It’s amazing what you can learn about a mobile app using a zip utility and a text editor.
As someone who has spent years working in the mobile app security space, my two favorite Windows tools are 7-zip and Notepad++. Why? Because every .ipa file you download from iTunes and every .apk file you download from Google Play is just a zip file by another name.
When you unzip one of these apps and start examining the contents with your text editor, you can learn a lot about how the app was put together, including some of the security tricks used by the developers.
Take the Dropbox app, for example.
If you’ve worked in infosec for more than 3 minutes, those two letters (pw) should instantly trigger one word in your mind: password.
(Seriously, I want to give Dropbox props for enforcing this control. I’ve used mobile and web apps that allow for single-character passwords, which is a blatant disregard for the security of the users and of any data they might store in the app.)
I have a hunch that Dropbox may have started paying a little more attention to enforcing password security after their 2014 security incident. Whatever the reason, I’m glad to see them doing it.
The bit about this little HTML file that fascinates me is that ONE LINE of their script contains 85,100 words that their mobile app users are forbidden from selecting as a password, even if these words meet Dropbox’s password complexity requirements.
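To show why a list like this matters even when a complexity rule is in place, here is an added example (my own code, not Dropbox's): a validator that applies an assumed complexity policy and then rejects any candidate found in a one-line, whitespace-separated word list. The word list below is a constructed sample, not the real 85,100-word list.

```javascript
// Added example, not Dropbox's code. The denylist here is a constructed
// sample on a single line, mimicking the one-line script the post describes.
const DENYLIST_LINE = "password Password1 letmein qwerty123 dropbox Summer2014 iloveyou";

// Parse a one-line, whitespace-separated word list into a Set for O(1) lookups.
// Entries are lower-cased so the check is case-insensitive ("PassWord1" is
// caught as well as "password1").
function parseDenylist(line) {
  return new Set(line.trim().split(/\s+/).map((w) => w.toLowerCase()));
}

// Assumed complexity policy (not Dropbox's actual rules): at least 8
// characters, containing at least one letter and one digit.
function meetsComplexity(pw) {
  return pw.length >= 8 && /[A-Za-z]/.test(pw) && /[0-9]/.test(pw);
}

// Returns null when the password is acceptable, otherwise a short reason.
// The denylist check runs after the complexity check on purpose: a password
// can satisfy every complexity rule and still be one everyone guesses first.
function checkPassword(pw, denylist) {
  if (!meetsComplexity(pw)) {
    return "too weak: needs 8+ chars with a letter and a digit";
  }
  if (denylist.has(pw.toLowerCase())) {
    return "forbidden: appears on the common-password list";
  }
  return null;
}

const denylist = parseDenylist(DENYLIST_LINE);

// "Password1" passes the complexity rule but is still rejected by the list.
console.log(checkPassword("Password1", denylist));
// A password that is both compliant and not on the list is accepted (null).
console.log(checkPassword("Tr0ub4dor&3", denylist));
```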
Of all the word lists in all the apps in all the app stores in all the world, this list appears in theirs.
If you work in the infosec industry, especially if you’re a pen tester, you might want to consider adding this word list to your toolkit. If it’s good enough for Dropbox’s 300+ million users, it ought to be good enough for you, too.
(I know it goes without saying, but I’m going to say it anyway. This word list contains a handful… well, more than a handful of NSFW passwords. Don’t be stupid and end up in an HR disciplinary meeting because you decided to send this word list to all your users as part of your security awareness training program.)