How to make your Android app network communication secure
https://infinum.com/the-capsized-eight/how-to-prepare-your-android-app-for-a-pentest
https://infinum.com/the-capsized-eight/how-to-prepare-your-android-app-for-a-pentest
Infinum
How to Prepare Your Android App for a Pentest – Networking Edition
Android app penetration testing is a must when developing an app, especially if you deal with sensitive user information.
Subnoscription scams found on Google Play -
25 apps with almost 600M installs
https://news.sophos.com/en-us/2020/01/14/fleeceware-apps-persist-on-the-play-store/
25 apps with almost 600M installs
https://news.sophos.com/en-us/2020/01/14/fleeceware-apps-persist-on-the-play-store/
Sophos News
Fleeceware apps persist on the Play Store
Fleeceware remains a problem on Google Play, where Android users still run the risk of being charged hundreds of dollars or euros for “subnoscriptions” to apps
All iPhones running iOS 10 or later can now be used as hardware security keys for Google accounts
https://www.zdnet.com/article/you-can-now-use-an-iphone-as-a-security-key-for-google-accounts/
Step-by-step tutorial: https://support.google.com/accounts/answer/9289445
https://www.zdnet.com/article/you-can-now-use-an-iphone-as-a-security-key-for-google-accounts/
Step-by-step tutorial: https://support.google.com/accounts/answer/9289445
ZDNet
You can now use an iPhone as a security key for Google accounts
All iPhones running iOS 10 or later can now be used as hardware security keys for Google accounts.
Seventeen Android HiddenAd Trojans Found in Google Play With Total Over 550K Downloads
https://labs.bitdefender.com/2020/01/seventeen-android-nasties-spotted-in-google-play-total-over-550k-downloads/
https://labs.bitdefender.com/2020/01/seventeen-android-nasties-spotted-in-google-play-total-over-550k-downloads/
Bitdefender Labs
Seventeen Android Nasties Spotted in Google Play, Total Over 550K Downloads
Bitdefender researchers recently found 17 Google Play apps that, once installed,
start hiding their presence on the user’s device and constantly display
aggressive ads.
start hiding their presence on the user’s device and constantly display
aggressive ads.
Android Enterprise Security Whitepaper
https://static.googleusercontent.com/media/www.android.com/en//static/2016/pdfs/enterprise/Android_Enterprise_Security_White_Paper_2019.pdf
https://static.googleusercontent.com/media/www.android.com/en//static/2016/pdfs/enterprise/Android_Enterprise_Security_White_Paper_2019.pdf
Vulnerability in Android OneDrive app allowed to bypass passcode or fingerprint
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0654
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0654
How to develope and test secure #iOS apps + video demos #MASVS #MSTG
https://www.dropbox.com/sh/tsog4fwa3wg4rd9/AADuNKjtQNaliYSBjr28SevPa?dl=0
https://www.dropbox.com/sh/tsog4fwa3wg4rd9/AADuNKjtQNaliYSBjr28SevPa?dl=0
Chinese phone maker OPPO partners with #HackerOne to launch bug bounty program
https://security.oppo.com/en/
https://security.oppo.com/en/
How to write #iOS program that allows to render arbitrary strings to the #iPhone screen by directly modifying the framebuffer pixels https://link.medium.com/REb7yRhkn3
Medium
Exploring the iOS screen framebuffer– a kernel reversing experiment
It’s been over two years since I last published a blog, so I thought I’d give this another go in 2020 and kick it off by writing about an…
Exploiting SQL Injection in Android's Download Provider (CVE-2019-2198)
Blind SQL injection in Android's Download Provider will retrieve user cookies of downloaded file website (e.g. Gmail).
Patched in November's 2019 Android Security Bulletin.
PoC + info:https://github.com/IOActive/AOSP-DownloadProviderDbDumperSQLiWhere/
Blind SQL injection in Android's Download Provider will retrieve user cookies of downloaded file website (e.g. Gmail).
Patched in November's 2019 Android Security Bulletin.
