MHL Post Board

Challenge Description Welcome to the Android Insecure WebView Challenge! This challenge is designed to delve into the complexities of Android’s WebView component, exploiting a Cross-Site Scripting (XSS) vulnerability to achieve Remote Code Execution (RCE). It’s an immersive opportunity for participants to engage with Android application security, particularly focusing on WebView security issues. postboard.apk Solution As usual, I started by performing static analysis to get some understanding of the application. Static Analysis I started out by reading the AndroidManifest.xml code after decompiling using jadx-gui. ...

April 4, 2025 · 6 min · 1206 words

MHL Food Store

Challenge Description Welcome to the Android App Security Lab: SQL Injection Challenge! Dive into the world of cybersecurity with our hands-on lab. This challenge is centered around a fictitious “Food Store” app, highlighting the critical security flaw of SQL Injection (SQLi) within the app’s framework. foodstore.apk Solution As usual, static analysis to understand first. Static Analysis I started out by reading the AndroidManifest.xml code first. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 <activity android:name="com.mobilehackinglab.foodstore.Signup" android:exported="false"/> <activity android:name="com.mobilehackinglab.foodstore.MainActivity" android:exported="true"/> <activity android:name="com.mobilehackinglab.foodstore.LoginActivity" android:exported="true"> <intent-filter> <action android:name="android.intent.action.MAIN"/> <category android:name="android.intent.category.LAUNCHER"/> </intent-filter> </activity> There is a Signup, MainActivity and LoginActivity activity but only Signup activity is not exported. Reading the objective provided, this challenge will be focused in the signup function. ...

April 3, 2025 · 4 min · 770 words

MHL Guess Me

Challenge Description Welcome to the “Guess Me” Deep Link Exploitation Challenge! Immerse yourself in the world of cybersecurity with this hands-on lab. This challenge revolves around a fictitious “Guess Me” app, shedding light on a critical security flaw related to deep links that can lead to remote code execution within the app’s framework. guessme.apk Solution I started out by performing static analysis. Static Analysis As usual, jadx-gui for reading the code. ...

April 1, 2025 · 5 min · 1061 words