Alexander Fadeev's Blog

CI/CD+ SAST: Expectation vs Reality

CI/CD+ SAST: Expectation vs Reality

There are a number of challenges on the way to the perfect state of things: it's often hard to deliver scan results in a synchronous way. Security scan is usually needed at the moment of commit verification. You don't want to pass the vulnerable code to the release.

Learn From Machines To Learn

Learn From Machines To Learn

My approach to exam preparation is like a machine learning approach.

The Shadow of CSSLP

The Shadow of CSSLP

or "How I Passed CSSLP". My detailed feedback about preparation for CSSLP, study materials, training process, and passing CSSLP examination.

Cheat Sheet: Legal, Regulations, Compliance in Security

Cheat Sheet: Legal, Regulations, Compliance in Security

My cheat sheet I used to prepare for CISSP about how I understand and memorize legal and regulations in cybersecurity. I publish it because I use it, and you can use it too.

How I Passed CISSP

How I Passed CISSP

I have been awarded the CISSP certification! Here is how.

💉 Decrypt iOS Applications: 3 Methods

💉 Decrypt iOS Applications: 3 Methods

You will learn how to decrypt and dump an iOS application with 3 different tools. As a bonus: how to jailbreak iPhone (see in the annex).

Half Full or Half Empty Glass of Cybersecurity

Half Full or Half Empty Glass of Cybersecurity

And what is your glass of cybersecurity? (Image)

💉 Quick Start with Frida to Reverse-Engineer Any iOS Application

💉 Quick Start with Frida to Reverse-Engineer Any iOS Application

How to start with reverse-engineering of iOS application using the Frida toolkit. Tracing network communication and filesystem requests of a third-party iOS application. Tips and tricks.

💉 Frida's Gadget Injection on Android: No Root, 2 Methods

💉 Frida's Gadget Injection on Android: No Root, 2 Methods

You will learn how to inject Frida's Gadget into Android application (APK) using 2 different methods without having to root your Android device.

Mobile App Security Testing: Tips, Notes, iOS/Android

Mobile App Security Testing: Tips, Notes, iOS/Android

Mobile application threat model. Tools to conduct a security analysis: mitmproxy, frida, jadx-gui, mobsf, apktool, r2, etc.

18 Lines of the Powerful Request Generator with Python (asyncio/aiohttp)

18 Lines of the Powerful Request Generator with Python (asyncio/aiohttp)

A simple script to generate a huge amount of requests. Python 3.7 + asyncio + aiohttp.

5 Myths About Android Security: VPN, Antivirus, Password Managers, Rooting

5 Myths About Android Security: VPN, Antivirus, Password Managers, Rooting

Dawn of indisputable trust to the magic of security software.

How to Setup QEMU Output to Console and Automate Using Shell Script

How to Setup QEMU Output to Console and Automate Using Shell Script

SSH. Expect. Named pipe. Input/output to the host terminal. Early boot messages.

Perforce (p4) Command Line: Tips and Tricks

Perforce (p4) Command Line: Tips and Tricks

p4 is your friend

Build Android Kernel and Run on QEMU with Minimal Environment: Step by Step

Build Android Kernel and Run on QEMU with Minimal Environment: Step by Step

Get the Android Linux kernel named "Goldfish". Build. Get initrd or ext4 device image. Run QEMU.

Application Security with OWASP ASVS

Application Security with OWASP ASVS

OWASP ASVS is a comprehensive check list of application security. You go through the check list, assess a software, report to stakeholders, improve security. OWASP ASVS is a superset of PCI DSS and OWASP Top 10.

AI and Machine Learning in Cybersecurity: Simply Explained

AI and Machine Learning in Cybersecurity: Simply Explained

AI/ML in security = misbehave detection. If you ever suffered to get through the forest of buzzwords around the artificial intelligence, then I believe I managed to help you enough with the formula above. However, let's peek under the cover a little bit more.

Shared Library Injection on Android 8.0

Shared Library Injection on Android 8.0

Full solution: https://github.com/fadeevab/TinyInjector One of the ways to carry out the shared library injection is to use ptrace system call (syscall). One process (a tracer) attaches to a tracee and calls dlopen inside tracee's virtual memory space. Superuser privileges (root) are required to attach to any

Bypassing the Android Linker Namespace

Bypassing the Android Linker Namespace

The Android's linker (bionic) disallows loading most of the shared libraries from /system when a request is going from the executable code belonging to "classloader-namespace". (Source code is updated for Android 11).

Android Linker Namespace: Security Flaws

Android Linker Namespace: Security Flaws

Linker namespaces are the feature of Android's dynamic linker "bionic". I'm going to show the linker namespace engine, security issues, security flaws, in detail from a security perspective. (Updated in 2021).