Sergey Toshin (@_bagipro)

146 posts

Ranked as the #1 security researcher for Google Play Security Rewards Program. The founder of @OversecuredInc Android and iOS vulnerability scanners

Joined December 2015
186 Following, 7K Followers
Sergey Toshin (@_bagipro):
[4/4] If the implementation of ContentProvider.getType(), query(), openFile() does anything other than simply returning a ParcelFileDescriptor or data from a database (making directories, debug mode, dumping logs), an attacker can trigger it this way and gain privilege escalation
0
0
11
1.1K
Sergey Toshin (@_bagipro):
[2/4] But system apps ("android.uid.system" and maybe systemui) automatically bypass these restrictions and can access arbitrary components.
[3/4] It's trivial to force a system app to call ContentResolver.query() or openInputStream() for an arbitrary Uri.
1
1
11
1.7K
Sergey Toshin (@_bagipro):
An attack on Android content providers that researchers might overlook. [1/4] Android has a mechanism to restrict access using the exported attribute or by requiring permissions.
3
12
78
5.7K
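The content-provider thread above ([1/4] to [4/4], shown newest first) boils down to one defensive rule: because a privileged caller can be made to invoke getType(), query() or openFile() on any provider, those entry points must do nothing but return data. The provider below is an added illustration written for this page, not code from the thread or from Oversecured; the class name, the "reports" directory and the column set are assumptions. Every entry point either returns a read-only descriptor or a cursor, or refuses; none of them creates directories, flips debug state or writes logs.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

/**
 * Hypothetical provider (not from the thread) whose entry points only return data.
 * Nothing here creates directories, toggles debug flags, dumps logs or otherwise
 * changes state, so a call that arrives via a privileged caller has nothing to abuse.
 */
public final class ReportProvider extends ContentProvider {
    private static final String[] COLUMNS = {"name", "size"};
    private File baseDir;  // the only directory this provider will ever hand out

    @Override
    public boolean onCreate() {
        // Assumed location; the containment check below is what keeps callers inside it.
        baseDir = new File(getContext().getFilesDir(), "reports");
        return true;
    }

    /** Map the last path segment onto a file inside baseDir, rejecting anything that escapes it. */
    private File resolve(Uri uri) throws FileNotFoundException {
        String name = uri.getLastPathSegment();
        if (name == null || name.isEmpty()) throw new FileNotFoundException(uri.toString());
        try {
            File candidate = new File(baseDir, name).getCanonicalFile();
            File root = baseDir.getCanonicalFile();
            // Canonical path must sit strictly below the canonical base directory.
            if (!candidate.getPath().startsWith(root.getPath() + File.separator)) {
                throw new FileNotFoundException(uri.toString());
            }
            return candidate;
        } catch (IOException e) {
            throw new FileNotFoundException(uri.toString());
        }
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("read-only provider");
        // Read-only descriptor; no side effects before or after the open.
        return ParcelFileDescriptor.open(resolve(uri), ParcelFileDescriptor.MODE_READ_ONLY);
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        MatrixCursor cursor = new MatrixCursor(COLUMNS);
        try {
            File f = resolve(uri);
            if (f.isFile()) cursor.addRow(new Object[]{f.getName(), f.length()});
        } catch (FileNotFoundException ignored) {
            // Unknown entry: empty cursor, and nothing else happens.
        }
        return cursor;
    }

    @Override
    public String getType(Uri uri) {
        return "application/octet-stream";  // constant answer, no lookup with side effects
    }

    // Mutating entry points are refused outright rather than wired to anything.
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection,
                                String[] selectionArgs) { return 0; }
}
```

The point the thread makes is that `android:exported="false"` and permission attributes are not the last line of defence for a provider: the code behind each entry point has to be safe to call with an arbitrary Uri from a caller the app did not expect, which is why the example keeps all side effects out of the request path.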
Sergey Toshin (@_bagipro):
We’re hiring a Mobile App Security Expert! What you'll do:
- Research Android/iOS internals and ship new SAST/DAST checks
- Turn real-world findings into PoCs and write-ups
- Be the technical voice with customers: explain findings, advise architecture, guide CI/CD setup
6
17
156
14.6K
Sergey Toshin (@_bagipro):
[4/4] Limitations:
1. The lack of scheme validation
2. You also need to bypass the network security config:
- Easy case: usesCleartextTraffic is set to "true"
- Hard case: checking the app's network security config and trying to load your own host (or you control DNS responses)
0
0
11
2.9K
Sergey Toshin (@_bagipro):
[3/4] This will only work if the scheme isn't validated either. This attack can increase the impact in cases when, e.g., the victim's access token is appended to the request headers
1
0
9
3.2K
Sergey Toshin (@_bagipro):
New Android host validation bypass technique! [1/4] All parsed URIs in Android are android.net.Uri.StringUri objects. However, the scheme parser only looks for the ":" delimiter
[3 image attachments]
5
73
299
28.1K
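The host-validation thread above ([1/4], [3/4] and [4/4]; [2/4] is in the images) says the attack only works when the app checks the host but not the scheme, and that the network security config is the remaining hurdle. The validator below is an added example written for this page, not code from the thread; it uses the real android.net.Uri API, while the class name and the allowlisted host are assumptions. It rejects a Uri unless the scheme is exactly https, there is no userinfo component, the port is absent or 443, and the host matches an allowlist entry exactly rather than by suffix.

```java
import android.net.Uri;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical Uri gate (not from the thread). The app should only attach credentials,
 * such as an access token header, to requests whose Uri passes this check.
 */
public final class StrictUriValidator {
    // Assumed allowlist; real apps would load this from configuration.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("api.example.com"));

    /** True only for an https URL whose host is exactly on the allowlist. */
    public static boolean isTrusted(Uri uri) {
        // Opaque Uris (e.g. "mailto:" style) have no authority to validate; refuse them.
        if (uri == null || !uri.isHierarchical()) return false;

        // Scheme check first: a host match alone is what the thread says is insufficient.
        String scheme = uri.getScheme();
        if (scheme == null || !"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;

        // "user@host" forms are refused so the authority cannot hide a second name.
        if (uri.getUserInfo() != null) return false;

        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;

        // Only the default TLS port, or none, is accepted.
        int port = uri.getPort();
        if (port != -1 && port != 443) return false;

        // Exact, case-insensitive match; no endsWith() or contains() shortcuts.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Convenience overload for callers that still hold the raw string. */
    public static boolean isTrusted(String rawUri) {
        if (rawUri == null) return false;
        return isTrusted(Uri.parse(rawUri));
    }

    private StrictUriValidator() {}
}
```

Pairing this check with a network security config that leaves cleartext traffic disabled closes both of the limitations the [4/4] tweet lists: the scheme check stops non-https schemes from being treated as a trusted host, and the config stops plain-http fallbacks from being loadable at all.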
Sergey Toshin (@_bagipro):
@m1ru1 @hkashfi Antiviruses won’t protect. Just install every app and OS update once available
0
0
3
172
@m1ru1 (@m1ru1):
@_bagipro @hkashfi I know you are working mainly on mobile apps vuln, but do you have recommendations for android av scanner? Quite worried with new android phones with backdoors
1
0
0
181
Hamid Kashfi (@hkashfi):
Wait, Temu (the infamous online sale app) was abusing CVE-2023-20963 on Android devices until they caught the developer and removed it? I want full analysis for that case alone!
Quoting Oversecured (@OversecuredInc): 🚨 Security Alert: Over 2 billion Android users and 100 million Pixel users may be at risk of file theft, VPN bypass, unauthorized Bluetooth access, and geolocation leaks. Visit our blog for details. blog.oversecured.com/Disclosure-of-…
14
333
2.3K
192K
Sergey Toshin (@_bagipro):
@hkashfi 2/2 However, based on exploit codes and other public comments, it's not about "spying on its users", but about advertising itself in rural Chinese areas
0
1
5
382
Sergey Toshin (@_bagipro):
@hkashfi 1/2 This story isn't about the abuse of CVE-2023-20963. I've personally checked the exploit pack used by the PDD app, it contained about 50 exploits, most of them for different Android vendors (LG, Xiaomi, Huawei, Samsung, etc)
3
3
13
1.4K
Sergey Toshin reposted
Oversecured (@OversecuredInc):
🚨 Security Alert: Over 2 billion Android users and 100 million Pixel users may be at risk of file theft, VPN bypass, unauthorized Bluetooth access, and geolocation leaks. Visit our blog for details. blog.oversecured.com/Disclosure-of-…
9
137
447
225.8K
Sergey Toshin (@_bagipro):
@MishaalRahman @EpicGames It seems to be INSTALL_PACKAGES if you want to install an app without any user interaction. But on the latest Androids, it's a hell from the user's perspective to get such a permission granted for a non-default/pre-installed app, similar to getting device admin permissions
1
0
0
226
Mishaal Rahman (@MishaalRahman):
@_bagipro @EpicGames You're saying they want to avoid having to request the REQUEST_INSTALL_PACKAGES permission? I guess that makes sense given their arguments in court.
2
0
19
1.7K
Mishaal Rahman (@MishaalRahman):
Curious why the @EpicGames app for Android doesn't use Android's session-based installation API. Instead, it tries to install APKs by sending the android.intent.action.VIEW intent and letting the system Package Installer app handle the installation. Unless I'm mistaken, since it's using the non-session based installation method, then Epic Games Store can't take advantage of the Android APIs that would let it update apps without user action (introduced in Android 12) or declare update ownership (introduced in Android 14). Any ideas @TimSweeneyEpic?
[image attachment]
7
6
142
9.6K
Sergey Toshin (@_bagipro):
We have updated scan reports for all Google phone apps and additionally included reports for Wear OS, Android TV, Android Desktop, and Android Auto! Time to report the vulnerabilities to bughunters.google.com! blog.oversecured.com/Oversecured-Ap…
Quoting Sergey Toshin (@_bagipro): Android bug hunters, your chance to get rewards from Google. Only Google has agreed to release the reports without prior fixes. I see dozens of valid bugs (and I submitted 0 of them).
2
9
79
18.7K
Sergey Toshin reposted
Thomas Brewster (@iblametom):
NEW - A whole bunch of fresh Xiaomi vulnerabilities discovered by researchers who say they're serious and all users should update ASAP. forbes.com/sites/thomasbr…
1
8
23
25.5K
Sergey Toshin reposted
Oversecured (@OversecuredInc):
🔎📱 We found 20 vulnerabilities in Xiaomi apps that could have let someone steal your data. No worries, it's already fixed. To keep your data safe, update your phone. blog.oversecured.com/20-Security-Is…
[image attachment]
0
27
57
12.3K