Rafay Baloch Explained

Rafay Baloch
Birth Date: 5 February 1993
Nationality: Pakistani
Known For: Information Security Expert
Notable Works: Ethical Hacking and Penetration Testing Guide
Awards: Pride of Pakistan
Honours: Chevening Scholar

Rafay Baloch (born 5 February 1993) is a Pakistani ethical hacker and security researcher. He has been featured in national and international media and publications[1] such as Forbes,[2] BBC,[3] The Wall Street Journal,[4] The Express Tribune[5] and TechCrunch.[6] He was listed among the "Top 5 Ethical Hackers of 2014" by Checkmarx.[7] Subsequently, he was listed as one of "The 15 Most Successful Ethical Hackers Worldwide"[8] and among the "Top 25 Threat Seekers"[9] by SC Magazine. Baloch was also included in the TechJuice 25 under 25 list for 2016, ranking 13th among the high achievers listed. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021", recognizing Rafay Baloch as the top influencer.[10] On 23 March 2022, ISPR recognized Rafay Baloch's contribution to the field of cyber security with the Pride of Pakistan award.[11][12] In 2021, the Islamabad High Court designated Rafay Baloch as an amicus curiae for a case concerning social media regulations.[13][14][15]

Personal life

Rafay Baloch was born in 1993 in Karachi.[16] He attended Bahria University, from which he obtained a bachelor's degree in computer science. Baloch is presently listed in the Hall of Fame at Bahria University.[17] In 2020, Baloch was also awarded a Chevening Scholarship.[18]

Career

Baloch began his hacking career while he was still studying for his bachelor's degree. He then wrote a book called "Ethical Hacking and Penetration Testing Guide".[19] His new book, "Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting", is scheduled for release in August 2024.[20][21][22][23][24][25] He is among the first Pakistani security researchers to be acknowledged by Google, Facebook, PayPal, Apple, Microsoft[26] and numerous other international organizations.

He has also written several papers on information security, namely "HTML5 Modern Day Attack Vectors", "Web Application Firewall Bypass", and "Bypassing Browser Security Policies for Fun and Profit".[27]

Rafay Baloch served as Cyber Security Advisor to the Pakistan Telecommunication Authority.[28][29]

Bug bounty programs

Baloch has been active in bug bounty programs and has reported several critical vulnerabilities[30] in open-source web applications as well as through bug bounty programs. In 2012, Baloch found critical vulnerabilities in PayPal: he hacked into PayPal servers by exploiting a remote code execution vulnerability. He was rewarded with $10,000 and a job offer to work for PayPal as a Security Researcher, which he declined as he was still studying for his bachelor's degree at the time.[31] HackRead, an InfoSec news platform, listed him among the "10 Famous Bug Bounty Hunters of All Time".[32] Baloch has also been awarded $5,000 by Google and Firefox for disclosing a vulnerability in their browsers.[33]

Security research

Baloch has actively reported several critical vulnerabilities in browsers. He started by finding a Same Origin Policy (SOP) bypass in the Android stock browser, which was initially rejected by Google;[34] Google later accepted it after researchers from Rapid7 verified the bug. It was assigned CVE-2014-6041.[35] Baloch followed this by reporting several other SOP bypasses. Researchers at Trend Micro found the bug to be more widespread than first thought.[36] It was later reported that attackers had been actively using Baloch's SOP bypass exploits to break into Facebook accounts. The SOP bypass bug was escalated to remote code execution by Rapid7 researcher Joe Vennix.[37][38] Baloch also found several vulnerabilities affecting WebView which allowed an attacker to read local files as well as steal cookies from the user's device.[39] In October 2020, Baloch unveiled several address bar spoofing vulnerabilities affecting Apple Safari, Yandex, Opera Mini, UC Browser, Opera Touch, Bolt Browser and RITS Browser.[40][41][42] The disclosure was coordinated by Rapid7, which gave the vendors a 60-day timeline for patching. After the 60 days elapsed, Baloch released proof-of-concept exploits for the affected browsers.[43][44][45][46][47][48][49] Baloch, along with another researcher, discovered numerous security vulnerabilities affecting PureVPN's Linux desktop client.[50]

