DEV Community: TECNO Security

Security Vulnerability in Hidden Parameters: IDOR Attack on Mighty App Payment Page

TECNO Security — Fri, 09 May 2025 08:30:25 +0000

Today, Rashedul from Bangladesh will share an IDOR vulnerability found on the Bxxxxxxx Web App. The impact of that issue was, it prevented victims from running music promotion campaigns that may lead to direct revenue loss of Bxxxxxxx.

Here You’ll see how an IDOR can directly affect business.
● IDOR Overview
● Vulnerability Discovery Process
● Vulnerability Impacts
● Mitigation Steps
● Best Practices for Developers
● Tip for Hackers

As a bonus, He’ll share a tool for the automation of this task for a bigger project/web application.
● About the Burp Suite App Store
● Installation Process
● How the Tool Works
● Configuring the Tool

Click here to know more details: Security Vulnerability in Hidden Parameters: IDOR Attack on Mighty App Payment Page

[Vulnerability Campaign] Protect TECNO devices

TECNO Security — Mon, 21 Apr 2025 06:49:43 +0000

Are you a white hat who is good at finding Android phone security vulnerabilities?

Submit valid critical & high-risk ones, and the reward will be doubled!

Activity time: April 20 to May 31, 2025

Activity Reward: Double bonus for device security vulnerabilities

Submission channel: Submit your reports!

Rule description: Divice rules

Come and challenge us. Your submission may be a big "surprise".

(Ⅱ)【Report Review】2024 OWASP Mobile Top 10 Risks

TECNO Security — Fri, 11 Apr 2025 08:34:19 +0000

In the previous article, (Ⅰ)【Report Review】2024 OWASP Mobile Top 10 Risks, we provided a detailed analysis of the first five security risks: Improper Credential Usage, Inadequate Supply Chain Security, Insecure Authentication/Authorization, Insufficient Input/Output Validation, and Insecure Communication.

Today, let us dive into the remaining five critical security risks: Insufficient Privacy Controls, Inadequate Binary Protections, Misconfiguration Issues, Insecure Data Storage, and Weak Cryptographic Measures. By understanding these risks, we can better protect mobile applications and enhance overall security practices.

Click here to know the details: (Ⅱ)【Report Review】2024 OWASP Mobile Top 10 Risks

(Ⅰ)【Report Review】2024 OWASP Mobile Top 10 Risks

TECNO Security — Thu, 10 Apr 2025 07:49:15 +0000

The rapid expansion of mobile applications has brought about security risks such as data collection violations, malicious data misuse, unlawful data acquisition, and malicious data dissemination. These security risks are prevalent in the current mainstream mobile application systems, posing serious threats to data security and personal information safety.

In 2024, OWASP (Open Web Application Security Project) released the latest version of its top ten security risks report for mobile application systems, marking the first update on mobile application system-related risks since 2016. This update places a particular emphasis on risks related to supply chain security and privacy protection.

The report covers ten major risks in mobile application systems and provides detailed descriptions of security weaknesses, business impacts, risk scenarios, and preventive measures, offering a comprehensive security reference for mobile application developers and security professionals. Let's delve into the relevant risks and protective measures together.

M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication

Click here to know the details: (Ⅰ)【Report Review】2024 OWASP Mobile Top 10 Risks

(Ⅱ) Android Identity Authentication

TECNO Security — Wed, 26 Mar 2025 06:51:57 +0000

In the previous sharing, we learned about some misunderstandings and security risks related to identity authentication and also gained some understanding of blind spots related to Activity identity authentication and Broadcast identity authentication. Click to read the details: "(Ⅰ) Android Identity Authentication: A Cat and Mouse Game between Developers and Hackers"

This article will focus on identity authentication-related topics within applications and system services, while also proposing some effective security practices. These practices aim to help developers resist related security risks during the development process and enhance the security of product services.

5. The "Trap" of Service Identity Authentication

5.1 Cat-and-Mouse Game: How Hackers Attack Services
5.2 Barking Up the Wrong Tree: Authentication on the Client Side
5.3 Carving a Boat to Find a Sword: Authentication in onBind
5.4 Setting Your Own Trap: Misuse of clearCallingIdentity
5.5 Passing Off as Genuine: Package Name Forgery
5.6 Going in the Wrong Direction: Misuse of Authentication APIs
5.7 Self-Destruction: Missing Permissions for Special Interfaces

6. Summary: How to Win in This Cat-and-Mouse Game
① Ensure the authenticity and validity of the counterpart's identity, and beware of identity authentication "illusions" and "blind spots."
② Authenticate all interfaces on the server side, except in special cases.
③ Use system APIs correctly and appropriately, paying attention to special cases.
④ Ensure permission matching in class inheritance relationships.
⑤ Treat all inputs as untrusted; package name verification must ensure the authenticity of inputs.

Click here to know the details: (Ⅱ) Android Identity Authentication: A Game of Cat and Mouse between Developers and "Hackers"

(Ⅰ) Android Identity Authentication: A Game of Cat and Mouse between Developers and "Hackers"

TECNO Security — Mon, 24 Mar 2025 07:11:04 +0000

In Android development, caller identity authentication is like a cat-and-mouse game between developers and "black hats." Developers play the role of the "cat," trying every means to protect the "cheese," while "hackers" are the "mice," constantly searching for vulnerabilities to breach defenses.

A slight oversight can allow the "mice" to slip in silently, steal data, escalate privileges, or even crash the system. This article will explore strategies in this cat-and-mouse game—how to perform reasonable and correct identity authentication. We will start with some real-world cases to help everyone recognize and understand some misconceptions about identity calls, reducing the security risks associated with improper operations and leaving the "mice" with nowhere to hide.

