Are you unable to implement SSL pinning in your Mobile Applications because you are leveraging ACM for automated certificate management? Let’s talk about a possible workaround to help us protect the data in transit while having the managed services in place to avoid the overhead of manual certificate management.

Introduction

One of the key aspects of securing data is protecting data in transit, i.e. the data that flows to/from mobile applications and the backend must be sufficiently protected to prevent an adversary from performing Man-in-the-Middle attacks.

Isn’t Securely Implemented TLS Enough?

When correctly implemented (for example, only allowing secure cipher suites, latest…


CVE-2021-21136: Insufficient policy enforcement in WebView

Some time back, while analyzing a security issue, I thought of learning the behavior of a few WebView APIs. During the research, I discovered that in a specific scenario Android WebViews may leak sensitive data such as users' auth tokens, API secrets, etc. to third parties. …


Are you an Android developer who is inclined towards security, or an application security person who is keen to connect multiple dots to identify a cool security bug? Were you unaware that OkHttp, the friend of Android developers, retains auth headers during redirection? If yes, then this story would be interesting…


I remember the early days of my application security journey, where we used to identify hardcoded secrets in the backend code in almost every source code review engagement, and at that time I used to struggle a lot to come up with the best remediation considering the cost and overall…


Reconnaissance is indeed the most critical and time-consuming phase of a penetration test. In this phase, we collect as much information as possible about the target. The more information we have, the higher the chances of successful exploitation.

Over the past few years, I have had multiple experiences where…


Introduction

AWS is indeed a leading cloud platform and is widely used for various types of cloud services by tech giants such as Netflix, Airbnb, Lyft, Deliveroo, etc. In this story, I will be talking about the automated detection of AWS NS Takeover, a security issue related to the misconfiguration in…


Ever wondered whether the deep links in your application are one of the doors an attacker can use to break into it?

In the current era of hybrid mobile architecture, WebViews and deep links are extensively used hand in hand. The former is used to deliver dynamic web content, while the latter is used to make applications more interactive.

In this story, we will be discussing the common…


For the people who say we are on the cloud and it is implicitly secure :P

I hope you have heard of the conventional subdomain takeover caused by a dangling CNAME entry. Recently, while going through these amazing blogs (Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean, and Subdomain Takeover: Going beyond CNAME), I got to know…


Are you still unsure about the security of your users' devices?

Android Leading Market Share

Android is leading the current era of mobility with more than 75% of the market share. Nowadays, mobile applications are not only used for leisure purposes but also for business-critical operations, in which there is a huge flow of sensitive data.

Although Android supports the beautiful concept of…

Shiv Sahni

Security Engineer | Security Consultant | Infosec Trainer | Author | Lecturer | Open Source Contributor | Learner https://www.linkedin.com/in/shivsahni/
