Forwarded from The Bug Bounty Hunter
Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html
https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html
Blogspot
Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641
Posted by Samuel Groß, Project Zero Introduction This is the first blog post in a three-part series that will detail how a vulnerability...
Forwarded from The Bug Bounty Hunter
Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-2.html
Blogspot
Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass
Posted by Samuel Groß, Project Zero This post is the second in a series about a remote, interactionless iPhone exploit over iMessage.The f...
Forwarded from The Bug Bounty Hunter
Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-3.html
Blogspot
Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution
This is the third and last post in a series about a remote, interactionless iPhone exploit over iMessage. The first blog post introduced t...
Joker Trojan Family history by Google
-tracked since 2017
-removed 1.7K unique apps before going public
-SMS fraud then WAP billing (as we know Joker now)
-at peak, 23 different Jokers submitted in one day to Google Play
https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html
-tracked since 2017
-removed 1.7K unique apps before going public
-SMS fraud then WAP billing (as we know Joker now)
-at peak, 23 different Jokers submitted in one day to Google Play
https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html
Google Online Security Blog
PHA Family Highlights: Bread (and Friends)
Posted by Alec Guertin and Vadim Kotov, Android Security & Privacy Team In this edition of our PHA Family Highlights series we introdu...
Memory corruption vulnerability in audio processing during a voice call in #WeChat app
Report includes PoC code + steps how to reproduce the bug
https://bugs.chromium.org/p/project-zero/issues/detail?id=1948
Report includes PoC code + steps how to reproduce the bug
https://bugs.chromium.org/p/project-zero/issues/detail?id=1948
Researchers find that 17 of 140 major online services are vulnerable to SIM swapping attacks
https://www.zdnet.com/article/academic-research-finds-five-us-telcos-vulnerable-to-sim-swapping-attacks/
https://www.zdnet.com/article/academic-research-finds-five-us-telcos-vulnerable-to-sim-swapping-attacks/
ZDNet
Academic research finds five US telcos vulnerable to SIM swapping attacks
Researchers find that 17 of 140 major online services are vulnerable to SIM swapping attacks.
Detect Frida for Android
https://darvincitech.wordpress.com/2019/12/23/detect-frida-for-android/
https://darvincitech.wordpress.com/2019/12/23/detect-frida-for-android/
Darvin's Blog
Detect Frida for Android
Frida is a dynamic instrumentation framework and has remained as the most popular reverse engineering tool among security researchers, pentesters and even the bad actors. Frida is more robust compa…
Security hardening of Android native code
https://darvincitech.wordpress.com/2020/01/07/security-hardening-of-android-native-code/
https://darvincitech.wordpress.com/2020/01/07/security-hardening-of-android-native-code/
Darvin's Blog
Security hardening of Android native code
This post is in-fact a continuation of my previous post on Frida detection. In this post, I will explain the mechanisms I have followed in hardening the native code written for Frida detection.Gene…
"Research shows that 91% of pre-installed apps do not appear in Google Play"
Privacy International and over 50 other organisations have submitted a letter asking Google to take action against exploitative pre-installed software on Android devices.
http://privacyinternational.org/advocacy/3320/open-letter-google
Privacy International and over 50 other organisations have submitted a letter asking Google to take action against exploitative pre-installed software on Android devices.
http://privacyinternational.org/advocacy/3320/open-letter-google
Privacy International
An open letter to Google
Today, Privacy International and over 50 other organisations have submitted a letter to Alphabet Inc. CEO Sundar Pichai asking Google to take action against exploitative pre-installed software on Android devices.
You can find the letter below. Add your voice…
You can find the letter below. Add your voice…
Android Trojan Shopper
It can disable the Google Play Protect service, generate fake reviews, install malicious apps, show ads, and more
https://securelist.com/smartphone-shopaholic/95544/
It can disable the Google Play Protect service, generate fake reviews, install malicious apps, show ads, and more
https://securelist.com/smartphone-shopaholic/95544/
Securelist
Smartphone shopaholic
Have you ever noticed strange reviews of Google Play apps that look totally out of place? Their creators might give it five stars, while dozens of users rate it with just one, and in some cases the reviews seem to
Updated House (runtime mobile application analysis toolkit) can hook functions in dynamically loaded dex/jar files
https://github.com/nccgroup/house
https://github.com/nccgroup/house
GitHub
nccgroup/house
A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python. - nccgroup/house
How to make your Android app network communication secure
https://infinum.com/the-capsized-eight/how-to-prepare-your-android-app-for-a-pentest
https://infinum.com/the-capsized-eight/how-to-prepare-your-android-app-for-a-pentest
Infinum
How to Prepare Your Android App for a Pentest – Networking Edition
Making your app as secure as possible is a must when developing an application, especially if you deal with sensitive user information. To identify the weak spots of your application's security, it is good practice to have it tested by mobile security experts.…
Subscription scams found on Google Play -
25 apps with almost 600M installs
https://news.sophos.com/en-us/2020/01/14/fleeceware-apps-persist-on-the-play-store/
25 apps with almost 600M installs
https://news.sophos.com/en-us/2020/01/14/fleeceware-apps-persist-on-the-play-store/
Sophos News
Fleeceware apps persist on the Play Store
Fleeceware remains a problem on Google Play, where Android users still run the risk of being charged hundreds of dollars or euros for “subscriptions” to apps
All iPhones running iOS 10 or later can now be used as hardware security keys for Google accounts
https://www.zdnet.com/article/you-can-now-use-an-iphone-as-a-security-key-for-google-accounts/
Step-by-step tutorial: https://support.google.com/accounts/answer/9289445
https://www.zdnet.com/article/you-can-now-use-an-iphone-as-a-security-key-for-google-accounts/
Step-by-step tutorial: https://support.google.com/accounts/answer/9289445
ZDNet
You can now use an iPhone as a security key for Google accounts
All iPhones running iOS 10 or later can now be used as hardware security keys for Google accounts.
Seventeen Android HiddenAd Trojans Found in Google Play With Total Over 550K Downloads
https://labs.bitdefender.com/2020/01/seventeen-android-nasties-spotted-in-google-play-total-over-550k-downloads/
https://labs.bitdefender.com/2020/01/seventeen-android-nasties-spotted-in-google-play-total-over-550k-downloads/
Bitdefender Labs
Seventeen Android Nasties Spotted in Google Play, Total Over 550K...
Bitdefender researchers recently found 17 Google Play apps that, once installed, start hiding their presence on the user’s device and... #aggressiveadware #androidadware #androidaggressiveadware
Android Enterprise Security Whitepaper
https://static.googleusercontent.com/media/www.android.com/en//static/2016/pdfs/enterprise/Android_Enterprise_Security_White_Paper_2019.pdf
https://static.googleusercontent.com/media/www.android.com/en//static/2016/pdfs/enterprise/Android_Enterprise_Security_White_Paper_2019.pdf
Vulnerability in Android OneDrive app allowed to bypass passcode or fingerprint
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0654
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0654
How to develope and test secure #iOS apps + video demos #MASVS #MSTG
https://www.dropbox.com/sh/tsog4fwa3wg4rd9/AADuNKjtQNaliYSBjr28SevPa?dl=0
https://www.dropbox.com/sh/tsog4fwa3wg4rd9/AADuNKjtQNaliYSBjr28SevPa?dl=0
Dropbox
iOS Conf - Download
Shared with Dropbox
Chinese phone maker OPPO partners with #HackerOne to launch bug bounty program
https://security.oppo.com/en/
https://security.oppo.com/en/