Awesome
Android-Reports-and-Resources
HackerOne Reports
Hardcoded credentials
Disclosure of all uploads via hardcoded api secret
https://hackerone.com/reports/351555
WebView
Android security checklist: WebView
https://blog.oversecured.com/Android-security-checklist-webview/
Insecure deeplinks
Account Takeover Via DeepLink
https://hackerone.com/reports/855618
Sensitive information disclosure
https://hackerone.com/reports/401793
RCE/ACE
Why dynamic code loading could be dangerous for your apps: a Google example
RCE in TinyCards for Android
https://hackerone.com/reports/281605 - TinyCards made this report private.
Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC
https://hackerone.com/reports/971386
CVE-2020-8913: Persistent arbitrary code execution in Google Play Core library
https://blog.oversecured.com/Oversecured-automatically-discovers-persistent-code-execution-in-the-Google-Play-Core-Library/ - Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC - CVE-2020-8913
TikTok: three persistent arbitrary code executions and one theft of arbitrary files
https://blog.oversecured.com/Oversecured-detects-dangerous-vulnerabilities-in-the-TikTok-Android-app/ - Oversecured detects dangerous vulnerabilities in the TikTok Android app
Memory corruption
Exploiting memory corruption vulnerabilities on Android
https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/ - Exploiting memory corruption vulnerabilities on Android + an example of such vulnerability in PayPal apps
Cryptography
Use cryptography in mobile apps the right way
https://blog.oversecured.com/Use-cryptography-in-mobile-apps-the-right-way/
SQL Injection
SQL Injection in Content Provider
https://hackerone.com/reports/291764
Session theft
Steal user session
https://hackerone.com/reports/328486
Steal files
Android security checklist: theft of arbitrary files
https://blog.oversecured.com/Android-security-checklist-theft-of-arbitrary-files/
How to exploit insecure WebResourceResponse configurations + an example of the vulnerability in Amazon apps
https://blog.oversecured.com/Android-Exploring-vulnerabilities-in-WebResourceResponse/ - Android: Exploring vulnerabilities in WebResourceResponse
Vulnerable to local file steal, Javascript injection, Open redirect
https://hackerone.com/reports/499348
Token leakage due to stolen files via unprotected Activity
https://hackerone.com/reports/288955
Steal files due to exported services
https://hackerone.com/reports/258460
Steal files due to unprotected exported Activity
https://hackerone.com/reports/161710
Steal files due to insecure data storage
https://hackerone.com/reports/44727
Insecure local data storage, makes it easy to steal files
https://hackerone.com/reports/57918
Bypasses
Accidental $70k Google Pixel Lock Screen Bypass
https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/
Golden techniques to bypass host validations
https://hackerone.com/reports/431002
Two-factor authentication bypass due to vuln endpoint
https://hackerone.com/reports/202425
Another endpoint Auth bypass
https://hackerone.com/reports/205000
Bypass PIN/Fingerprint lock
https://hackerone.com/reports/331489
Bypass lock protection
https://hackerone.com/reports/490946
Bypass of biometrics security functionality
https://hackerone.com/reports/637194
XSS
HTML Injection in BatterySaveArticleRenderer WebView
https://hackerone.com/reports/176065
XSS via SAMLAuthActivity
https://hackerone.com/reports/283058
XSS in ImageViewerActivity
https://hackerone.com/reports/283063
XSS via start ContentActivity
https://hackerone.com/reports/189793
XSS on Owncloud webview
https://hackerone.com/reports/87835
Privilege Escalation
20 Security Issues Found in Xiaomi Devices
https://blog.oversecured.com/20-Security-Issues-Found-in-Xiaomi-Devices/
Discovering vendor-specific vulnerabilities in Android
https://blog.oversecured.com/Discovering-vendor-specific-vulnerabilities-in-Android/
Common mistakes when using permissions in Android
https://blog.oversecured.com/Common-mistakes-when-using-permissions-in-Android/
Two weeks of securing Samsung devices: Part 2
https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-2/
Two weeks of securing Samsung devices: Part 1
https://blog.oversecured.com/Two-weeks-of-securing-Samsung-devices-Part-1/
Intent Spoofing
https://hackerone.com/reports/97295
Access of some not exported content providers
https://hackerone.com/reports/272044
Access protected components via intent
https://hackerone.com/reports/200427
Fragment injection
https://hackerone.com/reports/43988
Javascript injection
https://hackerone.com/reports/54631
CSRF
Deeplink leads to CSRF in follow action
https://hackerone.com/reports/583987
Case sensitive account collisions
overwrite account associated with email via android application
https://hackerone.com/reports/187714
Intercept Broadcasts
Possible to intercept broadcasts about file uploads
https://hackerone.com/reports/167481
Vulnerable exported broadcast reciever
https://hackerone.com/reports/289000
View every network request response's information
https://hackerone.com/reports/56002
Practice Apps
Oversecured Vulnerable Android App
A vulnerable app showing modern security bugs in Android apps
Damn Vulnerable Bank
Vulnerable Banking Application for Android
InsecureShop
Intentionally Vulnerable Android Application
Vuldroid
Vulnerable Android Application made with security issues
InjuredAndroid
Android-InsecureBankv2
Damn Insecure and Vulnerable app
Damn Insecure and vulnerable App for Android
OWASP-GoatDroid-Project
Sieve mwrlabs
Tools
Resources
Detect secret leaks in Android apps online
Attacking vulnerable Broadcast Recievers
Android Webview Vulnerabilities
Android reverse engineering recon
Webview addjavascriptinterface RCE
Install PLayStore On Android Emulator
Android: Access to app protected components
Android: arbitrary code execution via third-party package contexts
Interception of Android implicit intents
Evernote: Universal-XSS, theft of all cookies from all sites, and more