Franc is a beginner Android developer who was tasked with creating an app to securely store a secret in the
SharedPreferences folder. Lacking experience in secure coding practices, Franc came up with a peculiar
solution: he added a button to the app that crashes it deliberately, hoping this would deter any attempts
to exploit the app.
Your challenge: Develop an app that outsmarts Franc’s flawed logic. Force his app to send you the secret
stored in its SharedPreferences and display the secret in a TextView within your app.
What should you send?
- The exploit for Franc's app (an APK, or code which I just need to copy/paste into an empty Android Studio project)
- A PayPal account to receive your 80 euro reward
Ahhh.....
Unfortunately, Franc is on a tight budget, so only the first solution will receive the reward. The rest will earn a spot on our humble wall of fame. :)
Good luck!
We've launched a super-secure browser with unique security settings, and we take pride in our product.
We're actively working to enhance the user experience by addressing a few UI design issues, including
an intermittent webview jumping when typing. Your feedback and support are essential in making our
browser even better.
If you manage to send our secure cookie to www.example.com, then report it immediately
to https://twitter.com/Ch0pin, as he is responsible for this mess. We will add you to our HoF for
that, but no CVE (although I think you can request one).
Constraints: No root/Frida/etc... The PoC should work for SDK version > 32
Good luck!
Can you change the "Connected to" to point to your server, without breaking the sandbox?
NO ADB, NO ROOT, NO FRIDA/OBJECTION solutions are accepted... Just plain user input
Submission: PM me at @ch0pin and I'll add your name to the Hall of Fame
Do you have something to teach the community? Then just Clone -> PR -> And we will see about it :)
- @jackds.nl (first blood)
- @tomisec
- @iamsalimabdella
- @minamikazecafe
- @Ath3r1s
- @hulkvision
- @fr4via
- @sdexyz (first blood)
- @bl4ckh0l3z
- @pm_atbrik
- @megatr0nz
- @kirasumairu1
- @thongvv10
- @rpinuaga
- @_blackb3ard
- @EzV01d
- @jgmfingers
- @komen205
- @s5uraj
- @saitawngpha
- @norvarius
- TheDauntless
- @minamikazecafe
- @saspect488
- @tomiwa_ot
- @SeanPesce
- @bernasv
- @hulkvision
- @tomisec
- @iamsalimabdella
- @fr4via