|
|
|
|
|
|
by dmix
4000 days ago
|
|
|
Mobile would be great for taking this kind of approach to bug hunting. Especially since Android just launched a (proper) bug bounty program [0]. A ton of old problems are new again on Android, especially due to the fact a significant percentage of the OS stuff is being re-implemented in Java (IPC, sandboxing, etc). The more I dig into it the more I'm convinced very few people are conducting serious security reviews outside of Google. Take this bug as an example: http://seclists.org/fulldisclosure/2014/Nov/81 An apk with system privileges (the settings app) would accept IPC messages from any unprivileged app and relay them with system privileges. [0] http://techcrunch.com/2015/06/16/google-launches-bug-bounty-... |
|
|