Application Security

Nullcon 2022: Tech Talks Compilation 1

Application Security
Sep 26, 2022
5 mins
Ajmal M

This is a serialised narration of the Tech Talks that happened over Nullcon 2022. Contributors include: Ajmal M,Anurag M, Bhagavan B, Saumya K, Sai Deepak and Varun B

What is the crux of Nullcon other than you get to meet and network with many people? Yes! The talks by the legends - researchers and security experts – folks you would have seen only on internet so far. Also, the opportunity to meet and share your thoughts, take advice right from them in person. Here all of us at Appsecco were super excited to spend time at Nullcon. It was the first ever security conference experience for many of us.  

The talks cover a grand diversity of topics ranging from the important basics - how to get your documentation right – from there up to kernel hacking. There were talks on malware research, the CXO track, hacking web3, electron, and lot more from the experts.  

The purpose behind writing this blog is to share all our learnings with the world – for those who could not attend them or for those who may want to look back. Each of us, from Appsecco, will be putting down our short notes on what we found interesting and what we learned from the talks. We will let you proceed right to the interesting sections from here.  

AUTOMATE YOUR WHATSAPP CHATS - Aditi Bhatnagar

Byline : Anurag M

Everyone want their life to become accessible, so I thought of attending this talk where I thought how cool it would be to send automatic replies to my friends on Whatsapp. And in this talk,the speaker explains how to automate your chats on Android devices. So, to make a bot that can reply to chats, we need the bot to do these three things:

  1. Read the screen.
  2. Type a message in the chat box.
  3. And press the send button

To do the above, Android has a feature known as Accessibility Service which is an alternative to communicate with the application. Google provides some Accessibility services like Talkback, Voice Access, Text-to-speech, etc. but the Accessibility services which come pre-loaded in Android are not enough to serve the purpose. So, the speaker decided to create her own Android Accessibility Service.

In the above documentation, there is a section called “Take action for users” which states “Accessibility services can act on behalf of users, including changing the input focus and selecting (activating) user interface elements" which the speaker leverages for automating the chats.

Like any other Accessibility Service, this chat accessibility service will continue to run in the background taking callbacks from the system when the accessibility events are fired. So, what the application does is:

  • It has a UI where you can insert the name of the person for which you want to automate your chats.
  • Enter the text which you want to send.
  • Whenever the WhatsApp screen opens, it tries to match the name of the person you have entered in the application and sends the message.

So, by using the Accessibility service you can automate not only WhatsApp but almost everything. All you need is your own custom Accessibility service according to your need.

You Automated Whatsapp but how does this impact Security?

Most malicious malware uses Android Accessibility Service to read what’s on your screen, acting as keyloggers orcan perform actions that users are not aware of. Allowing permissions while installing an application to use an accessibility service has impacted the victims to transfer funds to the actor’s controllable account. These activities go undetected because it’s an Android inbuilt feature and the actor can also tweak the settings so you may not know that you granted permission to such a service.  

Prevention:  Don’t accept all the unnecessary permissions while installing an application and double check on the Accessibility Services running on your Android Device.

MAKING SURE YOUR DOCUMENTATION IS AS GOOD AS YOUR FINDINGS - Paula Pustulka, Cure53.

Byline 1 : Sai Deepak

The talk covered about importance of documenting and reporting a bug which can be understood easily by multiple audiences with different knowledge levels of the audiences.

If a report is not clear, then there is good chance of getting rejected. Rather, if the document is readable by everyone then there is better chance of recognition and getting rewards.

The talk covered about markers of a good bug report which are structure, understanding and readability. People need to know the audience they are targeting, analyse the knowledge of the audience and try to imagine different scenarios before writing the report.

The team should get feedback everytime so that people can correct the mistakes and make note of them and modify every time.

Formatting of document is also important such as creating a glossary if complex terms are used in the document. Also, the importance of using gender neutral pronouns such as they instead of using he/she throughout the document.

The talk also covered certain good practices while writing report such as writing short sentences, if abbreviations are used, try to expand them, explain one idea in one paragraph,including screenshots and videos when possible, using bold and italics strategically in the report.

Byline 2 : Anurag M

The speaker emphasizes that while writing a report if you can try to answer on “What’s going on” (5Ws) and “How can I help” (H1) will help you to make your report more structured,understandable and readable. These are as follows:

  • **Who** is affected? (W1)
  • **What**happened? (W2)
  • **When** did it take place? (W3)
  • **Why** did it take place? (W4)
  • **How** do we fix it? (H1)

According to the speaker, general good practices include paying attention to Structure, Readability and Understanding.

More Tips given by speaker:

  •  5Ws & 1H can be used to structure your Introduction and Conclusion.
  • Create a template for your report or choose one for yourself and stick with it.
  • Try to consistently use one font, one alignment, equal spacing between paragraphs, and use bold, italics, and underlining appropriately when writing a report.
  • Avoid highlighting unless it has a meaning to it. You should use specific colors to highlight. For example: If it is a Critical finding highlight it with red color.
  • Make sure that you do not alter terminology (or how you spell a term) throughout report.Example: XSS, xss, xss, Xss, Cross-site-scripting, Cross-Site scripting...
  • Don’t just copy paste the code. Use markdown, screenshots and use fonts which resembles to code to give it better readability.
  • Use spell-check,grammar check and some AI based applications to assist while writing. Eg: Grammarly, Wordtune etc.
  • While attaching screenshots or images, check their quality and size. Make sure to maintain consistent size of image across the report.
  • Add caption to each image or screenshot you are attaching.
  • Research technical writing resources online. Read some good reports from good sources to increase your technical as well as report writing skills.

## End of Part 1  ##

With that we’ll conclude the Part 1. We couldn’t fit it all in a single post 😀. The next part in this series continues...

Special Mention Cover Picture Courtesy Anand Prakash. We LOVE IT Anand.

HAZE WEBFLOW TEMPLATE

Build a website that actually performs better.

1
Lorem ipsum dolor sit amet consectutar
2
Lorem ipsum dolor sit amet consectutar
3
Lorem ipsum dolor sit amet consectutar