Posts

Showing posts from February 29, 2020

Google Suggesting Android Developers to Encrypt App Data On Device!!

Google has published a blog post recommending that mobile app developers encrypt the data their apps generate on users' devices, especially when they use unprotected external storage that is prone to hijacking. Moreover, considering that there are not many reference frameworks available for this, Google also advised using an easy-to-implement security library available as part of its Jetpack software suite. The open-sourced Jetpack Security (aka JetSec) library lets Android app developers easily read and write encrypted files while following best security practices, including storing cryptographic keys and protecting files that may contain sensitive data, API keys, or OAuth tokens. To give a bit of context, Android offers developers two different ways to save app data. The first one is app-specific storage, also known as internal storage, where the files are stored in a sandboxed folder meant for a specific app's use and inaccessible to other apps on the sa

GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control of it. Yes, that's possible because all versions (9.x/8.x/7.x/6.x) of Apache Tomcat released in the past 13 years have been found vulnerable to a new high-severity (CVSS 9.8) 'file read and inclusion bug', which can be exploited in the default configuration. It is even more concerning because several proof-of-concept exploits (1, 2, 3, 4 and more) for this vulnerability have also surfaced on the Internet, making it easy for anyone to hack into publicly accessible vulnerable web servers. Dubbed 'Ghostcat' and tracked as CVE-2020-1938, the flaw could let unauthenticated, remote attackers read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code, or execute arbitrary code if the server allows file upl