Rabbit Hole Adventures: AppSec Teaser

I’m not saying that putting on makeup will change the world or even your life, but it can be a first step in learning things about yourself you may never have discovered otherwise. At worst, you could make a big mess and have a good laugh. - Kevyn Aucoin

Prologue

This is just a teaser and the adventure will be short, but I do hope you will join me on this journey.

Mobile applications: while we use them every day, I had one main goal, to learn how to identify vulnerabilities. I headed to Google Chrome and entered the text "tools for mobile security" into the search bar. Well, that was the wrong way of starting it, but it got me somewhere.

While learning how to review a mobile application, if you are in my shoes right now, reading this blog looking for a tool that does it out of the box, just stop right there ⛔⛔⛔.

In this blog post, I am going to give four lessons that I learned and will be using in my everyday engagements.

Lessons

  1. Lesson 1: Set your goals. Having a set of goals allows you to narrow your research and be precise about what you are looking for. (Example: what kind of test do you want to conduct, and why?)
  2. Lesson 2: Cover the basics. You have to know what the application does, how it works, and how its functions were implemented in order for them to work. (Example: what is SSL pinning and how does it work?)
  3. Lesson 3: Take your time to read and understand. Once you have learned and grasped a concept, the road to trying it out in practice will be easy. If you have the time, you can create a small application that implements SSL pinning, or you can sketch how SSL pinning works in a notebook.
  4. Lesson 4: Do it manually first. This is something my friends who have grasped unique techniques have reiterated every time we sit down with them: before you go ahead and run a tool, first try doing it manually.

Epilogue

Before I got to learn what application security is, I felt like I had a hammer and never knew where to start looking for holes to break. I learned this the hard way, and I am proud that everything was a success. It was interesting, and I will take this knowledge and finish a mobile application CTF series I have been sitting on for a while now.

This time I don’t have any resources to share, but I would be happy if you would share any resources to keep me going on this journey. Here is my Twitter handle: @th3_gr00t.


© GR00T