rfedler

Introduction

Many people underestimate the possibilities a remote attacker has who managed to exploit a remote code execution vulnerability on Android devices.

On Windows systems, it is widely accepted that a vulnerability in one software can lead to the compromise of other software and, ultimately, to the infection of the whole system. The same is, in fact, also possible for Android, even though many people believe the attacker would be confined to the vulnerable app’s context (in the Android file system and UID/GID sandboxing sense).

In this blog post we will show how a vulnerability in one single app can lead to the permanent (and virtually irreversible) infection of an Android device with malware. To this end we will walk the reader through the single steps that lead […]

Recently we were working on an engagement to test a fat client using a web service and ran into a problem with Burp. Surprisingly enough, there was not a single resource on the Internet to help us out. Hoping that others dealing with the same issue won’t lose their sanity like we almost did, I am writing this blog post now ;)

We were trying to test a web application, or rather a client application (a binary!) communicating with a web service built on top of an HTTP REST API, with Burp as a transparent/invisible proxy in between. For some completely unknown reason, when Burp was between the client software and the server, the client application just refused to log in.

A comparison of HTTP requests and […]