Niraj Kharel

Android - App Link autoVerify=false

Android App Links let apps claim ownership of HTTPS domains so that links to those domains open directly in the app instead of showing a browser or a chooser. The claim becomes authoritative when t...

Android - Inspecting the React Native Bridge

React Native apps have a JavaScript runtime and a native runtime, with a bridge between them. The bridge is enumerable - apps expose a collection of NativeModules that JavaScript can call. Each mod...

Android - Janus and v1-Only APK Signing

CVE-2017-13156 (Janus) lets an attacker prepend a malicious DEX to an APK and have the system execute the prepended DEX while the v1 signature still verifies. v1 signs files inside the ZIP, not the...

Android - Tokens and PII in Logcat

Log.d, Log.v, Log.i calls in production builds dump strings to logcat. On Android 4.1+ the READ_LOGS permission is signature-only, so a regular third-party app cannot read another app’s logs. But a...

Android - Class.forName from an Intent Extra

Class.forName(intent.getStringExtra("class_name")) is one step short of the dynamic-code-loading bug. The attacker cannot supply new code, but they can pick which existing class on the app’s classp...

Android - Dynamic Code Loading via DexClassLoader

Apps that load code at runtime from outside the APK - via DexClassLoader, PathClassLoader, or InMemoryDexClassLoader - are common in plugin architectures, dynamic feature modules, and hot-patch fra...

Android - Notification Title Spoofing

Android displays the posting app’s name and icon alongside every notification - you cannot lie about which app sent it. What you can control is the content: title, body, channel name, and what happ...

Android - Task Hijacking and StrandHogg 2.0

Android manages activities in stacks called tasks. Each task has a taskAffinity — a string that determines which task an activity belongs to. When no taskAffinity is declared on an activity, Androi...

Android - Network Security Config Trust-Anchor Override

network_security_config.xml is Android’s declarative way to control TLS trust. From API 24, Android stopped trusting user-installed CAs by default - apps had to explicitly opt in. That protection d...

Android - HostnameVerifier That Returns True

A HostnameVerifier that returns true unconditionally means TLS connections accept any hostname as long as the certificate is valid for some hostname. A network attacker with a Let’s Encrypt cert fo...