Beyond Base64: The Vulnerability Leaving Millions of Calls Exposed

Time and again, we’re reminded that mere encoding doesn’t equate to robust encryption or security. Relying primarily on encoding as a defense can expose companies to unexpected vulnerabilities. While encoding can help obscure information, it’s crucial to remember it’s not a substitute for genuine encryption or tight access control. This recent lapse came to light in a popular online consulting platform’s mobile app, available on both Android and iOS. As the focus of this blog article is educational, centered around the vulnerability, I will abstain from naming the organization....

September 25, 2023 · 6 min · 1242 words · Gaurang Bhatnagar

Multiple Vulnerabilities found in Airtel Android Application

Before presenting my talk at SourceZeroCon on Deep Dive into Android Static Analysis, I spent a lot of time understanding WebViews and looked for vulnerable implementations in popular Android applications (mainly applications with 100M+ downloads). One such application was Airtel Thanks, where I identified a number of vulnerabilities. This blog post discusses the high-impact vulnerabilities that were reported. Airtel has fixed these vulnerabilities and it is recommended to update the Airtel Thanks application to the latest version from the Play Store....

November 27, 2022 · 8 min · 1542 words · Gaurang Bhatnagar

Introducing InsecureShop

About InsecureShop: InsecureShop is an intentionally designed vulnerable Android application built in Kotlin. The aim of creating this application is to teach developers and security professionals about the vulnerabilities present in modern Android applications. This also serves as a platform to test your Android pentesting skills. The InsecureShop project was released as part of SourceZeroCon 2021 (Slides | Video). You can check out the project here: https://www.insecureshopapp.com. Research: In early 2020, I started my research on Android WebView and how loading an untrusted URL in applications’ WebView can lead to the exfiltration of session cookies and local storage files by leveraging symlink attacks and insecure WebView properties....

December 18, 2021 · 3 min · 450 words · Gaurang Bhatnagar

Pentesting an IOT based Biometric Attendance device

During one of the Red Team engagements, I got a chance to pentest a Biometric attendance device that the client often used to mark the attendance and restrict access to specific rooms. I did not pop any zero-days here, but several misconfigurations were leveraged that allowed me to achieve root access on the device. Following is the snapshot of the device I was testing. Starting with the assessment, I found that the device was connected to the network, and I was able to get its IP address from the device’s network settings....

October 30, 2021 · 3 min · 583 words · Gaurang Bhatnagar