Sunday, December 27, 2015

Spoof Packages And Signatures

I always regarded the system for identifying and verifying applications and signatures, such as that of Fix, Parse and Google, as one that always does the best job. I always ask myself: this is really good, but if it is so good, can it be hacked or broken?

Yes, everything in this world is hackable, no matter who wrote it, how much they were paid for it, how many qualifications the developers have, or how many thousands of dollars their studies cost them. Everything is hackable; one only has to examine the problem and break it.

I think this is really dangerous: you can create fake applications that behave like the original, accessing tokens or keys which are validated by this kind of protection.

This protection really sucks, and it is used by large companies around the world; Google is only the tip of the iceberg.

GitHub: SpoofPackagesAndSignatures

Saturday, December 12, 2015

How To Hack 310 Billion Dollar Company

Once again, big players with bad security practices; this time it is Amazon's AWS S3 service.

The problem is the following. From SDK 2.2.5 to 2.2.8 for Android, Amazon implements the class CognitoCachingCredentialsProvider. This class was created for a type of authentication, but this authentication is very insecure: it uses a context to get the package name, plus the identityPoolId and region. With this insecure authentication you can get, put, modify, delete and list buckets and files in all S3. You only need to extract the identityPoolId and create a fake app with the same package name as the original app, and you are ready!
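A client that presents only the identityPoolId and region receives the credentials of the pool's unauthenticated IAM role, so the S3 access it gets is whatever that role's policy allows. The following is an added example, not code from the original post or from the AWS SDK: a small audit that flags get, put, delete and list grants on unscoped S3 resources. The function names and the sample policy are assumptions constructed for illustration.

```python
import fnmatch

# S3 operations matching the post's list: get, put/modify, delete, list.
RISKY_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                 "s3:ListBucket", "s3:ListAllMyBuckets"]

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _is_broad(resource):
    """True when the resource is not pinned to a named bucket."""
    return resource == "*" or resource.startswith("arn:aws:s3:::*")

def audit_unauth_policy(policy):
    """Return sorted (action, resource) pairs that Allow statements grant on
    broad resources. Deny, NotAction, NotResource and Condition are not
    evaluated, so treat the findings as leads to review."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        broad = [r for r in _as_list(stmt.get("Resource")) if _is_broad(r)]
        for action in RISKY_ACTIONS:
            # IAM action names are case-insensitive and may contain * and ?.
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                findings.update((action, r) for r in broad)
    return sorted(findings)

# Constructed sample: policy attached to an identity pool's unauthenticated role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"]},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-public/*"},
    ],
}

if __name__ == "__main__":
    for action, resource in audit_unauth_policy(SAMPLE_POLICY):
        print(f"unauthenticated role allows {action} on {resource}")
```

An empty result for the unauthenticated role means none of the listed S3 operations is granted on an unscoped resource by a plain Allow statement.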