blog of morioka12

morioka12's blog (Security Blog)


1. Introduction

Hello, this is morioka12.

  • Security beginners and students
    • Especially those interested in Mobile Security
  • Mobile application developers
  • Those interested in bug bounties
  • (Those doing vulnerability research)

2. Mobile Security Top 10

OWASP Mobile Top 10 2023 (initial release)

  1. Improper Credential Usage
  2. Inadequate Supply Chain Security
  3. Insecure Authentication/Authorization
  4. Insufficient Input/Output Validation
  5. Insecure Communication
  6. Inadequate Privacy Controls
  7. Insufficient Binary Protections
  8. Security Misconfiguration
  9. Insecure Data Storage
  10. Insufficient Cryptography

JSSEC Mobile Top 10 2023

  1. Improper Platform Usage
  2. Improper Credential Usage
  3. Client Code Quality and Safety
  4. Insecure Communication
  5. Insecure Authentication
  6. Insufficient Cryptography
  7. Insecure Authorization
  8. Code Tampering
  9. Insecure Data Storage
  10. Extraneous Functionality

3. Examples of Vulnerability Reports

In bug bounty programs, mobile applications are mainly offered as the following asset types (Asset Type).

XSS (Cross-site Scripting)

  • Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506
    • Bounty: $560

  • Blind Stored XSS on iOS App due to Unsanitized Webview
    • Bounty: $100

  • [Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure

  • UXss on brave browser via scan QR Code
    • Bounty: $500

  • XSS via message subject - mobile application

  • [Android] HTML Injection in BatterySaveArticleRenderer WebView
    • Bounty: $150

SQL Injection

  • GitHub Security Lab (GHSL) Vulnerability Report: SQLInjection in FileContentProvider.kt (GHSL-2022-059)
    • Bounty: $300

  • SQL Injection found in NextCloud Android App Content Provider
    • Bounty: $150

  • Local SQL Injection in Content Provider ( of for Android, version

  • SQLi allow query restriction bypass on exposed FileContentProvider
    • Bounty: $100

CSRF (Cross-site Request Forgery)

  • Periscope iOS app CSRF in follow action due to deeplink
    • Bounty: $2,940

  • CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction
    • Bounty: $250

  • Periscope android app deeplink leads to CSRF in follow action

Path Traversal

  • Path Traversal in an iOS application

  • Path traversal in ZIP extract routine on LINE Android
    • Bounty: $475

  • Path traversal allows tricking the Talk Android app into writing files into it's root directory

  • Access to arbitrary file of the Nextcloud Android app from within the Nextcloud Android app
    • Bounty: $250

  • Download attachments with traversal path into any sdcard directory (incomplete fix 106097)

Improper Access Control

  • Default Nextcloud Server and Android Client leak sharee searches to Nextcloud
    • Bounty: $750

  • Webview in LINE client for iOS will render application/octet-stream files as HTML
    • Bounty: $500

  • Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate

  • Theft of arbitrary files in LINE Lite client for Android

  • 1 click Account takeover via deeplink in []

  • Sensitive files/ data exists post deletion of user account
    • Bounty: $150

IDOR (Insecure Direct Object Reference)

  • read new emails from any inbox IOS APP in notification center

  • IDOR for changing privacy settings on any memories

  • Business Suite "Get Leads" Resulting in Revealing User Email & Phone

Improper Authentication

  • Bypass of biometrics security functionality is possible in Android application (
    • Bounty: $500

  • Weak user aunthentication on mobile application - I just broken userKey secret password
    • Bounty: $5,000

  • App pin of the Android app can be bypassed via 3rdparty apps generating deep links
    • Bounty: $150

  • Able to steal bearer token from deep link
    • Bounty: $6,337

  • Two-factor authentication bypass on Grab Android App

  • Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App

  • Bypassing lock protection
    • Bounty: $50

  • Vine - overwrite account associated with email via android application

Privilege Escalation

  • Android MailRu Email: Thirdparty can access private data files with small user interaction

Information Disclosure

  • AWS bucket leading to iOS test build code and configuration exposure
    • Bounty: $1,500

  • Possible to steal any protected files on Android
    • Bounty: $750

  • Android content provider exposes password-protected share password hashes
    • Bounty: $75

  • Notification implicit PendingIntent in com.nextcloud.client allows to access contacts
    • Bounty: $250

  • [Quora Android] Possible to steal arbitrary files from mobile device

  • Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock

Information Exposure Through Debug Information

  • Grammarly Keyboard for Android <4.1 leaks user input through logs (except for sensitive input fields)

  • Stealing Private Information in VK Android App through PlayerProxy Port Remotely

Use of Hard-coded Credentials

  • [█████████] Hardcoded credentials in Android App
    • Bounty: $500

  • Hardcoded credentials in Android App

  • Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app

Improper Export of Android Application Components

  • Launch Any Activity in MyMail App

DoS (Denial of Service)

  • url that twitter mobile site can not load
    • Bounty: $1,120

  • iOS group chat denial of service
    • Bounty: $300

  • DoS of LINE client for Android via message containing multiple unicode characters (0x0e & 0x0f)

  • iOS app crashed by specially crafted direct message reactions
    • Bounty: $560

  • DoS in Brave browser for iOS
    • Bounty: $80

Privacy Violation

  • Changing email address on Twitter for Android unsets "Protect your Tweets"
    • Bounty: $2,940

  • for Android - Theft of sensitive data

  • [IRCCloud Android] Theft of arbitrary files leading to token leakage

Cryptographic Issues

  • Twitter iOS fails to validate server certificate and sends oauth token
    • Bounty: $2,100

  • Insecure Data Storage in Vine Android App
    • Bounty: $140

Violation of Secure Design Principles

  • Phishing/Malware site blocking on Brave iOS can be bypassed with trailing dot in hostname
    • Bounty: $250

  • ByPassing the email Validation Email on Sign up process in mobile apps
    • Bounty: $100

4. Other

  • Advanced Android Bug Bounty skills - Ben Actis, Bugcrowd's LevelUp 2017

  • OWASP Mobile Application Security Testing Guide (MASTG)

  • OWASP Mobile Application Security Testing Guide (Japanese translation)

  • Android Application Secure Design / Secure Coding Guidebook

Reference documents (recommended)



5. Closing