Android-Reports-and-Resources
Disclosure of all uploads via hardcoded API secret
https://hackerone.com/reports/351555
Sensitive information disclosure
https://hackerone.com/reports/401793
RCE in TinyCards for Android
https://hackerone.com/reports/281605 - TinyCards made this report private.
SQL Injection in Content Provider
https://hackerone.com/reports/291764
https://hackerone.com/reports/328486
Vulnerable to local file theft, JavaScript injection, open redirect
https://hackerone.com/reports/499348
Token leakage due to stolen files via unprotected Activity
https://hackerone.com/reports/288955
Steal files due to exported services
https://hackerone.com/reports/258460
Steal files due to unprotected exported Activity
https://hackerone.com/reports/161710
Steal files due to insecure data storage
https://hackerone.com/reports/44727
Insecure local data storage makes it easy to steal files
https://hackerone.com/reports/57918
Golden techniques to bypass host validations
https://hackerone.com/reports/431002
Two-factor authentication bypass due to vulnerable endpoint
https://hackerone.com/reports/202425
Another endpoint Auth bypass
https://hackerone.com/reports/205000
Bypass PIN/Fingerprint lock
https://hackerone.com/reports/331489
https://hackerone.com/reports/490946
Bypass of biometrics security functionality
https://hackerone.com/reports/637194
HTML Injection in BatterySaveArticleRenderer WebView
https://hackerone.com/reports/176065
https://hackerone.com/reports/283058
XSS in ImageViewerActivity
https://hackerone.com/reports/283063
XSS via start ContentActivity
https://hackerone.com/reports/189793
https://hackerone.com/reports/87835
https://hackerone.com/reports/97295
Access to some non-exported content providers
https://hackerone.com/reports/272044
Access protected components via intent
https://hackerone.com/reports/200427
https://hackerone.com/reports/43988
https://hackerone.com/reports/54631
Deeplink leads to CSRF in follow action
https://hackerone.com/reports/583987
Case sensitive account collisions
Overwrite account associated with email via Android application
https://hackerone.com/reports/187714
Possible to intercept broadcasts about file uploads
https://hackerone.com/reports/167481
Vulnerable exported broadcast receiver
https://hackerone.com/reports/289000
View every network request response's information
https://hackerone.com/reports/56002
A vulnerable Android application with CTF examples based on bug bounty findings, exploitation concepts, and pure creativity.
Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities
Damn Insecure and Vulnerable app
Damn Insecure and vulnerable App for Android
OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security
Sieve is a small Password Manager app created to showcase some of the common vulnerabilities found in Android applications.
OWASP top 10 2016
OWASP mobile testing guide
Android Reversing 101
Detect secret leaks in Android apps online
Android Security Guidelines
Attacking vulnerable Broadcast Receivers
Android WebView Vulnerabilities
Android reverse engineering recon
WebView addJavascriptInterface RCE
Install PlayStore On Android Emulator
Android Bug Bounty Tips