2. Common Hazards: Crises Behind the Defense Line

3. The "Illusion" of Activity Identity Authentication
3.1 Accurate Targeting: Using Reflection on mReferrer to Obtain Caller Package Name
3.2 Accurate Targeting: Using Reflection on getLaunchedFromPackage to Obtain Caller Package Name

4. The "Blind Spot" of Broadcast Identity Authentication

Click here to know more details: https://security.tecno.com/SRC/blogdetail/399?lang=en_US

CVE Exclusive Activity

TECNO Security — Wed, 19 Mar 2025 02:18:39 +0000

On March 19th, 2025, TECNO Security Response Center officially obtained authorization from the CVE program and became the first anniversary of the CVE Numbering Agency (CNA). In this year, we issued 12 CVE vulnerability numbers. Today, let's review these CVE reports together and start our exclusive anniversary activity.

Activity Rewards:
① During the activity, submit valid mobile applications or terminal vulnerabilities of medium risk or higher that meet CVE allocation requirements to receive priority CVE allocation qualification and a CVE Honor Badge.

② During the activity, each researcher can earn additional security points for their first valid report at different risk levels, as follows:
● First valid low-risk vulnerability report: 200 security credits
● First valid medium-risk vulnerability report: 500 security credits
● First valid high-risk vulnerability report: 1000 security credits
● First valid critical vulnerability report: 1800 security credits

Click here to know more about the CVE ID reports and the activity: [CVE Exclusive Activity] Celebrating the first anniversary of TECNO Security Response Center becoming CNA!

[Best of February - M3Di] From Forest to Code: Transformational Security Researcher Growth Notes

TECNO Security — Mon, 17 Mar 2025 06:40:00 +0000

He is from Yunnan, China, and has four years of experience in security bug mining. Over the past two years, he has dedicated himself wholeheartedly to security bug research. He is a security researcher who has successfully transitioned and grown rapidly. His name is M3Di. Today, let's explore his journey in security research together.

Following Your Inner Choice: From Interests to Careers

If we were to describe M3Di's learning and work experience in one sentence, it would probably be 'a fantastic drift from the forest to the firewall.' Why describe it this way? Because his college major was in forestry, primarily focused on the study of forests, but now he hunts for vulnerabilities in the code jungle and has become a white hat hero in the cybersecurity world.

Safeguarding Aafety Achievements: From Persistence To Communication

Accepting Industry Challenges: From Learning to Mastery

Click here to know more about him: [Best of February - M3Di] From Forest to Code: Transformational Security Researcher Growth Notes

Secure Coding Practices for TEE Applications: A Guide for CA and TA Developers

TECNO Security — Mon, 10 Mar 2025 06:12:16 +0000

Trusted Execution Environments (TEEs) have become an essential component in modern secure computing architectures. TEEs provide a isolated and secure area within a device's processor, offering a higher level of security for sensitive operations and data storage. As developers working on Client Applications (CAs) in the normal world and Trusted Applications (TAs) in the secure world, it's crucial to understand and implement robust security practices.

This article aims to guide developers through the intricacies of secure coding for TEE applications, focusing on best practices, common vulnerabilities, and effective mitigation strategies.

Article difficulty: ⭐⭐⭐
Chapter content preview ↓↓↓
2. Secure Coding Practices for Trusted Applications (TAs)
3. Common Vulnerabilities and Mitigation Strategies
4. Testing and Validation
5. Performance Considerations
6. Keeping Up-to-Date
7. Conclusion

Click here to know the details: Secure Coding Practices for TEE Applications: A Guide for CA and TA Developers

【Recognition】Excellent Security Researcher in January 2025 iiiiiinv

TECNO Security — Fri, 21 Feb 2025 03:44:04 +0000

The monthly star of TECNO Security Response Center has been announced! In January, iiiiiinv from China won this honor. We also conducted some simple interviews with him. Below is his security research story. Let's get to know him together!

iiiiiinv is from China and works primarily as a software development engineer. He has been engaged in security research for about a year, dedicating his spare time to exploring security issues and discovering vulnerabilities.

This marks his third month on this platform, and he feels deeply honored to have achieved such recognition so swiftly.

He possesses a wealth of insights and recommendations on security research. If you wish to delve deeper, click to read the original article.

【Recognition】Excellent Security Researcher in January 2025 → iiiiiinv

Beginner’s Guide: Basic Methods for Finding Android Application Vulnerabilities

TECNO Security — Wed, 19 Feb 2025 07:06:53 +0000

Phyo WaThone Win from Myanmar shared with us a guide to common Android application vulnerabilities.

Article type: Bug bounty practice

Article difficulty: ⭐⭐⭐

Chapter content preview ↓↓↓

Summary Introduction
SSL Pinning Bypass using Frida, Objection
Insecure Storage for Sensitive Information
Testing for Insecure Communication
Finding for Hardcoded Information
Testing Insecure Activities, Deep Links
Firebase Database Takeover Addendum: Popular tools name for Android penetration testing

Everyone is welcome to learn and share: Beginner’s Guide: Basic Methods for Finding Android Application Vulnerabilities

"Hacker of the Month" - Find Excellence

TECNO Security — Tue, 11 Feb 2025 09:33:19 +0000

To motivate and express our gratitude for the continuous support of security researchers, we now specially launch the "Hacker of the Month" columns, commending outstanding security researchers every month.

After you submit a security vulnerability report, we will check it and reward you after confirming it is valid. At the same time, we will select the best researcher of each month and give him this special honor and a 500 security credits reward.

Click here to submit the security reports: Submit your reports

Here is the reward detail: "Hacker of the Month" -Find Excellence