Ranked as the #1 security researcher for Google Play Security Rewards Program. The founder of @OversecuredInc Android and iOS vulnerability scanners

Joined December 2015
I’m looking to talk to people who work with mobile app security inside companies. I want to better understand your real workflow, tools, pain points, and what still feels too manual. There’s a reward of your choice for the interview. Form: hub.oversecured.com/cusdev

[1/3] It's common to get a ParcelFileDescriptor pointing to a directory through an Android ContentProvider. But can you actually turn that into a directory listing?
[2/3] Examples:
- FileProvider pointing to files/cache directories
- A misconfigured ContentProvider that can be tricked into returning a ParcelFileDescriptor pointing to a directory
[3/3] With a directory listing you get the file names, and then you can read their contents through the same provider. You can do it using native code!
We launched Android DAST. And the first problem we hit is that login flows block everything. So we used an LLM to log in automatically. This is what debugging looks like
[2/3] The hard part: every app is different, so prompt engineering took a while
[3/3] We tried local models, but they didn't work for the general case. So we ended up going with the cloud models
An attack on Android content providers that researchers might overlook [1/4] Android has a mechanism to restrict access using the exported attribute or by requiring permissions
[2/4] But system apps ("android.uid.system" and maybe systemui) automatically bypass these restrictions and can access arbitrary components
[3/4] It's trivial to force a system app to call ContentResolver.query() or openInputStream() for an arbitrary Uri
[4/4] If the implementation of ContentProvider.getType(), query(), openFile() does anything other than simply returning a ParcelFileDescriptor or data from a database (making directories, debug mode, dumping logs), an attacker can trigger it this way and gain privilege escalation
We’re hiring a Mobile App Security Expert! What you'll do:
- Research Android/iOS internals and ship new SAST/DAST checks
- Turn real-world findings into PoCs and write-ups
- Be the technical voice with customers: explain findings, advise architecture, guide CI/CD setup
Interested? Fill out the form: docs.google.com/forms/d/e/1F…

New Android host validation bypass technique! [1/4] All parsed URIs in Android are android.net.Uri.StringUri objects. However, the scheme parser only looks for the ":" delimiter
[3/4] This will only work if the scheme isn't validated either. This attack can increase the impact in cases when, e.g., the victim's access token is appended to the request headers
[4/4] Limitations:
1. The lack of scheme validation
2. You also need to bypass the network security config:
- Easy case: usesCleartextTraffic is set to "true"
- Hard case: checking the app's network security config and trying to load your own host (or you control DNS responses)
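The mitigation this thread points at is checking the scheme as well as the host, and building the outgoing request from the parsed components rather than the raw string. The class below is an added example, not code from the author or from Oversecured; the class name, the allowed host and the rebuild step are assumptions.

```java
import android.net.Uri;
import java.util.Locale;

/** Validates an untrusted URL before an app attaches credentials to a request for it. */
public final class HostValidator {
    // Constructed value for the example: the only host the app may talk to.
    private static final String ALLOWED_HOST = "api.example.com";

    /**
     * Returns a rebuilt https URL for ALLOWED_HOST, or null if the input must be rejected.
     * Uri.parse() only splits the scheme at the first ':', so checking getHost() alone
     * is not enough; the scheme is checked explicitly here, as the thread advises.
     */
    public static String validatedUrlOrNull(String rawUrl) {
        if (rawUrl == null) return null;
        Uri uri = Uri.parse(rawUrl);

        String scheme = uri.getScheme();
        if (scheme == null || !"https".equals(scheme.toLowerCase(Locale.ROOT))) {
            return null; // anything other than https, including odd "schemes" before ':'
        }

        String host = uri.getHost();
        if (host == null || !ALLOWED_HOST.equalsIgnoreCase(host)) {
            return null; // host must match exactly, no suffix or substring matching
        }

        if (uri.getUserInfo() != null) {
            return null; // refuse userinfo so the authority cannot be made ambiguous
        }

        // Rebuild from validated components; the raw string is never forwarded.
        return new Uri.Builder()
                .scheme("https")
                .encodedAuthority(ALLOWED_HOST)
                .encodedPath(uri.getEncodedPath())
                .encodedQuery(uri.getEncodedQuery())
                .build()
                .toString();
    }

    private HostValidator() {}
}
```

Because the returned URL is reconstructed from the checked scheme and host, only the path and query of the original input survive into the request that carries the access token.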
Sergey Toshin retweeted
🚨 Security Alert: Over 2 billion Android users and 100 million Pixel users may be at risk of file theft, VPN bypass, unauthorized Bluetooth access, and geolocation leaks. Visit our blog for details. blog.oversecured.com/Disclos…
We have updated scan reports for all Google phone apps and additionally included reports for Wear OS, Android TV, Android Desktop, and Android Auto! Time to report the vulnerabilities to bughunters.google.com! blog.oversecured.com/Oversec…
Android bug hunters, your chance to get rewards from Google. Only Google has agreed to release the reports without prior fixes. I see dozens of valid bugs (and I submitted 0 of them)
Sergey Toshin retweeted
NEW - A whole bunch of fresh Xiaomi vulnerabilities discovered by researchers who say they're serious and all users should update ASAP. forbes.com/sites/thomasbrews…
