Posts

Showing posts with the label addJavascriptInterface

About addJavascriptInterface abuse in Android Browsers

Image
So I started out writing this post like most of the other posts I've been writing this year, just another rash vulnerability disclosure; but I decided to turn it into more of a discussion about the addJavascriptInterface vulnerability.

I base my discussions here on some vulnerabilities I've found in various Android Browser apps. I'm going to specifically talk about some novel methods I used to enumerate Browser applications using JavaScript bridges insecurely. Obviously, in finding out how to detail the existence of the vulnerability you will also learn how to protect your applications from the discussed exploitation methods.


Grepping for Glory : using grep to uncover Android Application Level Vulns

Image
I've spent some time trawling through masses of Android App Sauce lately and I thought I'd share some quick tips and tricks that can help you uncover some critical vulnerabilities. In this post I'll discuss some basic bash scripting that pin points code being either in Java or Jasmin/Smali form.

A quick disclaimer, 

the screenshots below are from actual apps sourced from the play store, I've used real examples here to motivate the need to look for the mentioned vulnerabilities and detail how easy they are to find. Although I've made sure to santize them for any useable or exploitable information seeing that some of these apps have been downloaded hundreds of the thousands of times.