Apple Safari address bar spoofing controversy

In 2018, Baloch disclosed a flaw in both Safari and Microsoft's Edge browser that allowed the URL of a legitimate website to be shown in the address bar while users were actually being taken to a different, and possibly malicious, website.[51] Baloch identified the issue and informed Apple and Microsoft in early June 2018. Microsoft fixed the issue within two months, but Apple did not respond to Baloch's report within the 90-day grace period he had given, so he made the details public.[52] Baloch wrote in his article that a spoofed address bar can easily be used to breach someone's privacy without them noticing.[53] This is possible because the address bar is the only reliable security indicator in modern browsers, as it displays the site's URL and other details about the page being viewed.[54][55][56][57]

Google no-patch policy discovery

In 2014, after Rafay Baloch and Joe Vennix reported to Google a bug that could allow attackers to bypass the Android Open Source Project (AOSP) browser's Same-Origin Policy (SOP),[58] they discovered that Google had already ended its support for WebView on devices running Android 4.3 or older, placing the onus on OEMs and the open source security community to provide patches to users.[59] Google's official stance on WebView for pre-Android 4.4 devices was as follows: “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”[60] Older versions of Android were left with unpatched WebView bugs mainly because of their poor upgrade path, leaving users exposed.[61]

Google then released WebView as a stand-alone application that could be updated separately from a device's Android version. Simply put, the re-architecting of WebView benefits the latest versions of Android, 5.0 Lollipop and 6.0 Marshmallow, but the option remains unavailable to anyone on an older version of the operating system.

On Google's no-patch policy, Baloch shared his views with Zimperium, stating that “Google’s decision to not patch critical security bugs (pre-KitKat) anymore would certainly impact the vast majority of users. Security firms are already seeing attacks in the wild where users are abusing Same Origin Policy (SOP) bypass bug to target Facebook users.”[62]

The Metasploit Framework, owned by Rapid7, contained 11 such WebView exploits that needed to be patched, most of which were contributed by Rafay Baloch and Joe Vennix.[63][64]

