1662 matches found
Information disclosure
The First Assembly NLR aka com.subsplash.thechurchapp.firstassemblynlr application 2.8.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
CVE-2014-6776
The United Advantage NW Federal Cr aka com.myappengine.uanwfcu application 1.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
CVE-2014-6770
The Aerospace Jobs aka com.appaerospacejobs.layout application 1.399 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
CVE-2014-6639
The TIO MobilePay - Bill Payments aka com.tionetworks.mobile.android.tioclient application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
Code injection
The Secret Circle - talk freely aka com.easyxapp.secret application 2.2.00.26 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
Design/Logic Flaw
The Farm Frenzy Gold aka com.herocraft.game.farmfrenzy.gold application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
Boat Browser 8.0 and 8.0.1 - Remote Code Execution Vulnerability
Exploit for Android platform in category remote exploits CreatMalTxt POC - WebView var obj; function TestVulnerability temp="not"; var myObject = window; for var name in myObject if myObject.hasOwnPropertyname try...
Boat Browser 8.0 and 8.0.1 - Remote Code Execution
Boat Browser 8.0 and 8.0.1 - Remote Code Execution CreatMalTxt POC - WebView var obj; function TestVulnerability temp="not"; var myObject = window; for var name in myObject if myObject.hasOwnPropertyname try...
CVE-2014-3100
The CVE-2014-3100 issue is a stack-based buffer overflow in Android 4.3’s KeyStore service (encode_key in /system/bin/keystore) that allows arbitrary code execution and may leak sensitive key information or bypass cryptographic operation restrictions when handling an overly long key name. The vul...
Patched Code-Execution Bug Affects Most Android Users
A serious code-execution vulnerability in Android 4.3 and earlier was patched in KitKat, the latest version of the operating system. Researchers at IBM this week disclosed the nature of the vulnerability, which was privately disclosed to the Android Security Team in September and patched last...
Towelroot: One-Click Android Rooting Tool Released By Geohot
Waiting for root access for your AT&T or Verizon Android phone? Then there is really great news for you! Geohot aka George Hotz - a famed cracker who was responsible for hacking the PlayStation 3 and subsequently being sued by Sony - has built and released a root tool called Towelroot on...
Android Outlook App Could Expose Emails, Attachments
There are two issues with the way Microsoft’s Outlook application encrypts content on older versions of Android that could expose users’ emails and email attachments. Paolo Soto, a researcher with the security firm Include Security, said his team initially dug up the vulnerabilities in November...
Google Chrome for Android Detected
Android Fragment Injection vulnerability
Hi, We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, Dropbox and Evernote. To be more accurate, any app which extended the PreferenceActivity clas...
CVE-2013-6271
CVE-2013-6271 affects Android 4.0–4.3; a vulnerability in com.android.settings.ChooseLockGeneric allows an unprivileged app to bypass restrictions and remove the device lock by invoking updateUnlockMethodAndFinish with PASSWORD_QUALITY_UNSPECIFIED. Exploits/PoC exist (CRT-RemoveLocks; Metasploit ...
[OWASP GoatDroid] Project that helps educate Android application developers about security
OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications:...
Android su applications privilege escalation
Unsafe environment variables and file descriptors usage...
Android 4.2.x Superuser Shell Character Escape
Vulnerable releases of two common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root, either without prompting the user or after the user has denied the request: - CyanogenMod/ClockWorkMod/Koush Superuser current releases, including v1.0.2.1 ...
Vendor Customizations Lead to Android Security Issues
When Android phone manufacturers tweak devices and customize phones with special software, apps and code, it has a direct effect on the security of each device. In some cases, the changes made can account for more than 60 percent of vulnerabilities found in devices. That’s according to a paper “T...
Firefox For Android Same-Origin Bypass
CVE Number: CVE-2013-1727; Vendor Identifier: MFSA 2013-84; Title: Firefox for Android - Same-origin bypass through symbolic links; Affected Software: Prior to v24 (confirmed on v14); Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.; Issue Status: v24 was released which fixes this...