The issue itself is fairly easy to describe: Meta found that, of 14 reputable brands, seven had releases where one or more preinstalled APEX modules (privileged OS code) were signed using only the test keys that are publicly available in the Android Open Source Project (AOSP) repository.
A fairly classic mobile issue: the McAfee Security: Antivirus VPN is a highly privileged app and it exports a fairly generic `MainActivity`. The `MainActivity` is rather dynamic in terms of what type of content it'll load, basically acting as a wrapper to load whatever the real intent was...
Two vulnerabilities: the first is an exposed insecure activity that allows other applications to automatically install any application from the Galaxy Store, the second is a filter bypass which can lead to navigating the CloudGame webview to an untrusted domain.
**tl;dr** Android Parcels have their own memory pool rather than being freed all the way back to the general Java memory pool. This custom memory management, combined with a bug resulting in a dangling reference in a Parcel to an older version of the parcel, creates a "use-after-free"-like situation.
A post by Project Zero on a vuln in a new library used for DER entitlements. Entitlements are Apple's fine-grained permission system and essentially define what capabilities an app or service has...
Oversecured pointed their code-scanning tool at discovering issues in vendor patches to the Android System APIs and found a number of places where Samsung introduces vulnerabilities.
Funny bug in Task.org, which is an open source reminder and todo list tracking app. The vulnerability is a lack of path validation in the ShareLinkActivity's `share` intent...
There seem to be a lot of gaps in this writeup, but to the best of my understanding the bug is a straightforward XSS, but only in the MCS WebView, giving access to the `window.GalaxyStore` object to download or open any application from the store.
Simple bypass of the (optional) password lock screen by force-killing the application a few times. The exact cause of this is unclear; I have seen something previously where it was a "feature" because the developers thought it was crashing at that point, so disabled it to let the user continue to use the application...
Trivial instance of client-side validation: in this case the timeout between PIN attempts was enforced using the device's own clock, so by changing the time on the device you can make more attempts at the PIN.
Focuses on exploiting an Out-of-Bounds (OOB) read in the `IOSurface` subsystem. The vulnerability was an unchecked `scalar0` index into the scalar input array in `IOMobileFramebufferUserClient::get_displayed_surface()` called by `IOMobileFramebuffers::s_displayed_fb_service()`...
The vulnerability here is simply that Opera's Pinboard feature allows pinning URLs starting with `javascript:`, creating a clickable link on a Pinboard that will execute JavaScript. Unfortunately (for the attacker) these links open in a new window and not within the Pinboard context; only when middle-clicked do they execute within the Pinboard context.
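The fix for this class of bug is to validate the scheme of a user-supplied URL before it becomes a clickable link. The check below is an added example written for this summary, not Opera's code; it uses the WHATWG URL parser instead of a string prefix test, because the parser lowercases the scheme and strips the leading whitespace and embedded tab/newline characters that a naive `startsWith("javascript:")` would miss. The function names and sample inputs are constructed for illustration.

```javascript
// Schemes a pinned link is allowed to use (assumption: only web URLs should be pinnable).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns true only if `raw` parses as an absolute URL with an allow-listed scheme.
function isSafePinUrl(raw) {
  if (typeof raw !== "string") return false;
  let parsed;
  try {
    parsed = new URL(raw); // throws on relative or malformed input (no base URL given)
  } catch (_err) {
    return false;
  }
  // URL normalises the scheme ("JavaScript:" -> "javascript:") and removes
  // ASCII tab/newline characters, so obfuscated javascript: URLs still land here.
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Naive string check, shown for contrast: defeated by case and control characters.
function naiveCheck(raw) {
  return !raw.startsWith("javascript:");
}

// Constructed test inputs, as a defender would keep in a unit test for the pin validator.
const SAMPLES = [
  ["https://example.com/page", true],
  ["javascript:alert(1)", false],
  ["JavaScript:alert(1)", false],
  ["  \tjava\nscript:alert(1)", false],
  ["data:text/html,hello", false],
  ["/relative/path", false],
];

// Runs every sample through both checks so the difference is visible side by side.
function runSamples() {
  return SAMPLES.map(([url, expected]) => ({
    url,
    expected,
    safe: isSafePinUrl(url),
    naiveAccepts: naiveCheck(url),
  }));
}
```

Note that `naiveCheck` still accepts the mixed-case and tab-obfuscated variants, while `isSafePinUrl` rejects every non-http(s) input.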