My thoughts on COVIDSafe app

Australia has released a new app to help fighting off Covid-19. Even before this app was released it sparked lots of discussions and now many people, myself included, are reverse engineering the app and trying to understand its shortcomings and risks.

COVIDSafe logo

Path Traversal on Retrofit

Update: CVE created CVE-2018-1000850. For some reason, the wording on the CVE is quite confusing. That is not what I submitted. Hope they fix it soon.

Retrofit is a type-safe HTTP client for Android and Java developed by Square, Inc. It is a very popular library with over 30k starts in Github and more than 120 contributors.

I found a path traversal vulnerability when using encoded=true on @Path parameters. Below is an unit test reproducing the issue. This test was added on RequestFactoryTest class (it is not upstream though).

AppSecDay reflections

Last week, I had the opportunity to attend the awesome AppSecDay. It was such an incredible event where I could present a little of what I know about AppSec and watch many other great talks too. I was so glad to see developers with different levels of security expertise to showing up to improve their security skills. Great shout out to all AppSec organisers!

Gif of a baby putting both hands to the sky as if celebrating something

It was a very inspiring event that made me reflect on many things regarding AppSec and security in general. I didn’t know what kinda of public would attend AppSecDay. In my mind it would be an event attended mostly by security professionals. I was very surprised to see that around 60% in the audience were developers like me!

There were some great talks at the event and I managed to watch a few of them. All of them were recorded, I believe, and will be made available at some point. In this blogspot I want to talk what AppSecDay (and the great talks I’ve watched) made me reflect upon.

Investigating a Phishing Attack

A friend of mine has received this message recently:

SMS with a message to re-verify your suncorp details at<phonenumber>

It was obviously phishing. This friend never had a Suncorp account and the domain name is not even similar to the actual domain. Also, part of the URL contained the phone number (which is redacted on the print) and no bank would ever do that! Most people would discard a message like that. Well, I got interested to understand how this phishing attack work so I started to investigate!


Why i hack to protect was born so it can live as notes of my research around Application Security. The word hack here is not meant to be pejorative or synonym to do illegal things. Here the word hack is related to passion, cleverness and the love to build and share things for the common good. Everything I research or build is with the goal of making web a safer place.