Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use
https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use
Forbes
Exclusive: Warning Over Chinese Mobile Giant Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
Xiaomi is collecting users’ browser habits and phone usage, raising red flags for privacy researchers.
Forwarded from The Bug Bounty Hunter
AndroPyTool
A framework for automated extraction of static and dynamic features from Android applications
https://github.com/alexMyG/AndroPyTool#how-to-install
A framework for automated extraction of static and dynamic features from Android applications
https://github.com/alexMyG/AndroPyTool#how-to-install
GitHub
GitHub - alexMyG/AndroPyTool: A framework for automated extraction of static and dynamic features from Android applications
A framework for automated extraction of static and dynamic features from Android applications - alexMyG/AndroPyTool
Reverse engineering Flutter apps
Build process of Flutter applications and explain in detail how to reverse engineer the code
https://blog.tst.sh/reverse-engineering-flutter-apps-part-1/
Build process of Flutter applications and explain in detail how to reverse engineer the code
https://blog.tst.sh/reverse-engineering-flutter-apps-part-1/
ping's blog
Reverse engineering Flutter apps (Part 1)
Chapter 1: Down the rabbit hole
To start this journey I'll cover some backstory on the Flutter stack and how it works.
What you probably already know: Flutter was built from the ground up with its own render pipeline and widget library, allowing it to…
To start this journey I'll cover some backstory on the Flutter stack and how it works.
What you probably already know: Flutter was built from the ground up with its own render pipeline and widget library, allowing it to…
List of iOS applications related to COVID-19 with capabilities and permissions they request
https://github.com/ivRodriguezCA/Covid19-Mobile-Apps
https://github.com/ivRodriguezCA/Covid19-Mobile-Apps
GitHub
GitHub - ivRodriguezCA/Covid19-Mobile-Apps: List of the most popular COVID10 mobile applications and the permissions they request.
List of the most popular COVID10 mobile applications and the permissions they request. - GitHub - ivRodriguezCA/Covid19-Mobile-Apps: List of the most popular COVID10 mobile applications and the per...
Forwarded from The Bug Bounty Hunter
Android Application Penetration Testing / Bug Bounty Checklist
https://blog.softwaroid.com/2020/05/02/android-application-penetration-testing-bug-bounty-checklist/
https://blog.softwaroid.com/2020/05/02/android-application-penetration-testing-bug-bounty-checklist/
Hacking/OSCP cheatsheet
https://ceso.github.io/posts/2020/04/hacking/oscp-cheatsheet/
https://ceso.github.io/posts/2020/04/hacking/oscp-cheatsheet/
30 Reverse Engineering Tips & Tricks
https://blog.vastart.dev/2020/04/guys-30-reverse-engineering-tips-tricks.html
https://blog.vastart.dev/2020/04/guys-30-reverse-engineering-tips-tricks.html
👍1
Cheatsheets for all vulnerabilities
https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets
https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets
GitHub
CheatSheetSeries/cheatsheets at master · OWASP/CheatSheetSeries
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. - OWASP/CheatSheetSeries
Android SLocker uses Coronavirus scare to lock smartphones
https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/
https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/
Bitdefender Labs
Android SLocker Variant Uses Coronavirus Scare to Take Android Hostage
The coronavirus pandemic is an opportunity for criminals who try to take advantage of people’s thirst for information. Unfortunately, Android users can fall prey to... #android #covid19 #ransomware
PENETRATION TESTING PRACTICE LAB - VULNERABLE APPS / SYSTEMS
https://www.amanhardikar.com/mindmaps/Practice.html
https://www.amanhardikar.com/mindmaps/Practice.html
Reverse Engineering the Australian Government’s Coronavirus iOS app
https://medium.com/@wabz/reverse-engineering-the-australian-governments-coronavirus-ios-application-c08790e895e9
https://medium.com/@wabz/reverse-engineering-the-australian-governments-coronavirus-ios-application-c08790e895e9
Medium
Reverse Engineering the Australian Government’s Coronavirus iOS application
On the 29th of March, the Australian Government launched an iOS application on the AppStore. It’s a pretty neat little app with lots of…
Hacking "Razer Pay" e-wallet Android app
Attacker could:
-delete other user's bank account
-extract other user's private info
-possibly steal money from other user's bank account
-read other user's chat messages
https://blog.sambal0x.com/2020/04/30/Hacking-razer-pay-ewallet-app.html
Attacker could:
-delete other user's bank account
-extract other user's private info
-possibly steal money from other user's bank account
-read other user's chat messages
https://blog.sambal0x.com/2020/04/30/Hacking-razer-pay-ewallet-app.html
Richard’s Infosec blog
Hacking Razer Pay Ewallet App
Introduction This write-up is about hacking the Razer Pay Android app - an E-Wallet app used in Singapore and Malaysia. It was an interesting journey worth blogging due to the use of some interesting techniques including Frida, a tool that I only thought…
Frida Cheatsheet and Code Snippets for Android
https://erev0s.com/blog/frida-code-snippets-for-android/
https://erev0s.com/blog/frida-code-snippets-for-android/
Erev0S
Frida code snippets for Android
Quick reference guide for Frida code snippets used for Android dynamic instrumentation.
