iamsarvagyaa/AndroidSecNotes

Getting Started? » Buy me a coffee » Wanna Talk?

🚀 Android Security Notes? » Here, You will find important concepts, resources, hand-crafted and self-curated notes written by a kind-hearted fellow. The main purpose of this project is to serve as a First-Aid to newbies (like me) and intermediate peep who perform android security.

🤝 Wanna contribute? » If you see something wrong or incorrectly interpreted then open an issue or send a pull request. We appreciate your contribution and all suggestions/PRs are welcome. You can also ping me on twitter@iamsarvagyaa.

📜 Things to be done! » I started this project from scratch. Steadily, I will update more resources and notes that I've found useful while learning Android Security. The upcoming lineup for this project ...

• I will add more resources
• Add conference papers, notes and more
• Write more blogposts related to android security ...

🗒️ Synopsis

• Getting Started
• HackerOne Reports
• BugBounty Writeups
• CTF Challenge Writeups
• Healthy Digests
• Vulnerable Applications

↑ Getting Started

• Diving in Android Security
• Android Security - Understanding Android Basics
• Android Pentesting Lab Setup
• Getting started with Frida on Android Apps
• Android Penetration Testing: Apk Reverse Engineering
• Android Penetration Testing: APK Reversing (Part 2)

↑ HackerOne Reports

• Account hijacking possible through ADB backup feature :: #12617
• Twitter android app Fragment Injection :: #43988
• Bypass Setup by External Activity Invoke :: #55064
• Webview Vulnerablity in OwnCloud apk :: #87835
• No permission set on Activities [Android App] :: #145402
• Flaw in login with twitter to steal Oauth tokens :: #44492
• Authentication Failed Mobile version :: #55530
• Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App :: #121275
• Coinbase Android Security Vulnerabilities :: #5786
• Insecure Data Storage in Vine Android App :: #44727
• Sending payments via QR code does not require confirmation :: #126784
• Bypass pin(4 digit passcode on your android app) :: #50884
• REG: Content provider information leakage :: #146179
• Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content :: #56002
• HTML/XSS rendered in Android App of Crashlytics through fabric.io :: #41856
• ByPassing the email Validation Email on Sign up process in mobile apps :: #57764
• Insecure Local Data Storage : Application stores data using a binary sqlite database :: #57918
• Vulnerable to JavaScript injection. (WXS) (Javascript injection)! :: #54631
• Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code :: #5314
• Reflected XSS in Zomato Mobile - category parameter :: #230119
• MEW Wallet PIN Bypass [Android] :: #1242212
• Firebase Database Takeover in Zego Sense Android app :: #1065134
• Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) :: #637194
• Persistant Arbitrary code execution in mattermost android :: #1115864
• porcupiney.hairs : Java/Android - Insecure Loading of a Dex File :: #1161956
• Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android] :: #453791
• Cookie steal through content Uri :: #876192
• Bypassing Passcode/Device credentials :: #747726
• [Java] CWE-755: Query to detect Local Android DoS caused by NFE :: #1061211
• Path traversal in ZIP extract routine on LINE Android :: #859469
• Android: Explanation of Access to app protected components vulnerability :: #951691
• Java: CWE-749 Unsafe resource loading in Android WebView leaking to injection attacks :: #1011956
• Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506 :: #906433
• Denial of Service | twitter.com & mobile.twitter.com :: #903740
• Insecure Storage and Overly Permissive API Keys in Android App :: #753868
• [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure :: #401793
• No session logout after changing password & alsoandroid sessions not shown in sessions list so they can be deleted :: #194329
• CVE-2019-5765: 1-click HackerOne account takeover on all Android devices :: #563870
• API Keys Hardcoded in Github repository :: #766346
• Changing email address on Twitter for Android unsets "Protect your Tweets" :: #472013
• Golden techniques to bypass host validations in Android apps :: #431002
• Improper protection of FileContentProvider :: #331302
• Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock :: #331489
• Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app :: #351555
• [Mail.Ru Android] Typo in permission name allows to write contacts without user knowledge :: #440749
• SQL Injection found in NextCloud Android App Content Provider :: #291764
• [Android] HTML Injection in BatterySaveArticleRenderer WebView :: #176065
• SQLi allow query restriction bypass on exposed FileContentProvider :: #518669
• [Zomato Android/iOS] Theft of user session :: #328486
• Protected Tweets setting overridden by Android app :: #519059
• Bypassing lock protection :: #490946
• Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day :: #486629
• Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App :: #205000
• [IRCCloud Android] XSS in ImageViewerActivity :: #283063
• [IRCCloud Android] Theft of arbitrary files leading to token leakage :: #288955
• Two-factor authentication bypass on Grab Android App :: #202425
• Android - Access of some not exported content providers :: #272044
• Improper markup sanitisation in Simplenote Android application :: #297547
• [Android] XSS via start ContentActivity :: #189793
• [iOS/Android] Address Bar Spoofing Vulnerability :: #175958
• Access of Android protected components via embedded intent :: #200427
• Possible to steal any protected files on Android :: #161710
• [Quora Android] Possible to steal arbitrary files from mobile device :: #258460
• Multiple critical vulnerabilities in Odnoklassniki Android application :: #97295
• Android - Possible to intercept broadcasts about uploaded files :: #167481
• Download attachments with traversal path into any sdcard directory (incomplete fix 106097) :: #284346
• [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity :: #283058
• Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager :: #192886
• Twitter for android is exposing user's location to any installed android app :: #185862
• Vulnerable exported broadcast receiver :: #289000
• Android MailRu Email: Thirdparty can access private data files with small user interaction :: #226191
• Vine - overwrite account associated with email via android application :: #187714
• Activities are not Protected and able to crash app using other app (Can Malware or third parry app) :: #65729
• Account takeover intercepting magic link for Arrive app :: #855618

