Rafay Baloch

Rafay Baloch at Tech Valley, in 2019
Born: 5 February 1993
Nationality: Pakistani
Known for: Information security research
Notable work: Ethical Hacking and Penetration Testing Guide
Awards: Pride of Pakistan
Honours: Chevening Scholar
Website: www.rafaybaloch.com

Rafay Baloch (born 5 February 1993) is a Pakistani ethical hacker and security researcher. His work has been covered by national and international media [1] [2] including Forbes, [3] the BBC, [4] The Wall Street Journal, [5] The Express Tribune [1] and TechCrunch. [6] Checkmarx listed him among the "Top 5 Ethical Hackers of 2014", [1] [7] and SC Magazine later named him one of "The 15 Most Successful Ethical Hackers Worldwide" [8] and one of its "Top 25 Threat Seekers". [9] He was placed 13th on TechJuice's "25 under 25" list for 2016. In 2021 the cyber security company Reflectiz ranked him first in its list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021". [10] On 23 March 2022, ISPR recognised his contribution to cyber security with the Pride of Pakistan award. [11] [12] [13] [14] [15] In 2021 the Islamabad High Court appointed Baloch as an amicus curiae in a case concerning social media regulations. [16] [17] [18]


Personal life

Rafay Baloch was born in 1993 in Karachi. [19] He obtained a bachelor's degree in computer science from Bahria University, which now lists him in its Hall of Fame. [20] In 2020 he was awarded a Chevening Scholarship. [21]

Career

Baloch began his security research while still an undergraduate. He went on to write the book "Ethical Hacking and Penetration Testing Guide". [22] His second book, "Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting", is scheduled for release in August 2024. [23] [24] [25] [26] [27] [28] He is among the first Pakistani security researchers to be acknowledged by Google, Facebook, PayPal, Apple, Microsoft [29] and numerous other international organisations.

He has also written several papers on information security, including "HTML5 Modern Day Attack Vectors", "Web Application Firewall Bypass" and "Bypassing Browser Security Policies for Fun and Profit", the last of which he presented at Black Hat Asia 2016. [30]

Baloch has served as Cyber Security Advisor to the Pakistan Telecommunication Authority (PTA). [31] [32]

Bug bounty programs

Baloch has been active in bug bounty programs and has reported critical vulnerabilities [33] both in open-source web applications and to vendors running such programs. In 2012 he reported a remote code execution vulnerability in PayPal's servers; PayPal paid him $10,000 and offered him a position as a security researcher, which he declined because he was still completing his bachelor's degree. [34] HackRead, an information security news site, listed him among its "10 Famous Bug Bounty Hunters of All Time". [35] He has also been awarded $5,000 by Google and Mozilla for a vulnerability he found in the Chrome and Firefox browsers. [36]

Security research

Baloch has reported several critical vulnerabilities in web browsers. The first was a Same Origin Policy (SOP) bypass in the Android stock (AOSP) browser, which Google initially rejected [37] but accepted after researchers at Rapid7 confirmed it; the bug was assigned CVE-2014-6041. [38] Baloch followed up with several further SOP bypasses. Trend Micro found that the bug affected considerably more devices than first thought, [39] and attackers were later reported to be using the SOP bypass in the wild against Facebook users. Rapid7 researcher Joe Vennix subsequently chained the SOP bypass with gaps in the Google Play Store's X-Frame-Options (XFO) headers to achieve remote code execution on Android devices. [40] [41] Baloch also found several vulnerabilities in Android's WebView component that allowed an attacker to read local files and steal cookies from the device. [42]

In October 2020, Baloch disclosed several address bar spoofing vulnerabilities affecting Apple Safari, Yandex Browser, Opera Mini, Opera Touch, UC Browser, Bolt Browser and RITS Browser. [43] [44] [45] Disclosure was coordinated by Rapid7, which gave the vendors 60 days to patch; when that period expired, Baloch published proof-of-concept exploits for the affected browsers. [46] [47] [48] [49] [50] [51] [52] Together with another researcher, he also reported multiple vulnerabilities in PureVPN's Linux desktop client. [53]

Apple Safari address bar spoofing controversy

In 2018, Baloch disclosed address bar spoofing vulnerabilities in Apple's Safari and Microsoft's Edge that allowed a malicious page to show the URL of a legitimate website in the address bar while the user was actually viewing a different, attacker-controlled page. [54] He reported the issue to both vendors in early June 2018. Microsoft fixed Edge within two months; Apple had not responded by the end of the 90-day disclosure period, so Baloch published the details. [55] In his write-up Baloch argued that address bar spoofing lets an attacker deceive a user without any visible sign, [56] because in modern browsers the address bar is the only reliable security indicator the user has: it is the one place that shows the URL, and thus the identity, of the page actually loaded. [57] [58] [59] [60]
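The two browser guarantees this section and the one before it turn on are the Same Origin Policy (which CVE-2014-6041 bypassed) and the address bar (whose contents the 2018 and 2020 bugs falsified). The following Node.js snippet is an added example written for this page; it is not code from the article, from Baloch's research or from any affected browser, and it reproduces no exploit. It models what the SOP compares and what an address bar may legitimately display, using only Node's built-in WHATWG URL parser; the sample URLs are constructed for the example.

```javascript
// Added example: not code from the article or from Baloch's own research.
// Models the two browser guarantees this section is about: what the Same Origin
// Policy (SOP) compares, and what the address bar is supposed to show.
// Runs under Node.js using only its built-in WHATWG URL parser.

// Schemes whose URLs have a tuple origin (scheme, host, port). Everything else
// (javascript:, data:, about:blank, and file: in most browsers) is opaque.
const TUPLE_ORIGIN_SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "ftp:"]);

// Serialized origin of a URL ("https://example.com": default port omitted,
// host lower-cased), or null when the origin is opaque or the input is not a
// valid URL. `base` resolves relative URLs the way a document's own URL would.
function originOf(input, base) {
  let url;
  try {
    url = new URL(input, base);
  } catch (err) {
    return null; // unparseable: nothing to trust
  }
  if (!TUPLE_ORIGIN_SCHEMES.has(url.protocol)) return null;
  return url.origin;
}

// The SOP check a browser must enforce before one document may read another's
// DOM, cookies or storage: scheme, host and port must all match. An opaque
// origin never matches anything, not even a second copy of itself.
function sameOrigin(a, b, base) {
  const oa = originOf(a, base);
  const ob = originOf(b, base);
  return oa !== null && ob !== null && oa === ob;
}

// What the address bar should present as the identity of the page: the host
// (and non-default port) of the committed document URL. Userinfo before "@",
// the path, query and fragment are attacker-chosen and must not be mistaken
// for the site. Returns null when there is no trustworthy host to show.
function displayHost(input) {
  const origin = originOf(input);
  if (origin === null) return null;
  return origin.replace(/^[a-z]+:\/\//, "");
}

// Constructed sample cases (assumed for the example, not taken from the article).
function demo() {
  const doc = "https://a.example/page"; // URL of the document doing the access
  return {
    caseAndDefaultPort: sameOrigin("https://a.example/x", "HTTPS://A.EXAMPLE:443/y"), // true
    differentPort: sameOrigin("https://a.example", "https://a.example:8443"),         // false
    differentScheme: sameOrigin("http://a.example", "https://a.example"),             // false
    subdomain: sameOrigin("https://a.example", "https://www.a.example"),              // false
    relativeToDocument: sameOrigin("/api/data", doc, doc),                            // true
    javascriptUrl: sameOrigin("javascript:void(0)", doc, doc),                        // false
    userinfoTrick: displayHost("https://bank.example@evil.example/login"),            // "evil.example"
    dataUrl: displayHost("data:text/html,<h1>bank.example</h1>"),                     // null
  };
}
```

The second function states the section's point in code: everything a page can draw is under the attacker's control, so the only identity a user can rely on is the host the browser itself derived from the committed URL. A bug in that derivation, or in how it is rendered, removes the user's last check, which is why address bar spoofing is treated as high impact even though it executes no code.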

Google no-patch policy discovery

In 2014, after Rafay Baloch and Joe Vennix reported a bug that allowed attackers to bypass the Same Origin Policy (SOP) of the Android Open Source Project (AOSP) browser, [61] they discovered that Google had already ended security support for WebView on devices running Android 4.3 or earlier, leaving it to OEMs and the open-source security community to provide patches. [62] Google's stated position on WebView in pre-4.4 Android was: "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch." [63] Because many older devices had no upgrade path to Android 4.4, their WebView bugs remained unpatched and their users exposed. [63] [64]

Google subsequently shipped WebView as a stand-alone application that can be updated independently of the device's Android version. This re-architecture benefited the then-current releases, Android 5.0 Lollipop and 6.0 Marshmallow, [63] but remained unavailable to devices on older versions of the operating system. [55]

Commenting on the no-patch policy to Zimperium, Baloch said: "Google's decision to not patch critical security bugs (pre-KitKat) anymore would certainly impact the vast majority of users. Security firms are already seeing attacks in the wild where users are abusing Same Origin Policy (SOP) bypass bug to target Facebook users." [65]

At the time, Rapid7's Metasploit Framework contained 11 exploit modules for WebView vulnerabilities that remained unpatched on these devices, most of them contributed by Rafay Baloch and Joe Vennix. [66] [67]


References

  1. "The unsung achiever: Pakistani tops lists of ethical hackers of 2014". The Express Tribune. 2015-01-03. Archived from the original on 2018-05-13. Retrieved 2018-05-06.
  2. "Rafay Baloch Recognized as One of the Top Ethical Hackers of 2014". propakistani.pk. Archived from the original on 2018-07-15. Retrieved 2018-05-06.
  3. Fox-Brewster, Thomas. "Widespread Android Vulnerability 'A Privacy Disaster', Claim Researchers". Forbes. Archived from the original on 2018-07-15. Retrieved 2018-05-06.
  4. "Android security shift exposes users". BBC News. 2015. Archived from the original on 2018-07-20. Retrieved 2018-05-06.
  5. Yadron, Danny (2015-01-12). "Google Isn't Fixing Some Old Android Bugs". WSJ. Archived from the original on 2018-07-15. Retrieved 2018-05-06.
  6. Whittaker, Zack (2020-10-20). "Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable". TechCrunch. Archived from the original on 2024-04-03. Retrieved 2024-04-07.
  7. Husain, Osman. "Rafay Baloch Recognized as One of the Top Ethical Hackers of 2014". Archived from the original on 2019-07-23. Retrieved 2019-10-27.
  8. "The 15 most successful ethical hackers worldwide". SC Media UK. 2016-04-06. Archived from the original on 2024-06-20. Retrieved 2018-06-04.
  9. "Reboot 25: Threat seekers". SC Media. 2014-12-08. Archived from the original on 2019-08-19. Retrieved 2019-10-27.
  10. "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021". Reflectiz. 2021-04-11. Archived from the original on 2021-04-12. Retrieved 2021-04-12.
  11. "'Pride of Pakistan' award for the Pakistani hacker who made a name for himself worldwide". Independent Urdu (in Urdu). 2022-03-23. Archived from the original on 2022-03-25. Retrieved 2022-04-03.
  12. DG ISPR - "Rafay Baloch among the world's top five best hackers..." (in Urdu), archived from the original on 2022-04-03, retrieved 2022-04-03
  13. Pakistani ethical hacker to receive "Pride of Pakistan" award, archived from the original on 2022-04-03, retrieved 2022-04-03
  14. Rafay Baloch l 23 March l Pakistan Day l rafay baloch hacker l ISPR Award l KnowledgeTV, archived from the original on 2022-04-03, retrieved 2022-04-03
  15. Ayesha (2022-03-28). "ISPR awards Cyber Security Researcher Rafeh Baloch - Dicecamp Insights". Retrieved 2024-04-08.
  16. "IHC decides to review new social media laws". The Express Tribune. 2021-11-22. Archived from the original on 2024-04-28. Retrieved 2024-04-03.
  17. Asad, Malik (2021-11-23). "IHC appoints aides in social media rules case". DAWN.COM. Archived from the original on 2024-04-03. Retrieved 2024-04-03.
  18. "Amicus curiae: IHC seeks opinion on new social media rules". www.thenews.com.pk. Archived from the original on 2024-04-06. Retrieved 2024-04-06.
  19. "Cyber security expert and ethical hacker Rafay Baloch, who has brought honour to Pakistan worldwide" (in Urdu). akhbar-e-jehan.com. Archived from the original on 2023-03-21. Retrieved 2023-03-21.
  20. "SUCCESSFUL STORIES – BIC – Karachi Campus". Archived from the original on 2024-04-06. Retrieved 2024-04-06.
  21. Sharabi, Daniel (2021-05-12). "Digital Security for Websites: Exclusive Talk with Pakistani Ethical Hacker". Reflectiz. Archived from the original on 2024-04-04. Retrieved 2024-04-04.
  22. Baloch, Rafay (2017-09-30). Ethical Hacking and Penetration Testing Guide. New York: Auerbach Publications. doi:10.4324/9781315145891. ISBN 978-1-315-14589-1. Archived from the original on 2024-04-03. Retrieved 2024-04-03.
  23. Baloch, Rafay (2024-08-12). Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting (1st ed.). Boca Raton: CRC Press. ISBN 978-1-032-44719-3.
  24. "Web Hacking Arsenal". blackwells.co.uk. Archived from the original on 2024-04-03. Retrieved 2024-04-03.
  25. "Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting". Routledge & CRC Press. Archived from the original on 2024-04-03. Retrieved 2024-04-03.
  26. Baloch, Rafay (June 2024). Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting. CRC Press. ISBN 978-1-003-37356-8. Archived from the original on 2024-06-20. Retrieved 2024-04-04.
  27. ThriftBooks. "Web Hacking Arsenal: A Practical Guide... book by Rafay Baloch". ThriftBooks. Archived from the original on 2024-04-03. Retrieved 2024-04-03.
  28. Baloch, Rafay (2024-08-12). Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting. Boca Raton: CRC Press. doi:10.1201/9781003373568. ISBN 978-1-003-37356-8. Archived from the original on 2024-04-03. Retrieved 2024-04-03.
  29. "Security Update Guide - Microsoft Security Response Center". msrc.microsoft.com. Archived from the original on 2023-03-21. Retrieved 2023-03-21.
  30. "Black Hat Asia 2016". www.blackhat.com. Archived from the original on 2018-05-13. Retrieved 2018-05-06.
  31. "Rafay Baloch - Cyber Security Advisor - PTA".
  32. Ayesha (2022-03-28). "ISPR awards Cyber Security Researcher Rafeh Baloch - Dicecamp Insights". Retrieved 2024-04-08.
  33. "Files from Rafay Baloch ≈ Packet Storm". packetstormsecurity.com. Archived from the original on 2019-01-05. Retrieved 2018-06-01.
  34. "Working a desk job: Young techie bags a million rupees using IT skills". The Express Tribune. 2012-12-30. Archived from the original on 2018-07-15. Retrieved 2018-05-06.
  35. "10 Famous Bug Bounty Hunters of All Time". HackRead. 2016-02-10. Archived from the original on 2020-10-30. Retrieved 2020-09-20.
  36. "Pakistani hacker awarded $5,000 for finding bug in Chrome, Firefox". The Express Tribune. 2016-08-18. Archived from the original on 2017-11-30. Retrieved 2020-09-20.
  37. "Google Under Fire For Quietly Killing Critical Android Security Updates For Nearly One Billion". Archived from the original on 2015-01-13. Retrieved 2015-01-12.
  38. "CVE Website". www.cve.org. Archived from the original on 2024-06-05. Retrieved 2024-04-06.
  39. "Same Origin Policy Bypass Vulnerability Has Wider Reach Than Thought - Trendmicro". Trendmicro. 2014-09-29. Archived from the original on 2017-12-26. Retrieved 2018-06-01.
  40. "Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)". 2015-02-10. Archived from the original on 2019-01-05. Retrieved 2018-06-01.
  41. "(XFO) Gaps Enable Android Remote Code Execution (RCE)". Archived from the original on 2015-06-28. Retrieved 2018-06-01.
  42. "Bypassing-Browser-Security-Policies-For-Fun-And-Profit" (PDF). Archived (PDF) from the original on 2016-12-23. Retrieved 2018-06-01.
  43. "Popular Mobile Browsers Found Vulnerable To Address Bar Spoofing Attacks". The Hacker News. Archived from the original on 2023-12-01. Retrieved 2024-04-03.
  44. "Researchers warn over mobile browser address bar spoofing vulnerabilities". The Daily Swig | Cybersecurity news and views. 2020-10-22. Archived from the original on 2024-04-03. Retrieved 2024-04-03.
  45. Whittaker, Zack (2020-10-20). "Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable". TechCrunch. Archived from the original on 2024-04-03. Retrieved 2024-04-03.
  46. "Mobile browser flaw exposes users to spoofing attacks". IT PRO. 21 October 2020. Archived from the original on 2020-10-31. Retrieved 2020-10-27.
  47. "[Vuln Disclosure] Mobile Browser Bar Spoofing Vulnerabilities". Rapid7 Blog. 2020-10-20. Archived from the original on 2020-10-24. Retrieved 2020-10-27.
  48. "Popular Mobile Browsers Found Vulnerable To Address Bar Spoofing Attacks". The Hacker News. Archived from the original on 2020-10-27. Retrieved 2020-10-27.
  49. "Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable". news.yahoo.com. 20 October 2020. Archived from the original on 2024-06-20. Retrieved 2020-10-27.
  50. "Apple Safari, Opera and Yandex found with address bar spoof vulnerability, not all are fixed". Hindustan Times Tech. 20 October 2020. Archived from the original on 2024-06-20. Retrieved 2020-10-27.
  51. "Address Bar Vulnerabilities Revealed by Cyber Citadel Researcher". Cyber Citadel. 2020-10-20. Archived from the original on 2020-10-31. Retrieved 2020-10-28.
  52. "Address bar flaw exposes need for defences against Covid cyber attacks". South China Morning Post. 2020-10-24. Archived from the original on 2020-10-26. Retrieved 2020-10-28.
  53. "Multiple vulnerabilities found in PureVPN Linux app". Independent Advisor. Archived from the original on 2024-04-04. Retrieved 2024-04-04.
  54. "Security flaw left Safari and Edge users vulnerable to fake websites". Engadget. 12 September 2018. Archived from the original on 2019-01-02. Retrieved 2019-01-01.
  55. Fox-Brewster, Thomas. "Google Under Fire For Quietly Killing Critical Android Security Updates For Nearly One Billion". Forbes. Archived from the original on 2019-01-02. Retrieved 2019-01-01.
  56. "Apple Safari & Microsoft Edge Browser Address Bar Spoofing - Writeup". Miscellaneous Ramblings of A Ethical Hacker. Archived from the original on 2019-01-02. Retrieved 2019-01-01.
  57. Sameer, Sarmad. "Pakistani Researcher Discovers Address Bar Spoofing Vulnerability in Safari and Microsoft Edge". Retrieved 2019-01-01.
  58. "Apple's Safari and Microsoft's Edge browsers contain spoofing bug". SC Media. 2018-09-12. Archived from the original on 2019-01-02. Retrieved 2019-01-01.
  59. Nichols, Shaun (11 September 2018). "Safari, Edge fans: Is that really the website you think you're visiting? URL spoof bug blabbed". The Register. Archived from the original on 2019-01-02. Retrieved 2019-01-01.
  60. "Safari for iOS URL spoofing exploit revealed, with no documented fix". AppleInsider. 11 September 2018. Archived from the original on 2020-10-23. Retrieved 2020-09-20.
  61. "Reboot 25: Threat seekers". SC Media. 2014-12-08. Archived from the original on 2019-08-19. Retrieved 2019-08-19.
  62. "Google No Longer Provides Patches for WebView Jelly Bean and Prior | Rapid7 Blog". Rapid7. 2015-01-12. Archived from the original on 2023-04-07. Retrieved 2023-04-07.
  63. Allen, Grant (2015-12-18). Beginning Android. Apress. ISBN 9781430246879. Archived from the original on 2023-02-22. Retrieved 2021-12-04.
  64. "Google Passes on Older Android Patches; 930 Million Devices Vulnerable". threatpost.com. 12 January 2015. Archived from the original on 2019-01-02. Retrieved 2019-01-01.
  65. "No Patch to Same Origin Policy Bypass in Old Android Devices". Zimperium Mobile Security Blog. 2015-01-15. Archived from the original on 2019-04-12. Retrieved 2019-08-19.
  66. "Android security shift exposes users". 2015-01-13. Archived from the original on 2019-03-20. Retrieved 2019-08-19.
  67. "Online security: Pakistani helps Google avoid privacy disaster". The Express Tribune. 2014-09-20. Archived from the original on 2019-01-02. Retrieved 2019-01-01.