Android M and the war on cleartext traffic

A week ago, during WWDC, Apple announced App Transport Security (ATS) for iOS 9. This feature will allow app developers to specify which domains their app needs to communicate with over HTTPS. In principle, for those domains, cleartext traffic will be automatically blocked by the system. What about Android? Google has not yet announced it officially, but the next Android version (codenamed Android M) has a “similar” feature. The code that includes this had actually been around for a while before Apple’s WWDC, but no one seems to have picked it up. »

Substrate - hooking C on Android

Substrate is one of the best dynamic instrumentation frameworks. It is very flexible and allows you to easily hook Java, Objective-C or native C/C++ code in your Android or iOS apps. It can even hook non-exported functions, but that’s a matter for another blog post. I use Substrate quite a lot during mobile app security testing, along with various other tools. This post is the second of a two-part walkthrough on hooking C code on iOS and Android platforms using Substrate. »

Same Origin Policy and the Android WebView

First of all, let me say that all that follows is public knowledge and is somewhat described in the Android docs. However, I haven’t seen much discussion, so I thought it would be a good idea to write a blog post.

#### Same Origin Policy

When a page is loaded into a WebView to be displayed, all code in this page runs “in the context” of that page (its origin). The Same Origin Policy (SOP) is a mechanism that restricts JavaScript running in the context of one origin from accessing objects from another origin. »