Collaborate Disseminate
My Dev team creates high-load applications and wants to use Keycloak with OpenID authz. But they are complaining about delays for retrieving permissions from Authz server (Keycloak). So, they decided to define all permissions for each grou… Continue reading Authorization and permissions in backend
There is an Azure-based internal database server and is not public-facing. There is another front-end application. A specific user group can connect with a VPN. There is no encryption applied at the disk level. So what risk or specific ga… Continue reading Which kind of data breaches or risk can happen if there is no virtual/physical disk encryption
For the second time, I’ve had MDMs installed on my devices, Windows, IOS iPads iPhones and Android phone. Both following extended hospital stay. The previous time, I was able to find the vendor name by searching files, (including root), an… Continue reading How can you locate the “owner/issuer? A new MDM.exe file was just downloaded a [closed]
After running MobSF static analysis on an application, the scan detected google_api_key as a possible hardcoded secret. Should Google API keys be encrypted ? Or is it okay to have them exposed if you add necessary restrictions ? Same quest… Continue reading Is it okay to have exposed Google API key
From a forensics standpoint, is there any technical possibility that WITHOUT rooting the device the potential cybercriminal used a manipulated system phone app to have hidden functionalities like secret messaging, which he had modified via… Continue reading As long as an Android device does not get rooted, is it safe to assume that the main phone app has not been modified?
What checks (static analysis, dynamic analysis etc.) does Google, Apple, Amazon etc. do on their app stores with each app developer submit? Are they automatic or manual?
Does any app store review every single line of code?
Continue reading What security reviews are done on apps in mobile app stores? [closed]
As part of a project for school I’ve been tasked with designing a secure application that should be able to upload and download files from a database. I have very little experience in the area of security so I’m unsure of where to start so… Continue reading How to design a desktop application that has access to a database via LAN?
If I am shipping a program to my customers which is compiled with GCC, but I want to test the security of the program using Clang, is this generally okay, or will I miss certain security bugs because I am not testing the exact same output/… Continue reading Is switching my C/C++ compiler for security testing generally reliable?
Background
I moved from ios to Android so now can’t rely on Apple doing some checks on the apps.
I was told that Google does some automated checks and if you buy/download apps from large organisations, a.k.a. Microsoft, then you should be … Continue reading How does a non technical user/beginner vet Android apps to ensure they are safe?
So I understand the purpose of regenerating a session ID after a state change such as authenticating, i.e to prevent session fixation. What I’m not clear on is why this would be necessary after a password change (as recommended by OWASP).
… Continue reading Session regeneration after password change?