marius@mdpsecure:~$ ./research --target modern-apps

Security research,
beyond the surface.

I reverse engineer Android apps, trace trust into their APIs and infrastructure, and find the logic flaws that automated testing cannot reason about.

androidweb_apideep_linkswebviewscloudbusiness_logic
mdpsecure — zsh — 92×24

$ whoami

Marius du Preez // security researcher

$ cat focus.json

{
"mobile": "Android internals",
"backend": "Web & APIs",
"method": "Manual + adversarial",
"impact": true
}

$ ./status

● READY FOR TARGET

$

reports.submitted203documented vulnerabilities
severity.critical70highest-impact findings
severity.high64high severity findings
infra.experience8yproduction cloud work

// CAPABILITY_MAP

One researcher.
The complete attack chain.

Most high-impact findings live between layers. The testing follows the data and trust boundaries wherever they lead.
01APK
ENTRY POINT

Android internals

Decompilation and runtime analysis uncover exported components, unsafe deep links, privileged WebViews, hardcoded secrets and client-side trust.

02API
TRUST BOUNDARY

Web and API logic

Authentication, authorization and multi-step product flows are tested manually for IDOR, account takeover, injection and logic abuse.

03IAM
IMPACT LAYER

Cloud infrastructure

Eight years of infrastructure experience helps turn weak assumptions into concrete impact across identity, storage and internal services.

research_method/
  • ├── reverse_engineering/active
  • ├── attack_surface_mapping/active
  • ├── business_logic/active
  • ├── exploit_chaining/active
  • └── impact_validation/active

// HUMAN-LED TESTING

Scanners find patterns.
I investigate assumptions.

Production systems rarely fail in isolation. The interesting bugs emerge when mobile clients, APIs, identity, cloud services and business rules interact in ways nobody planned for.

My background in infrastructure and building businesses provides the technical and commercial context to recognize those failures.

open full research archive
if (product.needsDeeperLook) {
  contact("[email protected]");
}

Let's test the assumptions.

Available for focused Android and web penetration testing, security consulting and independent research engagements.

send_message()