Forwarded from The Bug Bounty Hunter
INTRODUCTION TO ANDROID HACKING BY @0XTEKNOGEEK
https://www.hackerone.com/blog/androidhackingmonth-intro-to-android-hacking
https://www.hackerone.com/blog/androidhackingmonth-intro-to-android-hacking
HackerOne
Guess what's coming!? #AndroidHackingMonth on @Hacker0x01
Mobile hacking has become an essential part of the bug bounty hunter’s tool belt as more and more companies are doubling down on mobile and investing in the security of their iOS and Android applications. As part of our determination to ensure you have the…
Analysis of techniques to bypass the Android Security Config control with Frida
https://neo-geo2.gitbook.io/adventures-on-security/frida/analysis-of-network-security-configuration-bypasses-with-frida
https://neo-geo2.gitbook.io/adventures-on-security/frida/analysis-of-network-security-configuration-bypasses-with-frida
neo-geo2.gitbook.io
Analysis of Network Security Configuration bypasses with Frida | Adventures on Security
Analysis of techniques to bypass the Android Security Config control with Frida
Bad Binder - Finding an Android In The Wild 0-day
https://github.com/maddiestone/ConPresentations/blob/master/OffensiveCon2020.BadBinder.pdf
https://github.com/maddiestone/ConPresentations/blob/master/OffensiveCon2020.BadBinder.pdf
GitHub
ConPresentations/OffensiveCon2020.BadBinder.pdf at master · maddiestone/ConPresentations
Slide decks from my conference presentations. Contribute to maddiestone/ConPresentations development by creating an account on GitHub.
Detecting Memory Corruption Bugs With HWASan in Android
https://android-developers.googleblog.com/2020/02/detecting-memory-corruption-bugs-with-hwasan.html
https://android-developers.googleblog.com/2020/02/detecting-memory-corruption-bugs-with-hwasan.html
Android Developers Blog
Detecting Memory Corruption Bugs With HWASan
Posted by Evgenii Stepanov, Staff Software Engineer, Dynamic Tools Native code in memory-unsafe languages like C and C++ is often vuln...
Malwarebytes Labs releases 2020 State of Malware Report
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
Forwarded from The Bug Bounty Hunter
JAVASCRIPT INJECTION IN SIX ANDROID MAIL CLIENTS
https://www.gubello.me/blog/javanoscript-injection-in-six-android-mail-clients/
https://www.gubello.me/blog/javanoscript-injection-in-six-android-mail-clients/
Blog un po' nerd
Javanoscript Injection in six Android mail clients
During last spring (2019) I started to “open and read” the Android applications before installing them. Reversing an APK file can be interesting to understand how an app works, how it manages the permissions and my data, if there are vulnerabilities. I was…
Shodan Pentesting Guide
Shodan is a tool for searching devices connected to the internet. Unlike search engines which help you find websites, Shodan helps you find information about desktops, servers, IoT devices, and more.
https://community.turgensec.com/shodan-pentesting-guide/
Shodan is a tool for searching devices connected to the internet. Unlike search engines which help you find websites, Shodan helps you find information about desktops, servers, IoT devices, and more.
https://community.turgensec.com/shodan-pentesting-guide/
Hamas Android Malware On IDF Soldiers
This MRAT (Mobile Remote Access Trojan) is disguised as a set of dating apps, “GrixyApp”, “ZatuApp”, and “Catch&See”.
https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/
This MRAT (Mobile Remote Access Trojan) is disguised as a set of dating apps, “GrixyApp”, “ZatuApp”, and “Catch&See”.
https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/
Check Point Research
Hamas Android Malware On IDF Soldiers-This is How it Happened - Check Point Research
Introduction: Earlier today, IDF’s spokesperson revealed that IDF (Israel Defense Force) and ISA (Israel Security Agency AKA “Shin Bet”) conducted a joint operation to take down a Hamas operation targeting IDF soldiers, dubbed ‘Rebound’. In this article,…
Phishing campaign targeting mobile banking users
Nearly 4,000 victims fall for off-the-shelf, mobile-only phishing attack
https://blog.lookout.com/lookout-phishing-ai-reveals-mobile-banking-phishing-campaign
Nearly 4,000 victims fall for off-the-shelf, mobile-only phishing attack
https://blog.lookout.com/lookout-phishing-ai-reveals-mobile-banking-phishing-campaign
Lookout
Inside Look Into Phishing Campaign Targeting Mobile Banking | Threat Intel
Lookout Phishing AI discovered a phishing campaign targeting customers via SMS messaging to lure them to fake websites of well-known Canadian and American banks.
