How I Exploited a Vulnerability in Olvid Android App

Hello everyone,

I want to share a story from a few years back, specifically from 2018, when I came across an interesting security issue in the Olvid Android application.

Olvid is known for its strong focus on privacy and secure communications. It offers end-to-end encrypted messaging and positions itself as a solution that protects users from surveillance.

While analyzing the app, I identified a vulnerability using Frida, and I could inject scripts at runtime and bypass the fingerprint and passcode authentication mechanisms.

Impact

This granted unauthorized access to sensitive features within the application, completely bypassing authentication. In the wrong hands, such as surveillance firms like NSO or Cellebrite, this kind of exploit could compromise a device that’s already been physically accessed or “prepared.”

This vulnerability shows how even security-focused platforms can sometimes ignore runtime manipulation vectors, reinforcing the importance of layered protection and runtime integrity checks.

Proof of Concept