Account Share

Discover and Read the Best of Twitter Threads by @fs0c131y

Profile picture
Share this page
All Threads
Profile picture
Found in the #WeChat source code:

"setUin REBUILD data now ! DO NOT FUCKING TELL ME DB BROKEN !!!"
One of their guy like the f word:

"fucking samsung"
He managed to use fuck 3 times in the same sentence
Read 7 tweets
Profile picture
Hi @FoxNews and @realDonaldTrump supporters,

You should not use this app. In 5 minutes, I managed to get:
- the list of all the people registered
- name
- Photo
- personal messages
- token to steal their session

Thread ⬇️
This is a small subset of the profile pictures
Currently there are 1607 users in the application and 128 rooms
Read 10 tweets
Profile picture
Reverse engineering of a Huawei P20 from China - Episode 2

Thread ⬇️
I intercepted the communications made by the Huawei P20 and this is not good...
The phone sends a request to all these websites. The 1st observation, we can do is that almost all communications are unencrypted.
Read 16 tweets
Did Thread Reader help you today?
Support us: We are indie developers! Read more about the story
Become a 💎 Premium member ($30.00/year) and get exclusive features!
Too expensive?
Make a small donation instead. Buy us a coffee ($5) or help for the server cost ($10):
Donate with 😘 Paypal or  Become a Patron 😍 on Patreon.com
Profile picture
THREAD: I'm looking at a Huawei P20 from China, let see what can I found
The 1st app I reversed is an app called Decision
Look at the name of the files contains in the assets folder:
- airport_china.txt
- city_china.txt
- cityinfo.db
- parkinglot_china.txt
- railwayinfo.db
- trainInfo.db
- trainstation.db

Interesting, no?
Read 24 tweets
Profile picture
Let's see how #WhatsApp is encrypting your attachments 1/n
In a #WhatsApp conversation, I sent a TTF file 2/n
In my phone, this TTF file is stored in the sdcard. To be precise here: /sdcard/WhatsApp/Media/WhatsApp Documents/Action_Man.enc 3/n
Read 10 tweets
Profile picture
The phone number linked to this #Aadhaar number is 9958587977
According to an official @nicmeity circular, this phone number is the number of your secretary documents.doptcirculars.nic.in/D3/D03ppw/PPWE….
Is it really your #Aadhaar number @rssharma3?
Read 13 tweets
Profile picture
Hi @KamalAditi,

Challenge accepted!

Please find below the first flaw of #Kimbho app 2.0 aka how to get the online status of #Bolo users
First thing first, we are talking about this app "Bolo Messenger - Secure Chat, Voice & Video Calls" which is the new version of the #Kimbho app play.google.com/store/apps/det…
When you send a message with the #Bolo app, it is checking if your contact is online with this request. The endpoint is taking the "contact userId" (the 1st black rectangle in the picture)
Read 10 tweets
Profile picture
People are stupid... A Youtube account called "DIGISEVA CENTER" showed how to bypass ECMP software in this video
Of course if you like the video you can donate to the Paytm account 7041704604
Thanks to his Paytm account you can find his Facebook page
Read 6 tweets
Profile picture
Time for a new thread. The #android #application called @moinsbete is one of the most downloaded applications in France. This app is sending without your consent your personal data to @mopub:
- location
- operator
- mcc
- mnc
- country
- screen size
Yes, all these requests to @mopub are HTTP requests... Welcome to 2018...
This is a very good example of data abuse. Every time you open the @moinsbete #android #app with location on, your location is send without your consent to an US based server owned by @mopub
Read 9 tweets
Profile picture
I’m analysing #KevDroid samples the new #Android #malware discovered several days ago by #ESTSecurity
blog.alyac.co.kr/1587
Articles on the same subject by @PaloAltoNtwks and @TalosSecurity
researchcenter.paloaltonetworks.com/2018/04/unit42…
blog.talosintelligence.com/2018/04/fake-a…
The samples are available on @koodous_project and @virusbay_io
28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209
Read 13 tweets
Profile picture
Yesterday, I spent part of my day learning about Martin Luther King Jr's life, John Lewis, activists around them, about the 60's America, the Selma March. Following this, I have thousands of questions about America today, my country France and more generally about the world today
When I think about the current situation, the political landscape of my country, France, I do not see any equivalent to these extraordinary people, to these heroes. These women, these men, of all races and all religions have marked History by their pacifist fight.
They did it because the time had come. It was time to shake the unjust status quo. This fight was dangerous, deadly, insurmountable, but they did it. These "ordinary" people have outdone themselves for the common good, the good of their people and their nation.
Read 8 tweets
Profile picture
Last time I checked this website, on Jan 7, 291 #android #apps were available. @GoDaddy is it possible to shutdown this website?
Several occurrences of the website jikutate.com can be found in the apps. Jikutate means shaft in Japanese.
An "iPhone spin” can be found on lp.jikutate.com/it/iphonespin/…
Read 8 tweets
Profile picture
Tutorial: How to capture network packets and record them on your #Android phone

