The Yahoo! Fantasy Football Application for iPhone and Android does not utilize a NONCE (number used once) or private token to sign requests, which may allow a context-dependent attacker to conduct a CSRF attack.
Instagram for Android contains a flaw that is triggered when a user issues a like or delete command from the application. This will cause the cyrptographic signature of partial requests to be concatenated with a JSON string, which may allow the attacker to more easily crash the program or potentially execute arbitrary code.
Instagram contains a flaw that is due to the program storing static cryptographic signature key information in an obfuscated fashion that combines native and Java code. This may allow a remote attacker to more easily gain access to signature key information and delete all the user's pictures or like and unlike any pictures he chooses.
Cerberus for Android contains a flaw that is due to the program generating tokens in a predictable manner. When a user authenticates for the first time, a token is set based on the phone's IMEI. Subsequent requests are made using the token, not the user's credentials. With knowledge of a phone's IMEI, or via a trivial brute force attack, a remote attacker can send authenticated requests as the user.
By default, My Satis Application for Android installs with a hardcoded Bluetooth PIN. The application has a PIN of '000', which is publicly known and documented. This allows physically proximate attackers to trivially access the program and cause a user's toilet to open or close the lid, activate the bidet, enable the air-dry functions, or continually flush the toilet. While not life-threatening, this could pose a problem for harassment or discomfort.
Skype for Android contains a flaw that is triggered when a call is first accept from the attacker then dropped. This may allow the attacker to bypass the screen lock feature until the device is rebooted.