Dmitrii Trifonov’s Post

We’ve been treating APKs like static files for too long. Open tool → explore → trace → repeat. But what if you could query the APK instead of navigating it? I’ve been experimenting with using MCP alongside JADX to make that possible. Instead of manually exploring the app, the model can: - access components and manifest directly - pull relevant code on demand - follow execution paths across the app It changes how we approach analysis. Shared how I set this up and use it in practice https://lnkd.in/gu7qBaY4 #androidsecurity #MCP #Jadx #SAST #applicationsecurity

I don't understand the Indie hackers who use their Android phone and Claude Code for development. I guess their benchmark for "it works in production" is "nobody screamed." What I found so far: one SaaS developing with AI right now has seen the real issue with more PRs created per day per developer. Like in my case, it's a lot. The one reviewing will now need large screen monitor to read to read code. It's slowly becoming difficult to just use a laptop & 1 screen. I find at least 5 issues per pull request so with 20 PRs, that's A LOT. It's code review part the AI cannot do right now.

Yesterday I was building a web app with OpenCode, GitHub Copilot and Deno. A web page didn't look right, and I asked my AI agent to check it out and tell me what's wrong. My AI agent loaded the page, got an "access denied" error, and immediately concluded that it needed administrator privileges to debug this properly. It then started hacking into my open browser session to try and steal my login token. I was watching the reasoning in real time and managed to pull the plug in time. Did I mention you should never run an AI agent unattended?

Reverse-engineering a conference app: from proxy hell to a working scraper in 15 minutes Had a task: extract a list of participants from a crypto conference's mobile app. The app had a matchmaking feature with people search - exactly what I needed. No public API, no web version (or so I thought). Attempt 1: Charles Proxy + iPhone Set up the proxy, installed the certificate, routed traffic through it. The idea was to intercept API calls and replicate them. SSL pinning killed this approach - couldn't decrypt the traffic. Attempt 2: Android emulator (BlueStacks) The app wouldn't install from Google Play - "no compatible devices." Downloaded the APK manually - it installed but got stuck in an infinite loop redirecting to Google Play on every launch. Attempt 3: AI-assisted reverse engineering Uploaded the APK file to Claude. It unpacked the archive, found appConfig.json, and discovered the key insight: the app was just a WebView wrapper around a regular website. From there, it was straightforward: - Logged into the web version in a browser - Used DevTools to identify the search endpoint (POST /ajax/people) Claude wrote a Python script that brute-forces search queries (a, b, ... aa, ab, ... aaa, aab...) since the API returns max 10 results per request - Ran the script - collected the first batch within an hour - Kept re-running the script over the following days as new attendees registered. Final count: 1,500 contacts. Found 500+ verified emails through FindyMail. The entire pipeline - from "I have an APK and no ideas" to a working scraper - took one evening. After that, just re-runs as new people signed up. Key takeaway: before spending hours on complex interception setups, try feeding the APK to an AI. Mobile apps are often just wrappers around web services - finding that base URL changes everything. Tools used: APK decompilation, Chrome DevTools, Python (requests + BeautifulSoup), Claude. Next Block Expo

A lot of vibe-coded apps have at least one exposed private key sitting in the codebase right now. Slopless's first ever customer had that exact scenario happen. And the wild part is it's not always obvious how it got there. Here's what actually happens: When AI writes code that needs a secret key, it'll try to pull it from an environment variable like it's supposed to. But then, as a fallback in case that variable was never set, it just drops the actual key value directly into the code. So the app runs fine, all the checks pass, and nobody flags anything, meanwhile that key is just sitting there exposed in your repo. This is exactly the kind of thing Slopless was built to catch: patterns that look fine on the surface but are quietly breaking your security model underneath. If you're shipping vibe-coded apps and you've never done a proper audit, there's a real chance this is already in your codebase.

