🔓 Reverse Engineer Android Apps Hands-On!
ANDROID APP TRICKS: DEFENSES AND BYPASSES (2h Workshop) with Dr. ALEKSANDR PILGUN
See how attackers target your favourite Android apps! This hands-on 2h workshop puts you in the reverse engineer's shoes: explore popular RE tools/techniques, spot common weaknesses, analyse real-world apps' protection mechanisms (Google Play & dev hardening), and test their limits. Android devs, bring your own Android app to dissect! By the end, you'll know how to identify/exploit flaws and why many defences fall short.
Led by Dr. Aleksandr Pilgun: University of Luxembourg researcher, ACVTool creator for app coverage analysis, expert in fraudulent apps and FinTech RE.
📅 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
🗓️ Schedule link: https://pretalx.com/bsidesluxembourg-2026/schedule/
Hack like the bad guys (ethically) – bring your own app! 📱
#BsidesLuxembourg #Android #ReverseEngineering #AndroidSecurity #Apps #BSides
For my #reverseengineering fan friends, if you missed it: RE//verse talks now live on YouTube: https://youtube.com/playlist?list=PLBKkldXXZQhD1hzCkhhMQXjEQ_qWnFtQn&si=lG1F0j2loNd6Psjl
Some great presentations on that list, including two really fun keynotes, reversing AoE2 with @ZetaTwo, and a tour-de-force Xbox hack from @gaasedelen!
Signal vs Wire — binary analysis of both APKs (apktool, strings, ELF inspection).
The gap is larger than most people think:
Signal: Rust core (libsignal_jni.so), Kyber-1024 post-quantum hybrid ratchet, SQLCipher for at-rest encryption, SVR with Intel SGX attestation, IME_FLAG_NO_PERSONALIZED_LEARNING (keyboard can't index your messages), zero third-party trackers.
Wire: Kotlin/Ktor, no hardened native core (more accessible to Frida), no SQLCipher (messages extractable in plaintext on rooted devices), no post-quantum, Segment SDK for behavioural telemetry.
But the finding that surprised me most:
Wire APKs from unofficial stores (Uptodown et al.) contain additional tracking workers and ACCESS_SUPERUSER permission requests not present in the official build. Supply chain integrity is not a footnote — it's the threat model.
Conclusion: Signal is the only one of the two suitable for threat models involving physical or administrative device compromise.
The full paper is coming soon.
#infosec #AndroidSecurity #Signal #Wire #ReverseEngineering #mobileforensics #supplychain #MASA
Back home after a great weekend at @ph0wn 🇫🇷
We ran a workshop on "Full system Time Travel Debugging on Android" before attendees took on our #CTF challenge.
The challenge is still live. Try it here 👉 https://ttd.eshard.com
#reverseengineering #ctf #softwareengineering #cybersecurity
Hello, wonderful people. Taking a break is good, so I am taking a couple moments to write the #nakeddiefriday post of the week.
Today we have this interesting sample. Yes, it has certainly seen better days; it's been sitting in a queue for a real while now. This is again a smartcard chip without a name to it. I believe this to be fabbed by Samsung, and to be rather old. The chip is built using poly-gate CMOS with 3 metal layers; later processes moved to a higher layer count.