Notes and References

  1. Web site: Rafay Baloch Recognized as One of the Top Ethical Hackers of 2014. propakistani.pk. en-US. 2018-05-06. 2018-07-15. https://web.archive.org/web/20180715123305/https://propakistani.pk/2015/01/05/rafay-baloch-recognized-one-top-ethical-hackers-2014/. live.
  2. News: Widespread Android Vulnerability 'A Privacy Disaster', Claim Researchers. Fox-Brewster. Thomas. Forbes. 2018-05-06. en. 2018-07-15. https://web.archive.org/web/20180715064814/https://www.forbes.com/sites/thomasbrewster/2014/09/16/widespread-android-vulnerability-a-privacy-disaster-claim-researchers/#a921bc27e5b5. live.
  3. News: Android security shift exposes users. 2015. BBC News. 2018-05-06. en-GB. 2018-07-20. https://web.archive.org/web/20180720094819/https://www.bbc.com/news/technology-30795253. live.
  4. Web site: Google Isn't Fixing Some Old Android Bugs. Yadron. Danny. 2015-01-12. WSJ. en-US. 2018-05-06. 2018-07-15. https://web.archive.org/web/20180715093719/https://blogs.wsj.com/digits/2015/01/12/google-not-fixing-some-old-android-bugs/. live.
  5. News: The unsung achiever: Pakistani tops lists of ethical hackers of 2014 - The Express Tribune. 2015-01-03. The Express Tribune. 2018-05-06. en-US. 2018-05-13. https://web.archive.org/web/20180513223641/https://tribune.com.pk/story/816479/the-unsung-achiever-pakistani-tops-lists-of-ethical-hackers-of-2014/. live.
  6. Web site: Whittaker . Zack . 2020-10-20 . Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable . 2024-04-07 . TechCrunch . en-US . 2024-04-03 . https://web.archive.org/web/20240403210936/https://techcrunch.com/2020/10/20/apple-opera-fix-browser-address-bar-spoofing/ . live .
  7. Web site: Rafay Baloch Recognized as One of the Top Ethical Hackers of 2014. Husain. Osman. en-US. 2019-10-27. 2019-07-23. https://web.archive.org/web/20190723181529/https://propakistani.pk/2015/01/05/rafay-baloch-recognized-one-top-ethical-hackers-2014/. live.
  8. News: The 15 most successful ethical hackers worldwide. 2016-04-06. SC Media UK. 2018-06-04. en. 2024-06-20. https://web.archive.org/web/20240620160411/https://insight.scmagazineuk.com/. live.
  9. Web site: Reboot 25: Threat seekers. 2014-12-08. SC Media. en-US. 2019-10-27. 2019-08-19. https://web.archive.org/web/20190819213634/https://www.scmagazine.com/home/security-news/features/reboot-25-threat-seekers/. live.
  10. Web site: 2021-04-11. Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021. 2021-04-12. Reflectiz. en-US. 2021-04-12. https://web.archive.org/web/20210412040925/https://www.reflectiz.com/top-cybersecurity-experts-to-follow/. live.
  11. Web site: 2022-03-23 . 'Pride of Pakistan' award for the Pakistani hacker who made a name in the world . 2022-04-03 . Independent Urdu . ur . 2022-03-25 . https://web.archive.org/web/20220325031459/https://www.independenturdu.com/node/97351 . live .
  12. Web site: Ayesha . 2022-03-28 . ISPR awards Cyber Security Researcher Rafeh Baloch - Dicecamp Insights . 2024-04-08 . en-US.
  13. Web site: 2021-11-22 . IHC decides to review new social media laws . 2024-04-03 . The Express Tribune . en . 2024-04-28 . https://web.archive.org/web/20240428132946/https://tribune.com.pk/story/2330527/ihc-decides-to-review-new-social-media-laws . live .
  14. Web site: Asad . Malik . 2021-11-23 . IHC appoints aides in social media rules case . 2024-04-03 . DAWN.COM . en . 2024-04-03 . https://web.archive.org/web/20240403210937/https://www.dawn.com/news/1659710 . live .
  15. Web site: Amicus curiae: IHC seeks opinion on new social media rules . 2024-04-06 . www.thenews.com.pk . en . 2024-04-06 . https://web.archive.org/web/20240406113556/https://www.thenews.com.pk/print/910950-amicus-curiae-ihc-seeks-opinion-on-new-social-media-rules . live .
  16. Web site: Rafay Baloch, the cyber security expert and ethical hacker who made Pakistan famous in the world. akhbar-e-jehan.com. 2023-03-21. 2023-03-21. https://web.archive.org/web/20230321034451/https://akhbar-e-jehan.com/detail/39929/rafi-baloch-cyber-security-expert-and-ethical-hacker-who-made-pakistan-famous-in-the-world. live.
  17. Web site: SUCCESSFUL STORIES – BIC – Karachi Campus . 2024-04-06 . en-US . 2024-04-06 . https://web.archive.org/web/20240406165701/https://www.bahria.edu.pk/bukc/bic/index.php/successful-stories/ . live .
