Android Archives - 7ASecurity Blog

7ASecurity Completes Bridgefy Audit

Admin — Mon, 31 Jul 2023 11:04:27 +0000

7ASecurity worked with Bridgefy to complete a whitebox pentest of the mobile app, SDK, cloud infrastructure, and privacy to help improve Bridgefy’s overall security posture. What is Bridgefy? Bridgefy, a popular mobile messaging app, allows you to send offline messages by leveraging Bluetooth technology. This app aims to provide secure messaging when infrastructure is not …

The post 7ASecurity Completes Bridgefy Audit appeared first on 7ASecurity Blog.

7ASecurity Completes ArgoVPN Audit

Admin — Fri, 28 Jul 2023 09:21:57 +0000

This blog post summarizes a whitebox security review conducted by 7ASecurity against the ArgoVPN platform. What is ArgoVPN? ArgoVPN is a free VPN with an unlimited bandwidth that is developed for Android devices. It allows users to visit blocked websites, online services, social media and messaging apps. The developers designed ArgoVPN to meet the needs …

The post 7ASecurity Completes ArgoVPN Audit appeared first on 7ASecurity Blog.

7ASecurity Completes Mozilla K-9 Mail Audit

Admin — Thu, 20 Jul 2023 11:01:58 +0000

7ASecurity had the privilege to collaborate with the Open Source Technology Improvement Fund (OSTIF), as well as the K-9 Mail and Thunderbird teams at Mozilla, in a recent security audit of the Mozilla K-9 Mail application. What is K-9 Mail? K-9 Mail is an open source email application that runs on most Android devices. Ideally, the application is reliable, intuitive and secure …

The post 7ASecurity Completes Mozilla K-9 Mail Audit appeared first on 7ASecurity Blog.

XMPP MitM attack via PLAIN mechanism

Admin — Thu, 08 Jun 2023 08:48:00 +0000

Are you testing MitM of an old protocol that starts using clear-text communications?You should consider spoofing server replies with some downgrade attack! This old trick still works sometimes against protocols that like:XMPP, SMTP, POP3 and others Let’s illustrate this with an XMPP example from the field 🙂 Introduction: In XMPP, credentials are not supposed to …

The post XMPP MitM attack via PLAIN mechanism appeared first on 7ASecurity Blog.

Hacking Mandated Apps – Part 7: AES Crypto FAIL [ MSTG-CRYPTO-1 ]

Admin — Mon, 09 Sep 2019 03:27:21 +0000

Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] Part 5: RCE in WebView [ MSTG-PLATFORM-7 ] Part 6: XOR Crypto FAIL [ MSTG-CRYPTO-1 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog …

The post Hacking Mandated Apps – Part 7: AES Crypto FAIL [ MSTG-CRYPTO-1 ] appeared first on 7ASecurity Blog.

Hacking Mandated Apps – Part 6: XOR Crypto FAIL [ MSTG-CRYPTO-1 ]

Admin — Fri, 06 Sep 2019 01:40:27 +0000

Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] Part 5: RCE in WebView [ MSTG-PLATFORM-7 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V3: Cryptography Requirements, as follows: …

The post Hacking Mandated Apps – Part 6: XOR Crypto FAIL [ MSTG-CRYPTO-1 ] appeared first on 7ASecurity Blog.

Hacking Mandated Apps – Part 5: RCE in WebView [ MSTG-PLATFORM-7 ]

Admin — Thu, 05 Sep 2019 00:51:55 +0000

Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V6: Platform Interaction Requirements, as follows: MSTG‑PLATFORM‑7: If native methods of the app …

The post Hacking Mandated Apps – Part 5: RCE in WebView [ MSTG-PLATFORM-7 ] appeared first on 7ASecurity Blog.

Hacking Mandated Apps – Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ]

Admin — Wed, 04 Sep 2019 01:14:00 +0000

Part 1: Intro Part 2: Translating APKs Part 3: What is SSL? [ MSTG‑NETWORK‑1 ] The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V5: Network Communication Requirements, as follows: MSTG‑NETWORK‑2: The TLS settings are in line with current best practices, or as close as possible if …

The post Hacking Mandated Apps – Part 4: How NOT to implement SSL [ MSTG‑NETWORK‑2 ] appeared first on 7ASecurity Blog.

Hacking Mandated Apps – Part 2: Translating APKs

Admin — Mon, 02 Sep 2019 02:41:26 +0000

If you missed Hacking Mandated Apps – Part 1: Intro please start there for background 🙂 Translating APKs in beautiful exotic languages As explained in the intro, the team did not get access to the sources of the app. We had to first retrieve the APK from a Korean APK download service, decompile the APK and then …

The post Hacking Mandated Apps – Part 2: Translating APKs appeared first on 7ASecurity Blog.

Free Android sec tools, resources and smartphonesdumbapps release

Admin — Thu, 14 Feb 2013 08:12:00 +0000

UPDATE: April 2nd – Added new pinning article thanks @an_animal! UPDATE: Feb 14th – Added (draft, initial) forensics section, Added pinning links, thanks @an_animal for most pinning resources! Android Security is like IPv6: It will catch you sooner or later :). It is becoming more common for Web Applications to involve a Mobile Application component. …

The post Free Android sec tools, resources and smartphonesdumbapps release appeared first on 7ASecurity Blog.