Collaborate Disseminate
For a time homebrew was serving the vulnerable XZ Utils / liblzma versions 5.6.0 and 5.6.1. I observed on my own MacBook pro that I had the 5.6.1 installed via homebrew.
The current state of knowledge seems to suggest that macOS was so far… Continue reading Is macOS vulnerable to the XZ-vulnerability? [migrated]
With Collection #1 yet another large data set of email addresses and passwords was found out there. I happens that one of my frequently used email addresses shows up as ‘pwned’ when checked against the list. However (!), this… Continue reading Collection #1: Do we know the source of the leaks?
Our team is trying to secure a native Android mobile app.
Amongst other things we are using Dexguard for some checks such as tamper, root and emulator detection.
Long story short: some of these checks fail in our debug buil… Continue reading Android tamper resistance: BuildConfig.DEBUG spoofing?
Our team is trying to secure a native Android mobile app.
Amongst other things we are using Dexguard for some checks such as tamper, root and emulator detection.
Long story short: some of these checks fail in our debug buil… Continue reading Android tamper resistance: BuildConfig.DEBUG spoofing?
In the current OWASP MASVS (as of now v0.9.3) we can find the following requirement for MASVS-L2 in Security Verification Requirements:
MASVS 1.12:
“Remote endpoints verify that connecting clients use an up-to-date vers… Continue reading MASVS 1.12: "Endpoints verify that clients use up-to-date version"
In the current OWASP MASVS (as of now v0.9.3) we can find the following requirement for MASVS-L2 in Security Verification Requirements:
MASVS 1.12:
“Remote endpoints verify that connecting clients use an up-to-date vers… Continue reading MASVS 1.12: "Endpoints verify that clients use up-to-date version"
Lets say that on an Android app the user has to enter a 6-digit PIN on startup. Let’s also say that we have some sensitive data in this application that we’d like to encrypt.
The way I would to this is:
Using a key derivat… Continue reading Securing data on Android app using a 6 digit PIN
Lets say that on an Android app the user has to enter a 6-digit PIN on startup. Let’s also say that we have some sensitive data in this application that we’d like to encrypt.
The way I would to this is:
Using a key derivat… Continue reading Securing data on Android app using a 6 digit PIN
As certificates have expiration dates, the pinned certificate of the server will eventually have to be replaced. This process generally calls for some application/client side update to make the client aware of the new certificate ‘to pin’.
Are there best-practices on how this transition/change can be managed?
I’m thinking of something more sophisticated than two people pressing a button at the same time (i.e. the server cert being updated and the application forcing the user to update)… The organisational processes involved here can be non-trivial, especially since the release and maintenance cycles of client/server/operations might be running according to different schedules and priorities.
Maybe something like (I’m just writing down a rather naive approach here):
–> This would allow new ‘pinned’ certificates for a server to be delivered well in advance of actually switching certificates on the server.
Continue reading SSL Pinning: Managing changes in the pinned certification on client side