  18. Web site: Sharabi . Daniel . 2021-05-12 . Digital Security for Websites: Exclusive Talk with Pakistani Ethical Hacker . 2024-04-04 . Reflectiz . en-US . 2024-04-04 . https://web.archive.org/web/20240404205516/https://www.reflectiz.com/blog/rafay-baloch-interview-digital-security-for-websites/ . live .
  19. Book: Baloch, Rafay . Ethical Hacking and Penetration Testing Guide . 2017-09-30 . Auerbach Publications . 978-1-315-14589-1 . New York . 10.4324/9781315145891 . 2024-04-03 . 2024-04-03 . https://web.archive.org/web/20240403174926/https://www.taylorfrancis.com/books/mono/10.4324/9781315145891/ethical-hacking-penetration-testing-guide-rafay-baloch . live .
  20. Book: Baloch, Rafay . Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting . 2024-08-12 . CRC Press . 978-1-032-44719-3 . 1st . Boca Raton . English.
  21. Web site: Web Hacking Arsenal . 2024-04-03 . blackwells.co.uk . en . 2024-04-03 . https://web.archive.org/web/20240403210942/https://blackwells.co.uk/bookshop/product/Web-Hacking-Arsenal-by-Rafay-Baloch/9781032447179 . live .
  22. Web site: Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting . 2024-04-03 . Routledge & CRC Press . en . 2024-04-03 . https://web.archive.org/web/20240403210939/https://www.routledge.com/Web-Hacking-Arsenal-A-Practical-Guide-to-Modern-Web-Pentesting/Baloch/p/book/9781032447193 . live .
  23. Book: Baloch, Rafay . Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting . June 2024 . CRC Press . 978-1-003-37356-8 . en . 2024-04-04 . 2024-06-20 . https://web.archive.org/web/20240620160445/https://books.google.com/books?id=Ry2o0AEACAAJ . live .
  24. Web site: ThriftBooks . Web Hacking Arsenal: A Practical Guide... book by Rafay Baloch . 2024-04-03 . ThriftBooks . en . 2024-04-03 . https://web.archive.org/web/20240403210936/https://www.thriftbooks.com/w/web-hacking-arsenal-a-practical-guide-to-modern-web-pentesting_rafay-baloch/52334433/ . live .
  25. Book: Baloch, Rafay . Web Hacking Arsenal: A Practical Guide to Modern Web Pentesting . 2024-08-12 . CRC Press . 978-1-003-37356-8 . Boca Raton . 10.1201/9781003373568/web-hacking-arsenal-rafay-baloch . 2024-04-04 . 2024-04-03 . 2024-04-03 . https://web.archive.org/web/20240403174925/https://www.taylorfrancis.com/books/mono/10.1201/9781003373568/web-hacking-arsenal-rafay-baloch . live .
  26. Web site: Security Update Guide - Microsoft Security Response Center. msrc.microsoft.com. 2023-03-21. 2023-03-21. https://web.archive.org/web/20230321034736/https://msrc.microsoft.com/update-guide/acknowledgement/online?rtc=1. live.
  27. Web site: Black Hat Asia 2016. www.blackhat.com. 2018-05-06. 2018-05-13. https://web.archive.org/web/20180513011456/https://www.blackhat.com/asia-16/speakers/Rafay-Baloch.html. live.
  28. Web site: Rafay Baloch - Cyber Security Advisor - PTA.
  29. Web site: Ayesha . 2022-03-28 . ISPR awards Cyber Security Researcher Rafeh Baloch - Dicecamp Insights . 2024-04-08 . en-US.
  30. Web site: Files from Rafay Baloch ≈ Packet Storm. packetstormsecurity.com. 2018-06-01. 2019-01-05. https://web.archive.org/web/20190105042902/https://packetstormsecurity.com/files/author/10264/. live.
  31. News: Working a desk job: Young techie bags a million rupees using IT skills. 2012-12-30. The Express Tribune. 2018-05-06. en-US. 2018-07-15. https://web.archive.org/web/20180715095858/https://tribune.com.pk/story/486506/working-a-desk-job-young-techie-bags-a-million-rupees-using-it-skills/. live.
  32. Web site: 2016-02-10. 10 Famous Bug Bounty Hunters of All Time. 2020-09-20. HackRead. en-US. 2020-10-30. https://web.archive.org/web/20201030084913/https://www.hackread.com/10-famous-bug-bounty-hunters-of-all-time/. live.
  33. Web site: 2016-08-18. Pakistani hacker awarded $5,000 for finding bug in Chrome, Firefox. 2020-09-20. The Express Tribune. en. 2017-11-30. https://web.archive.org/web/20171130124023/https://tribune.com.pk/story/1165157/pakistani-hacker-awarded-5000-finding-bug-chrome-firefox/. live.
