Mobile Security
Mobile Security (what I test in real assessments)
Mobile security work is mostly about trust boundaries: what the app accepts from the device, other apps, the operating system, and the network — and how those inputs can be used to reach privileged logic. The fastest way to get real signal is to audit the app’s component attack surface (Activities, Services, Broadcast Receivers, Content Providers) and then validate data flows (intents, binders, URIs) with concrete, reproducible tests.
This section is structured like a practical assessment: enumerate exposed entry points, validate authorization assumptions, prove exploitability safely, and show developers exactly what to change. iOS coverage will be added next; Android comes first because components are the most common root cause of “it should be internal” findings.
Android component attack surface
If you’re coming from web/API security: think of these as your “routes/controllers + internal APIs” on-device. The vulnerabilities here are reliable because they don’t depend on UI happy paths — they depend on what the app will accept when launched or messaged from the outside.
- Android Activities: UI entry points, deep links, flow bypass, intent tampering
- Android Services: background work and IPC surface, exported commands, Binder abuse
- Android Broadcast Receivers: inbound message handlers, forged broadcasts, ordered-broadcast leaks
- Android Content Providers: data-sharing boundary, URI permission pitfalls, read/write exposure
- Android IPC & Intent Abuse: intent spoofing, implicit intent interception, PendingIntent safety, confused-deputy chains
iOS section is planned next (URL schemes/universal links, app extensions, keychain, pasteboard, file sharing, IPC patterns).
Android static analysis walkthrough
Before touching a device or emulator, I start with static analysis to map the full Android attack surface. This step answers a single question: what can be reached from outside the app?
Manifest review, component enumeration, and intent/IPC inspection consistently reveal access-control gaps, confused-deputy paths, and parameter-driven logic that never shows up in UI testing.
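The manifest pass described above, and the component enumeration behind the attack-surface list earlier in this section, as an added example in Python. This is my own illustration, not a tool this page or its sub-pages describe, and the manifest it runs on is a constructed sample (the `com.example.bank` package and its component names are invented). It assumes a manifest already decoded to plain XML (apktool, jadx, or `aapt2 dump xmltree` output converted to XML), not the binary AXML inside the APK. It applies the platform export defaults, resolves each permission gate against the app's own `<permission>` declarations so that a normal-level permission is not mistaken for a real boundary, and marks browser-reachable deep links and providers that hand out URI grants.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app); each component exercises one rule below.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:targetSdkVersion="30"/>
  <permission android:name="com.example.bank.SYNC" android:protectionLevel="signature"/>
  <permission android:name="com.example.bank.WEAK"/>
  <application>
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <activity android:name=".TransferActivity"><intent-filter>
      <action android:name="android.intent.action.VIEW"/>
      <category android:name="android.intent.category.DEFAULT"/>
      <category android:name="android.intent.category.BROWSABLE"/>
      <data android:scheme="bank" android:host="transfer"/>
    </intent-filter></activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.SYNC"/>
    <receiver android:name=".OtpReceiver" android:permission="com.example.bank.WEAK"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
    <provider android:name=".AccountProvider" android:authorities="com.example.bank.accounts"
              android:exported="true" android:grantUriPermissions="true"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.bank.cache"/>
  </application>
</manifest>"""


def attr(elem, name, default=None):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def declared_permissions(root):
    """App-declared permission name -> protectionLevel. The default is "normal",
    which any third-party app obtains simply by requesting it in its own manifest."""
    return {attr(p, "name"): attr(p, "protectionLevel", "normal") for p in root.iter("permission")}


def is_exported(comp, sdk):
    """Platform export rule: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported by default, and a provider without an explicit
    value is exported only when targetSdk < 17."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.tag == "provider":
        return sdk < 17
    return comp.find("intent-filter") is not None


def intent_surface(comp):
    """Actions and URI schemes across all filters, plus whether any single filter
    makes the component a browser-reachable deep link (VIEW + BROWSABLE + scheme)."""
    actions, schemes, deep_link = set(), set(), False
    for f in comp.findall("intent-filter"):
        f_actions = {attr(a, "name") for a in f.findall("action")}
        f_cats = {attr(c, "name") for c in f.findall("category")}
        f_schemes = {attr(d, "scheme") for d in f.findall("data") if attr(d, "scheme")}
        actions |= f_actions
        schemes |= f_schemes
        if ("android.intent.action.VIEW" in f_actions
                and "android.intent.category.BROWSABLE" in f_cats and f_schemes):
            deep_link = True
    return sorted(actions), sorted(schemes), deep_link


def enumerate_attack_surface(manifest_xml):
    """Return the components an outside app can reach, with the permission gate and
    its real strength, the actions/schemes answered, and provider grant flags."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    sdk = int(attr(uses_sdk, "targetSdkVersion", 33)) if uses_sdk is not None else 33
    perms = declared_permissions(root)
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, sdk):
            continue
        actions, schemes, deep_link = intent_surface(comp)
        gate = attr(comp, "permission")
        if comp.tag == "provider" and gate is None:
            # Providers may gate read and write separately instead of one permission.
            gate = attr(comp, "readPermission") or attr(comp, "writePermission")
        level = perms.get(gate, "not declared in this manifest") if gate else None
        notes = []
        if gate is None:
            notes.append("no permission gate: any app can reach it")
        elif level == "normal":
            notes.append("gate is a normal-level permission: any app can hold it")
        if attr(comp, "exported") is None and sdk >= 31:
            notes.append("implicit export via intent-filter; android:exported is mandatory from targetSdk 31")
        if deep_link:
            notes.append("browser-reachable deep link: " + ", ".join(schemes))
        if comp.tag == "provider" and attr(comp, "grantUriPermissions") == "true":
            notes.append("grantUriPermissions=true: review path-permission and FLAG_GRANT_* handling")
        findings.append({"tag": comp.tag, "name": attr(comp, "name"), "permission": gate,
                         "gate_level": level, "actions": actions, "schemes": schemes,
                         "deep_link": deep_link, "notes": notes})
    return findings


if __name__ == "__main__":
    for row in enumerate_attack_surface(SAMPLE_MANIFEST):
        print(row["tag"], row["name"], f"gate={row['permission']} ({row['gate_level']})", "; ".join(row["notes"]))
```

Two results from the sample are the ones that matter in practice: `.OtpReceiver` looks gated but its permission is normal-level, so any app can request it and forge the broadcast; `.DebugActivity` has no intent filter and so never shows up in UI or deep-link testing, yet it is reachable with an explicit intent (`adb shell am start -n com.example.bank/.DebugActivity`). Each line of output is the input to the dynamic step: `am start`/`am startservice`/`am broadcast` with the listed action, or `content query --uri content://<authority>/...` for providers.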