A HostnameVerifier that returns true unconditionally means TLS connections accept any hostname as long as the certificate is valid for some hostname. A network attacker with a Let’s Encrypt cert fo...
Android - Keystore Without User-Auth Binding
The AndroidKeystore system is the right place to store crypto keys. Keys never leave the secure hardware, and the OS enforces access. The detail that determines whether this is actually secure: setUser...
Android - FileProvider Over-Broad Root-Path
FileProvider is how Android apps safely share files with each other without exposing private storage directly. You configure it with an XML file that says which directories are shareable, and the f...
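An added example, not code from the page: a small Python audit that reads a FileProvider `<paths>` resource and flags roots that share more than one subdirectory. The element-to-directory mapping follows the FileProvider documentation; the sample XML, the `name` values and the severity labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Where each <paths> element is rooted on the device (per the FileProvider docs).
BASE_DIRS = {
    "files-path": "Context.getFilesDir()",
    "cache-path": "Context.getCacheDir()",
    "external-path": "Environment.getExternalStorageDirectory()",
    "external-files-path": "Context.getExternalFilesDir(null)",
    "external-cache-path": "Context.getExternalCacheDir()",
    "external-media-path": "Context.getExternalMediaDirs()",
    "root-path": "/",
}
INTERNAL = {"files-path", "cache-path"}   # the app's private storage


def _whole_base(path):
    # path="", path="." and path="/" (with any surrounding slashes) all mean
    # "the base directory itself", i.e. everything under it is shareable.
    return path.strip().strip("/") in ("", ".")


def audit_fileprovider_paths(xml_text):
    """Return a list of findings (dicts) for over-broad <paths> entries."""
    findings = []
    for el in ET.fromstring(xml_text):
        name, path = el.get("name", "?"), el.get("path", "")
        base = BASE_DIRS.get(el.tag)
        if base is None:
            continue  # not a FileProvider path element; ignore
        if el.tag == "root-path":
            sev, why = "HIGH", "rooted at '/'; every file the app can read becomes shareable"
        elif ".." in path.split("/"):
            sev, why = "HIGH", f"'..' walks out of {base}"
        elif _whole_base(path) and el.tag in INTERNAL:
            sev, why = "HIGH", f"exposes all of {base} instead of one subdirectory"
        elif _whole_base(path):
            sev, why = "MEDIUM", f"exposes all of {base}"
        else:
            continue  # scoped to a subdirectory: what the config is meant to look like
        findings.append({"name": name, "element": el.tag, "path": path,
                         "severity": sev, "reason": why})
    return findings


# Constructed sample resource (res/xml/provider_paths.xml in a typical app).
SAMPLE_PATHS_XML = """<?xml version="1.0" encoding="utf-8"?>
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <files-path name="exports" path="exports/"/>
    <files-path name="everything" path="."/>
    <root-path name="root" path="/"/>
    <external-path name="ext" path="."/>
</paths>
"""

if __name__ == "__main__":
    for f in audit_fileprovider_paths(SAMPLE_PATHS_XML):
        print(f"{f['severity']:6} <{f['element']} name={f['name']!r} path={f['path']!r}>: {f['reason']}")
```

A broad root is not readable by other apps on its own; FileProvider still hands out one URI at a time. The reason it matters is that any code path where a caller influences which file `getUriForFile()` is called on (an exported activity that forwards an intent-supplied path, for instance) now reaches everything under that root rather than one directory, so keep each entry scoped to the subdirectory that is actually meant to be shared.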
Android - SQL Injection in a ContentProvider
ContentProviders that back onto SQLite and accept caller-supplied selection / selectionArgs / sortOrder parameters without parameterization are vulnerable to classic SQL injection. The attack surfa...
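An added example, not code from the page: a Python model of the provider's `query()` built on the same SQLite engine, with the spliced-string version beside a hardened one that only accepts a fixed `col = ?` grammar for `selection` and an allowlisted column for `sortOrder`. The `notes` table, its rows and the function names are constructed for illustration; Android's own mitigation for this class (SQLiteQueryBuilder with a projection map and strict mode) is not what is shown here.

```python
import re
import sqlite3


# Constructed stand-in for the provider's backing table (assumption: a "notes"
# table whose "secret" column must never reach another app's query).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, owner TEXT, "
               "title TEXT, secret TEXT)")
    db.executemany("INSERT INTO notes (owner, title, secret) VALUES (?, ?, ?)",
                   [("alice", "groceries", "alice-token-1"),
                    ("bob", "work", "bob-token-2")])
    return db


# Attacker-supplied selection: closes the provider's parenthesis, UNIONs the
# secret column out for every owner, and comments away the rest of the statement.
INJECTED_SELECTION = "1=1) UNION SELECT _id, secret FROM notes --"


def query_vulnerable(db, caller, selection, selection_args, sort_order):
    """query() as the text describes it: the owner filter is bound safely, but
    selection and sortOrder are spliced into the SQL exactly as the caller sent them."""
    sql = "SELECT _id, title FROM notes WHERE owner = ?"
    params = [caller]
    if selection:
        sql += f" AND ({selection})"        # raw SQL fragment from the caller
        params += list(selection_args or [])
    if sort_order:
        sql += f" ORDER BY {sort_order}"    # equally raw; lands after ORDER BY
    return db.execute(sql, params).fetchall()


ALLOWED_FILTER_COLUMNS = {"_id", "title"}
ALLOWED_SORT_COLUMNS = {"_id", "title"}
_CLAUSE = re.compile(r"^\s*(\w+)\s*=\s*\?\s*$")


def compile_selection(selection):
    """Accept only `col = ?` clauses joined by AND, with allowlisted columns.
    Values must travel in selectionArgs; anything else is rejected outright."""
    if not selection:
        return "", 0
    clauses = []
    for part in re.split(r"\s+AND\s+", selection, flags=re.IGNORECASE):
        m = _CLAUSE.match(part)
        if not m or m.group(1) not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"rejected selection clause: {part!r}")
        clauses.append(f'"{m.group(1)}" = ?')
    return " AND ".join(clauses), len(clauses)


def compile_sort_order(sort_order):
    """Accept `col` or `col ASC|DESC` with an allowlisted column, nothing else."""
    parts = sort_order.split()
    direction = parts[1].upper() if len(parts) == 2 else ""
    if (not 1 <= len(parts) <= 2 or parts[0] not in ALLOWED_SORT_COLUMNS
            or direction not in ("", "ASC", "DESC")):
        raise ValueError(f"rejected sortOrder: {sort_order!r}")
    return f'"{parts[0]}" {direction}'.rstrip()


def query_hardened(db, caller, selection, selection_args, sort_order):
    """Same contract as query_vulnerable, but the caller never contributes SQL text."""
    where, placeholders = compile_selection(selection)
    args = list(selection_args or [])
    if len(args) != placeholders:
        raise ValueError("selectionArgs count does not match the selection")
    sql = 'SELECT "_id", "title" FROM notes WHERE "owner" = ?'
    if where:
        sql += f" AND ({where})"
    if sort_order:
        sql += " ORDER BY " + compile_sort_order(sort_order)
    return db.execute(sql, [caller] + args).fetchall()


def is_rejected(query, *args):
    """True if the query function refuses the request with ValueError."""
    try:
        query(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", query_vulnerable(db, "alice", INJECTED_SELECTION, None, None))
    print("hardened rejects:", is_rejected(query_hardened, db, "alice", INJECTED_SELECTION, None, None))
```

The restricted grammar is deliberately narrow; a provider that must support richer filters should widen it clause by clause rather than fall back to passing the caller's string through.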
Android - ContentProvider Path Traversal
A ContentProvider is how one app hands data to another. The caller asks for a content:// URI, the provider answers - a row, a file, a stream. When the data is a file, the provider overrides openFil...
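An added example, not code from the page: a Python model of what `openFile()` does with the URI path, showing the naive join beside a resolution that decodes once, canonicalises and then proves the result is still under the provider's directory. `PROVIDER_ROOT` and the file names are assumptions; the symlink check builds its own temporary directory tree.

```python
import os
import tempfile
from urllib.parse import unquote

# Assumed directory the provider is meant to serve from (illustrative path).
PROVIDER_ROOT = "/data/data/com.example.app/files/shared"


def open_file_vulnerable(uri_path, root=PROVIDER_ROOT):
    """openFile() as often written: join the URI path under the root and open it.
    Returns the path that would be opened; nothing stops '..' from walking out."""
    return os.path.join(root, uri_path.lstrip("/"))


def resolve_under_root(uri_path, root=PROVIDER_ROOT):
    """Hardened resolution: decode once, canonicalise, then prove containment.

    Uri.getPath() already hands a provider the decoded path; the raw segment is
    decoded here so percent-encoded dot segments are exercised as well.
    """
    decoded = unquote(uri_path)
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # realpath has resolved '..' and symlinks; only now is a prefix test meaningful,
    # and commonpath avoids the "/files/shared" vs "/files/shared-old" prefix trap.
    if target == root_real or os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError(f"refusing {uri_path!r}: resolves outside {root_real}")
    return target


def is_served(uri_path, root=PROVIDER_ROOT):
    """Boolean wrapper around resolve_under_root for quick checks."""
    try:
        resolve_under_root(uri_path, root)
        return True
    except PermissionError:
        return False


def symlink_escape_is_caught():
    """Build a real tree with a symlink pointing outside the root; confirm the
    naive join follows it while the canonicalising check refuses it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("token")
        os.symlink(outside, os.path.join(root, "link"))
        naive_reads_secret = os.path.isfile(open_file_vulnerable("link/secret.txt", root))
        return naive_reads_secret and not is_served("link/secret.txt", root)


if __name__ == "__main__":
    print("naive:", open_file_vulnerable("../../shared_prefs/prefs.xml"))
    print("encoded traversal served?", is_served("..%2F..%2Fshared_prefs%2Fprefs.xml"))
    print("symlink escape caught?", symlink_escape_is_caught())
```

Checking the last path segment for `..` is not equivalent: it misses encoded forms, misses traversal in earlier segments, and says nothing about symlinks, which only canonicalisation of the final path catches.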
Android - Implicit Broadcast Leak
A broadcast is how an app sends a message to other components. One part fires an Intent, and any BroadcastReceiver listening for it gets a copy. An explicit broadcast says who it is for - a package...
Android - Custom Permissions with Weak Protection Level
Custom permissions are how Android apps protect their components from other apps on the device. The intention is straightforward: declare a permission, mark it signature, and only apps signed with ...
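An added example, not code from the page: a Python manifest audit that pairs every exported component's guard permission with the `protectionLevel` the manifest declares for it, and flags guards that are `normal`/`dangerous` or never declared at all. The sample manifest, package name and component names are constructed; the exported-by-default rule encoded in `_is_exported` is the pre-API-31 behaviour.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = {"activity", "activity-alias", "service", "receiver", "provider"}
STRONG = {"signature", "signatureOrSystem"}      # only same-signer apps can hold these
GUARDS = ("permission", "readPermission", "writePermission")


def _is_exported(comp):
    explicit = comp.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # No explicit value: before API 31 a component with an intent-filter was
    # exported by default (API 31+ makes the attribute mandatory in that case).
    return comp.find("intent-filter") is not None


def audit_custom_permissions(manifest_xml):
    """Return findings for exported components whose guard permission is weak."""
    root = ET.fromstring(manifest_xml)
    # Android's default protectionLevel when the attribute is omitted is "normal".
    declared = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
                for p in root.iter("permission")}
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENTS or not _is_exported(comp):
            continue
        for attr in GUARDS:
            perm = comp.get(A + attr)
            if perm is None:
                continue
            if perm not in declared:
                why = ("guarded by a permission this manifest never declares; another "
                       "app can declare it at protectionLevel normal and hold it itself")
            else:
                if declared[perm].split("|")[0] in STRONG:
                    continue  # signature-level guard: the intended configuration
                why = (f"{perm} is protectionLevel {declared[perm]!r}: any app can "
                       "request it (normal is granted at install, dangerous after a prompt)")
            findings.append({"component": comp.get(A + "name"), "attr": attr,
                             "permission": perm, "severity": "HIGH", "reason": why})
    return findings


# Constructed sample manifest with one sound guard and two weak ones.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
    <permission android:name="com.example.bank.INTERNAL" android:protectionLevel="normal"/>
    <permission android:name="com.example.bank.SIGNED" android:protectionLevel="signature"/>
    <application>
        <service android:name=".TokenService" android:exported="true"
                 android:permission="com.example.bank.INTERNAL"/>
        <provider android:name=".AccountProvider" android:exported="true"
                  android:authorities="com.example.bank.accounts"
                  android:readPermission="com.example.bank.SIGNED"/>
        <receiver android:name=".PushReceiver" android:permission="com.example.bank.ALERTS">
            <intent-filter><action android:name="com.example.bank.PUSH"/></intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for f in audit_custom_permissions(SAMPLE_MANIFEST):
        print(f"{f['severity']} {f['component']} ({f['attr']}={f['permission']}): {f['reason']}")
```

Run it against the merged manifest from the built APK rather than the source one, since library manifests can contribute permissions and components of their own.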
Cross-App ClassLoader Parcelable Injection
At Black Hat EU 2024, Dimitrios Valsamaras presented a Parcelable injection variant that bypasses one of the most common Android-side defences. The trick exploits a feature of Android’s Context.cre...
Android - SSRF Through an Android App
Server-side request forgery is the bug everyone knows from web apps. The mobile equivalent, an Android activity that takes an intent-controlled URL and makes an HTTP request to it, gets reported le...
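An added example, not code from the page: the validation a security reviewer would expect between an intent-supplied URL and the HTTP client, written in Python so it can be exercised against the usual bypass shapes. The allowlisted host and the URLs in `__main__` are constructed; the check names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed set of origins the app legitimately talks to.
ALLOWED_HOSTS = {"api.example.com"}


def check_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return None if the URL may be fetched, otherwise the reason it was refused."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "scheme must be https"          # rules out http, file, content, javascript...
    if parts.username is not None or parts.password is not None:
        return "credentials in URL"            # https://api.example.com@evil.com/ lands here
    host = parts.hostname                      # already lowercased, brackets stripped
    if not host:
        return "missing host"
    try:
        ipaddress.ip_address(host)
        return "literal IP address"            # loopback, link-local, 10/8 or anything else
    except ValueError:
        pass
    if host not in allowed_hosts:
        return "host not allowlisted"          # exact match; no suffix or substring logic
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port not in (None, 443):
        return "non-default port"
    return None


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS):
    return check_target(url, allowed_hosts) is None


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/balance",
              "https://api.example.com@evil.com/",
              "https://evil.com/?next=api.example.com",
              "https://[::1]/admin",
              "file:///data/data/com.example/shared_prefs/session.xml"):
        print(f"{u!r}: {check_target(u) or 'allowed'}")
```

Two caveats belong next to this check. First, it validates the first hop only: if the client follows redirects (HttpURLConnection does by default), an allowlisted host can still bounce the request elsewhere, so disable following (setInstanceFollowRedirects(false)) or re-run the check on each Location. Second, the stronger design is not to accept a URL from the intent at all but an identifier the app maps to a URL itself, which removes the parser from the trust boundary.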
Android - Provider Grant Escalation
A URI permission grant is a temporary, single-URI permission attached to an Intent. By default an app cannot read another app’s ContentProvider; the grant is the controlled exception. When an app s...