AppSec
Mobile app development frameworks: a security guide
Native apps, React-Native, Flutter, Xamarin, or HTML/CSS/JS inside a WebView? If you're looking for a mobile development framework that is ideal from a security perspective, search no more. It does not exist; each framework has its pros and cons.
But. You can find the best fit for your app by researching potential threats it has to mitigate and mapping these findings onto the specifics of mobile development frameworks. Vladimir Ivanov has put together a nice comparison of their security strengths and weaknesses, allowing you to skip the research phase and get right to the answers.
P.S. Psst, delve deeper into React-Native app security here.
Cryptography
Go 1.20 cryptography
Get ready for Go 1.20, scheduled for February 2023. Among other things, it adds a new crypto/ecdh package that provides direct support for Elliptic Curve Diffie-Hellman key exchange over the NIST curves and Curve25519. Filippo Valsorda walks through the release's improvements that make code more maintainable and secure in the long run.
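A short worked example of the new API, added here and not taken from Filippo's post or the Go project: two parties run an ECDH agreement with crypto/ecdh, exchange only the serialised public keys, and derive the same shared secret on both X25519 and P-256. It also exercises the edge case the package now handles for the caller: an all-zero X25519 public key is a low-order point, and ECDH refuses to return the resulting all-zero secret. The code assumes Go 1.20 or newer; the function names and the "Alice/Bob" framing are this example's own.

```go
// Added example: ECDH key agreement with Go 1.20's crypto/ecdh.
// Assumes Go 1.20 or newer. Not code from the linked article.
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Exchange runs one ECDH agreement between two parties on the given curve.
// Each side generates an ephemeral key pair and serialises its public key
// with Bytes(); the peer parses it back with curve.NewPublicKey, which is
// where the encoding is validated (for the NIST curves this includes the
// on-curve check). Both derived secrets are returned so the caller can
// confirm that they agree.
func Exchange(curve ecdh.Curve) (aliceShared, bobShared []byte, err error) {
	alicePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bobPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}

	// What actually travels over the wire: the raw public key encodings.
	aliceWire := alicePriv.PublicKey().Bytes()
	bobWire := bobPriv.PublicKey().Bytes()

	// Each side parses the peer's encoding; malformed input is rejected here.
	bobPubAtAlice, err := curve.NewPublicKey(bobWire)
	if err != nil {
		return nil, nil, fmt.Errorf("alice: bad peer key: %w", err)
	}
	alicePubAtBob, err := curve.NewPublicKey(aliceWire)
	if err != nil {
		return nil, nil, fmt.Errorf("bob: bad peer key: %w", err)
	}

	aliceShared, err = alicePriv.ECDH(bobPubAtAlice)
	if err != nil {
		return nil, nil, err
	}
	bobShared, err = bobPriv.ECDH(alicePubAtBob)
	if err != nil {
		return nil, nil, err
	}
	return aliceShared, bobShared, nil
}

// SecretsAgree reports whether both parties derived the same shared secret.
func SecretsAgree(curve ecdh.Curve) bool {
	a, b, err := Exchange(curve)
	return err == nil && bytes.Equal(a, b)
}

// LowOrderX25519Rejected demonstrates the edge case a caller no longer has
// to handle by hand: the all-zero X25519 public key is a low-order point,
// so the scalar multiplication yields an all-zero secret, and crypto/ecdh
// returns an error instead of handing that secret back.
func LowOrderX25519Rejected() bool {
	curve := ecdh.X25519()
	priv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false
	}
	// X25519 public keys are plain 32-byte field elements, so parsing
	// succeeds; the low-order check happens inside ECDH itself.
	zeroPub, err := curve.NewPublicKey(make([]byte, 32))
	if err != nil {
		return false
	}
	_, err = priv.ECDH(zeroPub)
	return err != nil
}

func main() {
	for _, curve := range []ecdh.Curve{ecdh.X25519(), ecdh.P256()} {
		a, b, err := Exchange(curve)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%v: agree=%t secret=%s\n", curve, bytes.Equal(a, b), hex.EncodeToString(a))
	}
	fmt.Println("low-order X25519 point rejected:", LowOrderX25519Rejected())
}
```

The shared secret returned by ECDH is the raw curve output (32 bytes for both X25519 and P-256); in a real protocol it is fed into a KDF rather than used directly as a key.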
Specialized Zero-Knowledge Proof failures
Zero-knowledge (ZK) proofs allow proving something about a piece of information without revealing the secret itself. However, if ZKP code contains bugs, this can cause serious problems. Trail of Bits reveals flaws in special-purpose ZKP code that could cause popular blockchain systems to accept invalid proofs of impossible statements.
SSDLC
There is no secure software supply-chain
Year after year, dependencies become more interlinked, resulting in compromises in the secure software supply chain. John McBride believes that open-source software is entitled to a lifecycle and that no project is required to live forever. But what would you say if the maintainers of a popular open-source framework simply archived it?
Vulnerabilities
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
Let's take a look at vulnerabilities affecting the automotive industry. Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, Ferrari, Spireon, Ford, Reviver, Porsche, Toyota, Jaguar, Land Rover, SiriusXM Connected Vehicle Services: pick any name to be surprised by findings in the security of telematics systems, automotive APIs, and the infrastructure that supports them. Who would have thought it was all sooo vulnerable...
Turning Google smart speakers into wiretaps for $100k
Google Home has control over your smart home devices and a microphone, and until recently it allowed an attacker within wireless proximity to install a "backdoor" account on the device, letting them make arbitrary HTTP requests within the victim's LAN. Read how Matt Kunze noticed seemingly obvious security flaws (and received $107,500 from Google for responsibly disclosing them).