My Java skills are really rusty, I’ve even got bitten by the classic == vs. String,equals() mistake. But slowly I’m getting somewhere, using #Soot framework to rewrite APKs and get debugging output from them.
For reference, I succeeded adding instrumentation to an existing release APK. So I’m no longer flying blind. Will document things in a blog post soon.
Now I’m back to figuring out how to exploit the vulnerabilities, it’s less straightforward than I thought.
A Mastodon instance for info/cyber security-minded people.