Niraj Kharel

Stream URI Read via openInputStream

There is a class of bug that is easy to find and rarely reported: an exported activity that calls contentResolver.openInputStream on a URI from intent.getData() or a Uri extra without checking what...

Android - File Write via an Exported Activity

The file write primitive is the inverse of the file read primitive. Instead of getting bytes out of the target app’s private storage, you get bytes in. It is rarer than the read primitive but when ...

Android - Reading Private Files via WebView file://

Android WebView’s file:// scheme is a feature from a time when hybrid apps needed to load bundled HTML from assets/. It is still on by default. Combined with an intent injection that controls the W...

Android - JavaScript Bridge RCE

A JavaScript bridge is a code-execution primitive sitting one HTML payload away. The developer attaches a native object to a WebView so the web layer can call into native code; whatever they expose...

Android - Intent Redirection to Internal Activities

Intent redirection is the bug that explains why a properly-permission-protected internal activity can still be reached by any installed third-party app. The reason is rarely the protection on the i...

Android - Parcelable Redirection

The intent injection class we have covered so far, where a string extra ends up in WebView.loadUrl, is the easy case. There is a sister vulnerability that is more common, less reported, and harder ...

Android - Escalating a WebView Intent Injection

After the last post on intent injection through exported activities, a few people reached out with the same kind of feedback. Their target apps had an exported activity, the activity took an extra ...

Android - Extracting App Data with adb backup

android:allowBackup defaults to true if not specified in the manifest. The setting was designed so users can restore their app data after a factory reset. The side effect: adb backup can dump the app...

Threat Hunting Basics

Threat hunting is the proactive practice of searching for hidden threats or malicious activity within an organization’s environment, before or sometimes after alerts are trigg...

Offensive C - QueueUserAPC (Early Bird APC Injection)

I have already discussed Early Bird APC Injection using the QueueUserAPC method on this blog. At a high level, in the old method we start by creating a suspended process, for example Not...