Here is this year’s write-up for my mobile challenges from BsidesSF CTF 2021. This year I wrote two mobile challenges — Charge Tracker and Message Store. As always, I tried to make them fun and applicable in the real world. With that let’s dive into the challenge writer PoV for these challenges.

Charge tracker

This is a 101 Android reversing challenge that prints the flag to the debug log stream when the battery level is 49% (a reference to the 49ers).

Here is the pertinent code block:

// Logged on every battery update; level is the current charge percentage
Log.d("Battery update:", levelStr);
if (level == 49) {
    // The flag is assembled from a string resource, a second part and a literal suffix
    Log.d("Flag:", getResources().getString(R.string.part1) + part2 + "1tN0w}");
}

The flag is…


Here is this year’s write-up for my cloud challenges from BsidesSF CTF 2021. This year I wrote two cloud challenges — Whole New Me and Shout into the Void. As always, I tried to make them fun and applicable in the real world. With that let’s dive into the challenge writer PoV for these challenges.

Whole new me

This challenge centered around App Engine, Google’s serverless platform for developing and hosting web applications. Specifically, it focused on how App Engine managed application versioning. I tried to hint towards versioning through the name, domain (appspot.com) and description,

If a player inspected the HTML source…


Following the tradition of the past few years, here is this year’s writeup for my challenges. Unlike previous years where I (almost) exclusively wrote mobile challenges, this year I tried my hand at writing web challenges. Web challenges proved to be a lot easier to write than mobile because I didn’t have to grapple with Java and Android idiosyncrasies.

The primary focus for all my challenges was making them fun and applicable in the real world. I modeled them after bug bounty reports or issues I had seen first-hand. …


Disclaimer: I am not an expert on mentoring; this originally started as a philosophical rant that ended with a caffeine-fueled research binge. It is a topic I feel passionately about and wanted to share my views on. This does not in any way reflect the views of my employers — past, present or future.

Acknowledgements: A big shout-out to Phil Ames (@philames), David Tomaschik (@matir), Conan Dooley (@conandooley) and Matthew Bryant (@iammandatory) for their valuable input and feedback.

Not enough people in security

Security is an ever-evolving and growing industry; with data breaches becoming a major concern, companies are keen to hire…


Weather Companion (350 points, 11 solves) — Mobile, Reversing

“A simple weather application that fetches and displays the weather. What hides within?”

After loading and running the application in Android Studio, you will see that it displays the weather. The application makes one request to pull down a JSON file — https://storage.googleapis.com/weather-companion/weather.json?GoogleAccessId=weather-companion-service-acco@bsides-sf-ctf-2019.iam.gserviceaccount.com&Expires=1554057388&Signature=Zwv1...snip…

This is a signed URL, a way of authenticating a request to fetch a resource from a Google Cloud Storage bucket. Let’s dive into the decompiled application to understand what is going on under the hood. ProGuard was used to obfuscate the application’s code, which makes it fairly hard to read. The classes in…


I was part of the BSides San Francisco CTF crew for the third year in a row; this year I contributed four challenges and helped out with Slack / scoreboard support. The other organizers include -

The team is always a pleasure to work with and a delight to learn from. We scrambled frantically before d-day but pulled through without major hiccups, like they say “The…


Web applications are central to our day-to-day activities — this includes banking, shopping, email, and social media. Given that the web has become a central fixture in our lives, understanding the fundamentals of web application security is more crucial than ever. Books like The Tangled Web, The Web Application Hacker’s Handbook and Hacking Exposed: Web Applications are great introductions to the concepts but are not up-to-date. This tutorial series is meant to be a beginner-friendly introduction to web application security, taking into account newer attacks, techniques and mitigation methods. …


  1. Find an area that interests you the most and focus on it. When you are starting out in security it is best to specialize; this is good for both employment opportunities and personal growth.
  2. Be prepared to work hard; security isn’t easy. The more you dig into a topic, the more you spot gaps in your understanding. Treat it as an opportunity to learn new things and keep at it.
  3. The learning never stops in security. Things constantly keep evolving, and if you stop staying current, you will fall behind. …


I constantly find myself questioning if I belong in my line of work. Working with incredibly talented security engineers is a great way to constantly learn new things, but in my case it also doubles as a constant reminder that I don’t perform as well as the rest of my team.

“Do I belong here?”, “Am I technical enough?”, “Why am I not as smart as them?” are some of the questions I deal with on a regular basis. This is all part of having imposter syndrome, which makes me undermine both my work and the recognition it receives…


(Originally published on Mar 1st, 2017)

A couple of weeks ago I had a blast organizing the BSides SF CTF alongside — @bmenrigh, @CornflakeSavage, @iagox86 and @matir. The CTF had challenges that were primarily in the easy to intermediate range, with a few curve balls thrown in for the seasoned players. We had a few on-site challenges, including a lock picking challenge by @bmenrigh and @matir. This was by far my favorite challenge, which had a lock mounted on a wooden post that was hooked to a receipt printer. …

Security Engineer in Silicon Valley, foodie, gamer and serial doodler. Specializes in red teaming and application security.
