CARF - Hacking the Android Settings App - Anton Helin

Disobey 2026 · Main Stage

In this talk, Anton Helin, a security engineer at Oversecured, dissects a vulnerability he uncovered in the core Android Settings application. Titled "CARF - Hacking the Android Settings App," the presentation details a **Cross-Application Request Forgery (CARF)** vulnerability that allowed the deletion of a user's private space, or even a full factory reset of the device, with minimal user interaction. Helin's research highlights critical flaws in how Android applications, particularly privileged system components, process incoming data from **Intents** and deep links.

AI review

Helin presents original, self-discovered research with a clean exploit chain against a privileged Android system component — exactly the kind of work that earns a conference slot. The $8K bounty undersells the technical elegance here: lifecycle bypass + selector abuse + fragment injection is a well-constructed three-stage chain, not a one-trick CVE.