Posts

Showing posts from 2016

Understanding Authentication, Authorization, and Encryption

Authentication is an absolutely essential element of a typical security model. It is the process of confirming the identity of a user (or, in some cases, a machine) that is trying to log on or access resources. There are a number of different authentication mechanisms, but all serve this same purpose. Authentication is used by a server when the server needs to know exactly who is accessing its information or site, and by a client when the client needs to know that the server is the system it claims to be. It is very easy to confuse Authentication with Authorization. Authorization is another mechanism to consider where security is concerned: Authentication verifies the user’s identity, while Authorization verifies whether that user has permission to access a resource. We will discuss A...

Protect sensitive information or credentials using Android Keystore

The Android Keystore provides secure, system-level credential storage. With the Keystore, an application creates a new private/public key pair and uses it to encrypt application secrets before saving them in its private storage. We will learn how to use the Android Keystore to create and delete keys, and how to encrypt sensitive user data with those keys. The Keystore system is used by the KeyChain API as well as the Android Keystore provider feature that was introduced in Android 4.3 (API level 18). This document goes over when and how to use the Android Keystore provider. Android has had system-level credential storage since Donut (1.6). Up until ICS (4.0), it was only used by the VPN and WiFi connection services to store private keys and certificates, and no public API was available. ICS introduced a public API and integrated the credential storage with the rest of the OS. Why use the Keystore? ...
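The create/encrypt/decrypt/delete cycle the excerpt describes, as an added example written for this page (it is not code from the original post). It assumes minSdk 23 so that KeyGenParameterSpec is available; the key alias, the SharedPreferences file name and the secret being protected are illustrative. RSA-OAEP is used directly on the secret, which limits it to short values such as a token or a wrapped AES key:

```java
// Added example, not code from the original post. Assumes minSdk 23
// (KeyGenParameterSpec); ALIAS and PREFS are illustrative names.
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;

import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public final class KeystoreSecretBox {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "app_secret_wrap_key";   // assumed alias
    private static final String PREFS = "secure_prefs";          // assumed prefs file
    private static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // RSA-2048 with OAEP/SHA-256 can encrypt at most 256 - 2*32 - 2 = 190 bytes.
    private static final int MAX_PLAINTEXT = 190;
    // Android Keystore uses SHA-1 for MGF1 even with a SHA-256 OAEP digest, so the
    // same explicit parameters are passed on both the encrypt and decrypt side.
    private static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

    private KeystoreSecretBox() {}

    /** Generates the key pair inside the Keystore if it does not exist yet. */
    public static void ensureKeyPair() throws Exception {
        KeyStore ks = loadKeystore();
        if (ks.containsAlias(ALIAS)) return;
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, ANDROID_KEYSTORE);
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(2048)
                // SHA-1 is authorized only for the MGF1 step used by the Keystore.
                .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA1)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .build());
        kpg.generateKeyPair();   // the private key never leaves the Keystore
    }

    /** Encrypts a short secret with the public key and stores it in private prefs. */
    public static void storeSecret(Context ctx, String name, byte[] secret) throws Exception {
        if (secret.length > MAX_PLAINTEXT) {
            throw new IllegalArgumentException("too long for RSA-OAEP; wrap an AES key instead");
        }
        ensureKeyPair();
        PublicKey pub = loadKeystore().getCertificate(ALIAS).getPublicKey();
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, pub, OAEP);
        String blob = Base64.encodeToString(c.doFinal(secret), Base64.NO_WRAP);
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putString(name, blob).apply();
    }

    /** Decrypts a stored secret with the Keystore private key; null if none stored. */
    public static byte[] loadSecret(Context ctx, String name) throws Exception {
        String blob = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).getString(name, null);
        if (blob == null) return null;
        PrivateKey priv = (PrivateKey) loadKeystore().getKey(ALIAS, null);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, priv, OAEP);
        return c.doFinal(Base64.decode(blob, Base64.NO_WRAP));
    }

    /** Deletes the key pair; every secret encrypted under it becomes unrecoverable. */
    public static void deleteKeyPair() throws Exception {
        loadKeystore().deleteEntry(ALIAS);
    }

    private static KeyStore loadKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        return ks;
    }
}
```

The ciphertext in SharedPreferences is only as private as the app sandbox; what the Keystore adds is that the private key cannot be exported, so a copied preferences file cannot be decrypted off the device. Deleting the alias is therefore an effective way to wipe the secrets, and anything longer than 190 bytes should be encrypted with an AES key that is itself wrapped by this RSA key.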

Certificate and Public Key Pinning in Android

Certificate and Public Key Pinning in Android. Nowadays it is easy for an attacker who can obtain a certificate the device trusts (for example by installing a CA certificate on it) to intercept the requests and responses of a secured channel (SSL/TLS). This puts the attacker in the middle of the conversation between a client and a server: they could be just eavesdropping on the conversation or could be changing the data as it moves to the client or server. This kind of attack is known as a “Man in the Middle Attack” (MiTM). You can read more about MiTM attacks here (https://en.wikipedia.org/wiki/Man-in-the-middle_attack). What is Certificate Pinning or Public Key Pinning? Certificate pinning is most often used to address the scenario above, i.e. to keep unwanted eyes from looking into a mobile application’s traffic. Certificate pinning is hardcoding or storing the information for digital certificates/public keys in a mobile application. In mobile application...