PoC + info:https://github.com/IOActive/AOSP-DownloadProviderDbDumperSQLiWhere/
GitHub
GitHub - IOActive/AOSP-DownloadProviderDbDumperSQLiWhere: PoC Exploiting SQL Injection in Android's Download Provider in Selection…
PoC Exploiting SQL Injection in Android's Download Provider in Selection Parameter (CVE-2019-2198) - IOActive/AOSP-DownloadProviderDbDumperSQLiWhere
Awesome GitHub Repos
1. Book of Secret Knowledge = https://lnkd.in/fWKCdi4
2. Awesome Hacking = https://lnkd.in/f7VPTEX
3. Awesome Bug Bounty = https://lnkd.in/fPrQiVD
4. Awesome Penetration Testing = https://lnkd.in/fAUZgu5
5. Awesome Web Hacking = https://lnkd.in/f5n2hSd
6. Awesome Hacking Resources = https://lnkd.in/fcJ6wFH
7. Awesome Pentest = https://lnkd.in/fNNSFeN
8. Awesome Red Teaming = https://lnkd.in/fGpievF
9. Awesome Web Security = https://lnkd.in/ffG73u2
10. Penetration Test Guide based on OWASP = https://lnkd.in/ffyBwzG
11. Pentest Compilation = https://lnkd.in/f5JwJTD
12. Infosec Reference = https://lnkd.in/fY6wNmX
1. Book of Secret Knowledge = https://lnkd.in/fWKCdi4
2. Awesome Hacking = https://lnkd.in/f7VPTEX
3. Awesome Bug Bounty = https://lnkd.in/fPrQiVD
4. Awesome Penetration Testing = https://lnkd.in/fAUZgu5
5. Awesome Web Hacking = https://lnkd.in/f5n2hSd
6. Awesome Hacking Resources = https://lnkd.in/fcJ6wFH
7. Awesome Pentest = https://lnkd.in/fNNSFeN
8. Awesome Red Teaming = https://lnkd.in/fGpievF
9. Awesome Web Security = https://lnkd.in/ffG73u2
10. Penetration Test Guide based on OWASP = https://lnkd.in/ffyBwzG
11. Pentest Compilation = https://lnkd.in/f5JwJTD
12. Infosec Reference = https://lnkd.in/fY6wNmX
lnkd.in
LinkedIn
This link will take you to a page that’s not on LinkedIn
Android Unpacking Automation (Docker + Frida)
https://github.com/corellium/corellium-android-unpacking
https://github.com/corellium/corellium-android-unpacking
GitHub
GitHub - corellium/corellium-android-unpacking: Android Unpacking Automation using Corellium Devices
Android Unpacking Automation using Corellium Devices - corellium/corellium-android-unpacking
Hacking Sony PlayStation Blu-ray Drives #slides
https://github.com/oct0xor/presentations/blob/master/Hacking%20Sony%20PlayStation%20Blu-ray%20Drives.pdf
https://github.com/oct0xor/presentations/blob/master/Hacking%20Sony%20PlayStation%20Blu-ray%20Drives.pdf
GitHub
presentations/Hacking Sony PlayStation Blu-ray Drives.pdf at master · oct0xor/presentations
Collection of my slide decks. Contribute to oct0xor/presentations development by creating an account on GitHub.
Jeff Bezos smartphone was hacked by NSO group spyware - #Pegasus
https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince
https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince
the Guardian
Jeff Bezos hack: Amazon boss's phone 'hacked by Saudi crown prince'
Exclusive: investigation suggests Washington Post owner was targeted five months before murder of Jamal Khashoggi
ProtonVPN is the first VPN provider to open source apps on all platforms (Windows, macOS, Android, and iOS) and undergo an independent security audit
https://github.com/ProtonVPN/android-app
https://github.com/ProtonVPN/android-app
GitHub
GitHub - ProtonVPN/android-app: Official ProtonVPN Android app
Official ProtonVPN Android app. Contribute to ProtonVPN/android-app development by creating an account on GitHub.
Stats of Android.Xiny trojan family
Installing applications without user permission has always been Android.Xiny's principal function. Thus, attackers can profit from pay-per-install referral programmes
https://news.drweb.com/show/?i=13627&lng=en
Installing applications without user permission has always been Android.Xiny's principal function. Thus, attackers can profit from pay-per-install referral programmes
https://news.drweb.com/show/?i=13627&lng=en
Dr.Web
Yet another [almost] non-removable trojan for Android
At the end of 2019, system-monitoring routines on some of our customers' smart phones detected changes in the file /system/lib/libc.so.
Forensic analysis of Jeff Bezos hacked #iPhoneX
iPhone was exploited via #WhatsApp vulnerability that probably triggered RCE.
Similar exploit was fixed in October 2019 - CVE-2019-11932(double-free vulnerability) but instead of video it was triggered by GIF.
https://www.documentcloud.org/documents/6668313-FTI-Report-into-Jeff-Bezos-Phone-Hack.html
iPhone was exploited via #WhatsApp vulnerability that probably triggered RCE.
Similar exploit was fixed in October 2019 - CVE-2019-11932(double-free vulnerability) but instead of video it was triggered by GIF.
https://www.documentcloud.org/documents/6668313-FTI-Report-into-Jeff-Bezos-Phone-Hack.html
www.documentcloud.org
FTI Report into Jeff Bezos Phone Hack
Analysis of Opera for Android vulnerability to a sandboxed cross-origin iframe bypass attack (CVE-2019-19788)
https://blog.confiant.com/trending-client-side-innovations-in-malvertising-payloads-914d9f614ed1
https://blog.confiant.com/trending-client-side-innovations-in-malvertising-payloads-914d9f614ed1
Medium
Trending Client-Side Innovations In Malvertising Payloads
This blog post will cover two techniques that persistent, high volume malvertisers have been leveraging in recent months to maximize the…
What mobile OS you are using?
anonymous poll
Android – 417
👍👍👍👍👍👍👍 80%
iOS – 78
👍 15%
other – 10
▫️ 2%
Windows Mobile – 9
▫️ 2%
KaiOS – 6
▫️ 1%
👥 520 people voted so far.
anonymous poll
Android – 417
👍👍👍👍👍👍👍 80%
iOS – 78
👍 15%
other – 10
▫️ 2%
Windows Mobile – 9
▫️ 2%
KaiOS – 6
▫️ 1%
👥 520 people voted so far.
United Nations officials will not use #WhatsApp to communicate because it’s not supported as a secure mechanism #JeffBezos
https://www.reuters.com/article/us-un-whatsapp/u-n-says-officials-barred-from-using-whatsapp-since-june-2019-over-security-idUSKBN1ZM32P
https://www.reuters.com/article/us-un-whatsapp/u-n-says-officials-barred-from-using-whatsapp-since-june-2019-over-security-idUSKBN1ZM32P
Reuters
U.N. says officials barred from using WhatsApp since June 2019 over security
UNITED NATIONS (Reuters) - United Nations officials do not use WhatsApp to communicate because “it’s not supported as a secure mechanism,” a U.N. spokesman said on Thursday, after U.N. experts accused Saudi Arabia of using the online communications platform…