Getting Started? Β» Buy me a coffee Β» Wanna Talk?
π Android Security Notes? Β» Here, You will find important concepts, resources, hand-crafted and self-curated notes written by a kind-hearted fellow. The main purpose of this project is to serve as a First-Aid to newbies (like me) and intermediate peep who perform android security.
π€ Wanna contribute? Β» If you see something wrong or incorrectly interpreted then open an issue or send a pull request. We appreciate your contribution and all suggestions/PRs are welcome. You can also ping me on twitter@iamsarvagyaa.
π Things to be done! Β» I started this project from scratch. Steadily, I will update more resources and notes that I've found useful while learning Android Security. The upcoming lineup for this project ...
- I will add more resources
- Add conference papers, notes and more
- Write more blogposts related to android security ...
- Getting Started
- HackerOne Reports
- BugBounty Writeups
- CTF Challenge Writeups
- Healthy Digests
- Vulnerable Applications
β Getting Started
- Diving in Android Security
- Android Security - Understanding Android Basics
- Android Pentesting Lab Setup
- Getting started with Frida on Android Apps
- Android Penetration Testing: Apk Reverse Engineering
- Android Penetration Testing: APK Reversing (Part 2)
β HackerOne Reports
- Account hijacking possible through ADB backup feature :: #12617
- Twitter android app Fragment Injection :: #43988
- Bypass Setup by External Activity Invoke :: #55064
- Webview Vulnerablity in OwnCloud apk :: #87835
- No permission set on Activities [Android App] :: #145402
- Flaw in login with twitter to steal Oauth tokens :: #44492
- Authentication Failed Mobile version :: #55530
- Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App :: #121275
- Coinbase Android Security Vulnerabilities :: #5786
- Insecure Data Storage in Vine Android App :: #44727
- Sending payments via QR code does not require confirmation :: #126784
- Bypass pin(4 digit passcode on your android app) :: #50884
- REG: Content provider information leakage :: #146179
- Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content :: #56002
- HTML/XSS rendered in Android App of Crashlytics through fabric.io :: #41856
- ByPassing the email Validation Email on Sign up process in mobile apps :: #57764
- Insecure Local Data Storage : Application stores data using a binary sqlite database :: #57918
- Vulnerable to JavaScript injection. (WXS) (Javascript injection)! :: #54631
- Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code :: #5314
- Reflected XSS in Zomato Mobile - category parameter :: #230119
- MEW Wallet PIN Bypass [Android] :: #1242212
- Firebase Database Takeover in Zego Sense Android app :: #1065134
- Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) :: #637194
- Persistant Arbitrary code execution in mattermost android :: #1115864
- porcupiney.hairs : Java/Android - Insecure Loading of a Dex File :: #1161956
- Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android] :: #453791
- Cookie steal through content Uri :: #876192
- Bypassing Passcode/Device credentials :: #747726
- [Java] CWE-755: Query to detect Local Android DoS caused by NFE :: #1061211
- Path traversal in ZIP extract routine on LINE Android :: #859469
- Android: Explanation of Access to app protected components vulnerability :: #951691
- Java: CWE-749 Unsafe resource loading in Android WebView leaking to injection attacks :: #1011956
- Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506 :: #906433
- Denial of Service | twitter.com & mobile.twitter.com :: #903740
- Insecure Storage and Overly Permissive API Keys in Android App :: #753868
- [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure :: #401793
- No session logout after changing password & alsoandroid sessions not shown in sessions list so they can be deleted :: #194329
- CVE-2019-5765: 1-click HackerOne account takeover on all Android devices :: #563870
- API Keys Hardcoded in Github repository :: #766346
- Changing email address on Twitter for Android unsets "Protect your Tweets" :: #472013
- Golden techniques to bypass host validations in Android apps :: #431002
- Improper protection of FileContentProvider :: #331302
- Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock :: #331489
- Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app :: #351555
- [Mail.Ru Android] Typo in permission name allows to write contacts without user knowledge :: #440749
- SQL Injection found in NextCloud Android App Content Provider :: #291764
- [Android] HTML Injection in BatterySaveArticleRenderer WebView :: #176065
- SQLi allow query restriction bypass on exposed FileContentProvider :: #518669
- [Zomato Android/iOS] Theft of user session :: #328486
- Protected Tweets setting overridden by Android app :: #519059
- Bypassing lock protection :: #490946
- Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day :: #486629
- Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App :: #205000
- [IRCCloud Android] XSS in ImageViewerActivity :: #283063
- [IRCCloud Android] Theft of arbitrary files leading to token leakage :: #288955
- Two-factor authentication bypass on Grab Android App :: #202425
- Android - Access of some not exported content providers :: #272044
- Improper markup sanitisation in Simplenote Android application :: #297547
- [Android] XSS via start ContentActivity :: #189793
- [iOS/Android] Address Bar Spoofing Vulnerability :: #175958
- Access of Android protected components via embedded intent :: #200427
- Possible to steal any protected files on Android :: #161710
- [Quora Android] Possible to steal arbitrary files from mobile device :: #258460
- Multiple critical vulnerabilities in Odnoklassniki Android application :: #97295
- Android - Possible to intercept broadcasts about uploaded files :: #167481
- Download attachments with traversal path into any sdcard directory (incomplete fix 106097) :: #284346
