Mobile hacking has become an essential part of the bug bounty hunter’s tool belt, and no one knows the space better than Russian Android hacker Sergey Toshin, aka @bagipro. With years of experience, he’s currently ranked as the number one hacker in the Google Play Security Reward Program and is listed on Evernote’s Security Hall of Fame. Most recently, Sergey founded Oversecured, an automated mobile app scanner that checks for all known Android- and Java-specific vulnerabilities, such as arbitrary code execution, theft of arbitrary files and cross-site scripting. Even though this startup venture is taking up most of his time, he loves to travel and visited more than 25 countries before the pandemic lockdown. Sergey also loves seeing the world through the windshield of his Ford Mustang, which he drives every night before dawn. Check out our interview with him below to learn more.
How did you come up with your HackerOne username?
This is a super funny story. I earned my first money collecting scrap metal when I was nine years old. Over the summer, my friend and I earned about $10 each (in those days, that seemed like a crazy amount!). We had a cart, which we made from a stroller that we found somewhere. Instead of a cradle for a child, we tied on two boxes (top and bottom) and put the scrap metal we found on the street there. And we named this cart "bugiZ300". We also had a second cart made using the same technology called "bugi luxembourg", but after a month, someone stole it. We chose these names because they were funny. I got connected to unlimited internet in 2008 and started using the "bugi" nickname, but people on forums started calling me "bagi". Moreover, other forums had restrictions on the length of the nickname, so I had to add some ending. I added "pro" as the pro version of bagi. That's why I'm “bagipro” now :).
How did you discover hacking?
In 2007 I watched the "Hottabych" movie. It's about a guy who hacked Microsoft and defaced their main page. It changed my mind, and I wanted to become a hacker because it seemed too modern and interesting (before that I wanted to be a truck driver because they travel too much, and an archaeologist because that also involves being curious). After some time, I started programming in C, C++, PHP, and Java. But a relocation to Moscow in 2014 and finding my first office job at a position in mobile security turned me onto mobile app hacking.
What motivates you to hack and why do you hack for good through bug bounties?
I automated the search of all known Android vulnerabilities and founded a startup called Oversecured. It allows security researchers to scan arbitrary Android apps and send alerts for vulnerabilities found, after companies upload each new version. And now, it's cool to see how tricky vulnerabilities are detected in popular apps. Some time ago, I was motivated to test my tool in real apps and get feedback to improve the scanning technology. But now I'm using money received from bug bounties to fund my project and advertise it in bug bounty reports.
What makes a program an exciting target?
An exciting target is a non-obfuscated Android app :D. It's much easier to understand what's going on in a particular source.
How many programs do you focus on at once? Why?
I never focused on a program (except Google Play SRP). Usually, it works like this: I download hundreds of apps from different programs and scan them, then report bugs. If I see a big app with multiple features and only a few vulnerabilities detected, I start searching for bugs manually and debug the scanning core to check why they were missed.
How do you prioritize which vulnerability types to go after based on the program?
The vulnerability scanner does all that work!
How do you keep up to date on the latest vulnerability trends?
It's very rare to see a disclosure or a write-up related to Android security. Some of them are published in Telegram channels (such as "Android Security & Malware"); I also check out the Android Security Bulletins. That's why I try to make them! I write articles and post them on blog.oversecured.com, then repost on Twitter, and add them to different write-up databases, e.g. on GitHub.
What educational hacking resources do you wish existed that don't exist today?
I have an idea to create a repository with hundreds of tiny vulnerable apps, so new people in Android security can practice how to exploit vulnerabilities and bypass different security checks.
What do you enjoy doing when you aren't hacking?
I have a Ford Mustang and drive each night at 3-4 am, within 2 hours before sleep. Before the lockdown, I traveled a lot and visited over 25 different countries. But the startup takes a lot of time: I need to talk to the designers and the developers and give them tasks, check the results, improve the scanning core and the rule set, perform research, write articles for blog.oversecured.com, talk to journalists, and earn money to fund everything, so I currently don't have a lot of free time.