DEV Community: Mohammad Shams

I Built an Android App to Audit Third-Party Permissions — Here's What I Found

Mohammad Shams — Tue, 01 Jul 2025 16:50:05 +0000

Hey everyone 👋

As part of my personal shift from Android development into cybersecurity, I wanted to better understand how apps handle user privacy — especially when it comes to granted permissions.

So, I built a simple Android tool that scans installed third-party apps and displays which permissions they’ve actually been granted.

🔍 What the App Does

This app:

Lists only third-party apps (no system clutter)
Shows granted permissions only — not requested
Categorizes apps based on access types (Camera, Location, etc.)
Has a built-in search barr to quickly find suspicious apps
Uses Material Design with a clean UI

📱 Why I Built It

I was surprised by how many apps quietly hold permissions I forgot I gave them — especially older ones I rarely open.

Some apps had:

Full access to contacts ☎️
Camera permission without photo features 📷
Location access while never showing a map 🧭

That felt… wrong.

So this tool was my way to expplore how user-granted permissions really work in practice — and how little visibility Android gives you out of the box.

🛠️ Tech Used

Java + Android SDK (no external libs)
PackageManager API
RecyclerView with live filtering
Target SDK 33 (privacy-safe, modern)

🔗 GitHub Repo:

👉 Check out the code here

Feel free to fork, test, or suggest improvements!

🤔 What I Learned

Android permission handling is more fragmented than I thought
Some “granted” permissions are inherited silently from package updates
Categorizing apps by permision type actually helps understand risk

🙌 Final Thoughts

This was my way of applying old Android skills to a new path in mobile privacy and scurity. If you're curious about app behavior or want to audit your own phone, this might be a fun project to try or contribute to.

If you have suggestions (or want to break it 😅), let me know!

Cheers,

Mohammad

I Built a Simple SQL Injection Test Tool (and Broke My Own Site in the Process 😅)

Mohammad Shams — Sun, 29 Jun 2025 05:28:00 +0000

Hey folks 👋

As part of my self-learning journey into cybersecurity, I wanted to better understand SQL injection — not just by reading, but by testing. So I built a small command-line tool to help simulate and detect potential SQLi patterns in GET parameters.

🛠️ The Tool

It’s nothing fancy — just a simple PHP script that:

Takes a URL with query parameters
Injects common SQLi payloads (like ' OR 1=1 --)
Sends requests and checks for keyword-based anomalies in responses

🔗 GitHub repo: SQL Injection Tester

🤯 What I Broke (and Fixed)

At one point, I tested this against a test WordPress site I set up... and accidentally messed with a plugin’s query.

Nothing crashed, but I got a good scare. Lesson learned: always test safely 😅

🧠 What I Learned

The difference between reflective vs blind injection
How servers react differently to invalid queries
Why pattern matching alone isn't enough for real detection

📌 What’s Next?

I’m thinking of:

Adding POST support
Highlighting response diffs
Maybe integrating with Burp logs later?

If you’re learning security too, check it out. It’s raw and beginner-level, but I’m proud of it!

Cheers,

Mohammad

Trying Out PowerShell for Process Logging — Finally Something That Feels Like Real Scripting 😅

Mohammad Shams — Sat, 28 Jun 2025 07:11:00 +0000

Hey Dev.to friends 👋

After doing some basic process logging in Windows using a Batch file (and then exploring Task Manager + Sysinternals), I decided it was time to level up a bit and try... PowerShell.

I’ll admit: at first, PowerShell felt like “Windows trying to be Linux.” But after writing my first sript? It started making sense. Sort of.

⚙️ What I Wanted to Build

A simple script that:

Lists running processes
Adds a timestamp
Saves the info into a log file that I can revisit later

🧠 What I Wrote

$date = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
"--- $date ---" | Out-File -Append process_log.txt
Get-Process | Sort-Object CPU -Descending | Out-File -Append process_log.txt
"`n" | Out-File -Append process_log.txt

This logs all running processes sorted by CPU usage, with a timestamp, into a process_log.txt file. Prettiy clean, right?

🤔 What I Learned

PowerShell is actually kind of elegant once you get past the weird syntax

Out-File -Append is your best friend

Sorting and filtering are much easier than in Batch

Debugging PowerShell errors feels like reading Shakespeare sometimes 😅

🧪 Bonus Experiment

I left the script running with Task Scheduler every 10 minutes and then compared the logs manually.

I noticed some weird spikes in RuntimeBroker.exe and a random instance of wscript.exe I didn’t expect. Mighgt be nothing... or maybe the beginning of a rabbit hole 🐇
🎯 What’s Next

I want to:

Add filters (only show user-initiated processes)

Log changes only (diff between snapshots)

Maybe try sending logs via email for remote monitoring?

Still figuring things out, but this script was a big leap from the Batch stuff.

🙌 Final Thoughts

If you're new to PowerShell like I was, don’t stress — just build small stuff. Forget the theory at first, just write something dumb that does one thing. Then make it smarter later.

And if you know any cool tricks for process logging or filtering in PowerShell, I’d love to hear them!

Cheers,
Mohammad

My First Dive into Windows Process Analysis: Task Manager, Sysinternals & Mild Confusion 😅

Mohammad Shams — Fri, 27 Jun 2025 05:23:00 +0000

Hey again 👋

After playing with my tiny Batch script for logging Windows processes (see my last post), I wanted to see how the pros do it.

So, I explored the native Task Manager... and then fell into the rabbit hole of Sysinternals.

