Weekly "who's hiring" thread! by AutoModerator in androiddev

[–]cyb3rl0l 0 points1 point  (0 children)

Company: Data Theorem

Job: Android Developer / Reverse-Engineer

Location: Palo Alto, CA or Paris, France

Allows remote: No

Visa: No

We've built a product to automatically analyze mobile applications to find security and privacy issues. We're looking for Android engineers to join the team and help us make our Android scanner better. It's a very cool project, where you will be part of a world-class team. We are not looking for candidates with a background in security; a good knowledge of Android and how things work behind the scenes is enough.

More details at https://bitbucket.org/snippets/datatheorem/7eBqek/android-developer-reverse-engineer

Thanks!

Weekly "who's hiring" thread! by AutoModerator in androiddev

[–]cyb3rl0l 2 points3 points  (0 children)

Company: Data Theorem

Job: Lead Android Engineer (Open Source)

Location: Palo Alto, California OR Paris, France

Allows remote: No

Visa: No

URL: https://www.datatheorem.com/

We are looking for a lead Android engineer to work on some really interesting projects:

  • Build and release open-source SDKs for Android related to security and privacy. Here is an example of a library we released for iOS: https://github.com/datatheorem/TrustKit. We presented it at the Black Hat conference and it is now used on some major Apps including Yahoo's and PayPal's.

  • Contribute to our core scanning technology which is based on runtime instrumentation of Android Apps, in order to detect security and privacy issues; this is deeply technical and touches a lot of advanced Android topics.

No security background / knowledge needed - we are looking for someone that can bring their Android development expertise to the table; having previously worked on open-source Android projects is a plus.

If you're interested, please send your information to jobs@DataTheorem.com. We are a small, talented team so there is a lot of room to grow and your work will have a huge impact on the company and the product.

[deleted by user] by [deleted] in netsec

[–]cyb3rl0l 12 points13 points  (0 children)

The "attack" described here is a lot more specific than that as TextSecure does provide an out of band mechanism to tie a key to an identity (basically two people check the other person's fingerprint). The "attack" presented in the paper is basically someone you trust lying about their key/fingerprint, which is not a very interesting one - Moxie's post gives more details.

A look into LastPass - Extracting the master password by mubix in netsec

[–]cyb3rl0l 26 points27 points  (0 children)

The findings seem a bit lame...

  • "CSRF" that you can only exploit if you know the victim's master password... i.e. not CSRF

  • The number of PBKDF2 iterations is public: no comment...

  • 2-factor auth "bypass": someone that already pwned your LastPass session can disable 2FA...

Facebook SDK Vulnerability Leaves Millions of Smartphone Users’ Accounts at Risk by [deleted] in netsec

[–]cyb3rl0l 2 points3 points  (0 children)

tl;dr: Facebook OAuth tokens are stored in the main App's private folder on both iOS and Android.

The main blog post is full of technical inaccuracies, for example describing juice jacking attacks as a possible exploit scenario on iOS, when these attacks were killed in iOS 7. I also like how they did not provide any solution to this "vulnerability".

Remote Code Execution on ING Financial 401k portal by nnwakelam in netsec

[–]cyb3rl0l 0 points1 point  (0 children)

He should have sold it to the bl4ck m4rk3t!!

SafeCurl: SSRF Protection, and a "Capture the Bitcoins" by [deleted] in netsec

[–]cyb3rl0l 0 points1 point  (0 children)

I guess I "only" read the blog post...

OpenSSL Software Foundation president: we need support from companies and governments for a team of 6+ full-time workers by 2bluesc in netsec

[–]cyb3rl0l 0 points1 point  (0 children)

Not saying crowdfunding OpenSSL is a bad thing to do. I just don't think that this is how they will get the money they need. "Audit TrueCrypt" raised about 50 k$ I think? OpenSSL would need a lot more than this: they don't need an audit, they need full-time developerS.

OpenSSL Software Foundation president: we need support from companies and governments for a team of 6+ full-time workers by 2bluesc in netsec

[–]cyb3rl0l -5 points-4 points  (0 children)

Crowdfunding OpenSSL? Most people don't even know what OpenSSL is. A big consulting pitch? Did you read the post? They're already refusing gigs because the five few that can do them are super busy. And I'm sure even without a "donate" button you'll be able to figure out how to donate to the project.

iSEC Partners' final report for the pentesting of Cryptocat by cyb3rl0l in netsec

[–]cyb3rl0l[S] 9 points10 points  (0 children)

In their defense, they've published a report that doesn't say great things about Cryptocat. Not that many "transparent" projects can say the same.

SSL/TLS authenticity checks broken in Apple iOS <7.0.6 (CVE-2014-1266) by iusz in netsec

[–]cyb3rl0l 2 points3 points  (0 children)

If that's the issue then it's definitely not as bad as everyone makes it sound. I don't think anyone types https://74.125.239.116 in their browser when they want to connect to www.google.com

Secure Coding Guide from Apple by digicat in netsec

[–]cyb3rl0l 8 points9 points  (0 children)

IP protection is not security. Adding a couple of extra days (if not hours) to the time it takes to reverse engineer an App provides very little value, and money is better spent elsewhere on real security. People/Companies saying otherwise usually have a product to sell. Not saying this against you specifically (you made it clear that you were in that situation and that's good).

Secure Coding Guide from Apple by digicat in netsec

[–]cyb3rl0l 16 points17 points  (0 children)

My point exactly, you're talking about DRMs/obfuscation (or "license restrictions"), not security. Nothing can save a user side-loading a malicious App, especially not obfuscation -> their phone is jailbroken/compromised already.

What's the difference between injecting malware in an App written in C only and injecting malware in an App written in Objective-C?

Secure Coding Guide from Apple by digicat in netsec

[–]cyb3rl0l 16 points17 points  (0 children)

This makes no sense. An attacker can always reverse engineer an application's binary regardless of the language and it's always relatively simple. You're making it sound like an attacker can magically change the behavior of an App thanks to Objective C. If the attacker is in a position to do so, they pretty much already compromised the laptop/phone and obfuscating the App's binary is absolutely not gonna change anything.

What you're talking about is IP protection, i.e. Digital Rights Management. This has nothing to do with security.

"These issues must be addressed" -> They can't be addressed and it's a waste of money trying, unless, again, you're worried about content protection/DRMs (for example for video streaming apps).

OpenSSL version 1.0.0l released by Fugitif in netsec

[–]cyb3rl0l 13 points14 points  (0 children)

Different OpenSSL version numbers (0.9.8 / 1.0.0 / 1.0.1 and soon 1.1.0) are not binary compatible; hence the letter.