From OWASP to App Secrets – Lessons Learned

Hosted by Nicolas P.
Details
This event is organized as an on-site event only.
1. Talk: "SBA Top 10 Software Vulnerabilities - a Revue"
By: Fabian Funder (SBA Research)
2. Talk: "Leaky Apps: Large-scale Analysis of Secrets Distributed in Android and iOS Apps"
By: David Schmidt (University of Vienna)
Talk language: English
On-site event only! Location: Floragasse 7, 1040 Vienna (5th floor)
Further information will be announced soon!
Agenda
*********
17:55: Gathering
18:05: Welcome
18:10: Talk: "SBA Top 10 Software Vulnerabilities - a Revue"
18:40: Talk: "Leaky Apps: Large-scale Analysis of Secrets Distributed in Android and iOS Apps"
19:10: Food, Drinks & Get together
Looking forward to seeing you there!
Picture source: Generated with AI (DALL·E)
Talks & Speaker Details:
"SBA Top 10 Software Vulnerabilities - a Revue"
SBA Research presents its very own "Top 10 Software Vulnerabilities" – a revue based on real-world penetration testing results in Austria. By analyzing and comparing findings from numerous projects, we identified the most frequent and impactful weaknesses that organizations face in practice. This talk provides insights into our top 10 list, highlights recurring security pitfalls, and shows what we encounter most often in Austrian systems.
Speaker Fabian Funder:
Fabian is a security consultant at SBA Research specializing in penetration testing and auditing of web and mobile applications. His work includes source code reviews, architecture assessments, and penetration tests to identify and mitigate software vulnerabilities.
"Leaky Apps: Large-scale Analysis of Secrets Distributed in Android and iOS Apps"
This talk presents a large-scale analysis of 10,331 Android and iOS apps to uncover how secrets are embedded and leaked. We found 416 valid credentials across 65 services, including Git keys exposing thousands of repositories. iOS apps tend to reveal more secrets than Android apps, and even when developers remove credentials in updates, they often forget to revoke them, leaving the affected systems exploitable.
Speaker David Schmidt:
David is a PhD student working in the CD Laboratory AsTra at the University of Vienna. His work focuses on large-scale analysis of the mobile app ecosystem, developing automated techniques to uncover security and privacy vulnerabilities. By accelerating the detection of security issues, his research aims to strengthen the overall security of mobile apps.