Securing the digital experience for millions of customers.
For one of the world’s largest entertainment companies, delivering ticketing services, concessions and streaming content to more than 60 million customers around the globe every month, security is paramount. Serving so many diverse users brings attention, and sometimes unwanted attention. Hackers and malicious users can take advantage of applications and digital products that aren’t properly secured. This can put people and their data at risk. To identify and mitigate risk, then make the necessary fixes to prevent an incident before it happens, they turn to RIIS.
Hacking the planet.
The client delivers entertainment services around the globe to millions of users every day. But, in addition to the number of people they serve, they provide content to all these users on a large number of platforms ranging from iPhones, iPads and Apple TVs, to Android phones, tablets, TVs and the Oculus Quest VR headset, Amazon Fire Sticks, Facebook portals and more.
Putting on our bad guy hats.
Whenever the client has an application that’s ready to be updated or released, they give us a copy and we immediately start thinking like the bad guys. During our audit, we test for issues both manually and with scanning software, using the techniques a hacker would use. We look for ways to extract credit card or user information. We also look at the technology used to supply the applications with their content. If we find a vulnerability in either the application or its supporting technology, we bring it to the attention of the development team and offer paths to a successful fix.
Knowing the right tool for the hacker’s job.
Even though the applications run on such a diverse collection of devices, they fall largely into one of two categories: iOS or Android. This allows us to reuse many of our tools and methods from engagement to engagement, just like an attacker would. When performing a penetration test on mobile apps at RIIS, you need to be proficient in developer tools like ADB and Xcode, as well as being skilled in the “dark arts” and their many tools.
Getting the loot.
The objective for us when performing a penetration test on a new application is to secure as much as we can, but we also always try to find “the goods” that would motivate a hacker. We made it more difficult for hackers to intercept traffic from the application and target its users by implementing effective certificate pinning. Proper encryption made it more difficult to defraud or steal tickets from the applications. And, in some cases, we have even noticed issues with partnering organizations, such as reflected XSS or open redirects. Getting those issues corrected was a big win for the client and RIIS.
Audits don’t have to be painful.
It’s important to effectively hand off new applications from their team to ours so they can be audited and released to the public without delays. We accomplish this with regular team calls and updates about pending features we may need to test, including any that require new hardware. Staggering releases where possible so there are no bottlenecks or overloads is another key element. When combined, these processes make it possible to deliver regular security improvements at scale for millions of users around the world. At RIIS, this is the type of positive impact we strive to deliver for all of our clients.
Key technologies used.
As previously mentioned, some standard development tools are necessary for what we do and helpful for debugging. Those include ADB for the Android world and Xcode for iOS. Some of the tools we use when performing the “dark arts” include Fridump, Passionfruit, MobSF, Burp Suite and Shodan. We wouldn’t necessarily recommend that you try those at home, but for this job we have to think and act like the bad guys to keep all the good guys safe.
Key Services Provided: