Friday, September 16, 2016

Xiaomi’s Analytics Application Security & Privacy Concern

You might have heard about the recent blogspot of Reverse Engineering Xiaomi’s Analytics app at  https://www.thijsbroenink.com/2016/09/xiaomis-analytics-app-reverse-engineered/
Summary - Basically there is an application called Analystics which is there by default on every MIUI user's phone. This application runs in background 24*7 and it also re appears without user interaction even if you delete it.

Wednesday, September 7, 2016

Android Application Security - Using hmacSHA256 Encryption For Tamper Proof Request & Response

It was all started from SSL pinning implementation. I implemented SSL pinning in our application using 3 different method as mentioned below.However I failed to implement using all 3 mechanism for obvious reasons that there are open source tools available to bypass SSL pinning.

For android there are Justtrustme, Android-SSL-TrustKiller. In iOS there is ios-SSL-Killswitch. I posted question over stackoverflow in order to find the concrete solution for the ssl pinning. However, I ended up getting nothing. Link for the stackoverflow is mentioned below.

http://security.stackexchange.com/questions/136017/is-it-possible-to-implement-secure-ssl-pinning-implementation-for-without-server

Below are the methods I tried to implement for ssl pinning.

Saturday, July 23, 2016

iOS Application Security - xCON Switch - Enable/Disable Detection without removing xCON Application from Cydia

I was searching for the xCon switch in order to enable/disable injecting xCon file to each application that is launched under iOS device. However, I was unable to find any such resource. So I decided to digg little into that.

Monday, May 2, 2016

Hack Banking Infrastructure Like Pro - Part 3

In last part of this article if you can recall the network diagram, we have compromised gateway 192.168.101.6. In this article I am going to compromise ssh and terminal system which has IPs respectively 172.16.0.6 and 192.167.0.2.

Sunday, April 10, 2016

Hack Banking Infrastructure Like Pro - Part 2

If you have not seen the part 1 of this series then kindly refer that first. You must have seen that how I compromised site(172.16.0.1). Now it is time to attach the cabinet system which has IP 172.16.0.2.

Friday, April 8, 2016

Hack Banking Infrastructure Like Pro - Part 1

Test Lab is an online penetration testing lab which has total 12 system/servers/network devices. Those are purposely mis configured. Upon hacking each single node, you will get token, which needs to be submitted on the website for the verification that will tell whether you have hacked that server successfully or not. Lets dive into.

Wednesday, April 6, 2016

Data Center Security/Safety Review & Audit Checklist

Your data center hosts critical data and contains your core assets, including customer information, intellectual property and other business-critical data. And with emerging trends such as Big Data, bring-your-own-device (BYOD) mobility and global online collaboration sparking an explosion of data, the data center will only become more important to your organization and will continue to be the target of advanced malware and other cyber attacks.

Sunday, November 15, 2015

Bugbounty - Password returned in the response in cleartext

Another interesting bug, that I found in www.tagged.com. As you know www.tagged.com & www.hi5.com are pretty famous and old social media. Design and functionality of these two domains are pretty similar.