Hacker Public Radio

Latest episode

265 episodes

  • Hacker Public Radio

    HPR4645: ZERO HOUR: FRIDAY AFTERNOON APK HACKING

    22-05-2026
    This show has been flagged as Explicit by the host.


    WARNING AI GENERATED NOTES AHEAD YMMW








    Here is a summary of the recorded training session regarding Android hacking from Hacker Public Radio, including web references for the main topics discussed.








    Overview




    The recording features a security consultant performing a live assessment of an Android application. The consultant uses a custom tool suite called "Jamboree" and various other utilities to test a location-sharing and vehicle management app. The session highlights the increasing complexity of mobile app security, specifically dealing with SSL pinning, encrypted traffic, and anti-tampering mechanisms.




    Environment and Tools




    The assessment is conducted on a rooted Android emulator. The speaker utilizes several tools to set up the environment and intercept traffic:

      • Jamboree: A custom automation tool developed by the speaker over six years to handle rooting, proxy setup, and app installation within minutes.
      • Burp Suite: The primary interception proxy used to analyze traffic between the app and the production server.
      • Frida: Used to bypass anti-root detection and SSL pinning.
      • Ghidra: A decompiler used to analyze the app's code, specifically helpful for patching the Flutter-based application.
      • Android Debug Bridge (ADB): Used for troubleshooting, debugging, and analyzing logs (logcat) to extract user IDs and location data.






    Technical Challenges: SSL Pinning and Flutter




    The target application is built using Flutter and implements rigorous security controls, including SSL pinning, which prevents standard Man-in-the-Middle (MitM) attacks. The app's HTTP client ignores system and user-installed certificates, and it does not respect device Wi-Fi proxy settings.

    To overcome this:

      • Traffic Redirection: The speaker uses iptables commands to force all HTTP and HTTPS traffic through the proxy's IP address at the network layer, which works even though the app ignores the device proxy settings.
      • Patching with AI: The speaker leverages AI (specifically mentioning Claude and access to "Kuro") to assist in patching the APK. The AI helped navigate Ghidra and generate Python scripts to bypass the app's protections, allowing the modified APK to trust the auditor's certificate.
      • Frida Scripts: "Frida anti-root SSL pinning" scripts are executed to further mitigate detection mechanisms.






    Key Vulnerabilities Identified





    1. Geolocation Spoofing





    The consultant successfully spoofed the device's GPS location using emulator settings (e.g., setting the location to Puerto Rico or Costa Rica). The application accepted this falsified location data as valid, indicating a lack of server-side verification for location origin.
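One way a server could sanity-check client-reported positions, as an added example that is not from the recording or the assessed app: a fix is compared with the account's previous fix and rejected when the implied speed is physically implausible. The `Fix` type, the speed threshold and the sample coordinates are assumptions made for illustration.

```python
"""Added example: server-side plausibility checks on client-reported GPS fixes."""
import math
from dataclasses import dataclass
from typing import List, Optional

EARTH_RADIUS_KM = 6371.0
# Assumption: anything faster than a commercial airliner is treated as implausible.
MAX_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    received_at: float  # server receive time in Unix seconds, never the client clock


def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in kilometres."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def assess_fix(prev: Optional[Fix], new: Fix,
               max_speed_kmh: float = MAX_SPEED_KMH) -> List[str]:
    """Return the reasons a reported fix is suspect; an empty list means accept."""
    if not (math.isfinite(new.lat) and math.isfinite(new.lon)):
        return ["not_a_number"]
    if not (-90.0 <= new.lat <= 90.0 and -180.0 <= new.lon <= 180.0):
        return ["out_of_range"]
    if prev is None:
        return []  # first fix for this account: nothing to compare against
    elapsed_s = new.received_at - prev.received_at
    if elapsed_s <= 0:
        return ["non_monotonic_time"]
    speed_kmh = haversine_km(prev, new) / (elapsed_s / 3600.0)
    return ["impossible_travel"] if speed_kmh > max_speed_kmh else []


# Constructed sample fixes (not taken from the recording).
AMSTERDAM = Fix(52.3702, 4.8952, received_at=1_000.0)
NEARBY = Fix(52.3792, 4.8952, received_at=1_060.0)      # about 1 km north, 60 s later
SAN_JUAN = Fix(18.4655, -66.1057, received_at=1_300.0)  # Puerto Rico, 5 minutes later

if __name__ == "__main__":
    print(assess_fix(AMSTERDAM, NEARBY))    # plausible movement
    print(assess_fix(AMSTERDAM, SAN_JUAN))  # jump across the Atlantic in minutes
```

A velocity check is a heuristic: it catches sudden jumps like the emulator relocation described above, but it does not prove where a fix originated, so flagged fixes are better held for review than silently stored.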





    2. Insecure Direct Object Reference (IDOR) / Broken Access Control





    The most critical finding involves the app's user tracking feature.

      • The consultant discovered that the API allows querying a user's location via a user_id.
      • By intercepting traffic and analyzing adb logcat logs, the consultant extracted their own user_id and the user_id of a second test account.
      • While authenticated as one user, the consultant was able to send a request substituting the user_id with the target's ID. The server responded with the target's GPS coordinates. This confirms that an authenticated user can track any other user's real-time location if they possess the target's ID.
      • Proof of concept was created by copying the request as a curl command to demonstrate the exploit.
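The missing control behind this finding, shown as an added example that is not the assessed app's code: a location lookup that only checks authentication, next to one that authorizes the requested user_id against the session identity. The handler names, the sharing model and all sample data are hypothetical.

```python
"""Added example: object-level authorization for a location lookup keyed by user_id."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data; the identifiers and coordinates are made up.
LOCATIONS: Dict[str, Tuple[float, float]] = {
    "user-1001": (52.3702, 4.8952),
    "user-2002": (18.4655, -66.1057),
}
# Hypothetical sharing grants: owner -> accounts allowed to see the owner's position.
SHARES: Dict[str, Set[str]] = {"user-2002": {"user-3003"}}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def _location_body(user_id: str) -> dict:
    lat, lon = LOCATIONS[user_id]
    return {"user_id": user_id, "lat": lat, "lon": lon}


def get_location_vulnerable(session_user: Optional[str], requested_id: str) -> Response:
    """The flaw from the finding: authentication is checked, ownership is not."""
    if session_user is None:
        return Response(401, {"error": "unauthenticated"})
    if requested_id not in LOCATIONS:
        return Response(404, {"error": "not found"})
    return Response(200, _location_body(requested_id))  # any caller, any user_id


def may_view(session_user: str, owner_id: str) -> bool:
    """Allow the owner and accounts the owner has explicitly shared with."""
    return session_user == owner_id or session_user in SHARES.get(owner_id, set())


def get_location_hardened(session_user: Optional[str], requested_id: str,
                          audit_log: List[dict]) -> Response:
    """Authorize against the session identity, never against the request parameter."""
    if session_user is None:
        return Response(401, {"error": "unauthenticated"})
    if requested_id not in LOCATIONS or not may_view(session_user, requested_id):
        # Same answer for "unknown" and "not yours", so the endpoint cannot be
        # used to confirm which user_ids exist; the denial is still logged.
        audit_log.append({"event": "location_denied", "actor": session_user,
                          "target": requested_id})
        return Response(404, {"error": "not found"})
    return Response(200, _location_body(requested_id))


if __name__ == "__main__":
    log: List[dict] = []
    print(get_location_vulnerable("user-1001", "user-2002"))
    print(get_location_hardened("user-1001", "user-2002", log), log)
```

The audit entries give detection something to work with: one account generating denials for many different target IDs is the pattern this finding would produce against a hardened endpoint.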







    3. Potential Information Disclosure





    The consultant began testing a feature that allows users to add vehicles by license plate. The concern is that querying a license plate might return excessive PII (Personally Identifiable Information), such as VIN numbers or registration details, beyond what the UI strictly requires (least privilege issue).





    4. Access Control (Calendar Feature)





    The consultant tested whether calendar events could be accessed by switching user_id parameters. This test resulted in a "401 Unauthorized" error, indicating that this specific endpoint had proper access control in place.




    Web References and Resources




    Below are references for the main tools and concepts discussed in the training:

      • Hacker Public Radio: https://hackerpublicradio.org/
      • Burp Suite (Web Security Testing): https://portswigger.net/burp
      • Frida (Dynamic Instrumentation Toolkit): https://frida.re/
      • Ghidra (Software Reverse Engineering): https://ghidra-sre.org/
      • Android Debug Bridge (ADB): https://developer.android.com/tools/adb
      • OWASP Mobile Top 10: https://owasp.org/www-project-mobile-top-10/
      • OWASP Testing for Insecure Direct Object References (IDOR): https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authorization_Testing/04.1-Testing_for_Insecure_Direct_Object_References
      • Flutter (UI Toolkit): https://flutter.dev/








    Provide feedback on this episode.
  • Hacker Public Radio

    HPR4644: Response to comments on HPR4424: Newsboat...

    21-05-2026
    This show has been flagged as Clean by the host.


    Hi this is your host, Archer72 for Hacker Public Radio.






    In this episode I share some of my findings about a problem with
    the Newsboat naming of the HPR feeds,


    which was brought up in comments about my Newsboat show, HPR4424.







    hpr4424: How I use Newsboat for Podcasts: comment #6 :
    download-filename-format for HPR podcasts






    Ken already had some findings of his own about the
    ccdn.php extension in the feed.







    hpr4424: comment #10 : Summary of findings






    I thought that this might be able to be fixed on an individual
    basis, and set out to ask Claude.ai a few questions.






    But first, some collaboration from Dave Morriss about a good
    renaming format. This was definitely more on Dave’s side than
    mine, but came up with this.

    You can tell Dave’s handiwork from the short variable names, which
    stems from his extensive experience on Unix type machines in the
    University days.






    exif-rename-hpr-dave.sh





    #!/bin/bash

    URL="$(cat /tmp/hpr-url.txt)"
    echo "DEBUG URL: $URL" >> /tmp/hpr-debug.log

    AUDIO_URL="$(curl -s "$URL" | grep -Eo 'https?://[^"]*\.(ogg|mp3)' | head -1)"
    echo "DEBUG AUDIO: $AUDIO_URL" >> /tmp/hpr-debug.log

    if [[ -z "$AUDIO_URL" ]]; then
        echo "ERROR: Could not find audio URL from: $URL" >> /tmp/hpr-debug.log
        exit 1
    fi

    # Changed destination to HPR-queue
    DEST=~/podcasts/hub.hackerpublicradio.org/HPR-queue/

    # Record files present before download
    BEFORE="$(ls "$DEST"*.{ogg,mp3} 2>/dev/null | sort)"

    wget -nc --content-disposition -P "$DEST" "$AUDIO_URL"

    # Stop if the destination is missing, so the rename never runs elsewhere
    cd "$DEST" || exit 1

    # Record filename just downloaded (new file not in BEFORE)
    AFTER="$(ls "$DEST"*.{ogg,mp3} 2>/dev/null | sort)"
    DOWNLOADED="$(comm -13 <(echo "$BEFORE") <(echo "$AFTER"))"
    echo "DEBUG DOWNLOADED: $DOWNLOADED" >> /tmp/hpr-debug.log

    ~/bin/exif-rename-hpr-dave.sh

    # Find renamed file: newest file that wasn't in BEFORE
    AFTER_RENAME="$(ls "$DEST"*.{ogg,mp3} 2>/dev/null | sort)"
    RENAMED="$(comm -13 <(echo "$BEFORE") <(echo "$AFTER_RENAME"))"
    echo "DEBUG RENAMED: $RENAMED" >> /tmp/hpr-debug.log

    if [[ -n "$RENAMED" ]]; then
        echo "\"$AUDIO_URL\" \"$RENAMED\" downloaded" >> ~/.local/share/newsboat/queue
    else
        echo "WARN: Could not determine renamed file" >> /tmp/hpr-debug.log
        echo "\"$AUDIO_URL\" \"$DOWNLOADED\" downloaded" >> ~/.local/share/newsboat/queue
    fi





    At first the question was about something simple. The input was a
    query on one of the lines from Kevie’s







    hpr4398 :: Command line fun: downloading a podcast






    Particularly, the section on To get the latest episode of TuxJam






    wget `curl https://tuxjam.otherside.network/feed/podcast/ | grep -o 'https*://[^"]*ogg' | head -1`






    Which I re-wrote to:





    wget -nc -P ~/podcasts/TuxJam $(curl https://tuxjam.otherside.network/feed/ogg | grep -Eo 'https*://[^"]*ogg' | sort -u | xargs | head -1)





    The reason for $() instead of backticks to enclose a command was
    that the former was being deprecated.







    GNU Bash Reference Manual - 3.5.4 Command Substitution






    -nc (--no-clobber) is to not re-download a podcast
    -P specifies download directory






    I went in a different direction than downloading TuxJam and asked
    to download the last 2 hpr shows, but head -2 did not work as
    expected. This turned out to be an issue with the placement of
    xargs joining all URLs and passing them to wget all at once.






    Original:





    wget -nc --content-disposition -P ~/podcasts/hub.hackerpublicradio.org/HPR-newsboat-test/ $(curl http://hackerpublicradio.org/hpr_ogg_rss.php | grep -Eo 'https*://[^"]*ogg' | sort -u | xargs | head -2)





    New:





    curl http://hackerpublicradio.org/hpr_ogg_rss.php | grep -Eo 'https?://[^"]*\.ogg' | sort -u | head -2 | xargs wget -nc --content-disposition -P ~/podcasts/hub.hackerpublicradio.org/HPR-newsboat-test/


    Key fixes:

      • Removed the premature xargs before head -2, so head actually limits the list to 2 URLs
      • Moved xargs wget ... to the end, after the list is already trimmed
      • Cleaned up https* → https? (the original would also match httpssss, etc.)







    Now I wanted the downloaded file to go to the queue file, located
    in ~/.local/share/newsboat/queue

    After several iterations in Claude, it was determined that the
    audio URL was not being expanded by the %u in the download macro.






    The solution was to add a /tmp file to hold the actual audio URL





    macro d set browser "echo %u > /tmp/hpr-url.txt && ~/bin/download-and-rename-hpr.sh"; open-in-browser ; set browser "your-normal-browser"





    A few Claude questions later… After asking to add a function to
    the macro in order to add the resulting downloaded file to the
    queue, the file name hpr1234.ogg was being added to the queue
    instead of the renamed file.






    Two things to fix:







    The renamed file isn’t being found because
    ls -t runs before the rename has fully settled, or the
    glob isn’t matching the new filename format (which includes
    spaces and semicolons)



    The existing queue entries show the correct format:
    "url" "path" downloaded — we need to match that, with
    downloaded status and the full renamed path including
    extension







    Exif rename script





    #!/bin/bash
    # ~/bin/download-and-rename-hpr.sh

    URL="$(cat /tmp/hpr-url.txt)"
    echo "DEBUG URL: $URL" >> /tmp/hpr-debug.log

    AUDIO_URL="$(curl -s "$URL" | grep -Eo 'https?://[^"]*\.(ogg|mp3)' | head -1)"
    echo "DEBUG AUDIO: $AUDIO_URL" >> /tmp/hpr-debug.log

    if [[ -z "$AUDIO_URL" ]]; then
        echo "ERROR: Could not find audio URL from: $URL" >> /tmp/hpr-debug.log
        exit 1
    fi

    DEST=~/podcasts/hub.hackerpublicradio.org/HPR-newsboat-test/

    # Record files present before download
    BEFORE="$(ls "$DEST"*.{ogg,mp3} 2>/dev/null | sort)"

    wget -nc --content-disposition -P "$DEST" "$AUDIO_URL"

    # Stop if the destination is missing, so the rename never runs elsewhere
    cd "$DEST" || exit 1

    # Record filename just downloaded (new file not in BEFORE)
    AFTER="$(ls "$DEST"*.{ogg,mp3} 2>/dev/null | sort)"
    DOWNLOADED="$(comm -13 <(echo "$BEFORE") <(echo "$AFTER"))"
    echo "DEBUG DOWNLOADED: $DOWNLOADED" >> /tmp/hpr-debug.log

    ~/bin/exif-rename-hpr-dave.sh

    # Find renamed file: newest file that wasn't in BEFORE
    AFTER_RENAME="$(ls "$DEST"*.{ogg,mp3} 2>/dev/null | sort)"
    RENAMED="$(comm -13 <(echo "$BEFORE") <(echo "$AFTER_RENAME"))"
    echo "DEBUG RENAMED: $RENAMED" >> /tmp/hpr-debug.log

    if [[ -n "$RENAMED" ]]; then
        echo "\"$AUDIO_URL\" \"$RENAMED\" downloaded" >> ~/.local/share/newsboat/queue
    else
        echo "WARN: Could not determine renamed file" >> /tmp/hpr-debug.log
        echo "\"$AUDIO_URL\" \"$DOWNLOADED\" downloaded" >> ~/.local/share/newsboat/queue
    fi





    Using
    comm -13 on sorted before/after file lists is more
    reliable than
    ls -t — it finds exactly which file is new regardless of
    timing. Check
    /tmp/hpr-debug.log after the next run to see what
    DOWNLOADED and
    RENAMED show.







    GNU Coreutils - Comm invocation






    Newsboat config snippet






    key changes





    download-filename-format "%t.%e"
    macro d set browser "echo %u > /tmp/hpr-url.txt && ~/bin/download-and-rename-hpr.sh"; open-in-browser ; set browser lynx



    Provide feedback on this episode.
  • Hacker Public Radio

    HPR4643: HPR Beer Garden 13 - Triple IPA

    20-05-2026
    This show has been flagged as Clean by the host.

    Dave and Kevie continue the Beer Garden series with a look at a relatively new style of IPA known as a Triple. Dave samples Triple Hazy Jane by Brewdog, whilst Kevie tries out Glory Triple IPA by Northern Monk.













    Connect with the guys on Untappd:

      • Dave
      • Kevie




    Provide feedback on this episode.
  • Hacker Public Radio

    HPR4642: Hackerpublic Radio New Years Eve Show 2026 Episode 7

    19-05-2026
    This show has been flagged as Explicit by the host.


      • PFSense: https://www.pfsense.org/
      • Chromebook: https://www.google.com/chromebook/discover-chromebook/
      • AMD Sempron 140: https://www.techpowerup.com/cpu-specs/sempron-140.c820
      • Trinity: https://www.trinitydesktop.org/
      • XFCE: https://www.xfce.org/
      • Chrome OS: https://chromeos.google/
      • SSH: https://www.ssh.com/
      • Onshape: https://www.onshape.com/en/
      • TinkerCAD: https://www.tinkercad.com/
      • Thorium OS: https://thorium.rocks/thoriumos
      • Tech And Coffee: https://techandcoffee.info/
      • Panera: https://www.panerabread.com/en-us/home.html
      • IHOP: https://www.panerabread.com/en-us/home.html
      • Waffle House: https://www.wafflehouse.com/
      • In And Out Burger: https://www.in-n-out.com/
      • Economies Of Scale: https://www.investopedia.com/terms/e/economiesofscale.asp
      • Dunkin Donuts: https://www.dunkindonuts.com/en
      • F-Droid: https://f-droid.org/en/
      • Cheap Yellow Display: https://blog.decryption.net.au/posts/cyd-for-beginners.html
      • NTP Server: https://www.ntppool.org/en/
      • Beagle (Dog): https://www.akc.org/dog-breeds/beagle/
      • Siamese Cat: https://www.life-with-siamese-cats.com/
      • Bsides InfoSec Conference - Knoxville, TN: https://www.papercall.io/bsides-knoxville-2026
      • CI/CD Pipeline: https://circleci.com/blog/what-is-a-ci-cd-pipeline/
      • Strace Command: https://www.geeksforgeeks.org/linux-unix/strace-command-in-linux-with-examples/
      • High Pass Filter: https://www.izotope.com/en/learn/6-ways-to-use-a-high-pass-filter-when-mixing
      • Waters & Stanton - Radio Shop: https://www.hamradiostore.co.uk/
      • Home Assistant: https://www.home-assistant.io/
      • ESP 32: https://www.espressif.com/en/products/socs/esp32
      • EMF Camp: https://www.emfcamp.org/
      • YAML: https://yaml.org/
      • ChatGPT: https://chatgpt.com/
      • TOR: https://www.torproject.org/
      • IPTables: https://linux.die.net/man/8/iptables , https://ccrma.stanford.edu/planetccrma/man/man8/ipchains.8.html
      • RSYNC: https://linux.die.net/man/1/rsync
      • SYM Link: https://stackoverflow.com/questions/1951742/how-can-i-symlink-a-file-in-linux
      • CDN (Content Delivery Network): https://www.cloudflare.com/learning/cdn/what-is-a-cdn/
      • Mastodon: https://joinmastodon.org/
      • DuoLingo: https://www.duolingo.com/
      • Fedora: https://en.wikipedia.org/wiki/Fedora
      • Pea Coat: https://www.artofmanliness.com/style/clothing/mans-guide-pea-coat/
      • Haiku: https://www.haiku-os.org/
      • Hunt Brothers Pizza: https://www.huntbrotherspizza.com/
      • Papa Johns Pizza: https://www.papajohns.com/omni/en
      • Pizza Hut: https://www.pizzahut.com/
      • Dominos Pizza: https://www.dominos.com/
      • Marcos Pizza: https://www.marcos.com/
      • Little Caesars Pizza: https://littlecaesars.com/en-us/
      • Hungry Howies Pizza: https://www.hungryhowies.com/
      • MOD Pizza: https://modpizza.com/
      • Papa Murphys Pizza: https://www.papamurphys.com/
      • Wolfman Pizza: https://wolfmanpizza.com/
      • Fuel Pizza: https://www.fuelpizza.com/
      • Shallow Hal: https://www.rottentomatoes.com/m/shallow_hal
      • South Coast Pizza: https://southcoastpizza.com/
      • Casa Dora: https://www.casadoraitaliancusinepizzeria.com/
      • National Pizza Day: https://www.nationaldaycalendar.com/national-day/national-pizza-day-february-9
      • Sagittarius: https://www.zodiacsign.com/zodiac-signs/sagittarius/
      • Alexa: https://alexa.amazon.com/userProfile?redirectTo=%2F
      • Gemini: https://gemini.google.com/app
      • Netscape: https://isp.netscape.com/
      • Seamonkey: https://www.seamonkey-project.org/
      • Thunderbird: https://www.thunderbird.net/en-US/
      • ULC Minister: https://www.ulc.org/
      • Church Of Spiritual Humanism: https://spiritualhumanism.org/
      • Oberon Zelle Ravenheart: https://en.wikipedia.org/wiki/Oberon_Zell-Ravenheart
      • Temple of Wicca: https://www.wiccanfamilytemple.org/
      • Church Of All Worlds: https://caw.org/
      • Progressive Universal Life Church: https://www.thepulc.com/
      • Pine Time: https://pine64.org/devices/pinetime/
      • AmazFit Watch: https://us.amazfit.com/
      • Zepp App: https://play.google.com/store/apps/details?id=com.huami.watch.hmwatchmanager&hl=en_US&pli=1
      • Pegasus Mail: https://www.pmail.com/
      • Eudora: https://en.wikipedia.org/wiki/Eudora_(email_client)
      • Proton Mail: https://proton.me/mail
      • AOL: https://www.aol.com/
      • OpenSuse: https://www.opensuse.org/
      • Mandrake Linux: https://www.mandrakelinux.org/
      • Virtualbox: https://www.virtualbox.org/
      • Bitcoin: https://bitcoin.org/en/
      • Norway: https://www.visitnorway.com/
      • XFCE: https://www.xfce.org/






    Provide feedback on this episode.
  • Hacker Public Radio

    HPR4641: Technical Dutch Open Source Event (T-DOSE)

    18-05-2026
    This show has been flagged as Clean by the host.

    Technical Dutch Open Source Event (T-DOSE)

    Ken interviews Peter van Ginneken who is chair of the Technical Dutch Open Source Event (T-DOSE).

    It is a free conference to promote the use and development of Open Source software. This event has been organized yearly since 2006 in the Brainport region, near Eindhoven, The Netherlands. During this event, Open Source projects, developers and visitors can exchange ideas and knowledge.

    T-DOSE will take place on 6 and 7 June 2026 at the Weeffabriek in Geldrop (near Eindhoven).

    https://t-dose.org/2026/

    Contact Information

    Peertube

    Libera.chat IRC, #t-dose

    Mastodon

    LinkedIn

    Facebook

    Instagram

    Travel Times



    | Country | Typical Travel Method | Example Destination | Approx Duration | Typical Budget Cost (One Way) |
    |---|---|---|---|---|
    | Belgium | Train / Flixbus | Antwerp | 1–1.5h | €10–25 |
    | Germany | Train / Flixbus | Cologne | 1.5–2h | €20–40 |
    | United Kingdom | Ryanair flight | London Stansted | 1h05 | €20–70 |
    | Ireland | Ryanair flight | Dublin | 1h40 | €25–80 |
    | Denmark | Transavia flight | Copenhagen | 1h25 | €40–100 |
    | Austria | Ryanair flight | Vienna | 1h40 | €30–90 |
    | Czech Republic | Transavia flight | Prague | 1h20 | €35–90 |
    | Poland | Ryanair / Wizz Air | Kraków | 1h50 | €25–80 |
    | Hungary | Wizz Air | Budapest | 1h55 | €30–90 |
    | Italy | Ryanair flight | Milan Bergamo | 1h35 | €25–85 |
    | Spain | Ryanair / Transavia | Barcelona | 2h05 | €35–120 |
    | Portugal | Ryanair / Transavia | Porto | 2h40 | €45–130 |
    | Croatia | Ryanair flight | Zagreb | 1h50 | €35–90 |
    | Slovakia | Ryanair flight | Bratislava | 1h40 | €25–70 |
    | Romania | Wizz Air | Cluj-Napoca | 2h20 | €40–110 |
    | Bulgaria | Ryanair / Wizz Air | Sofia | 2h35 | €35–100 |
    | Albania | Ryanair / Wizz Air | Tirana | 2h30 | €35–110 |



    Provide feedback on this episode.
About Hacker Public Radio
Hacker Public Radio is a podcast that releases shows every weekday, Monday through Friday. Our shows are produced by the community (you) and can be on any topic that is of interest to hackers and hobbyists.
Podcast website
