Skip to content

An actively maintained, Self curated notes related to android application security for security professionals, bugbounty hunters, pentesters, reverse engineer, and redteamers.



Folders and files

Last commit message
Last commit date

Latest commit



5 Commits

Repository files navigation

Android Security Notes

Getting Started? Β» Buy me a coffee Β» Wanna Talk?

πŸš€ Android Security Notes? Β» Here, You will find important concepts, resources, hand-crafted and self-curated notes written by a kind-hearted fellow. The main purpose of this project is to serve as a First-Aid to newbies (like me) and intermediate peep who perform android security.

🀝 Wanna contribute? » If you see something wrong or incorrectly interpreted then open an issue or send a pull request. We appreciate your contribution and all suggestions/PRs are welcome. You can also ping me on twitter@iamsarvagyaa.

πŸ“œ Things to be done! Β» I started this project from scratch. Steadily, I will update more resources and notes that I've found useful while learning Android Security. The upcoming lineup for this project ...

  • I will add more resources
  • Add conference papers, notes and more
  • Write more blogposts related to android security ...

πŸ—’οΈ Synopsis

↑ Getting Started

↑ HackerOne Reports

  • Account hijacking possible through ADB backup feature :: #12617
  • Twitter android app Fragment Injection :: #43988
  • Bypass Setup by External Activity Invoke :: #55064
  • Webview Vulnerablity in OwnCloud apk :: #87835
  • No permission set on Activities [Android App] :: #145402
  • Flaw in login with twitter to steal Oauth tokens :: #44492
  • Authentication Failed Mobile version :: #55530
  • Multiple Stored XSS on through Veris Frontdesk Android App :: #121275
  • Coinbase Android Security Vulnerabilities :: #5786
  • Insecure Data Storage in Vine Android App :: #44727
  • Sending payments via QR code does not require confirmation :: #126784
  • Bypass pin(4 digit passcode on your android app) :: #50884
  • REG: Content provider information leakage :: #146179
  • Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content :: #56002
  • HTML/XSS rendered in Android App of Crashlytics through :: #41856
  • ByPassing the email Validation Email on Sign up process in mobile apps :: #57764
  • Insecure Local Data Storage : Application stores data using a binary sqlite database :: #57918
  • Vulnerable to JavaScript injection. (WXS) (Javascript injection)! :: #54631
  • Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code :: #5314
  • Reflected XSS in Zomato Mobile - category parameter :: #230119
  • MEW Wallet PIN Bypass [Android] :: #1242212
  • Firebase Database Takeover in Zego Sense Android app :: #1065134
  • Bypass of biometrics security functionality is possible in Android application ( :: #637194
  • Persistant Arbitrary code execution in mattermost android :: #1115864
  • porcupiney.hairs : Java/Android - Insecure Loading of a Dex File :: #1161956
  • Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android] :: #453791
  • Cookie steal through content Uri :: #876192
  • Bypassing Passcode/Device credentials :: #747726
  • [Java] CWE-755: Query to detect Local Android DoS caused by NFE :: #1061211
  • Path traversal in ZIP extract routine on LINE Android :: #859469
  • Android: Explanation of Access to app protected components vulnerability :: #951691
  • Java: CWE-749 Unsafe resource loading in Android WebView leaking to injection attacks :: #1011956
  • Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506 :: #906433
  • Denial of Service | & :: #903740
  • Insecure Storage and Overly Permissive API Keys in Android App :: #753868
  • [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure :: #401793
  • No session logout after changing password & alsoandroid sessions not shown in sessions list so they can be deleted :: #194329
  • CVE-2019-5765: 1-click HackerOne account takeover on all Android devices :: #563870
  • API Keys Hardcoded in Github repository :: #766346
  • Changing email address on Twitter for Android unsets "Protect your Tweets" :: #472013
  • Golden techniques to bypass host validations in Android apps :: #431002
  • Improper protection of FileContentProvider :: #331302
  • Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock :: #331489
  • Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app :: #351555
  • [Mail.Ru Android] Typo in permission name allows to write contacts without user knowledge :: #440749
  • SQL Injection found in NextCloud Android App Content Provider :: #291764
  • [Android] HTML Injection in BatterySaveArticleRenderer WebView :: #176065
  • SQLi allow query restriction bypass on exposed FileContentProvider :: #518669
  • [Zomato Android/iOS] Theft of user session :: #328486
  • Protected Tweets setting overridden by Android app :: #519059
  • Bypassing lock protection :: #490946
  • Improper validation allows user to unlock Zomato Gold multiple times at the same restaurant within one day :: #486629
  • Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App :: #205000
  • [IRCCloud Android] XSS in ImageViewerActivity :: #283063
  • [IRCCloud Android] Theft of arbitrary files leading to token leakage :: #288955
  • Two-factor authentication bypass on Grab Android App :: #202425
  • Android - Access of some not exported content providers :: #272044
  • Improper markup sanitisation in Simplenote Android application :: #297547
  • [Android] XSS via start ContentActivity :: #189793
  • [iOS/Android] Address Bar Spoofing Vulnerability :: #175958
  • Access of Android protected components via embedded intent :: #200427
  • Possible to steal any protected files on Android :: #161710
  • [Quora Android] Possible to steal arbitrary files from mobile device :: #258460
  • Multiple critical vulnerabilities in Odnoklassniki Android application :: #97295
  • Android - Possible to intercept broadcasts about uploaded files :: #167481
  • Download attachments with traversal path into any sdcard directory (incomplete fix 106097) :: #284346
  • [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity :: #283058
  • Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager :: #192886
  • Twitter for android is exposing user's location to any installed android app :: #185862
  • Vulnerable exported broadcast receiver :: #289000
  • Android MailRu Email: Thirdparty can access private data files with small user interaction :: #226191
  • Vine - overwrite account associated with email via android application :: #187714
  • Activities are not Protected and able to crash app using other app (Can Malware or third parry app) :: #65729
  • Account takeover intercepting magic link for Arrive app :: #855618

↑ BugBounty Writeups

↑ CTF Challenge Writeups

↑ Healthy Digests

↑ Vulnerable Applications

  • hpAndro - One of the nice vulnerable android application to practice. Plenty of challenges are there, and most of the challenges are beginner friendly. I recommend everyone to checkout this vulnerable application. This challenge is maintained by hpandro1337, you can also checkout his YouTube Channel : Android AppSec.
  • InjuredAndroid - A vulnerable android application ctf examples based on bug bounty findings, exploitation concepts, and pure creativity. Created and maintained by B3nac.
  • Oversecured Vulnerable Android App - an Android app that aggregates all the platform's known and popular security vulnerabilities. Plenty of vulnerabilities are there to practice our Security skills. Vulnerable Lab maintained by Bagipro.
  • MOBISEC Challenges - Plenty of challenges are there related to Android App development, Reversing of Android Application and Exploitations. Challenges created by sir Yanick Fratantonio. This is in my TODO list...

Wanna Contact with me?

πŸ“£ If you enjoyed this project and wanna appreciate me, Buy me a cup of coffee. You can also help via sharing this project among the community to help it grow. You may support me on Buy me a coffee, monetary contributions are always welcome. If you wish to sponsor this project, ping me - iamsarvagyaa[at]


An actively maintained, Self curated notes related to android application security for security professionals, bugbounty hunters, pentesters, reverse engineer, and redteamers.








No releases published


No packages published