- [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity :: #283058
- Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager :: #192886
- Twitter for android is exposing user's location to any installed android app :: #185862
- Vulnerable exported broadcast receiver :: #289000
- Android MailRu Email: Thirdparty can access private data files with small user interaction :: #226191
- Vine - overwrite account associated with email via android application :: #187714
- Activities are not Protected and able to crash app using other app (Can Malware or third parry app) :: #65729
- Account takeover intercepting magic link for Arrive app :: #855618
β BugBounty Writeups
- Brave β Stealing your cookies remotely
- Hack crypto secrets from heap memory to exploit Android application
- Guest Blog Post: Firefox for Android LAN-Based Intent Triggering
- Arbitrary File Write On Client By ADB Pull
- Vulnerability in Facebook Android app nets $10k bug bounty
- Universal XSS in Android WebView (CVE-2020-6506)
- How two dead accounts allowed REMOTE CRASH of any Instagram android user
- Donβt stop at one bug $$$$
- Arbitrary code execution on Facebook for Android through download feature
- Ability To Backdoor Facebook For Android
- From Android Static Analysis to RCE on Prod
- Smear phishing: a new Android vulnerability
- Hunting Android Application Bugs Using Android Studio
- Android pin bypass with rate limiting
- Global grant uri in Android 8.0-9.0
- From N/A to Resolved For BackBlaze Android App[Hackerone Platform] Bucket Takeove
- Xiaomi Android : Harvest private/system files (Updated POC)
- Indirect UXSS issue on a private Android target app
- Full Account Takeover (Android Application)
- NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114]
- Address bar spoofing in Firefox Lite for Android and the idiocy that followed
- One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse
β CTF Challenge Writeups
- Good old friend - THCon 2021 - by cryptax
- draw.per - THCon 2021 - by cryptax
- Water Color - S4CTF 2021 - by 1gn1te
- Memedrive - RITSEC CTF 2021 - by klefz
- ezpz - darkCON CTF - by karma9874
- Fire in the Androiddd - darkCON CTF - by karma9874
- MobaDEX - HackTM CTF Finals 2020 - by umutoztunc
- hehe - PhantomCTF 3.0 - by FrigidSec
- Vault 101 - Hackers Playground 2020 - by saketupadhyay
- android - Google Capture The Flag 2020 - by luker983
- android - Google Capture The Flag 2020 - by s3np41k1r1t0
- android - Google Capture The Flag 2020 - by TFNS
- android - Google Capture The Flag 2020 - by NicolaiSoeborg
- prehistoric mario - ALLES! CTF 2020 - by ARESxCyber
- prehistoric mario - ALLES! CTF 2020 - by ashiq
- Tamarin - TokyoWesterns CTF 6th 2020 - by pwning
- Tamarin - TokyoWesterns CTF 6th 2020 - by hxp
- Tamarin - TokyoWesterns CTF 6th 2020 - by Hong5489
- Chasing a lock - RaziCTF 2020 - by ternary-bits
- Chasing a lock - RaziCTF 2020 - by Londek
- Chasing a lock - RaziCTF 2020 - by t3rmin0x
- Chasing a lock - RaziCTF 2020 - by blackbear666
- CTF Coin - RaziCTF 2020 - by cthulhu
- CTF Coin - RaziCTF 2020 - by t3rmin0x
- Friends - RaziCTF 2020 - by cthulhu
- Friends - RaziCTF 2020 - by t3rmin0x
- Meeting - RaziCTF 2020 - by t3rmin0x
- Strong padlock - RaziCTF 2020 - by t3rmin0x
- Strong padlock - RaziCTF 2020 - by Al3x2
- Strong padlock - RaziCTF 2020 - by Londek
- tough - RaziCTF 2020 - by t3rmin0x
β Healthy Digests
- Let's Reverse Engineer an Android App! - Well written blogpost by M.Yasoob Ullah Khalid, which explains how APK reverse engineering generally works.
- Reverse Engineering Nike Run Club Android App Using Frida - In this blogpost M.Yasoob Ullah Khalid, tell about How we can reverse an android application using Frida.
- Android Application Security Series - Well structured, Android Application Security Series. Start learning from this healthy digest. In this series Aditya covered OWASP MOBILE TOP 10 vulnerabilities in detailed form.
- Android App Reverse Engineering 101 - Wanna learn reverse engineering of Android Applications? If yes, then dive into this course. I learned a lot from this, huge thanks to maddiestone.
- MOBISEC - Hands-On classes, slides related to mobile security. I recommend everyone to watch all the recordings of class sessions. Kudos Yanick Fratantonio sir, thank you for all the sessions.
- Oversecured Blog - One of the best blog for android security, I love to read all the posts twice in a month. β€οΈ
β Vulnerable Applications
- hpAndro - One of the nice vulnerable android application to practice. Plenty of challenges are there, and most of the challenges are beginner friendly. I recommend everyone to checkout this vulnerable application. This challenge is maintained by hpandro1337, you can also checkout his YouTube Channel : Android AppSec.
- InjuredAndroid - A vulnerable android application ctf examples based on bug bounty findings, exploitation concepts, and pure creativity. Created and maintained by B3nac.
- Oversecured Vulnerable Android App - an Android app that aggregates all the platform's known and popular security vulnerabilities. Plenty of vulnerabilities are there to practice our Security skills. Vulnerable Lab maintained by Bagipro.
- MOBISEC Challenges - Plenty of challenges are there related to Android App development, Reversing of Android Application and Exploitations. Challenges created by sir Yanick Fratantonio. This is in my TODO list...
- LinkedIn : iamsarvagyaa
- Twitter : iamsarvagyaa
- Instagram : iamsarvagyaa
- Keybase : iamsarvagyaa
- E-mail : [email protected]
π£ If you enjoyed this project and wanna appreciate me, Buy me a cup of coffee. You can also help via sharing this project among the community to help it grow. You may support me on Buy me a coffee, monetary contributions are always welcome. If you wish to sponsor this project, ping me - iamsarvagyaa[at]gmail.com