Luke McLaren
Luke McLaren (@datalocaltmp) is a mobile security researcher focused on reverse engineering and bug hunting in large-scale messaging platforms. He shares his work publicly under the handle @datalocaltmp and runs his blog at s11research.com, a resource hub for dissecting mobile apps.
Luke’s research has uncovered vulnerabilities in Meta’s products including WhatsApp, Messenger, and Quest, with a focus on the native code, encryption layers, and signaling logic that power real-world communications.
Session
This talk explores three separate vulnerabilities uncovered in WhatsApp across multiple platforms - iOS, Android, and macOS - affecting both end-to-end encrypted messaging and calling features. I’ll walk through each bug, including a URL validation flaw (iOS), an XMPP parsing bug leading to native vulnerabilities in PJSIP (all platforms), and a logic issue that allowed unauthorized video streams during group voice chats (Android).
Attendees will get a deep dive into WhatsApp’s architecture, including cross-platform compilation quirks and native XMPP signaling. The talk will also cover reverse engineering strategies and practical bug-hunting methodologies for complex mobile apps.