First, I’d like to point out that this lab can be solved using easier approaches such as Frida scripts or patching the Mach‑O binary and reinstalling the modified application. However, I challenged...

In a recent bug bounty program, I came across two interesting vulnerabilities in a mobile application. Each presented a unique challenge and a valuable learning experience. 1. Sensitive Log Vulne...

TL;DR: Thick-client applications (desktop/native clients) are ubiquitous in enterprise environments and require a comprehensive blend of binary analysis, OS-level testing, network protocol examinat...

Hi everyone! In this article, I’ll walk you through an example of hacking a Unity application using a tool called dnSpy. The target? A Unity game developed by my friend George. It all started when...

Identify Exposed Services Exposed Services offer another interesting threat surface for applications and in this course we will learn what it is about. Activity: Runs in the foreground and ren...

Basic Broadcast Receivers There are two ways how broadcast receivers could be used by an app. First they could be exported via the AndroidManifest.xml with a <receiver> tag. The other way i...

WebViews vs. CustomTabs Many apps are not written in Java or Kotlin, but get implemented in Javascript and HTML that then gets rendered in a WebViews. So when looking for security issues in apps, ...

Exported vs. Non-Exported Components The strongest protection against malicious apps, is to simply not export any components. But the attribute android:exported="false" is not the only way to prot...

Android Storage Overview Shared Preferences Databases Cache Files While the topic of Content Providers is closely related to data and file storage, we decided to place it into a separate ...

How to Access Contacts on Android? To learn about Content Providers, we can start by looking at the Contacts stored on the phone, and how an app can access them. This is actually also implemented ...