Azure Cloud Root Keys (Insecure Storage) – Responsible Disclosure

Back in February I found an Android application used by the emergency services that had exposed Azure API keys within the application, leading to potential compromise of sensitive incident reports, attachments, and infrastructure server “.vhd” files, with the access level to spin up new instances or delete them. I immediately reported this to the application developer and its respective organisation under responsible disclosure, which resulted in an instant and prompt response, which I give huge kudos for.

OWASP Defines this class of vulnerability as “Insecure Data Storage”:

Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device’s filesystem and subsequent sensitive information in data-stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Rooting or jailbreaking a mobile device circumvents any encryption protections. When data is not protected properly, specialized tools are all that is needed to view application data [1].
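The finding above is exactly what a quick pass over a decoded APK is meant to catch: Azure storage credentials sitting in resources or compiled classes. The following scanner is an added example, not code from the original post or from the application concerned. It matches the three shapes an Azure storage secret usually takes (a full connection string, a bare 88-character base64 account key, and a SAS URL carrying sv= and sig=), runs over a constructed sample of strings.xml and decompiled Java text, and only ever reports a redacted prefix so the report itself does not become a second leak. Account names, hosts, the SAS signature and the keys in the sample are invented.

```python
import base64
import re
from typing import Dict, List

# Constructed sample of the kind of text pulled from a decoded APK
# (res/values/strings.xml plus a decompiled class). The account name,
# host and SAS signature are invented; each key is 64 dummy bytes
# base64-encoded, which gives the 88-character shape of a real
# Azure storage account key.
DUMMY_KEY = base64.b64encode(bytes(range(64))).decode()
DUMMY_KEY_2 = base64.b64encode(bytes(range(64, 128))).decode()
SAMPLE_APK_TEXT = f"""
<string name="app_name">IncidentReporter</string>
<string name="storage_conn">DefaultEndpointsProtocol=https;AccountName=contosoincidents;AccountKey={DUMMY_KEY};EndpointSuffix=core.windows.net</string>
<string name="vhd_sas">https://contosoincidents.blob.core.windows.net/vhds?sv=2015-04-05&amp;ss=b&amp;srt=co&amp;sp=rwdl&amp;se=2030-01-01T00:00:00Z&amp;sig=ZmFrZXNpZw%3D%3D</string>
private static final String FEATURE_FLAG = "not-a-secret";
private static final String LEGACY_KEY = "{DUMMY_KEY_2}";
"""

# Full connection string: the account name and the key are captured so the
# finding can say which account is exposed.
CONN_RE = re.compile(
    r"DefaultEndpointsProtocol=https?;AccountName=(?P<account>[a-z0-9]{3,24});"
    r"AccountKey=(?P<key>[A-Za-z0-9+/]{86}==)"
)
# Bare account key: 86 base64 characters plus "==" padding, not embedded in a
# longer base64 run (that would be some other blob, not a key).
BARE_KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==(?![A-Za-z0-9+/=])")
# SAS URL on a storage endpoint; "&" may appear as "&amp;" in decoded XML,
# so the query string is matched loosely up to the sig= parameter.
SAS_RE = re.compile(
    r"https://(?P<account>[a-z0-9]{3,24})\.(?:blob|file|queue|table)\.core\.windows\.net/"
    r"[^\s<\"']*?\bsig=(?P<sig>[A-Za-z0-9%+/=]+)"
)


def redact(secret: str) -> str:
    """Keep enough of a secret to confirm the finding, never the whole value."""
    return secret[:4] + "*" * 8


def scan_for_azure_secrets(text: str) -> List[Dict[str, str]]:
    """Return one finding per Azure storage credential found in `text`."""
    findings: List[Dict[str, str]] = []
    covered = []  # spans of keys already reported inside connection strings

    for m in CONN_RE.finditer(text):
        covered.append(m.span("key"))
        findings.append({"kind": "connection_string",
                         "account": m.group("account"),
                         "evidence": redact(m.group("key"))})

    for m in BARE_KEY_RE.finditer(text):
        if any(start <= m.start() < end for start, end in covered):
            continue  # same key, already reported as part of a connection string
        findings.append({"kind": "account_key",
                         "account": "",  # a bare key does not name its account
                         "evidence": redact(m.group(0))})

    for m in SAS_RE.finditer(text):
        if "sv=" not in m.group(0):
            continue  # sig= without a service version is not a SAS token
        findings.append({"kind": "sas_token",
                         "account": m.group("account"),
                         "evidence": redact(m.group("sig"))})
    return findings


if __name__ == "__main__":
    # Usage on a real target (assumed workflow): decode the APK with apktool,
    # then feed each file under the output directory to scan_for_azure_secrets.
    for finding in scan_for_azure_secrets(SAMPLE_APK_TEXT):
        print(finding)
```

The redaction is deliberate: a report that quotes the full key is itself sensitive data, so the evidence field carries only enough to let the developer locate the string. Rotating the key is still the fix; anything shipped in the APK has to be treated as already public.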


MASPTv2 – Mobile Application Security and Penetration Testing Course

So about three weeks ago I won an “Elite” edition of the new mobile penetration testing course from eLearnSecurity by watching their webinar and being randomly selected. I’m really excited about this course and have been getting started now that it’s been released. I really did not expect to win either!


This really helps on a student budget, and it will be relevant to the mobile development module at Abertay University next semester. I’ll be posting a review once I finish and pass the course. However, so far the course looks pretty solid, with plenty of videos, slides and virtual labs with real-world vulnerable applications.

Having completed eCPPT from eLearnSecurity in 2014, I know for sure that this would be another excellent course.

Will keep the blog up to date with more information, stay tuned!