1/ Install Packet Capture #android app

play.google.com/store/apps/det…
2/ Follow the setup wizard of Packet Capture
3/ Give the read external storage permission to Packet Capture
Read 12 tweets
Profile picture
1/ People asked me if this tweet is true or not. Let's talk about this app.
2/ Every time, I open the app I have this pop up: "Internet speed is too slow". As a consequence, I was unable to make a dynamic analysis and so confirm the tweet above.
3/ I decompiled the app and found this code in the registration method. During the registration, the name, phone number, date of birth, gender of the user is send to citizenoutreachapp.in/api/register_u….
Read 8 tweets
Profile picture
1/ In this request, the @narendramodi's #Android #application sends silently and without the user's consent, his IP address and a unique identifier of his phone.
This personal data is sent to the website api.narendramodi.in which is located in the US.
2/ As the application is available in Europe, it must comply with the European regulation called #GDPR. Since an IP address is considered as a personal data, the user must give his consent and must be able to opt out from this data collection.
3/ The @narendramodi's #Android #application does not meet these requirements and so is breaking this European regulation.
Read 6 tweets
Profile picture
When you apply for membership in the official @INCIndia #android #app, your personal data are send encoded through a HTTP request to membership.inc.in.
Come on! HTTP?! I'm sure you are able to rectify this and use HTTPS instead.
Moreover, the personal data are encoding with base 64. This is not encryption! Decode this data is very easy as shown in the example.
Read 4 tweets
Profile picture
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are send without your consent to a third-party domain called in.wzrkt.com.
This domain is classified as a phishing link by the company G-Data. This website is hosted by @GoDaddy and the whois info are hidden.
After a quick search, this domain belongs to an American company called @CleverTap. According to their description, “#CleverTap is the next generation app engagement platform. It enables marketers to identify, engage and retain users and provides developers"
Read 7 tweets
Profile picture
<Thread> China spies on fellow citizens with the help of private enterprise. Here is an example. 1/18
In July, 2017, @mashable and @fossbytes14 published an article explaining that the Chinese authorities are forcing its Muslim minority population in Xinjiang to install spyware on their smartphones. 2/18
mashable.com/2017/07/21/chi…
Fossbytes based his article on Twitter user comments including @o66071443. @o66071443 who was very active on Twitter, with +8K tweets and +32K followers, does not publish anything since October 3, 2017. 3/18
Read 19 tweets
Profile picture
The @OnePlus #clipboard app contains a strange file called badword.txt 🤔

In these words, we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, ...

pastebin.com/kfvJWKJB
This badword.txt is duplicated in a zip file called pattern. This archive contains 7 files:
- badword.txt
- brackets.txt
- end.txt
- follow.txt
- key.txt
- start.txt
All these files are used in a obfuscated package which seems to be an #Android library from teddymobile
Read 15 tweets
Profile picture
The official #Aadhaar #android app is sending an SMS to authenticate the user. In general, to avoid abuses, you add a sending rate limit. The user has to wait 2 minutes before resend the SMS. @UIDAI did not implement this kind of limit in the app. What are the consequences?
An attacker can extract the authentication HTTPS request made by the official #Aadhaar #android app. After that he just has to write a small script which will try all the possible #Aadhaar numbers.
The attacker will be able to flood the all #India population and @UIDAI will lose a lot of money.

.@UDAI don't be stupid, remove the official #Aadhaar #android app from the PlayStore, this is the best move you have.
Read 3 tweets
Profile picture
1. I'm tweeting a lot these last days, let make a quick recap
2. @Gioneeglobal, a Chinese phone maker who sell his phone in the US under the name @BLU_Product, made a phone for #NorthKorea. Afaik, they didn't make a public statement.

3. @OnePlus removed the #angela backdoor I found last November from his products

Read 18 tweets
Profile picture
Bug in the official #Aadhaar #android app. By default, the application asks for the password for each action. In the settings, you can deactivate this password protection.

By force quitting the app when you deactivate this mechanism you don't need to enter the password.
.@UIDAI You clearly have not tested your application...
unroll
Read 3 tweets
Profile picture
Hi @UIDAI 👋! Do I have to explain you how real #Android developers are working?

On his official #Playstore account. @UDAI published today an app called "NewTest" with blank screenshot and testingtestingtesting[...] as description 🤦‍♂️

#AadhaarFail
They also have a 3rd app called "testBeta (Unreleased)" 🤦‍♂️. Yes, they called an "Unreleased" an app released on the PlayStore 🤦‍♂️...

@UIDAI maybe your interns can read this link support.google.com/googleplay/and… to know how to set up an alpha/beta tests...
Regarding how they used their #PlayStore account, I'm pretty sure they are unable to update the official #Aadhaar #android app because they lost the release key. Please @UIDAI, show me I'm wrong
Read 6 tweets
Profile picture
The @KhoslaLabs and @UIDAI developers don't know how to generate a #android app certificate correctly 🤦‍♂️

They keep the default owner and issuer: Google. This is funny, technically, Google is the owner and issuer of #Aadhaar 😂😬🤦‍♂️
As stated by the official documentation, developer.android.com/studio/publish…
"A public-key certificate, also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, as well as some other metadata identifying the owner of the key"
Moreover, "Every app must use the same certificate throughout its lifespan"
So, @KhoslaLabs and @UIDAI cannot change it. They need to reupload another app with a different package name if they really want to change it.
Read 10 tweets
Load more
Did Thread Reader help you today?
Support us: We are indie developers! Read more about the story
Become a 💎 Premium member ($30.00/year) and get exclusive features!
Too expensive?
Make a small donation instead. Buy us a coffee ($5) or help for the server cost ($10):
Donate with 😘 Paypal or  Become a Patron 😍 on Patreon.com