Offensive Security Bookmarks Collection
https://jivoi.github.io/2015/07/03/offensive-security-bookmarks/
https://jivoi.github.io/2015/07/03/offensive-security-bookmarks/
EK
Offensive Security Bookmarks
My security bookmarks collection.
Google Assistant on Pixel devices, was able to capture screenshots even when screens were protected with FLAG_SECURE.
Fixed in September 2019 bulletin
https://pankajupadhyay.in/2020/05/01/ok-google-bypass-flag-secure/
Fixed in September 2019 bulletin
https://pankajupadhyay.in/2020/05/01/ok-google-bypass-flag-secure/
Pankaj Upadhyay
Ok Google! bypass ‘flag_secure’
Google Assistant on Android 9 can bypass the screen-capture protection provided by Android’s FLAG_SECURE.
Aarogya Setu app servers discloses more information then necessary by backend server API.
By changing location you could identify COVID19 infected and unwell people in 500m radius anywhere in India.
https://medium.com/@fs0c131y/aarogya-setu-the-story-of-a-failure-3a190a18e34
By changing location you could identify COVID19 infected and unwell people in 500m radius anywhere in India.
https://medium.com/@fs0c131y/aarogya-setu-the-story-of-a-failure-3a190a18e34
Medium
Aarogya Setu: The story of a failure
In order to fight Covid19, the Indian government released a contact mobile application called Aarogya Setu. This application is available…
Oday iOS XML exploit granted an app full access to the entire file system, and more
https://daringfireball.net/linked/2020/05/02/psychic-paper
https://daringfireball.net/linked/2020/05/02/psychic-paper
Daring Fireball
‘Psychic Paper’, an Extraordinarily Powerful But Easily Understood iOS Exploit
Link to: https://siguza.github.io/psychicpaper/
0-click RCE via MMS
Exploited on Samsung Galaxy Note 10+ phone running Android 10
Analysis: https://bugs.chromium.org/p/project-zero/issues/detail?id=2002
PoC: https://youtu.be/nke8Z3G4jnc
Exploited on Samsung Galaxy Note 10+ phone running Android 10
Analysis: https://bugs.chromium.org/p/project-zero/issues/detail?id=2002
PoC: https://youtu.be/nke8Z3G4jnc
YouTube
Exploitation of a Samsung Galaxy Note 10+ Zero-Click RCE Bug via MMS
Director's cut with a soundtrack: https://youtu.be/ZQnb8kRMkHg.
This video demonstrates the exploitation of a vulnerability in the custom Samsung Qmage image codec via MMS. The exploit proof-of-concept achieves remote code execution with no user interaction…
This video demonstrates the exploitation of a vulnerability in the custom Samsung Qmage image codec via MMS. The exploit proof-of-concept achieves remote code execution with no user interaction…
iOS Static Analysis
-jailbreak
-install IPA apps
-bypass jailbreak detection
-bypass SSL pinning
-keychain dump
https://medium.com/@AbhishekMisal/ios-application-security-static-analysis-cbe7effc6a34
-jailbreak
-install IPA apps
-bypass jailbreak detection
-bypass SSL pinning
-keychain dump
https://medium.com/@AbhishekMisal/ios-application-security-static-analysis-cbe7effc6a34
Medium
iOS Application Security — Static Analysis
In this article, we will look at performing static security of iOS applications starting from jailbreaking an iOS device, installing a…