Niraj Kharel

Android - SQL Injection in a ContentProvider

ContentProviders that back onto SQLite and accept caller-supplied selection / selectionArgs / sortOrder parameters without parameterization are vulnerable to classic SQL injection. The attack surfa...

Android - ContentProvider Path Traversal

A ContentProvider is how one app hands data to another. The caller asks for a content:// URI, the provider answers - a row, a file, a stream. When the data is a file, the provider overrides openFil...

Android - Implicit Broadcast Leak

A broadcast is how an app sends a message to other components. One part fires an Intent, and any BroadcastReceiver listening for it gets a copy. An explicit broadcast says who it is for - a package...

Android - Custom Permissions with Weak Protection Level

Custom permissions are how Android apps protect their components from other apps on the device. The intention is straightforward: declare a permission, mark it signature, and only apps signed with ...

Cross-App ClassLoader Parcelable Injection

At Black Hat EU 2024, Dimitrios Valsamaras presented a Parcelable injection variant that bypasses one of the most common Android-side defences. The trick exploits a feature of Android’s Context.cre...

Android - SSRF Through an Android App

Server-side request forgery is the bug everyone knows from web apps. The mobile equivalent, an Android activity that takes an intent-controlled URL and makes an HTTP request to it, gets reported le...

Android - Provider Grant Escalation

A URI permission grant is a temporary, single-URI permission attached to an Intent. By default an app cannot read another app’s ContentProvider; the grant is the controlled exception. When an app s...

Android - Hijacking a Mutable PendingIntent

Let's walk through a scenario to understand PendingIntents in Android. Your app posts a notification. Hours later, your app long since killed by the OS, the user taps it, and your screen opens with you...

Android - Stream URI Read via openInputStream

There is a class of bug that is easy to find and rarely reported: an exported activity that calls contentResolver.openInputStream on a URI from intent.getData() or a Uri extra without checking what...

Android - File Write via an Exported Activity

The file write primitive is the inverse of the file read primitive. Instead of getting bytes out of the target app’s private storage, you get bytes in. It is rarer than the read primitive but when ...