Schedule
DEF CON 34
The DC34 schedule is being finalized. Check back for updates!
DEF CON 33
Friday
Testing Environment Setup and Local Storage Enumeration
This session will walk you through setting up a mobile testing environment and extracting APKs from installed apps. You'll also explore how to locate and analyze sensitive data stored locally, including shared preferences, databases, and more.
Rooting the Rootless: Kernel Tactics to Nullify RASP Protections
Mobile apps today depend heavily on Runtime Application Self-Protection (RASP) to stay secure while running. But attackers are getting smarter. They're finding new ways to slip past these defenses by going deeper into the mobile operating system and targeting the kernel itself. This session explores how attackers manipulate mobile kernels to bypass modern RASP protections through live demos, covering kernel architecture, vulnerabilities, and memory manipulation techniques.
Matrioska: A User-Centric Defense Against Virtualization-Based Repackaging Malware on Android
The Android virtualization technique allows an app to create independent virtual environments running on top of the Android native one. While the technique has legitimate uses, attackers have identified ways to exploit it — researchers have found 71,303 malicious samples. This talk presents Matrioska, a new defense mechanism that achieves 99% accuracy in detecting virtualization-based repackaging attacks, outperforming state-of-the-art solutions.
Bypassing Security Mechanisms Using Application Patching and Code Instrumentation
This session will walk you through bypassing mobile app security protections like root detection and SSL pinning using tools like Frida and apktool. It covers both static patching and dynamic code instrumentation to help you manipulate app behavior for testing and analysis.
Saturday
Cracking the Vault: Runtime API Testing in MDM-Locked Apps
This workshop dives deep into bypassing typical MDM-imposed restrictions to perform dynamic runtime API testing on apps that rely heavily on MDM policies. Walk through the Appknox approach for injecting custom instrumentation and intercepting APIs in live environments — without root, jailbreak, or MDM tampering.
Hunting Advanced Mobile Vulnerabilities with AI
What if AI could perform autonomous vulnerability research? This talk demonstrates how AI agents, powered by LLMs and custom tooling, can analyze Android applications, uncover advanced vulnerabilities, and assist in exploit development. Starting with the open-source JADX MCP plugin for static analysis, discover how AI can reason about app structure and find real-world vulnerabilities.
Examining Access Control Vulnerabilities in GraphQL - A Feeld Case Study
Using the Feeld dating app as a case study, this talk dives into how the lack of access controls in GraphQL and REST endpoints led to exposure of users' personal data — including sensitive photos, videos, and private messages. It covers common access control vulnerabilities, real-world examples, and remediation strategies.
Traditional Pentest Meets AI: New Challenges in Android Security
This presentation explores the evolving landscape of Android application security testing as artificial intelligence becomes increasingly integrated into mobile devices. The talk bridges traditional penetration testing methodologies with emerging AI-specific security challenges, providing practitioners with updated frameworks and tools for comprehensive Android security assessments.
Friday – Sunday
Demonstration
A dedicated area equipped with the necessary tools, where visitors can experiment with various techniques and concepts under expert guidance.
Mobile CTF
Capture the Flag events featuring mobile application security challenges at varying levels of difficulty. This beginner-friendly contest includes challenges across: Dynamic Code Instrumentation, Reversing Native Code, Code Obfuscation/Deobfuscation, Exploiting App Components, Malware Analysis, Mobile Forensics, Bypassing Security Mechanisms, and Exploiting WebViews.