Cross-Process Dylib Injection via remote_call
Calling dlopen directly in a remote process by hijacking thread state on arm64 — no shellcode, no intermediate libraries. Built on top of remote_call.
Repository
My First CVE — CVE-2026-28882
Got my first CVE credited by Apple — a privacy issue in libxpc that allowed an app to enumerate installed apps and running processes. Patched across all platforms.
Mac App Store App to Ransomware via Apple Classroom
A sandboxed Mac App Store app can lock your entire screen with custom text and block all input — using Apple's own Classroom feature via unauthenticated XPC access to loginwindow. Apple says it's not a security issue.
Repository
Touch Bar Debug HUD via XPC
Unauthenticated XPC access to macOS DFRHUD service — enabling the Touch Bar debug overlay from any unprivileged client.
Repository
Reverse Engineering Apple's DeviceCheck Token Generation
End-to-end reverse engineering of Apple's DeviceCheck token generation flow on iOS — from DCDevice API through devicecheckd to the final AES-GCM encrypted payload.
Repository