Prelude Let’s start with an Android Security Patch I reported last year. diff --git a/src/com/android/settings/applications/AppInfoBase.java b/src/com/android/settings/applications/AppInfoBase.ja...

In my previous post, Samsung’s ISVP: Betraying the Trust of Security Researchers, I shared my experience uncovering a vulnerability in Samsung mobile devices that enabled silent app installation. ...

As a security researcher passionate about improving mobile security, I’ve had two distinct experiences with Samsung’s security bug bounty program in 2024 and 2025. Unfortunately, both encounters le...

ReferrerIntent 上文中使用了 LabeledIntent 作为 Intent 的子类来完成序列化不对称攻击, 里面说明了不选择 ReferrerIntent 的理由, 因为 ReferrerIntent 只多出一个 String16 的字段是我们可以控制的, 如下 public void writeToParcel(Parcel dest, int parcelab...

Prologue 今年年初的时候， AOSP 公布了一个看起来很奇怪的 patch final Intent intent = (Intent)accountManagerResult.getParcelable(AccountManager.KEY_INTENT); if (intent != null) { mPendingRequest = REQUEST_A...

Background Backing to 2015, Google introduced the MediaProjectionManager API in Android Lollipop, gave applications the ability to record the device’s screen. While this feature is incredibly powe...