WebView debugging can be enabled via “WebView.setWebContentsDebuggingEnabled(true)”. Leaving WebView debugging enabled in production Android apps is a bad idea: anyone who gets hold of the unlocked phone can attach a debugger to the app’s WebView and access the app’s data forever.
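The usual mitigation is to turn the flag on only in debuggable builds. The class below is an added example (not code from the original post) showing one way to gate it: it assumes the standard Android SDK, where Gradle debug variants set android:debuggable="true" and that state is readable at runtime through ApplicationInfo.FLAG_DEBUGGABLE, so release builds can never enable remote debugging even if a developer forgets to remove the call.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.webkit.WebView;

/**
 * Added example: enable WebView remote debugging only when the running
 * build is debuggable, so a release APK never exposes the debugging port.
 */
public final class WebViewDebugGate {
    private WebViewDebugGate() {}

    /**
     * True when the installed app was built with android:debuggable="true".
     * Gradle's debug variants set this; release variants do not.
     * Checking the runtime flag (rather than a compile-time constant) also
     * catches a mis-configured build that sets the flag unexpectedly.
     */
    public static boolean isDebuggableBuild(Context context) {
        ApplicationInfo info = context.getApplicationInfo();
        return (info.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /**
     * Call once at startup (for example from Application.onCreate).
     * setWebContentsDebuggingEnabled exists from API 19 (KitKat) onwards;
     * on older platforms there is nothing to configure.
     */
    public static void configure(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) {
            return;
        }
        // Never pass a hard-coded "true" here: the value is derived from the build.
        WebView.setWebContentsDebuggingEnabled(isDebuggableBuild(context));
    }
}
```

Gating on the generated BuildConfig.DEBUG constant is equivalent for normal Gradle builds; the runtime flag check above has the advantage of matching what the OS itself treats as debuggable. A release build can be verified after the fact by confirming that its manifest does not carry android:debuggable="true".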
A short summary of bitcoin
Electronic money is all about a ledger (of transactions) that records who sent money to whom. In the standard financial system, the central/federal/reserve bank (different nations use different names for it) and, by extension, financial institutions are “trusted” to maintain that ledger. Any work that requires a “trusted” party can, in principle, be done using cryptography without one, and Bitcoin is the manifestation of that idea applied to the ledger. For a more thorough treatment, have a look at the original paper or this blog post.
A security company reverse engineered Snapchat’s Android client and found all the API endpoints (source).
The bigger issue: the published proof of concept uses the “find friends” feature to find out whether a phone number is registered on Snapchat and, if it is, the associated username and location of the user.
Their claim was that despite informing Snapchat about the hole, Snapchat did nothing about it.
As expected, someone published the data of 4.6M registered users (source) using the proof of concept provided. Snapchat responded by saying that users will soon be able to opt out of the find friends feature.
A lot of work is happening in academia and industry on tools for dynamic analysis, static analysis, and reverse engineering of Android apps. An updated list of these tools can be found at https://github.com/ashishb/android-security-awesome.
Just completed reading “The Tangled Web: A guide to securing modern applications” by Michal Zalewski.
The book is surprisingly small given the amount of information it covers about the interaction of web browsers, web sites and client-side web technologies.
The book starts with a discussion of what a valid URL can look like (http://yahoo.com:email@example.com/microsoft.com – think about which site is actually being connected to here) and then discusses several fundamental building blocks of the modern web (like cookies) as well as standard technologies (like Flash) in depth. The same-origin policy, and how it differs between the DOM, cookies and pseudo-URLs, is explained with amazing clarity.
One of the best things about this book is that it makes regular references to RFCs for authoritative answers, alongside the corresponding deviant [and undefined] behavior implemented by browsers.
The book also covers new (HTML5) security features in detail.
While reading the book, I occasionally felt information overload, but I think the “tangled web” itself, and not the book “Tangled Web”, is responsible for that.
I would strongly recommend this book for anyone who deals with web[site] security as well as parsing HTML.
Disclosure: We both work for [different teams under] Google Security.
Came across a few interesting posts like this on my wall today.
As the world moves towards cloud-based storage and computing, the task of storing our data on a PC hard disk is being replaced by cloud-based storage providers. This includes our emails, social data, professional data, and financial data. Accessing this data requires authentication, and despite their various limitations, username and password are still the standard way of authenticating [though OpenID is slowly becoming popular]. One thing that is crucial in this case is how web services store users’ passwords.
If you have already been a victim of this, then change your password and unlike the page as soon as possible.
A malicious app called “aprilfoolsprank”, which likes a page on the user’s behalf and tries to phish the user into disclosing his/her Facebook login and password, is taking its toll on Facebook users.
If you are looking for how to avoid or recover: read this one instead.
In the past few weeks, a lot of Facebook users have received the following (or similar) messages posted by their friends:
Hi Friends see Face-book images rotate 360* see here >> http://SHADYCLOUDS.TK/
Really cool Facebook revolving images. MUST SEE http://rotatingimage2.tk/.
The following are my observations and analysis of these messages.