10 October 2018

Swedish digital Bank-ID "hacked" again

It was last year when I managed to "hack" Swedish digital Bank-ID,  which is the most widespread digital identification and signing/certifying method in Scandinavia and other European countries.

Platform was Android 4.x Samsung Note 4 rooted.

Titanium Backup was used for hacking.

I cooperated with the Swedish company Finansiell Bank-ID AB, the developer and maintainer of the product.

The backdoor was corrected by eliminating Android 4.x as accepted OS, demanding at least Android 5.x and using TPM.

Well, it was sufficient for almost 1 year, until now.

Test platform was Android 6.x Samsung Note 4 rooted and Android 8.x Motorola G6 Plus rooted.

Swedbank latest version Android app and Finansiell Bank-ID latest version Android app. 

Test was done today 2018-10-10, against Finansiell Bank-ID auth server.

A special modified TWRP recovery was the "tool".


It seems that new security demands must be asked and following the actual trend:

- SuperSU sold to bogus "chinese" company in USA and abandoned developing

- SuperSU totally eliminated from Google Play

- Huawei no-longer giving bootloader unlocking codes

It seems that it will be a harsh race between Rooting a device and using that device for banking operations or digital authentication.

01 October 2018

AppListo App Cloner 1.5.5 activated via same backdoor in DexProtector

Again same test done with AppListo App Cloner 1.5.5.

Using same backdoor in DexProtector.

Red dot indicates New Premium options available.


Commercial use


Bundle app data

Custom certificate 

Headphones events

Power events

Red dot General Premium options

Red dot Launching Premium options

Remove launcher icon shortcuts

S-Pen events

Show Bring up to front notification

27 September 2018

DexProtector for Android bypassed

One of the most known anti-tampering solutions for Android developers is DexProtector.
Used by well-known Applisto App Cloner developer from Switzerland.
Until now DexProtector was unhackable, alike DexGuard.
Well...not anymore.
I tested DexProtector bypassing on latest version of Applisto App Cloner 1.5.4.
And I underline: not hacked, but ... bypassed.
Which is worse.
A backdoor in DexProtector made this possible.
I managed to activate with "custom made license"   the latest version 1.5.4 to Premium Commercial  License.
The original installed apk is intact. But a suitable license was artificially created using the backdoor in DexProtector.

Commercial use


Build props

Custom certificate

Custom package name

Disable USB events

Flush Logcat buffer on exit

Headphones events

Power events

Remove launcher icon shortcuts

S-Pen events

Stealth mode fingerprint

WebView safe browsing


03 December 2017

171203 - Famous Softwares Shame-list and spying

171203 - Famous Softwares Shame-list and spying

Just few coments on new-old trends of spying via softwares which shamelessly pretend to defend your privacy.
Despite contacting the authors few years ago and promises, nothing yet.
But on contrary, new spying methods introduced, under the umbrella of improvements, new features, bug updates, and so on.
In reality, the old issues were totally ignored.

1. Mozilla Firefox.
- years ago asked for local import of bookmarks (html file)in Android.
- nothing yet

- recent blacklist and coming future block of MHT plugins, allowing only third-part cloud solutions for it
- from now on, all your saved files will be reported to U.S. authorities

- WebRTC introduced in recent versions of almost all browsers, bypasses VPN proxy solutions, revealing your real IP
- Mozilla Firefox, Chrome,...list is long...
- same in Android
- however still exist browsers in which WebRTC can be disabled

2. Siber Systems AI RoboForm
- years ago asked for local import of bookmarks (RFP files)in Android.
- nothing yet
- all your data is in cloud, at disposal of U.S. authorities