My computer, my data, my code - liberating your data from user-hostile apps.
This 2-hour workshop will guide you through analysing a real application and re-implementing just enough of it in code to get your own data out.
Date: Saturday, 24th February 2024
Venue: smallcase, 51, Convent Road, Richmond Town, Bangalore
Time: 11 am.
RSVPs are closed, but reach out if you're interested: https://fossunited.org/meetup/rsvp/2024/02
Learning Outcomes:
- A basic idea of what goes into re-implementing real-world applications as FOSS: which tools are required and what actual flows look like.
- Experience with ZAP/mitmproxy, the open-source proxies for such use cases.
- A better understanding of HTTP, sessions, authentication.
- Writing some basic web request code, generating CSV files.
Pre-requisites
- Basic understanding of at least one programming language. Ideally one of Python/Ruby/Bash/JavaScript, but others will also do.
- A mobile device - either iOS or Android will do. Recommended, but not necessary.
- A laptop with a working *nix setup and WiFi. WSL/macOS/Linux should be fine.
- A working setup of your favorite programming language.
Workshop Flow
- Agenda, Fundamentals Workshop Walkthrough - Tooling introduction, and explanation of fundamentals (HTTP Requests, Proxies, Reverse Engineering, FOSS)
- Traffic Capture & Analysis - Walk everyone through signing up and using the application while attached to a proxy. Basics of ZAP (first 15 minutes), then letting users play around for the next 30 as we guide them towards web flows.
- Code Generation - Simple code generation using tools such as https://curlconverter.com/. Understand what the code does.
- Data Export - Final code changes to generate your data export, suggestions for improvements etc.
Non-Goals
Because this is a short 2-hour workshop, we cannot go in depth; it is meant as a beginner-friendly workshop to dip your toes in the field. A few call-outs for what will not be covered:
- Learning Reverse Engineering - We cannot deep-dive into learning Android/iOS RE skills, and will limit ourselves to just traffic analysis.
- Teaching Basics of Programming - We assume you know how to code in at least one programming language, and are sufficiently proficient to know how to make web requests in your language of choice.
Workshop Trainers
Nemo is the creator of endoflife.date. Previously, he was a founding engineer at Razorpay, where he reversed applications for fun and fintech.
Vivek is an ex-engineer at Razorpay; he hacks things for fun and profit.
Both of us have conducted workshops together in the past.