Systems Security Hall of Fame
The final project in my Systems Security course requires students to perform a non-invasive security analysis of a real-world system, typically an Android mobile application.
This Hall of Fame recognizes the projects whose security analysis and successful vulnerability disclosures led to meaningful improvements in real-world systems.
Successful Disclosures, 2025 edition
| Students | Application / System | Findings |
|---|---|---|
| Lars Schmidt Hansen | Unnamed work tracking app | Insufficient authentication relying on hardcoded credentials; hardcoded keys for encrypting sensitive data on device; API access allows enumeration of private data |
| Rasmus Østerskov Gammelgaard, Alexander Nørgaard Henriksen, Luccas Ruben Joshua Constantin-Sukul | Unnamed hotel booking app | Hardcoded API keys; insufficient access control for backend database access; no 2FA and weak password policy; deprecated algorithms in public key certificates |
| Flaviu Catalin Florea, Iacob Ilinca-Maria | Unnamed fitness app | Hardcoded secrets and cleartext communication allowed in the app's Manifest; weak password policy and session management issues; privacy concerns (lack of clarity in the policy; invasive tracker permissions and access to the user's location); door opening mechanism vulnerable to spoofing and replay attacks |
| Kasper Mølholm Holck | Unnamed community app | Privilege escalation by any registered user |
| Niels Viggo Stark Madsen, Ask Holmboe Vorting | Unnamed shopping app | Reimbursement mechanism vulnerable to spoofed items; coupon feature vulnerable to forgery |
| Jonas Ahlers, Kasper Hebsgaard, Rasmus Vestergaard Knudsen | Unnamed shopping app | No 2FA and weak password policy; lack of e-mail verification for new accounts; publicly available cloud storage of user-provided data; QR code for successful purchases is handled client-side only |
| Nicolai Landkildehus Lisle | Unnamed transport app | Session management issues; account hijack under some circumstances; risk of account enumeration; lack of certificate pinning |
| Asger Song Høøck Poulsen, Kristian Dueholm Hill, Nikolaj Kühne Jakobsen | Unnamed shopping app | Hardcoded secrets (API keys and credentials); spoofing of payment transactions; bypass of basket check process; enumeration of private user data |
| Mikkel Katholm, Magnus Wind, Emil Mors | Unnamed social network | Exposure of private user data in bulk through the API; susceptibility to MITM attacks; lack of rate limiting and expiry of password reset |