  34. News: Google Under Fire For Quietly Killing Critical Android Security Updates For Nearly One Billion. 2015-01-12. en. 2015-01-13. https://web.archive.org/web/20150113130255/http://www.forbes.com/sites/thomasbrewster/2015/01/12/google-webview-updates-quietly-killed-for-most-androids/#1eeb68f44845. live.
  35. Web site: CVE Website . 2024-04-06 . www.cve.org . 2024-06-05 . https://web.archive.org/web/20240605190205/https://www.cve.org/CVERecord?id=CVE-2014-6041 . live .
  36. News: Same Origin Policy Bypass Vulnerability Has Wider Reach Than Thought - Trendmicro. 2014-09-29. Trendmicro. en-US. 2018-06-01. 2017-12-26. https://web.archive.org/web/20171226152809/http://blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/. live.
  37. News: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE). 2015-02-10. en-US. 2018-06-01. 2019-01-05. https://web.archive.org/web/20190105042801/https://blog.rapid7.com/2015/02/10/r7-2015-02-google-play-store-x-frame-options-xfo-gaps-enable-android-remote-code-execution-rce/. live.
  38. News: (XFO) Gaps Enable Android Remote Code Execution (RCE). en-US. 2018-06-01. 2015-06-28. https://web.archive.org/web/20150628234528/http://www.bleepingcomputer.com/forums/t/566711/xfo-gaps-enable-android-remote-code-execution-rce/. live.
  39. News: Bypassing-Browser-Security-Policies-For-Fun-And-Profit. en-US. 2018-06-01. 2016-12-23. https://web.archive.org/web/20161223135111/https://www.blackhat.com/docs/asia-16/materials/asia-16-Baloch-Bypassing-Browser-Security-Policies-For-Fun-And-Profit.pdf. live.
  40. Web site: Popular Mobile Browsers Found Vulnerable To Address Bar Spoofing Attacks . 2024-04-03 . The Hacker News . en . 2023-12-01 . https://web.archive.org/web/20231201223809/https://thehackernews.com/2020/10/browser-address-spoofing-vulnerability.html . live .
  41. Web site: 2020-10-22 . Researchers warn over mobile browser address bar spoofing vulnerabilities . 2024-04-03 . The Daily Swig Cybersecurity news and views . en . 2024-04-03 . https://web.archive.org/web/20240403210937/https://portswigger.net/daily-swig/researchers-warn-over-mobile-browser-address-bar-spoofing-vulnerabilities . live .
  42. Web site: Whittaker . Zack . 2020-10-20 . Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable . 2024-04-03 . TechCrunch . en-US . 2024-04-03 . https://web.archive.org/web/20240403210936/https://techcrunch.com/2020/10/20/apple-opera-fix-browser-address-bar-spoofing/ . live .
  43. Web site: Mobile browser flaw exposes users to spoofing attacks. 2020-10-27. IT PRO. 21 October 2020. en. 2020-10-31. https://web.archive.org/web/20201031011852/https://www.itpro.co.uk/security/357496/mobile-browser-address-bar-spoofing-flaw. live.
  44. Web site: 2020-10-20. [Vuln Disclosure] Mobile Browser Bar Spoofing Vulnerabilities. 2020-10-27. Rapid7 Blog. en. 2020-10-24. https://web.archive.org/web/20201024224656/https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/. live.
  45. Web site: Popular Mobile Browsers Found Vulnerable To Address Bar Spoofing Attacks. 2020-10-27. The Hacker News. en. 2020-10-27. https://web.archive.org/web/20201027185808/https://thehackernews.com/2020/10/browser-address-spoofing-vulnerability.html. live.
  46. Web site: Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable. 2020-10-27. news.yahoo.com. 20 October 2020. en-US. 2024-06-20. https://web.archive.org/web/20240620160422/https://www.yahoo.com/news/apple-opera-yandex-fix-browser-130042932.html. live.
  47. Web site: Apple Safari, Opera and Yandex found with address bar spoof vulnerability, not all are fixed. 2020-10-27. Hindustan Times Tech. 20 October 2020. en. 2024-06-20. https://web.archive.org/web/20240620160419/https://tech.hindustantimes.com/tech/news/apple-safari-opera-and-yandex-found-with-address-bar-spoof-vulnerability-not-all-are-fixed-71603207340258.html. live.
  48. Web site: 2020-10-20. Address Bar Vulnerabilities Revealed by Cyber Citadel Researcher. 2020-10-28. Cyber Citadel. en. 2020-10-31. https://web.archive.org/web/20201031045434/https://www.cybercitadel.com/address-bar-vulnerabilities-revealed-by-cyber-citadel-researcher/. live.
  49. Web site: 2020-10-24. Address bar flaw exposes need for defences against Covid cyber attacks. 2020-10-28. South China Morning Post. en. 2020-10-26. https://web.archive.org/web/20201026173543/https://www.scmp.com/tech/big-tech/article/3106669/address-bar-flaw-and-big-rise-spear-phishing-shows-why-better. live.