↑ BugBounty Writeups

• Brave — Stealing your cookies remotely
• Hack crypto secrets from heap memory to exploit Android application
• Guest Blog Post: Firefox for Android LAN-Based Intent Triggering
• Arbitrary File Write On Client By ADB Pull
• Vulnerability in Facebook Android app nets $10k bug bounty
• Universal XSS in Android WebView (CVE-2020-6506)
• How two dead accounts allowed REMOTE CRASH of any Instagram android user
• Don’t stop at one bug $$$$
• Arbitrary code execution on Facebook for Android through download feature
• Ability To Backdoor Facebook For Android
• From Android Static Analysis to RCE on Prod
• Smear phishing: a new Android vulnerability
• Hunting Android Application Bugs Using Android Studio
• Android pin bypass with rate limiting
• Global grant uri in Android 8.0-9.0
• From N/A to Resolved For BackBlaze Android App[Hackerone Platform] Bucket Takeove
• Xiaomi Android : Harvest private/system files (Updated POC)
• Indirect UXSS issue on a private Android target app
• Full Account Takeover (Android Application)
• NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114]
• Address bar spoofing in Firefox Lite for Android and the idiocy that followed
• One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse

↑ CTF Challenge Writeups

• Good old friend - THCon 2021 - by cryptax
• draw.per - THCon 2021 - by cryptax
• Water Color - S4CTF 2021 - by 1gn1te
• Memedrive - RITSEC CTF 2021 - by klefz
• ezpz - darkCON CTF - by karma9874
• Fire in the Androiddd - darkCON CTF - by karma9874
• MobaDEX - HackTM CTF Finals 2020 - by umutoztunc
• hehe - PhantomCTF 3.0 - by FrigidSec
• Vault 101 - Hackers Playground 2020 - by saketupadhyay
• android - Google Capture The Flag 2020 - by luker983
• android - Google Capture The Flag 2020 - by s3np41k1r1t0
• android - Google Capture The Flag 2020 - by TFNS
• android - Google Capture The Flag 2020 - by NicolaiSoeborg
• prehistoric mario - ALLES! CTF 2020 - by ARESxCyber
• prehistoric mario - ALLES! CTF 2020 - by ashiq
• Tamarin - TokyoWesterns CTF 6th 2020 - by pwning
• Tamarin - TokyoWesterns CTF 6th 2020 - by hxp
• Tamarin - TokyoWesterns CTF 6th 2020 - by Hong5489
• Chasing a lock - RaziCTF 2020 - by ternary-bits
• Chasing a lock - RaziCTF 2020 - by Londek
• Chasing a lock - RaziCTF 2020 - by t3rmin0x
• Chasing a lock - RaziCTF 2020 - by blackbear666
• CTF Coin - RaziCTF 2020 - by cthulhu
• CTF Coin - RaziCTF 2020 - by t3rmin0x
• Friends - RaziCTF 2020 - by cthulhu
• Friends - RaziCTF 2020 - by t3rmin0x
• Meeting - RaziCTF 2020 - by t3rmin0x
• Strong padlock - RaziCTF 2020 - by t3rmin0x
• Strong padlock - RaziCTF 2020 - by Al3x2
• Strong padlock - RaziCTF 2020 - by Londek
• tough - RaziCTF 2020 - by t3rmin0x

↑ Healthy Digests

• Let's Reverse Engineer an Android App! - Well written blogpost by M.Yasoob Ullah Khalid, which explains how APK reverse engineering generally works.
• Reverse Engineering Nike Run Club Android App Using Frida - In this blogpost M.Yasoob Ullah Khalid, tell about How we can reverse an android application using Frida.
• Android Application Security Series - Well structured, Android Application Security Series. Start learning from this healthy digest. In this series Aditya covered OWASP MOBILE TOP 10 vulnerabilities in detailed form.
• Android App Reverse Engineering 101 - Wanna learn reverse engineering of Android Applications? If yes, then dive into this course. I learned a lot from this, huge thanks to maddiestone.
• MOBISEC - Hands-On classes, slides related to mobile security. I recommend everyone to watch all the recordings of class sessions. Kudos Yanick Fratantonio sir, thank you for all the sessions.
• Oversecured Blog - One of the best blog for android security, I love to read all the posts twice in a month. ❤️

↑ Vulnerable Applications

• hpAndro - One of the nice vulnerable android application to practice. Plenty of challenges are there, and most of the challenges are beginner friendly. I recommend everyone to checkout this vulnerable application. This challenge is maintained by hpandro1337, you can also checkout his YouTube Channel : Android AppSec.
• InjuredAndroid - A vulnerable android application ctf examples based on bug bounty findings, exploitation concepts, and pure creativity. Created and maintained by B3nac.
• Oversecured Vulnerable Android App - an Android app that aggregates all the platform's known and popular security vulnerabilities. Plenty of vulnerabilities are there to practice our Security skills. Vulnerable Lab maintained by Bagipro.
• MOBISEC Challenges - Plenty of challenges are there related to Android App development, Reversing of Android Application and Exploitations. Challenges created by sir Yanick Fratantonio. This is in my TODO list...

Wanna Contact with me?

• LinkedIn : iamsarvagyaa
• Twitter : iamsarvagyaa
• Instagram : iamsarvagyaa
• Keybase : iamsarvagyaa
• E-mail : [email protected]

📣 If you enjoyed this project and wanna appreciate me, Buy me a cup of coffee. You can also help via sharing this project among the community to help it grow. You may support me on Buy me a coffee, monetary contributions are always welcome. If you wish to sponsor this project, ping me - iamsarvagyaa[at]gmail.com