Practical OAuth security guide for mobile applications
Cossack Labs Blog
1M ago
Contents: Intro; OAuth: The key points; Approach: Reviewing security of OAuth implementation in mobile app; Understanding app authentication; Intricate workflow behind app-based OAuth login; Handling redirects back to the mobile app; OAuth security improvement with PKCE; CSRF attacks mitigation with “state” parameter; Automation, automation, more automation; Checklist: Security assessment of OAuth implementation; Conclusion

Intro

Security requires managing risks with smart and controllable solutions. This OAuth security guide provides mobile developers and security engineers practical advice for mastering key s ..read more
Security tips on using YubiKey and FIDO U2F
Cossack Labs Blog
4M ago
Designed for securing online accounts, FIDO U2F as a protocol and YubiKey as a hardware tool are not silver bullets. If not used wisely, this powerful combo becomes an attractive target in the hands of skilful attackers. In this post, we will explore some of the hidden pitfalls, typical mistakes, and concerns that system architects and software developers should be aware of when building authentication systems using YubiKeys.

Contents: Why use YubiKey; YubiKeys as MFA: User identification and phishing prevention; Yubikey: Architecture and capabilities; YubiKey: Supported applets; YubiKey: Supported cryptogr ..read more
Flutter application security considerations
Cossack Labs Blog
5M ago
Fast and easy cross-platform application frameworks are promising, yet vulnerable to attacks. Is it possible to make cross-platform mobile application development safe while avoiding security gaps? In this post we will focus on the pros and cons of Flutter, compare it with other approaches to mobile app development, go deep into the platform-specific security risks that developers should be aware of, and finally offer fundamental mobile security recommendations to make your Flutter projects more secure ..read more
Digital wallets security: Overcoming paradoxes and contradictions
Cossack Labs Blog
8M ago
Building secure digital wallets is a challenge when it comes to balancing between convenience and security while fighting threats. How to build a reliable user-friendly product that meets user needs and effectively protects their assets? This blogpost is part of the “Making a fancy digital wallet secure” series. Read the articles How to prevent digital wallet fraud and Exploring security vulnerabilities in NFC digital wallets; stay tuned to read more ..read more
How to prevent digital wallet fraud
Cossack Labs Blog
10M ago
Custodial or non-custodial cryptocurrency wallets, money transfer platforms, or mobile applications — regardless of their forms, digital wallets are expected to provide secure storage of users’ financial assets. Having gained popularity, digital wallets became a target of malicious actors, bringing financial losses and reputational damage to many companies and their users. Yet the system is as strong as its weakest link — and it’s often human behaviour that becomes the first victim to adversaries ..read more
Exploring security vulnerabilities in NFC digital wallets
Cossack Labs Blog
1y ago
In recent years, we have been reviewing and improving the security of small near-field communication (NFC) devices: smart contactless cards, mobile digital wallets, specialised authentication devices, among others. Some of them are used to sign financial transactions, store secrets, activate other hardware in specialised industrial systems, or verify the user’s identity. This time, we’ll explore NFC security issues linked to device storage and communication between mobile / web applications. Such devices are versatile and widely used wherever secrets need to be removed from systems ..read more
Smart contract security audit: tips & tricks
Cossack Labs Blog
1y ago
Smart contracts occupy a separate niche in software development. They are small, immutable, visible to everyone, run on decentralised nodes and, on top of that, transfer user funds. The smart contracts ecosystem is evolving rapidly, obtaining new development tools, practices, and vulnerabilities. The latter often costs a lot, as security weaknesses in smart contracts result in immediate financial losses. That’s why the space of smart contracts security also evolves rapidly ..read more
Transparent data encryption for SQL databases with Acra 0.93
Cossack Labs Blog
1y ago
Recently, we released a new version of the Acra database security suite. Acra allows encrypting sensitive data fully transparently for the app and the database, without any application code changes. In this article, we explain the details of how transparent data encryption works, what actually makes it “transparent”, and which features of the SQL protocol Acra encapsulates under the hood for a comfortable user experience. Acra transparent data encryption is available as part of Acra Community Edition (free on GitHub; check out the ready-to-use engineering examples ..read more
Introduction to automated security testing
Cossack Labs Blog
1y ago
Dangerous security bugs can sit in code until someone finds them and turns them into vulnerabilities that cost peace of mind, budget, or lives. To avoid a disaster, security engineers and DevSecOps engineers do their best to find and prevent weaknesses in software at the earlier stages of development. Separate security testing tools and processes ensure that new commits and builds don’t introduce new security problems or bring back old ones as security regressions ..read more
Implementing End-to-End encryption in Bear App
Cossack Labs Blog
1y ago
Bear with us!

The latest release of the popular note-taking app Bear contains a new feature — end-to-end encryption of user notes. The Cossack Labs team worked closely with the amazing Bear team to help deliver this feature. We are rarely allowed to disclose the details of our custom engineering work, but the Bear team was awesome enough to let us highlight some important aspects of the work done for them ..read more