Android: Access to app protected components
https://blog.oversecured.com/Android-Access-to-app-protected-components/
News, Techniques & Guides
Introduction This vulnerability resembles Open Redirect in web security. Since class Intent is Parcelable, objects belonging to this class can be passed as extra data in another Intent object. Many...
Qualcomm chip vulnerability
400 vulnerable code sections were uncovered on Qualcomm’s Snapdragon digital signal processor (DSP) chip
https://media.defcon.org/DEF%20CON%2028/DEF%20CON%20Safe%20Mode%20presentations/DEF%20CON%20Safe%20Mode%20-%20Slava%20Makkaveev%20-%20Pwn2Own%20Qualcomm%20compute%20DSP%20for%20fun%20and%20profit.pdf
TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices
https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices.pdf
Android Bug Foraging
Analysis of vulnerabilities found in:
- Tinder
- Google Camera
- Samsung Find My Mobile
- undisclosed app name
https://youtu.be/qbj-4NXsE-0
YouTube
Pedro Umbelino | Joao Morais - Android Bug Foraging - DEF CON 28SM AppSec Village
The speakers are waiting for your questions on the DEF CON Discord server!
Join us (here: https://discord.gg/defcon), and join the channels:
#asv-talks-qa-text
#asv-talks-qa-voice
In this session, we will analyze four real-world examples of different high…
Forwarded from The Bug Bounty Hunter
Hacking iOS Simulator with simctl and dynamic libraries
https://curvedlayer.com/2020/08/09/ios-simulator-plugin-simctl.html
Curvedlayer
Extend the iOS Simulator by building a plugin for it. A dynamic loader and simctl allow injecting custom code into the Simulator. With that, you can modify its behavior.
MMS Exploit Part 5: Defeating Android ASLR, Getting RCE
https://googleprojectzero.blogspot.com/2020/08/mms-exploit-part-5-defeating-aslr-getting-rce.html
Blogspot
Posted by Mateusz Jurczyk, Project Zero This post is the fifth and final of a multi-part series capturing my journey from discovering a ...
ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations
https://www.zdnet.com/article/re-vol-te-attack-can-decrypt-4g-lte-calls-to-eavesdrop-on-conversations/
ZDNET
Academics detail a new attack on 4G encrypted calls. Attack works only when the attacker is on the same base station (mobile tower) as the victim.
Hacker101 CTF: Android Challenge Writeups
https://medium.com/bugbountywriteup/hacker101-ctf-android-challenge-writeups-f830a382c3ce
Medium
In this article, I will be demonstrating how to solve the Hacker101 CTF (Capture The Flag) challenges for the Android category. Hacker101…
Forwarded from The Bug Bounty Hunter
Android Pentesting Lab
Step by Step guide for beginners!
https://medium.com/@imparable/android-pentesting-lab-4a6fe1a1d2e0
Medium
Qualcomm QCACLD WiFi monitor mode for Android
https://github.com/kimocoder/qualcomm_android_monitor_mode
GitHub
CnC communication of a fake Aarogya Setu COVID-19 app
https://medium.com/@cryptax/cnc-communication-of-a-fake-aarogya-setu-covid-19-app-810817a36257
Medium
Aarogya Setu is the Indian open source COVID-19 contact tracing app. Like many other COVID-19 tracing apps, it has many malicious…
Setup macOS for iOS Research
https://www.mac4n6.com/blog/2020/8/13/step-by-step-macos-setup-for-ios-research-via-bizzybarney
mac4n6.com
Part 1: Step-by-step macOS Setup for iOS Research (via @bizzybarney) — mac4n6.com
CLI…WTF Command line interface (CLI) isn’t for everyone. Trust me; I get it. @iamevltwin forced me out of my comfort zone a few years ago and opened my eyes to the power of Terminal (command prompt on Mac). Now it is pinned to the Dock on every Mac…
Google Firebase messaging vulnerability allowed attackers to send push notifications to app users
https://abss.me/posts/fcm-takeover/
abss.me
Firebase Cloud Messaging Service Takeover: A small research that led to 30k$+ in bounties
TL;DR A malicious attacker could control the content of push notifications to any application that runs the FCM SDK and has its FCM server key exposed, and at the same time send these notifications to every single user of the vulnerable application!
Write-up for Samsung SCTF’s Android Reverse Engineering Challenge https://link.medium.com/sZIupscha9
Medium
Vault 101 : Samsung CTF Android Reverse Engineering Challenge Write-up
Write-up for SCTF’s Android Reverse Engineering Challenge: Vault 101 using pure static analysis based reverse engineering and custom…
Samsung 'Find My Mobile' vulnerability report
https://char49.com/articles/malicious-apps-could-take-over-samsung-devices
Detailed report: http://char49.com/tech-reports/fmmx1-report.pdf
Mintegral SDK - The malicious code uncovered in iOS versions of the SDK from the Chinese mobile ad platform
https://snyk.io/blog/sourmint-malicious-code-ad-fraud-and-data-leak-in-ios/
Snyk
SourMint: Malicious code, ad fraud, and data leak in iOS | Snyk
The Snyk research team has uncovered malicious code used for ad fraud in a popular Advertising SDK used by over 1,200 apps in the AppStore.
Part 2: Step-by-step iPhone Setup for iOS Research
https://www.mac4n6.com/blog/category/analysis
mac4n6.com
Stealing local files using Safari Web Share API (NOT FIXED!)
https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html
blog.redteam.pl
Bypass PIN codes for Visa contactless payments
A successful attack requires four components: (1+2) two Android smartphones, (3) a special Android app developed by the research team, and (4) a Visa contactless card.
The entire idea behind the attack is that the POS emulator asks the card to make a payment, modifies transaction details, and then sends the modified data via WiFi to the second smartphone that makes a large payment without needing to provide a PIN (as the attacker has modified the transaction data to say that the PIN is not needed).
Info: https://www.zdnet.com/article/academics-bypass-pins-for-visa-contactless-payments/
Research: https://arxiv.org/pdf/2006.08249.pdf
Video demo: https://youtu.be/JyUsMLxCCt8
ZDNET
Academics bypass PINs for Visa contactless payments
Researchers: "In other words, the PIN is useless in Visa contactless transactions."
Transparent Tribe: Evolution analysis
Part 1: https://securelist.com/transparent-tribe-part-1/98127/
Part 2 (Android): https://securelist.com/transparent-tribe-part-2/98233/
Securelist
Transparent Tribe: Evolution analysis, part 1 | Securelist
Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013.