As someone who has spent years working in the mobile app security space, my two favorite Windows tools are 7-zip and Notepad++. It’s amazing what you can learn about a mobile app using a zip utility and a text editor. Every .ipa file you download from iTunes and every .apk file you download from Google Play is just a zip file by another name. When you unzip one of these apps and start examining the contents with your text editor, you can learn a lot about how the app was put together, including some of the security tricks used by the developers.

In the Dropbox app / zip file, you’ll find a folder named assets. In the assets folder, you’ll find a subfolder named js (JavaScript?), and in that folder you’ll find a single file named pw.html. If you’ve worked in infosec for more than 3 minutes, those two letters (pw) should instantly trigger one word in your mind: password. If you open that HTML file, you’ll find an elegant bit of JavaScript that’s all of 52 lines long. The purpose of that script? To make sure that Dropbox users who are registering their accounts from within the mobile app choose a strong password. (Seriously, I want to give Dropbox props for enforcing this control. I’ve used mobile and web apps that allow for single-character passwords, which is a blatant disregard for the security of the users and of any data they might store in the app.)

I have a hunch that Dropbox may have started paying a little more attention to enforcing password security after their 2014 security incident. Whatever the reason, I’m glad to see them doing it. Not only has Dropbox implemented a script to enforce strong passwords for their users, but THEY’VE PUBLISHED THE CODE ON GITHUB SO OTHER MOBILE DEVELOPERS CAN USE IT.

UPDATE: Luigi Rosa pointed out that the JavaScript is a compiled version of zxcvbn, a Dropbox project on GitHub meant to serve as a “realistic password strength estimator.”
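The unzip-and-inspect routine described above, as an added example that is not code from the original post: a short Python script that opens an .apk/.ipa-style archive with the standard library, lists the entries a reviewer would read in a text editor, and searches them for a pattern. The package it builds (and its pw.html) is constructed sample data, not the real Dropbox build.

```python
"""List and search the text assets bundled in a mobile app package.

An .apk or .ipa is a zip archive, so the zipfile module can read it
directly. The package built here is a constructed sample for the demo.
"""
import io
import re
import zipfile

# Entry types a reviewer opens directly in a text editor.
TEXT_SUFFIXES = (".html", ".js", ".json", ".xml", ".txt", ".properties")


def build_sample_package() -> bytes:
    """Construct a minimal APK-shaped zip (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.app'/>")
        zf.writestr("classes.dex", b"dex\n" + b"\x00" * 16)  # binary, skipped
        zf.writestr("assets/js/pw.html",
                    "<script>function pwStrength(pw){return pw.length>=8;}</script>")
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return buf.getvalue()


def text_assets(package: bytes) -> list[str]:
    """Return the archive entries a reviewer can read as plain text."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.lower().endswith(TEXT_SUFFIXES))


def grep_package(package: bytes, pattern: str) -> dict[str, list[str]]:
    """Map each text asset to its lines matching a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in text_assets(package):
            # errors="replace" keeps the scan going on unexpected encodings
            text = zf.read(name).decode("utf-8", errors="replace")
            matches = [ln for ln in text.splitlines() if rx.search(ln)]
            if matches:
                hits[name] = matches
    return hits


if __name__ == "__main__":
    pkg = build_sample_package()
    print(text_assets(pkg))
    for name, lines in grep_package(pkg, r"\bpw\b|password").items():
        print(name, lines)
```

Point the same two functions at a real .apk or .ipa read from disk to get the inventory the post describes without unpacking anything to a folder.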