Where I explore languages, formats, tools and protocols.
| 2026-02 | "An AWKward Modem" in Paged Out! #8 |
| 2025-10 | "Print to Play" in Paged Out! magazine #7 (gist) (0xcryptax "Best hacking paper") |
| 2025-08 | Passkeys PoC, protocol and security smells (PDF) (informal notes) |
| 2025-07 | Core Graphics Bug Report |
Where I demonstrate that JSON's apparent simplicity is just hidden complexity that can lead to software errors and security issues.
| 2018-03 | Parsing JSON Considered Harmful, Toulouse Hacking Conference (slides) |
| 2016-11 | Presentation at Black Alps Security Conference, Yverdon (slides) |
| 2016-11 | Article and comments in The Register |
| 2016-10 | Presentation at Soft-Shake Conference, Geneva (slides) |
| 2016-10 | First version of the article |
| 2016-10 | JSON Test Suite (GitHub) |
| 2016-07 | A JSON Parser in Swift 3 compliant with RFC 7159 (GitHub) |
Where I reverse engineer and document the Twitter API, and exploit vulnerabilities to automate account creation and get access to user accounts.
| 2015-04 | 3 Nasty Twitter API Hacks, DahuCon, (redacted slides): Account Takeover, Automated Account Creation, SMS Abuse |
| 2014-05 | STTwitter - A stable, mature and comprehensive Objective-C library for Twitter REST API 1.1 (GitHub) |
| 2014-05 | STTwitter, CocoaHeads Lausanne, (slides) |
| 2013-10 | iOS / Twitter Integration, SoftShake 2013, (slides) |
| 2013-10 | Abusing Twitter API, One Year Later, AppSec Forum 2013, (slides, video) |
| 2013-04 | Abusing Twitter API and OAuth Implementation, Hack In The Box 2013, Amsterdam, (article, slides, video) |
| 2012-11 | Abusing Twitter API, AppSec Forum 2012, (slides) |
| 2009-04 | TwitHunter - An experimental Twitter client with scoring for Mac OS X (GitHub) |
Where I explore Unicode specifications, their implementation in various environments, edge cases and some security aspects.
| 2014-11 | Unicode Hacks, AppSec Forum 2014, (slides) |
| 2014-10 | I � Unicode, SoftShake 2014, (slides) |
| 2014-10 | Unicode Poster, (GitHub) |
| 2013-01 | UniBinary, an efficient algorithm to encode/decode data into printable Unicode characters, (GitHub) |
As a trail runner and Unicode enthusiast, I am a proud sponsor of characters:
🏃♂ U+1F3C3 U+200D U+2642 U+FE0F man runner
⛰ U+26F0 mountain
🏔 U+1F3D4 snow capped mountain
Where I demonstrate that, despite Apple's claims, a malicious iPhone app can harvest a user's data without even using private APIs.
| 2010-11 | iOS 4 Privacy, DefCon Switzerland HashDays 2010 (video, slides) |
| 2010-09 | iOS 4 Privacy, Compass Security Event 2010. |
| 2010-04 | iPhone and AppStore: Security and Privacy. Workshop on mobile security, Federal Intelligence Service FIS, Reporting and Analysis Centre for Information Assurance MELANI, Bern. |
| 2010-02 | iPhone Privacy, February 3rd, Black Hat DC, Arlington, VA, USA, white paper, Black Hat slides, SpyPhone Project on GitHub, 81 citations, Forbes, Wall Street Journal |
| 2009-12 | iPhone Privacy, December 2nd, développeurs iPhone de Suisse Romande, Geneva Airport. SpyPhone Project on GitHub |