AMA with Yanick Fratantonio

Research @CiscoTalos 🔬 | Ex-Prof @EURECOM 👨‍🏫 | Malware & Android Security 🦔 | Shellphish/NOPS hacker 🐱‍💻

  • What are some of the best resources to get started with android pentesting?

    • I’m not a professional Android pentester, but literally all I know is dumped into material at https://mobisec.reyammer.io (where you can also find links to resources from other mobile security experts, many much more expert than me).

  • How can CTFs help with the resume?

    • Personally, CTFs helped me in many ways, but for the CV, I think it’s important to have some “public evidence” (writeups, etc.) of what your level is. Anyone can add “played CTF xyz” on a CV, but to “count” it’s better to have something to support “hey I actually did stuff”.

    • Honestly, I would never suggest anyone to “play CTFs for the CV”. If they are fun (for any reason), great, if they are not, then I would spend my time in different ways.

  • If you would hire a person, what are the important things you would be looking for (in CV) apart from certifications?

    • In no specific order: some hints about 1) hands-on experience (regardless of CTFs, certifications, etc.); 2) open/flexible mindset: challenges will always be different, and knowledge often becomes stale: be ready (and happy!) to learn more; 3) team player: alone you can’t do much.

  • How can I get good at static analysis and reversing of Android applications?

    • About static stuff: practice, practice, practice. Start with coding your own thing and check how it shows up in the APK, play with wargame/CTF challenges, try to take some real apps and try to understand how they do things (regardless of finding bugs).

  • Can we leverage SAST in bug bounty? Is there any methodology for that?

    • It depends on what you mean by SAST. I’m positive about custom static analysis / tool that you write to check for specific classes of bugs… but complex/expensive off-the-shelf static tools? Not sure, & the real answer is “I have no idea”, never played much with them.

  • In which version of Android did you find your first bug? How much has Android security improved over these years, comparing that version with today’s, i.e. versions 11 and 12 (Beta)?

    • Many of the bugs “I” found were thanks to collaborations with amazing people so for this question I don’t count those… but the first Android bugs that I really felt “mine” + an were in Android 5/6/7, which then led to https://cloak-and-dagger.org.

    • About how much the security of more recent Android versions improved… I would say “immensely”. One of the best “summaries” of improvements is at https://source.android.com/security (see links on the left).

  • What is a better roadmap to bug bounty?

    • In terms of roadmap to bug bounty: I’m not a professional pentester, and I’m not sure I have anything to add wrt the previous @sillydadddy’s AMA amazing people! As lame as it is, I would redirect you there.

The original Twitter AMA can be found here: https://twitter.com/sillydadddy/status/1409743015212556290