Paulo Renato

Paulo Renato @exadra37

About: I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io. Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.

Location: Scotland
Joined: Jul 30, 2017

Articles by Paulo Renato (27 total)

Ask me Anything About Certificate Pinning

I am Paulo Renato, a Developer Advocate for Mobile and API Security and author of a series of articles on Mobile and API security.

Learn More · 0 · 2 · Mar 7 '23

Approov Serverless Reverse Proxy in the AWS API Gateway

Rather than securing an API key, wouldn’t it be better not to have it in the app or at least to make sure that if it is extracted then it can’t be used?

Learn More · 4 · 0 · Sep 23 '20

Using a Reverse Proxy to Protect Third Party APIs

Don't access third-party APIs directly from a mobile app. Learn how to do it securely with a reverse proxy between the mobile app and the third-party APIs.

Learn More · 12 · 0 · Jun 26 '20

How to Protect Against Certificate Pinning Bypassing

"Bypassing certificate pinning is easier than many people think. This article describes how to defend your mobile business against such attacks."

Learn More · 8 · 0 · Feb 6 '20

Bypassing Certificate Pinning

Learn how to repackage a mobile app in order to make it trust custom SSL certificates. This will enable us to bypass certificate pinning.

Learn More · 11 · 0 · Jan 8 '20

Securing HTTPS with Certificate Pinning on Android

Learn what certificate pinning is, when to use it, how to implement it in Android, and how it can prevent a MitM attack.

Learn More · 15 · 0 · Dec 20 '19

Steal That Api Key With A Man In The Middle Attack

Learn how to set up and run a MitM attack to intercept HTTPS traffic on a mobile device under your control, so that you can steal that API key. Finally, you will see at a high level how MitM attacks can be mitigated.

Learn More · 50 · 2 · Dec 4 '19

Google and Samsung Fix Android Flaw that Allowed to Hijack your Camera and Audio to Spy on You

Flaw in Android allows apps to capture video and audio without requiring the necessary permissions.

Learn More · 6 · 0 · Nov 20 '19

Bypassing GitHub's OAuth flow

Abusing an HTTP HEAD request to bypass GitHub's OAuth flow.

Learn More · 13 · 0 · Nov 14 '19

How to Extract an API Key from a Mobile App by Static Binary Analysis

Discover how easy it is to grab an API key by reverse engineering the binary of a mobile app with an open source tool, even for non-developers.

Learn More · 14 · 2 · Nov 4 '19

Hackers are using a bug in PHP7 to remotely hijack web servers

A recently patched remote code execution bug in PHP7 lets hackers hijack websites running on some NGINX and php-fpm configurations.

Learn More · 13 · 0 · Oct 28 '19

Why Does Your Mobile App Need An Api Key?

The lesson to be learned here is that releasing a mobile app without a way of identifying itself to the API server is like leaving your car with the doors closed but not locked, and the keys in the ignition.

Learn More · 11 · 2 · Oct 22 '19

I am a Developer Advocate for Security in Mobile Apps and APIs, Ask Me Anything

Have a question about Mobile API Security? Try me!

Learn More · 11 · 26 · Oct 16 '19

Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted

The vulnerability in question is a sudo security policy bypass that could allow a malicious user or program to execute arbitrary commands as root on a targeted Linux system, even when the sudoers configuration explicitly disallows root access.

Learn More · 8 · 1 · Oct 15 '19

Millions of Phones Leaking Information Via Tor

Researchers claim 30% of all Android devices, and 5% of iOS devices, are transmitting data that could be used to track and profile users.

Learn More · 8 · 0 · Oct 11 '19

Vulnerable Twitter API Leaves Tens of Thousands of iOS Apps Open to Attacks

Millions of iOS users could be vulnerable to man-in-the-middle attacks that trace back to flawed Twitter code used in popular iPhone apps.

Learn More · 6 · 0 · Oct 8 '19

This huge Android trojan malware campaign was discovered after the gang behind it made basic security mistakes

Cyber attackers infected 800,000 users with banking information stealing malware – but mistakes have allowed researchers to look behind the scenes of a successful hacking campaign.

Learn More · 7 · 5 · Oct 7 '19

The Top 6 Mobile API Protection Techniques - Are They Enough?

Using techniques like HTTPS, API keys, User Agents, CAPTCHAs, IP blocking and rate limiting, user authentication and access tokens may seem more than enough to protect an API, but we will see how they are not enough to stop the API from being abused by bots, hackers or just users with bad intentions.

Learn More · 41 · 0 · Oct 7 '19

Attackers exploit 0day vulnerability that gives full control of Android phones

Phones vulnerable to the zero-day include 4 Pixel models and devices from Samsung, Motorola, and others.

Learn More · 6 · 2 · Oct 4 '19

The iOS Checkm8 jailbreak is hugely significant, but not for you

A hacker has revealed an iOS exploit that's unpatchable and could impact millions of iOS devices. But, it's 2019. A jailbreak is only really useful for security researchers. Do you agree?

Learn More · 5 · 0 · Oct 3 '19

Is your Mobile App Leaking Secrets?

With the increasing use of mobile apps, APIs became popular, and mobile app secrets became the way to access those APIs. Putting secrets in the source code of mobile apps is a huge cause for concern in terms of security, because they can be extracted and reused for unauthorized API access.

Learn More · 15 · 4 · Oct 2 '19

Android Devices Being Shipped with TCP Port 5555 Enabled

Some mobile devices are shipped from the factory with ADB enabled. Is yours one of them?

Learn More · 11 · 3 · Oct 2 '18

Browser Based Cyber Threats

Is your browser hacking you? It may be easier than you think!

Learn More · 13 · 3 · Sep 28 '18

Containers Under Attack

Learn More · 20 · 9 · Sep 26 '18

Do you know that DNS queries do not protect your privacy?

Even when using a VPN, like OpenVPN, you can have DNS leaks that will allow, for example, your ISP to know what you are doing.

Learn More · 13 · 1 · Sep 25 '18

Raising security awareness with a CTF competition... have you already participated in one, and how was it?

"CTF or Capture the Flag is a competition aimed to raise awareness around security in an organization of any size."

Learn More · 7 · 0 · Sep 21 '18

Revenge Hacking Is Hitting the Big Time

Companies are hacking back against cybercriminals to try to prevent—or at least limit the damage of—Equifax-style disasters. One problem: It’s not all that legal.

Learn More · 29 · 4 · Sep 19 '18