  50. Web site: Multiple vulnerabilities found in PureVPN Linux app . 2024-04-04 . Independent Advisor . en-GB . 2024-04-04 . https://web.archive.org/web/20240404205515/https://www.independent.co.uk/advisor/vpn/vulnerabilities-found-in-purevpn-linux-app . live .
  51. Web site: Security flaw left Safari and Edge users vulnerable to fake websites. Engadget. 12 September 2018. en. 2019-01-01. 2019-01-02. https://web.archive.org/web/20190102002317/https://www.engadget.com/2018/09/12/security-flaw-safari-edge-vulnerable-spoofing/. live.
  52. Web site: Google Under Fire For Quietly Killing Critical Android Security Updates For Nearly One Billion. Fox-Brewster. Thomas. Forbes. en. 2019-01-01. 2019-01-02. https://web.archive.org/web/20190102050516/https://www.forbes.com/sites/thomasbrewster/2015/01/12/google-webview-updates-quietly-killed-for-most-androids/. live.
  53. Web site: Apple Safari & Microsoft Edge Browser Address Bar Spoofing - Writeup. Miscellaneous Ramblings of A Ethical Hacker. 2019-01-01. 2019-01-02. https://web.archive.org/web/20190102051210/https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html. live.
  54. Web site: Pakistani Researcher Discovers Address Bar Spoofing Vulnerability in Safari and Microsoft Edge. Sameer. Sarmad. en-US. 2019-01-01.
  55. Web site: Apple's Safari and Microsoft's Edge browsers contain spoofing bug. 2018-09-12. SC Media. en-US. 2019-01-01. 2019-01-02. https://web.archive.org/web/20190102050706/https://www.scmagazine.com/home/security-news/apples-safari-and-microsofts-edge-browsers-contain-spoofing-bug/. live.
  56. Web site: Safari, Edge fans: Is that really the website you think you're visiting? URL spoof bug blabbed. Shaun. Nichols. 11 September 2018. The Register. en. 2019-01-01. 2019-01-02. https://web.archive.org/web/20190102050608/https://www.theregister.co.uk/2018/09/11/safari_edge_spoofing/. live.
  57. Web site: Safari for iOS URL spoofing exploit revealed, with no documented fix. 2020-09-20. AppleInsider. 11 September 2018. en. 2020-10-23. https://web.archive.org/web/20201023023902/https://appleinsider.com/articles/18/09/11/safari-for-ios-url-spoofing-exploit-discovered-with-no-documented-fix. live.
  58. Web site: Reboot 25: Threat seekers. 2014-12-08. SC Media. en-US. 2019-08-19. 2019-08-19. https://web.archive.org/web/20190819213634/https://www.scmagazine.com/home/security-news/features/reboot-25-threat-seekers/. live.
  59. Web site: 2015-01-12 . Google No Longer Provides Patches for WebView Jelly Bean and Prior Rapid7 Blog . 2023-04-07 . Rapid7 . en . 2023-04-07 . https://web.archive.org/web/20230407055614/https://www.rapid7.com/blog/post/2015/01/12/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior/ . live .
  60. Book: Allen, Grant. Beginning Android. 2015-12-18. Apress. 9781430246879. en. 2021-12-04. 2023-02-22. https://web.archive.org/web/20230222071416/https://books.google.com/books?id=HVQ-CwAAQBAJ&dq=Google+had+released+WebView+as+a+stand-alone+application+that+could+be+updated+separately+from+the+Android+version+of+a+device&pg=PA262. live.
  61. Web site: Google Passes on Older Android Patches; 930 Million Devices Vulnerable. threatpost.com. 12 January 2015. en. 2019-01-01. 2019-01-02. https://web.archive.org/web/20190102002306/https://threatpost.com/google-passes-on-older-android-patches-930-million-devices-vulnerable/110342/. live.
  62. Web site: No Patch to Same Origin Policy Bypass in Old Android Devices. 2015-01-15. Zimperium Mobile Security Blog. en-US. 2019-08-19. 2019-04-12. https://web.archive.org/web/20190412081657/https://blog.zimperium.com/no-patch-sop-bypass-android/. live.
  63. News: Android security shift exposes users. 2015-01-13. 2019-08-19. en-GB. 2019-03-20. https://web.archive.org/web/20190320015942/https://www.bbc.com/news/technology-30795253. live.
  64. Web site: Online security: Pakistani helps Google avoid privacy disaster. 2014-09-20. The Express Tribune. en-US. 2019-01-01. 2019-01-02. https://web.archive.org/web/20190102003848/https://tribune.com.pk/story/764713/online-security-pakistani-helps-google-avoid-privacy-disaster/. live.