🧪 What I tried:

Task Manager

_ Good for quick views. But too friendly. I wanted more raw info._
Process Explorer (from Sysinternals)

And this is where things got juicy.

Realtime tree view? ✔️
Parent/child process chains? ✔️
Tons of columns I had no clue about? ✔️✔️✔️

Process Monitor I don’t fully understand it yet, but watching file + registry access live? Felt like Wireshark but for the OS.

🤔 Key Moments:

I killed a process and saw the tree adjust in real time. Felt like I was performiing surgery on the OS 😄
I learned about svchost.exe — still not sure how many of them are “normal”
I noticed Chrome runs like 20+ processes for reasons I still don’t get. Is it hungry or paranoid?

💡 What I learned:

Tools matter. Even visuual ones like ProcExp can teach a lot.
Observing is half the battle. The more I watch, the more patterns I start to see.
Security isn't always about breaking — sometimes it's about noticing.

🧭 Next Plan:

I’m thinking of combining my Batch logger with fltered data from Process Explorer (via CLI or logs?) — or maybe switching to PowerShell for more power and less pain 😅

Any tips from folks who’ve worked with Windows internals are welcome!

Thanks again for following this clunky but fun journey into cybersecurity from the ground up 🧠

– Mohammad

My First Attempt at Writing a Windows Process Logger in Batch (Yes, It’s Ugly, but It Works)

Mohammad Shams — Thu, 26 Jun 2025 04:24:00 +0000

Hey folks 👋

As promised in my first post, I’m learning cybersecurity by building small, real-world tools — even if they’re weird, ugly, or incomplete.

This time I decided to tackle something basic but useful: logging running processes in Windows usng a plain old .bat script. Why Batch? Because I wanted to start from zero, from the most available thing on any machine.

🎯 The Goal

Create a script that:

Lists all active processes
Logs them into a .txt file with a timestamp
Appends, not replaces, data (to monitor changes over time)

⚙️ The Code (bare bones version)

@echo off
set "logfile=process_log.txt"
echo ---- %date% %time% ---- >> %logfile%
tasklist >> %logfile%
echo. >> %logfile%

Yep. That’s it.

It took me a lot more time than I’m willing to admit to understand how >> really works vs >, but hey — that’s part of the learning curve. 😅
🤔 Why This Matters (for me at least)

In Android or backend work, you usually have libraries or services doing this kind of monetoring. But in cybersecurity, you’re often the one building the tool from scratch — even if it’s just to test a theory.

This script helped me understand:

Basic I/O in CMD

How malware might hide or fake processes

Why log integrity is such a huge deal

I even manually killed and restarted some processes just to see how things change across logs — nothing fancy, but it gave me ideas.
📌 Next Steps

Here’s what I’m planning to add next:

Filter out system processes

Log new processes only (maybe with PowerShell?)

Send alerts (even if just a beep for now 😄)

🧪 What I Learned

Even small scripts can teach you a lot

Debugging in CMD is... a unique experience 😅

I should’ve learned about findstr sooner

🙌 Final Thoughts

If you’re also learning cybersecurity from scratch, don’t be afraid to build basic stuff. Forget funcy UIs or frameworks — just solve a tiny problem and move on.

I’ll keep sharing small tools like this as I go, and I’d love to hear what kind of beginner-friendly ideas you’ve tried too.

Thanks for reading,
Mohammad 🧠

From Android Developer to Cybersecurity Beginner: A Public Journey, Not a Hero Story

Mohammad Shams — Wed, 25 Jun 2025 05:03:17 +0000

👋 Hey there, fellow devs!

So... I'm one of those developers who spent years in Android and backend development (mostly Java/Kotlin, PHP, WordPress). And now — surprise — I’m walking straight into cybersecurity. 🎯

No, it’s not because of a hack in a Hollywood movie (though I might have seen Mr. Robot more than twice 😅). It’s more like: I wanted a challenge again. Something deeper. Something that feels closer to the system, and honestly? Something that makes me nervous in a good way.

💻 Where I’m coming from

I've been coding professionally for 7–8 years, mainly working on Android apps, WordPress sites, and backend integrations. I’ve dealt with messy APIs, debugging nightmares, and way too many coffee-driven bug hunts.

But one thing I’ve alwayss avoided? Security. I just assumed the tools “take care of it” — which now I know is a terrible assumption. 😅

🔐 Where I’m heading

A few months ago, I started reading up on basic infosec topics: Bash scripting, Linux permissions, vulnerabilities in WordPress (yeah, ironic), and even how malware hides in plain sight.

I'm not here pretending to be an expert. I’m just trying to learn in public, build tiny tools (even if they’re a bit ugly), and maybe help other devs who are also curious abuot security but don't know where to begin.

🛠️ What I'm doing now

Rewriting my GitHub to show simple but real projects
Publishing notes as I learn (even the dumb mistakes — I’ve made a few!)
Writing here on Dev.to to track my journey and stay accountable

I’m also building a few tools like:

a batch script that logs suspicious processes in Windows
a basic log parser to track weird activity
and my favorite so far: breaking my own WordPress installs just to see what happens 🧨

🤝 Let's connect

If you're in the same boat — transitioning into security, doing self-study, or just into weird litle experiments — I'd love to connect.

Also, if you’re a hiring manager or migration officer reading this (hey 👀), this is my honest attempt to share publicly what I’m learning as I go. This stuff is not easy, but it’s exciting.

Thanks for reading — I’ll post something real and code-y next time.

Cheers,

Mohammad 👨‍💻