WhatsApp bug allowed anyone who has the victim phone to read their contacts list without unlocking the device
Fixed in version 2.19.198
https://medium.com/bugbountywriteup/facebook-bug-bounty-reading-whatsapp-contacts-list-without-unlocking-the-device-a40e9c660a42
Fixed in version 2.19.198
https://medium.com/bugbountywriteup/facebook-bug-bounty-reading-whatsapp-contacts-list-without-unlocking-the-device-a40e9c660a42
Medium
WhatsApp Bug Bounty: Reading contacts list without unlocking the device
A bug allows anyone who has the victim’s phone to read all their contact list without unlocking the security lock
Forwarded from The Bug Bounty Hunter
Blind IDOR in LinkedIn iOS application
https://hailstorm1422.com/linkedin-blind-idor/
https://hailstorm1422.com/linkedin-blind-idor/
Faketoken: full analysis of this dangerous banking Trojan
https://www.buguroo.com/en/blog/faketoken-full-analysis-of-this-dangerous-banking-trojan
https://www.buguroo.com/en/blog/faketoken-full-analysis-of-this-dangerous-banking-trojan
iOS App Static Security Analysis using Frida
https://asciinema.org/a/302160
https://asciinema.org/a/302160
asciinema.org
iOS App Static Security Analysis using Frida
Frida noscript to perform static security analysis of an iOS app Source: https://github.com/interference-security/frida-noscripts/blob/master/iOS/ios-app-static-analysis.js Twitter: https://twitter.com...
ToTok app removed from Google Play for the second time
https://9to5google.com/2020/02/14/google-play-removes-totok/
https://9to5google.com/2020/02/14/google-play-removes-totok/
9to5Google
Messaging app ToTok, allegedly used for mass spying, removed from Google Play again
Last year, the New York Times reported how a chat app gaining traction worldwide was actually being used as a spying tool. Google Play removes ToTok...
No Clicks Required - Exploiting Memory Corruption Vulnerabilities in Messenger Apps
https://saelo.github.io/presentations/offensivecon_20_no_clicks.pdf
https://saelo.github.io/presentations/offensivecon_20_no_clicks.pdf
Static analysis of an Android App #BugBounty
Insecure storage of SMS API credentials -> Takeover the SMS API
https://blog.securitybreached.org/2020/02/19/hacking-sms-api-service-provider-of-a-company-android-app-static-security-analysis-bug-bounty-poc/
Insecure storage of SMS API credentials -> Takeover the SMS API
https://blog.securitybreached.org/2020/02/19/hacking-sms-api-service-provider-of-a-company-android-app-static-security-analysis-bug-bounty-poc/
Security Breached Blog
Hacking SMS API Service Provider of a Company |Android App Static Security Analysis | Bug Bounty POC - Security Breached Blog
This blog post is about static analysis of Android App & due to insecure storage of SMS API credentials I was able to Takeover the SMS API.
Tools and techniques required for iOS applications pentesting https://link.medium.com/Zm1K1eGpd4
Medium
Jailbreak and stuff!! Kickstart tools and techniques for iOS application pentesting
In this article, I have covered most of the tools and techniques required for kickstarting your iOS applications pentesting.
29 iOS PDF File convertors apps upload files via HTTP - Vulnerable to MitM attack
https://www.wandera.com/shadow-it-comet-docs/
https://www.wandera.com/shadow-it-comet-docs/
Wandera
Document management apps exposing files on employee devices
Document management apps failing to encrypt files while transferring them between the user and the cloud-based application that provides the service.