security

问题 I have a pre-existing iOS & Android app, that I'm making an update for that includes a RESTful services API and Facebook login for user authentication. The general flow of the app is: Users "logs in" to my app, via Facebook's SDKs, which return an access token to my app. App calls a RESTful service, including the Facebook access token as a parameter (using HTTPS and SSL) Service that is called, sends the received access token (and app secret stored only on my servers) to Facebook to verify

问题 I'm working on a C++ application which is keeping some user secret keys in the RAM. This secret keys are highly sensitive & I must minimize risk of any kind of attack against them. I'm using a character array to store these keys, I've read some contents about storing variables in CPU registers or even CPU cache (i.e using C++ register keyword), but seems there is not a guaranteed way to force application to store some of it's variables outside of RAM (I mean in CPU registers or cache). Can

问题 The recently exposed security vulnerabilities regarding serialization in .NET have ambiguous recommendations. What is the correct way to securely use JSON.NET? Detailed guidance for JSON.NET: https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf#page=5 Should TypeNameHandling.All be used or should TypeNameHandling.None be used? General Explanation: https://www.bleepingcomputer.com/news/security/severe-deserialization-issues-also-affect-net-not-just-java/

问题 I'm working on a C++ application which is keeping some user secret keys in the RAM. This secret keys are highly sensitive & I must minimize risk of any kind of attack against them. I'm using a character array to store these keys, I've read some contents about storing variables in CPU registers or even CPU cache (i.e using C++ register keyword), but seems there is not a guaranteed way to force application to store some of it's variables outside of RAM (I mean in CPU registers or cache). Can

问题 I am currently using a client-side React component to have a user login to Facebook via OAuth in my application. On the server-side, I use the npm package passport-facebook-token to validate the authenticity of the accessToken after a successful client-side login. One practice I do not see often is in addition to asking Facebook if the accessToken is valid, shouldn't the server also check if the email provided by the client's payload matches the e-mail coming back from Facebook? Allow me to

问题 I am currently using a client-side React component to have a user login to Facebook via OAuth in my application. On the server-side, I use the npm package passport-facebook-token to validate the authenticity of the accessToken after a successful client-side login. One practice I do not see often is in addition to asking Facebook if the accessToken is valid, shouldn't the server also check if the email provided by the client's payload matches the e-mail coming back from Facebook? Allow me to

问题 I just read this article http://android-developers.blogspot.in/2013/02/using-cryptography-to-store-credentials.html where I learnt to generate security key. I want to know how to save this generated key securely so hackers wont get this even phone is rooted. If we save this SharedPreference , Storage then hacker can get this. Thanks. 回答1: This is the overall problem with keeping access to the sensitive data. There is always a way to decrypt, then the encryption key might leak. You might use

问题 I am looking to implement web (angular) and iPhone apps using WebSockets to communicate with our server. In the past using HTTP requests we have used hashes using the request data, url, timestamp etc to authenticate and secure the requests. As far as I am aware we can't send headers with WebSockets requests therefore I am wondering how I can secure each request. Does anyone have any ideas or good practices? 回答1: Having secure communication with server includes authenticating both parties to

问题 Does anybody have a link to a documentation what exactly is randomized in what cases for latest Mac OS (10.7) and iOS (6.0)? I mean. I want to see a list (something like) Code segment (in a case A,B,C) Stack (always) Heap Data segment (never) Preferably with how many bits of randomization each thing has. All I can find is something like: "MacOS Lion implements full ASLR" and in other places "full ASLR is implemented different ways for different operation systems", which is obviously not very

问题 Does anybody have a link to a documentation what exactly is randomized in what cases for latest Mac OS (10.7) and iOS (6.0)? I mean. I want to see a list (something like) Code segment (in a case A,B,C) Stack (always) Heap Data segment (never) Preferably with how many bits of randomization each thing has. All I can find is something like: "MacOS Lion implements full ASLR" and in other places "full ASLR is implemented different ways for different operation systems", which is obviously not very