Multiple Vulnerabilities found in Airtel Android Application

Before presenting my talk at SourceZeroCon on Deep Dive into Android Static Analysis, I spent a lot of time understanding WebViews and looked for vulnerable implementations in popular Android applications (mainly applications with 100M+ downloads). One such application was Airtel Thanks where I identified a number of vulnerabilities. This blog post discusses about the high impact vulnerabilities that were reported. Airtel has fixed these vulnerabilities and it is recommended to update Airtel Thanks application to the latest version from Play Store....

November 27, 2022 · 8 min · 1542 words · Gaurang Bhatnagar

Introducing InsecureShop

About InsecureShop InsecureShop is an intentionally designed vulnerable Android application built in Kotlin. The aim of creating this application is to teach developers and security professionals about the vulnerabilities present in modern Android applications. This also serves as a platform to test your Android pentesting skills. The InsecureShop project was released as part of the SourceZeroCon 2021 (Slides | Video). You can checkout the project here: https://www.insecureshopapp.com Research In early 2020, I started my research on Android WebView and how loading an untrusted URL in applications’ WebView can lead to the exfiltration of session cookies and local storage files by leveraging symlink attacks and insecure WebView properties....

December 18, 2021 · 3 min · 450 words · Gaurang Bhatnagar