Questions tagged [android]

Questions tagged [Android] should focus on security of the operating system itself, or of Android-specific apps. Questions about Android that are not directly security-related should be asked at android.stackexchange.com.

0 votes
0 answers
29 views

Whatsapp notifications bypassing Nordvpn despite "Block connection without VPN" on Android. How to resolve? [migrated]

I use Nordvpn on my Xiaomi Redmi Note 12. When Nordvpn is not connected I still receive notifications via Whatsapp "You may have new messages". When I then connect to Nordvpn the actual new ...
CuriousIndeed
1 vote
0 answers
94 views

Intercepting and manipulating via MITM but with generic TLS traffic, not https. And with Android as a target

I’m trying to intercept TLS traffic on port 8443 between an Android app and an IPcam (8443 is the webcam’s port) on my LAN, on-the-fly (like Burp Suite does with HTTP(S)). Protocol in 8443 is not HTTPS....
allexj
  • 513
0 votes
0 answers
97 views

Why are the Chrome/Chromium JavaScript engines (V8) vulnerabilities more difficult to reproduce on Android compared to Windows and Debian?

I conducted tests on the vulnerabilities of 5 Chrome/Chromium JavaScript engines (V8) on three platforms (the list of vulnerabilities is as follows). Without exception, the Android system failed to ...
ho1 tian
4 votes
1 answer
107 views

What is best way to intercept https traffic on an APK that uses WebView

I have this project where I am trying to intercept HTTPS traffic of an APK. I have done this plenty of times with HTTP Toolkit and Bypassing pinning. This project however has been very difficult as ...
D J
  • 41
1 vote
1 answer
135 views

Is Android Keystore/iOS Keychain without biometric authentication still secure against physical access attacks?

I'm implementing refresh token storage in a mobile app and trying to understand the practical security differences between these two approaches: Option 1: Hardware-backed storage WITHOUT biometric ...
Tamlyn
  • 185
1 vote
2 answers
116 views

In PCI DSS SAQ A, does "customer’s browser" include merchant apps using TPSP-provided UI elements for card data?

I’m trying to understand a PCI DSS SAQ A requirement that says: "All elements of the payment page(s)/form(s) delivered to the customer’s browser originate only and directly from a PCI DSS ...
Lachgar Nour Eddine
0 votes
1 answer
162 views

Securing OpenSSL for my Android project

I am working on a security-related project and have to make sure there are no OpenSSL attacks. According to my understanding, OpenSSL attacks can be at hardware as well as software level. Currently ...
Arunabh
  • 111
1 vote
0 answers
151 views

Are RCS encrypted messages in Google Messages, that the senders say they didn't send, the sign of a security issue or glitch? [closed]

A frequent contact of mine has been receiving texts that say "End-to-end encrypted message" on her Android phone in Google Messages. These messages appear to be from me, and she says that ...
Brian Hazard Spenser
0 votes
0 answers
153 views

Altered Android app icon, indication of spyware?

While setting up and debugging a VPN connection on an Android device with the “Net Analyzer” app, I spotted by chance a suspicious icon in the application as shown in the screenshot below (shows the ...
Urs
  • 1
2 votes
1 answer
466 views

How to make sure a used custom-ROM phone isn't malicious?

I am (hypothetically!) thinking about buying a used phone for sustainability reasons. I am also thinking about this being a non-Google phone for ethical reasons. There are some people in my country ...
Mark Watney
1 vote
0 answers
55 views

Where can I get a list of trusted certificate authorities? [duplicate]

Background (Disclaimer: I know very little on this whole topic) Let's Encrypt has recently dropped some Certificate Authorities (the TLSv1.0?), which is an issue for Android 4 devices, since now they ...
flen
  • 235
3 votes
4 answers
773 views

Google Find My Device unknown tracker alert algorithm?

I was reading Google's blueprint about their new technology called Find My Device and what took my interest was unknown tracker identification and how Google does that. Unknown tracker alerts. The ...
Suncatcher
6 votes
3 answers
1k views

Keyboard isolation in Android

I'm currently running GrapheneOS on a Pixel 6a, and I have installed several alternative keyboards from F-Droid and the Play Store. How isolated are keyboards in Android? When I enable a keyboard in ...
Ender Wiggin
0 votes
2 answers
327 views

Should mobile app developers actively prevent apps from running on outdated devices/rooted devices/emulators for security purposes?

From personal experience many mobile apps that I've tested don't actively detect and discourage (with a warning) or even block the app from running on/in: a rooted/jailbroken Android/iOS device ...
Bob Ortiz
  • 7,715
2 votes
0 answers
123 views

Possible attacks against head unit of contemporary cars

I purchased a new car this week. It has a multimedia unit (sometimes called head unit of car). It has FM/AM/DAB radio functions (with its radio antenna), Bluetooth 5.0, Wireless CarPlay – Android Auto, ...
Not a Salmon Fish