Google clamps down on Android developers with mandatory verification

https://fed.brid.gy/r/https://nerds.xyz/2026/03/android-developer-verification/

Day 10 of #100VibeProjects

Built a local web tool that does static security analysis of Android APKs — upload an APK and get a report covering permissions, hardcoded secrets, SDK fingerprinting, cert pinning, and crypto posture.

The interesting part: the methodology came from reverse-engineering the WhiteHouse app teardown that went viral last week. Applied the same five-gate analysis framework to a real banking app.

Found an expired certificate pin (silently disables TLS pinning for all users), a session replay SDK with no confirmed masking rules, and four Adobe tracking SDKs doing cross-device user stitching.

The tool runs entirely locally. No data leaves your machine. APK deleted after analysis.

Stack: Python · Flask · androguard · 380 lines

Blog: mrdee.in
https://mrdee.in/writing/vibecoding-day010-offline-apk-security-analyzer/

💻 GitHub Repo: https://github.com/mr-dinesh/Offline-APK-Analyzer

#VibeCoding #AppSec #AndroidSecurity #MobileSecurity #Python #Flask #DFIR #InfoSec #ReverseEngineering #CyberSecurity

Vibecoding-Day010-Create offline web tool for static security analysis of Android APK files

Building an Offline APK Security Analyzer in Flask

Project #10 of the 100 Vibe Coding Projects challenge

I’ve been doing APK security analysis manually for years — pulling the file, running jadx, grepping through decompiled source, eyeballing the manifest. It works, but it’s slow and the output lives in a terminal window that disappears the moment you close it.

This week’s project: wrap that entire methodology into a local web tool. Upload an APK, get a structured risk report in your browser. No internet required, nothing stored, APK deleted the moment analysis completes.

Dee's Digest

Sam Bent reports the White House app v47.0.1 requests 26 Android permissions, including precise location, biometric authentication, storage changes, startup, overlay, and Wi-Fi access, and embeds 3 trackers including Huawei Mobile Services Core. The piece also says the app includes an ICE tip line link and a "Text the President" feature that prefills "Greatest President Ever!" while collecting contact details. More broadly, the article compares permissions and trackers across U.S. government apps including FEMA, myFBI Dashboard, IRS2Go, and CBP Mobile Passport Control and argues many functions could be delivered via the web instead of mobile apps.

https://www.sambent.com/the-white-house-app-has-huawei-spyware-and-an-ice-tip-line/

#InfoSec #Privacy #MobileSecurity

Fedware: 13 Government Apps That Spy Harder Than the Apps They Ban

The White House app ships with a sanctioned Chinese tracking SDK, the FBI app serves ads, and FEMA wants 28 permissions to show you weather alerts.

Sam Bent

📶 Cyber Tip: Turn off Bluetooth when not in use.

Disabling it reduces the risk of unauthorized connections and device-based attacks.

https://zurl.co/GFrTK

#Zevonix #CyberSecurity #MobileSecurity #Jacksonville

Just Announced for BSides Luxembourg 2026!

Lightning Talk ⚡ UNDERSTANDING MOBILE STALKERWARE - ELOUAN RIGAUT

Elouan Rigaut https://linkedin.com/in/elouan-rigaut is a security researcher focused on mobile threats and surveillance technologies. His work examines stalkerware, attacker behavior, and detection challenges, with an emphasis on real-world impact and emerging research gaps.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/

#BsidesLuxembourg #CyberSecurity #MobileSecurity #Privacy #Stalkerware #InfoSec

Cyber Tip: Enable biometric logins on mobile devices.

Fingerprint or facial recognition adds an extra layer of protection if your device is lost or stolen.

https://zurl.co/FwMj6

#Zevonix #CyberSecurity #MobileSecurity #StAugustine

For the first time ever, OWASP MAScon hits OWASP Global AppSec EU 2026 in Vienna! Join top experts for cutting-edge mobile security talks, live demos & real-world insights.

🎟 Tickets: https://owasp.glueup.com/event/owasp-global-appsec-eu-2026-vienna-austria-162243/tickets.html
📖 Details: https://owaspglobalappseceuvienna20.sched.com/overview/type/MobileAppSecCon

#OWASP #MobileSecurity #AppSec #MAScon #CyberSecurity

The DarkSword iOS exploit, targeting Safari and WebKit, has leaked publicly on GitHub. ⚠️
Apple patched affected devices with iOS 26.3, 18.7.3, 16.7.15, and 15.8.7, but unpatched devices remain at risk. 🔒

🔗 https://appleinsider.com/articles/26/03/23/you-are-out-of-time-to-update-severe-ios-hack-code-leaks-to-everyone

#TechNews #iOS #MobileSecurity #Privacy #FOSS #OpenSource #UserControl #SoftwareUpdate #CyberSecurity #Exploit #Patch #UpdateNow #iPhone #iPad #SecurityAlert #DarkSword #Hacking #Safari #WebKit #GitHub

You are out of time to update: Severe iOS hack code leaks to everyone

The DarkSword exploit, which primarily targets devices running older iOS versions, has unfortunately made its way to GitHub. It has been patched, so update now.

AppleInsider

Surfshark launches HeyPolo
• No always-on tracking
• Share exact / approx / none
• Granular visibility controls
Privacy-first location sharing.

https://www.technadu.com/surfshark-introduces-privacy-focused-location-app-heypolo/624213/

#Privacy #InfoSec #MobileSecurity

FriendlyDealer scam abusing PWAs:
• 1,500+ fake app store domains
• Browser-based installs bypass OS checks
• Apps appear legit
• Fake MrBeast affiliations used
Shift to stealth mobile delivery.

https://www.technadu.com/friendlydealer-scam-mimics-app-stores-to-push-gambling-platforms-some-impersonate-mr-beast-affiliations/624237/

#InfoSec #MobileSecurity #ScamAlert