. In this talk, we’ll explore new application-specific attack avenues using Frida. We will be leaving the jailbreak bypasses and SSL pinning bypasses of yesteryear by the wayside as we explore a new attack vector. We’ll use Frida’s code injection and module loading capabilities to demonstrate e-ticket forging and e-ticket “stealing.” (And your commute just became that much less of a pain.)

Expect to learn how to analyze intermediate-level obfuscation measures in mobile applications, such as encrypted HTTP bodies and encrypted application storage. This kind of analysis can be instrumental in uncovering security vulnerabilities.

Note: I was involved in the responsible disclosure process, but the vendor does not consider this a vulnerability.