Soyam Arya | Offensive Security Researcher & 2× CVE Holder

Soyam Arya (aka honest_corrupt)

Offensive Security Researcher | Ethical Hacker | 2× CVE Holder | Mobile & Web Application Security

→ Identified vulnerabilities in real-world production applications
→ Specialized in Android & Web Application Security
→ Open to remote cybersecurity roles

๐Ÿ“ Remote (India)
๐Ÿ“ง soyamarya96ethical@gmail.com

🔗 GitHub: https://github.com/honestcorrupt
🔗 LinkedIn: https://linkedin.com/in/soyam-arya-a90356312

💼 Open to: Security Research | Penetration Testing | Application Security Roles (Remote / Global)


🧠 Professional Summary

Cybersecurity professional with hands-on experience in Vulnerability Assessment and Penetration Testing (VAPT), mobile application security, and web application security. Proven track record of identifying critical vulnerabilities in live systems, including sensitive data exposure, insecure storage, and authentication flaws.

Recognized as a 2× CVE holder, with practical experience in:

  • Exploit development
  • API security testing
  • Secure data analysis
  • Threat identification and risk assessment

Strong ability to simulate real-world attack scenarios and translate findings into actionable security insights.


๐Ÿ† Key Achievements

  • 2× CVE Holder
    • CVE-2025-5154 — Sensitive data exposure in Android application
    • CVE-2025-6748 — Security vulnerability identified and disclosed
  • Identified and reported vulnerabilities in large-scale applications:
    • Google Play Services
    • Flipkart
    • Canva
    • PhonePe
  • Active security researcher on:
    • HackerOne
    • Bugcrowd

💣 Vulnerability Research & Security Findings

🔴 Android Application – Sensitive Data Exposure (CVE-2025-5154)

Target: PhonePe

Vulnerability: Insecure storage of sensitive user data within local SQLite database files

Impact:

  • Exposure of sensitive user data (tokens, personal information)
  • Risk of session hijacking and unauthorized account access
  • Potential privacy breach under device compromise

Technical Details:
Sensitive data stored in cleartext within the /data/data/com.phonepe.app/databases/ directory, making it accessible under local attack conditions

🔗 Proof (NVD):
https://nvd.nist.gov/vuln/detail/CVE-2025-5154

Tools & Techniques: MobSF, JADX, ADB, static & dynamic analysis


🔴 Android / Telecom Application – Cleartext Storage Vulnerability (CVE-2025-6748)

Target: Airtel Thanks App

Vulnerability: Cleartext storage of sensitive information in application files

Impact:

  • Sensitive data exposure on compromised or rooted devices
  • Increased attack surface for local exploitation
  • Potential misuse of stored user information

Technical Details:
Sensitive data stored in cleartext within the application directory /Android/data/com.myairtelapp/files/, allowing local attackers to access it

🔗 Proof (NVD):
https://nvd.nist.gov/vuln/detail/CVE-2025-6748

Additional Insight:

  • Classified under CWE-312 & CWE-313 (Cleartext Storage)
  • Exploit publicly disclosed and reproducible

Techniques Used: Manual testing, file system analysis, application reverse engineering
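Both findings above (CVE-2025-5154 and CVE-2025-6748) are instances of the same bug class, CWE-312/313 cleartext storage in an app's private directory. As an added example, not code from this page or from either vendor, here is the kind of pre-release check a developer can run over a copy of their own app's sandbox (pulled from a test device or emulator) to catch secrets written to disk in cleartext; the patterns, file names, table layout and sample values are constructed assumptions, and the mitigated database shows what an encrypted-at-rest token column should look like to the scanner.

```python
# Constructed pre-release check for CWE-312/313: scan a copy of your own app's private
# data directory for secrets written in cleartext. All paths, names and sample values
# here are constructed assumptions, not any real app's data.
import os, re, sqlite3, tempfile

# Secrets that must never sit on disk in cleartext (patterns are assumptions).
PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "phone_in": re.compile(r"(?<!\d)\+91\d{10}(?!\d)"),
    "api_key": re.compile(r"(?i)\b(api[_-]?key|auth[_-]?token)\b[\"']?\s*[:=]\s*\S+"),
}
def scan_text(text, where):
    return [(where, kind) for kind, rx in PATTERNS.items() if rx.search(text)]
def scan_sqlite(path):  # match every string cell of every table, label as file:table
    hits, con = [], sqlite3.connect(path)
    try:
        for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
            for row in con.execute(f'SELECT * FROM "{t}"'):
                hits += [h for c in row if isinstance(c, str)
                         for h in scan_text(c, f"{os.path.basename(path)}:{t}")]
    finally:
        con.close()
    return hits
def scan_app_dir(root):  # sorted, de-duplicated (location, kind) findings under root
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if f.endswith(".db"):
                hits += scan_sqlite(p)
            else:
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    hits += scan_text(fh.read(), f)
    return sorted(set(hits))

def _session_db(path, columns, row):
    con = sqlite3.connect(path)
    con.execute(f"CREATE TABLE session ({columns})")
    con.execute(f"INSERT INTO session VALUES ({','.join('?' * len(row))})", row)
    con.commit(); con.close()
def build_sample_app_dir():
    # Constructed sandbox: cleartext token and phone in session.db, an API key in a JSON
    # file, and a mitigated DB whose token column holds only an opaque encrypted blob.
    root = tempfile.mkdtemp(prefix="app_sandbox_")
    os.makedirs(os.path.join(root, "databases")); os.makedirs(os.path.join(root, "files"))
    _session_db(os.path.join(root, "databases", "session.db"), "user TEXT, auth_token TEXT, phone TEXT",
                ("u1", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl", "+919876543210"))
    _session_db(os.path.join(root, "databases", "session_enc.db"), "user TEXT, auth_token TEXT",
                ("u1", "ENC1:9f3a7c1de2b0"))  # Keystore-wrapped ciphertext, not the token
    with open(os.path.join(root, "files", "config.json"), "w") as fh:
        fh.write('{"api_key": "AKconstructed123", "theme": "dark"}\n')
    return root
```

Running `scan_app_dir(build_sample_app_dir())` flags the JWT and phone number in session.db and the key in config.json, while the encrypted token in session_enc.db produces no finding.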


🔴 Mobile Application – Cleartext Data Transmission

Target: Flipkart
Vulnerability: Transmission of OTP and phone number over insecure channels
Impact: Man-in-the-Middle (MitM) attack leading to account compromise
Tools: Burp Suite, network interception


🔴 Web Application – API Key Exposure

Target: Canva
Vulnerability: Hardcoded API key exposed in frontend JavaScript
Impact: Unauthorized access to backend services and abuse of analytics/event systems
Tools: Browser DevTools, JavaScript analysis


🔴 Token & PII Exposure – Mobile Environment

Target: Google Photos (testing environment)
Vulnerability: Sensitive tokens and PII stored in local databases and blob files
Impact: Data exfiltration on compromised or rooted devices
Techniques: Local storage analysis, forensic inspection


🧪 Projects & Practical Experience

🔬 Android Security Testing Lab

  • Designed and implemented a custom lab for Android penetration testing
  • Conducted static and dynamic analysis of mobile applications
  • Tested authentication mechanisms, data storage, and network communication

๐Ÿ”ฌ API Security Assessment

  • Performed testing of authentication and authorization workflows
  • Identified vulnerabilities such as improper access control and token misuse

๐Ÿ”ฌ Network Traffic Analysis & Monitoring

  • Analyzed network traffic using Wireshark and Nmap
  • Detected anomalies and potential security threats
  • Performed basic threat detection and log analysis

🛠️ Technical Skills

๐Ÿ” Security Domains

  • Vulnerability Assessment & Penetration Testing (VAPT)
  • Web Application Security (OWASP Top 10)
  • Mobile Application Security (Android)
  • API Security Testing

⚙️ Tools & Technologies

  • Burp Suite
  • MobSF
  • JADX
  • Wireshark
  • Nmap
  • Kali Linux

💻 Core Competencies

  • Networking Fundamentals
  • Linux Systems
  • Python (Basic Automation & Scripting)

📜 Certifications

  • Android Bug Bounty Hunting
  • SQL Injection Attacks
  • Penetration Testing Lab Setup
  • Cybersecurity Job Simulations (APT, Incident Response, Risk Assessment)

📜 Certifications (with verification links): https://drive.google.com/drive/folders/1eENsMpGtHTpKxjGV1H-gCatiMLX-S1dE?usp=sharing


🎯 Career Objective

To contribute as a Security Researcher or Penetration Tester in a forward-thinking organization, focusing on identifying vulnerabilities, strengthening application security, and enhancing overall system resilience against evolving threats.


๐Ÿ“ฌ Contact

📧 Email: soyamarya96ethical@gmail.com
📍 Location: India (Remote)

🔗 GitHub: https://github.com/honestcorrupt
🔗 LinkedIn: https://linkedin.com/in/soyam-arya-a90356312

💼 Open to:

  • Junior Penetration Tester roles
  • Application Security roles
  • Security Researcher positions
  • Freelance vulnerability assessment projects
  • Remote cybersecurity opportunities
