Huy “Apple”
Around this time last year, there was a “scandal”: several banking apps in Vietnam were found exploiting an iPhone vulnerability to retrieve installed app lists. This is the story of a student in Hanoi I call Huy “Apple,” who helped uncover this.
Huy and his friends made an interesting discovery, but it was a misunderstanding. Banks weren’t monitoring users; they were trying to combat fraud.
Online scams are now a “silent pandemic” in Vietnam. The scammers are organized, technically capable, and constantly bypass banking systems. They trick users into revealing passwords, then bypass eKYC and take over accounts. Stolen funds are then quickly transferred across banks to erase traces.
These operations often rely on jailbroken phones using known apps. That’s why banks check for them. If detected, the bank apps refuse to run.
This approach violates Apple’s policies, but the intent is user protection. I know this firsthand from working on investigations and mitigation efforts. Calif worked with partners and communicated this to Apple (and also Google). Apple understood and only required app updates, not suspension.
Back to Huy. He and a friend reverse engineered and shared their findings on Twitter. I found it fascinating. They’re so young, yet capable of highly technical work.
I messaged Bruce Dang at Apple. He already knew them. In the jailbreak community, they’re well-known. Recently, they even made an iPhone behave like an iPad.
One of our interns in Massachusetts even shared this story. In his computer science class, another student was talking about mobile game hacking. He was curious so he asked what was involved. His classmate showed him some game mods and tools, and said that they were written by some guy named @Little_34306. Our intern was like, “Why does that name sound so familiar?” Then he finds out that it is actually his coworker Huy. You can’t make this stuff up.
When I met Huy, I immediately realized how passionate he is about Apple products and security. He showed me various “mods” on his iPhone. All I could think was: “But I still prefer Android!”, and silently questioned my life choices.
He also brought a backpack with him. After chatting for a while, he opened it and let me peek inside. Oh boy, Bruce once said these hackers have “gear” even better than what you find in the U.S., and he wasn’t exaggerating!
Earlier today, Huy and Bruce co-authored a post on Calif’s blog about iOS anti-tampering and anti-debugging. Just for fun. Since joining us, Huy has worked on several interesting Apple-related projects. Hopefully we’ll be able to talk about those soon.
When Calif started, I didn’t expect to meet so many fascinating people. Everyone has a fun story. If I told them all, we’d be here all night. Maybe I should write a book someday!
Potential conflicts of interest:
I’m an independent board member of VNPAY, which develops some of the banking apps involved.
I’m the CEO of Calif, which provides security solutions to some of the banks involved.
