android-security

2 articles

Researcher bypassed custom token-based brute force protection in an Android mobile app by reverse-engineering a native .so library with JADX, extracting it via ADB, analyzing it with IDA, and using FRIDA to dynamically inject JavaScript that overloaded the token generation function at runtime, allowing arbitrary token generation and defeating the rate-limiting mechanism.

FRIDA JADX IDA Burpsuite Android APK
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 15 hours ago

ByteDance's Pangle SDK, embedded in 40+ popular apps including Duolingo and BeReal, transmits sensitive device fingerprinting data (battery level, IP address, storage, IDFV) encrypted with AES-256-CBC where the encryption key and IV are embedded in every message in plaintext, making the encryption trivial to break via reverse-engineered SDK code. Additionally, a hardcoded AES key was found in the native library, shared across all SDK versions.

ByteDance Pangle SDK Duolingo BeReal Character.AI Wattpad Letterboxd HelloTalk SmartNews Sweatcoin CamScanner libtobEmbedPagEncrypt.so libpglarmor.so PangleEncryptManager.java PglCryptUtils.java aT.java AES-256-CBC ECIES api16-access-ttp.tiktokpangle.us
buchodi.com · ibobev · 2 days ago · hn