Android App Links let apps claim ownership of HTTPS domains so that links to those domains open directly in the app instead of showing a browser or a chooser. The claim becomes authoritative when t...
Android - Inspecting the React Native Bridge
React Native apps have a JavaScript runtime and a native runtime, with a bridge between them. The bridge is enumerable - apps expose a collection of NativeModules that JavaScript can call. Each mod...
Android - Janus and v1-Only APK Signing
CVE-2017-13156 (Janus) lets an attacker prepend a malicious DEX to an APK and have the system execute the prepended DEX while the v1 signature still verifies. v1 signs files inside the ZIP, not the...
Android - Tokens and PII in Logcat
Log.d, Log.v, Log.i calls in production builds dump strings to logcat. On Android 4.1+ the READ_LOGS permission is signature-only, so a regular third-party app cannot read another app’s logs. But a...
Android - Class.forName from an Intent Extra
Class.forName(intent.getStringExtra("class_name")) is one step short of the dynamic-code-loading bug. The attacker cannot supply new code, but they can pick which existing class on the app’s classp...
Android - Dynamic Code Loading via DexClassLoader
Apps that load code at runtime from outside the APK - via DexClassLoader, PathClassLoader, or InMemoryDexClassLoader - are common in plugin architectures, dynamic feature modules, and hot-patch fra...
Android - Notification Title Spoofing
Android displays the posting app’s name and icon alongside every notification - you cannot lie about which app sent it. What you can control is the content: title, body, channel name, and what happ...
Android - Task Hijacking and StrandHogg 2.0
Android manages activities in stacks called tasks. Each task has a taskAffinity — a string that determines which task an activity belongs to. When no taskAffinity is declared on an activity, Androi...
Android - Network Security Config Trust-Anchor Override
network_security_config.xml is Android’s declarative way to control TLS trust. From API 24, Android stopped trusting user-installed CAs by default - apps had to explicitly opt in. That protection d...
Android - HostnameVerifier That Returns True
A HostnameVerifier that returns true unconditionally means TLS connections accept any hostname as long as the certificate is valid for some hostname. A network attacker with a Let’s Encrypt cert fo...