Luxembourg Vibe-Code & Hack Apps

What happens when a security researcher downloads iOS app from the App Store and starts pulling it apart?
In this live session, you'll find out — no slides, no theory, no mercy.
I'll take a real iOS application, download it, and perform a full static security analysis live — step by step, using professional-grade tools. You'll watch as hardcoded secrets, insecure data storage, weak encryption, and exposed API endpoints surface in minutes.
Then, for a bonus round, we'll take a quick look at a banking app from the wild to see how the same mistakes show up in financial software handling real money.

What you'll walk away with: — How attackers reverse-engineer iOS binaries — The most common security mistakes in production apps — What static analysis actually looks like in practice — Why "it's on the App Store, so it's safe" is a dangerous myth

Who this is for: iOS developers, security engineers, tech leads, and anyone responsible for the security of mobile applications.

About the host: Sergii Koval — 15+ years in iOS/macOS security. Security architect for banking and enterprise platforms. Creator of Threat Explorer, a proprietary iOS security analysis platform. Based in Luxembourg.

Format: Live demo via Google Meet. ~60 minutes. Free. Recorded for YouTube.
This is part of a monthly series. Each session, a different app goes on the table.

What happens when a security researcher downloads a health app from the App Store and starts pulling it apart? In this live session, you'll find out — no slides, no theory, no mercy.
I'll take a real healthcare iOS application, download it, and perform a full static security analysis live — step by step, using professional-grade tools. You'll watch as unencrypted databases with patient information, Firebase configurations leaking backend data, hardcoded API keys, and user profiles stored in plain text surface in minutes. Then, for a bonus round, we'll examine how a well-known health or fitness app handles your medical data behind the scenes.

What you'll walk away with: — How health apps store your most sensitive data (and how poorly they protect it) — What Firebase misconfigurations actually expose in practice — Why local databases on your device are rarely as encrypted as you'd expect — How attackers move from a single leaked config file to full backend access.

Who this is for: iOS developers working with health data, product managers in MedTech, security engineers, and anyone building apps that handle personal or medical information.

About the host: Sergii Koval — 15+ years in iOS/macOS security. Security architect for banking and enterprise platforms. Creator of Threat Explorer, a proprietary iOS security analysis platform. Based in Luxembourg.

Format: Live demo via Google Meet. ~60 minutes. Free. Recorded for YouTube. This is part of a monthly series. Each session, a different industry goes on the table.

What happens when a security researcher downloads a government app from the App Store and starts pulling it apart? In this live session, you'll find out — no slides, no theory, no mercy.
I'll take a real government or public-sector iOS application — digital ID, tax portal, public transport, municipal services — download it, and perform a full static security analysis live. You'll watch as exposed server endpoints, weak transport security configurations, unprotected API routes, and sensitive URLs embedded in the binary surface in minutes. Then, for a bonus round, we'll look at how network traffic from a government app behaves when someone is listening.

What you'll walk away with: — How government apps construct and expose their network requests — What a man-in-the-middle interception actually reveals in practice — Why the largest user base combined with the slowest update cycle is a security problem — How hardcoded server configurations become an attacker's roadmap.

Who this is for: developers in the public sector, civic tech practitioners, security professionals, and anyone who uses government apps daily and would prefer to know what's going on under the bonnet.

About the host: Sergii Koval — 15+ years in iOS/macOS security. Security architect for banking and enterprise platforms. Creator of Threat Explorer, a proprietary iOS security analysis platform. Based in Luxembourg.

Format: Live demo via Google Meet. ~60 minutes. Free. Recorded for YouTube. This is part of a monthly series. Each session, a different industry goes on the table.

What happens when a security researcher downloads a dating app, a fitness tracker, or a food delivery app from the App Store and starts pulling it apart? In this live session, you'll find out — no slides, no theory, no mercy.
I'll take a real social or lifestyle iOS application, download it, and perform a full static security analysis live. You'll watch as graphic assets ready for phishing clones, authentication tokens left in the open, interface files that reconstruct the entire UI, and downloadable resources that can be hijacked surface in minutes. Then, for a bonus round, we'll walk through how an attacker assembles these pieces into a convincing fake app designed to steal user credentials.

What you'll walk away with: — How attackers build phishing clones from assets inside legitimate app binaries — What exposed authentication tokens and social media credentials look like in practice — Why your UI design files and graphic assets are a security risk, not just a design deliverable — How on-demand resources and interface files become tools for social engineering.

Who this is for: mobile developers, startup founders, UI/UX designers, security engineers, and anyone interested in understanding how everyday app assets get repurposed for identity theft.

About the host: Sergii Koval — 15+ years in iOS/macOS security. Security architect for banking and enterprise platforms. Creator of Threat Explorer, a proprietary iOS security analysis platform. Based in Luxembourg.

Format: Live demo via Google Meet. ~60 minutes. Free. Recorded for YouTube. This is part of a monthly series. Each session, a different industry goes on the table.