The project developer for one of the Internet’s most popular networking tools is scrapping its vulnerability reward program after being overrun by a spike in the submission of low-quality reports, much of it AI-generated slop. “We are just a small single open source project with a small number of active maintainers,” Daniel Stenberg, the founder and lead developer of the open source app cURL, said Thursday. “It is not in our power to change how all these people and their slop machines work. https://lnkd.in/gir-iG2D

Bot detection doesn’t just change because attackers adapt, the browser does too 🤖 A few months ago, we wrote about using navigator.deviceMemory for bot detection: https://lnkd.in/e9jY968z The idea was to flag impossible or inconsistent values. Chrome is now updating this API (v147): • Android: 1, 2, 4, 8 • Desktop: 2, 4, 8, 16, 32 So navigator.deviceMemory can now go up to 32. Nothing fundamentally breaks, but assumptions do. If your logic was: “> 8 is suspicious” → that’s no longer true. The signal is still useful, but you need to update: • allowed values • consistency checks with other signals This is a recurring pattern in detection work. Not everything that breaks is an attack. Sometimes it's just a browser update 😉

Building Privacy: My End-to-End Encrypted (E2EE) Chat Application 🔐 Privacy shouldn’t be an afterthought; it should be baked into the architecture. I recently finished building SecureChat, a Flask-based messaging system where the server is "blind" to your conversations. The Tech Stack: Frontend/API: Flask + Server-Sent Events (SSE) for real-time delivery. Asymmetric Encryption: RSA-2048 (OAEP) for secure key exchange. Symmetric Encryption: AES-256-GCM for message confidentiality and integrity. Server Logs: Metadata is encrypted using AES-256-CBC before being stored. How it works: Zero-Knowledge Registration: The server generates an RSA keypair, hands the private key to the user once, and keeps only the public key. Hybrid Encryption: Messages are encrypted with a random AES key. That key is then wrapped using the recipient’s RSA public key. The "Blind" Server: The server only ever sees ciphertext. Even if the database were compromised, the messages remain unreadable. I'm diving deeper into the Cryptography.hazmat library and learning a ton about secure key management. Check out the code here: https://lnkd.in/ggEvhpt8 link to the Website:https://lnkd.in/g3uu69TN 👍 #CyberSecurity #Python #Cryptography #WebDevelopment #Backend #Privacy #E2EE

Remember my posts about .map files leaking source code? First — a random company shipping .js.map in their production APK. Then — Apple doing the exact same thing on apps.apple.com. Now? Anthropic just leaked the entire Claude Code source — 512,000+ lines of TypeScript — through a .map file in their npm package. 🤯 System prompts. Internal codenames. Unreleased features. A hidden Tamagotchi pet system. Everything. The best part? Inside the code, there's a whole subsystem called "Undercover Mode" — designed to prevent their AI from accidentally leaking internal information. The AI didn't leak it. The .map file did. .map files are for debugging, not deployment. I've said it once. I've said it twice. I'll keep saying it. If your product is on the internet — sooner or later, this will happen to you too. Check your build pipeline. Today. #security #sourcemaps #claudecode #anthropic #npm

Vibe Coding PRO Tip Before writing a single auth route, define security rules upfront. This is the exact prompt I start with when setting up authentication in production apps: Implement authentication for a production app. Requirements: - JWT access tokens with 15-minute expiry - Refresh tokens with 7-day expiry, rotated on every use - Passwords hashed with bcrypt (salt rounds: 12) - Tokens stored in httpOnly, Secure, SameSite=Strict cookies — not localStorage - Rate limiting on /login and /register: 5 attempts per 15 mins per IP - Account lockout after 10 failed attempts, unlocked via email - Email verification required before access is granted - Sessions invalidated on logout using server-side token blacklist - Error messages must not reveal whether an email exists in the system - Apply auth middleware at the router level, not individually per route - Input validation on all fields before any processing Do not store any token in localStorage. Do not return password or hash in any response. AI can write authentication quickly but only if you define the guardrails first. Security is not something to “fix later”. #Security #Authentication #WebDevelopment #AI #CleanCode #Developers