PayPal’s Help Center - Technical Support post shows how Passkeys work on its platform and how users can add new security devices, this covers both iOS and Android but also desktop systems too. It also goes into more detail on what to do when you’ve lost your device, and much more. TL;DR: As of 26th May 2023, PayPal only supports external security “Passkeys” keys (such as Yubikeys) for two-factor authentication. Passkeys on mobile devices like iOS or Android still do NOT work, even though you can register one....

This is a short blog post on how you can get root access on a Android 12 emulated device with Google services, using a tool (script) called rootAVD by newbit1. I also share a few recommendations which are helpful during mobile analysis. Android Studio For mobile analysis I generally use my Google Pixel 3a device. However, sometimes I will try to avoid it if I can, especially when I’m only curious about an app’s network traffic or API endpoints....

In this post I will go into technical details on what attackers could do with the stolen encrypted vaults, specifically how they could use tools like Hashcat to crack vault passwords and get access to sensitive log-in credentials. To simulate the stolen data, I will use my test Lastpass account to extract an encrypted vault from the Chrome Browser extension on macOS. Following this, I will use a wordlist attack to bruteforce the vault which has a weak and guessiable password....

A short blog on how to bypass certificate pinning on the ProtonVPN macOS app using Proxyman and Frida. ProtonVPN is a VPN service operated by the Swiss company Proton AG. The service features a cilent application that users can install on various platforms, such as Android TV and Chromebook. I’ve personally had a proton email account for a quite a while now, but never really looked into the VPN service. I was mainly curious at how the macOS app communicates with the backend, and what API end-points it talks to....

In this post I will be comparing root detection features on 24 UK mobile banking apps using the latest version of Magisk (v24.3) on a Google Pixel 3a. You can head straight to the comparisons table if you want to see the results. Test Device The device used was a Google Pixel 3a running Android 10. It had been rooted using the latest version of Magisk which was v24.3 (at the time of writing)....