Recently I struggled to find a way to download an Android APK file to a PC. After a quick search, someone mentioned plugins for Chrome and Firefox, but unfortunately neither of them worked for me.

So I went back to the old way of using adb. Here is the procedure.

1. Connect your Android device to your PC.

2. Enable USB debugging on your Android device.

3. Run "adb shell pm list packages" to find the package name of your app. For example, in my case, the package name for YouTube is:

>adb shell pm list packages
package:com.google.android.youtube

4. Run "adb shell pm path <packageName>" to find the full path of the package. Again with the YouTube APK as the example:

>adb shell pm path com.google.android.youtube
package:/data/app/com.google.android.youtube-2/base.apk

5. Finally, run "adb pull <fullPath>" to copy the APK file to the local PC.

>adb pull /data/app/com.google.android.youtube-2/base.apk
[100%] /data/app/com.google.android.youtube-2/base.apk

After copying the APK file to your PC, you can check its details with aapt, e.g. "aapt dump badging apkName", or just compute its hash with something like "certutil -hashfile <app file name> sha256".
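The procedure above as a small script (an added example, not part of the original post): it parses the "package:" lines that pm path prints, pulls every listed file and records a SHA-256 for each. It goes a step further than the post in that newer Android versions list split APKs next to base.apk, and all of them are pulled. The sample pm path output is constructed; pull_package_apks assumes adb is on PATH and a device is connected.

```shell
#!/bin/sh
# Added example (not from the original post): turn the output of
# `adb shell pm path <package>` into a list of on-device APK paths, pull each one,
# and record its SHA-256. Newer Android versions list split APKs (split_*.apk)
# besides base.apk, so every listed file is pulled, not only base.apk.

# Extract the on-device paths from `pm path` output. Works on captured text, so it
# can be checked without a device; strips the CR that `adb shell` adds on Windows.
apk_paths_from_pm_output() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package:\(.*\.apk\)$/\1/p'
}

# Pull every APK of a package into a directory and print "sha256  file" lines.
# Assumes adb is on PATH and a device with USB debugging enabled is connected.
# (On macOS replace sha256sum with `shasum -a 256`.)
pull_package_apks() {           # $1 = package name, $2 = destination directory
    pkg=$1
    dest=${2:-.}
    listing=$(adb shell pm path "$pkg") || return 1
    paths=$(apk_paths_from_pm_output "$listing")
    [ -n "$paths" ] || { echo "no APK listed for $pkg" >&2; return 1; }
    mkdir -p "$dest"
    for p in $paths; do
        adb pull "$p" "$dest/" || return 1
        sha256sum "$dest/$(basename "$p")"
    done
}

# Constructed sample of `pm path` output (not captured from a real device).
SAMPLE_PM_OUTPUT='package:/data/app/com.google.android.youtube-2/base.apk
package:/data/app/com.google.android.youtube-2/split_config.arm64_v8a.apk'

# Usage: pull_package_apks com.google.android.youtube ./apks
apk_paths_from_pm_output "$SAMPLE_PM_OUTPUT"
```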

I have spent several hours installing TomEE and deploying a Java web application. With online resources it is easy to do. But many times I find I waste a lot of time switching from one article to another before I completely understand the content. This time I referenced just a few articles and it worked. For later reference, I am writing down the whole process.

To install Apache TomEE on CentOS, this guide worked very well for me. I could not blog it better than the author (David Ghedini), so I advise you to read the original blog post. The author also explains very well how to configure TomEE to run as a service, so you can start/stop TomEE like the following:

service tomee start

service tomee stop

To deploy a Java web application, this blog is very helpful.

After building a WAR file as follows, simply deploy the WAR file through the Apache TomEE manager page. (The m option of jar is only needed when you supply your own manifest file, and then the manifest file name must follow the WAR name.)

jar cvf nameOfWar.war *

The idea behind transaction signing is that the user digitally "signs" a transaction; if the transaction is altered on its way to the server, the server can detect the alteration by checking the signature.

I think the idea is great, although there are two questions to answer: what data to sign, and what to sign it with?

For example, VASCO provides a visual transaction signing solution, and from their video I can imagine the following scenario.

1. Alice wants to transfer $1000 to Bob, so she inputs the needed information, including the amount and Bob's account number.

2. On the confirmation page, the server shows the details of that transfer and a QR code which is supposedly based on the transfer data.

3. Alice uses her phone to scan the QR code and generates a PIN code.

4. Alice inputs the PIN code into the bank's system to complete the transaction.

In the above scenario, Alice uses her phone to sign the data read from the QR code (although I am not sure what it includes).

Let's look at another example from HSBC; you can also watch a video on YouTube. If you watch the video, you will find how they answer the two questions.

What data to sign: "last 8 digits of account number you wish to transfer funds to" or "last 8 digits of biller reference number"

What to sign with: an online security device (looks like a card)


What is RADIUS? There are many online resources you can use to find the answer. I found this one from Juniper very easy to understand.

To further understand how RADIUS works, I spent several hours installing FreeRADIUS on a CentOS system, itself running as a virtual machine on Windows 8.1. The following is what I did.

1. Install FreeRADIUS on CentOS 6.4. This can be done by following this blog, which also explains the installation of MySQL. One point: edit the config files carefully, and it is better if you know what you are doing.

2. Use radtest to test FreeRADIUS (user, password, server, NAS port, shared secret):

radtest test test 127.0.0.1 0 sharedSecret

3. Download the Apache RADIUS authentication module from freeradius.org. (Because I had not yet installed git on my CentOS, I installed git first.)

sudo yum install git

git clone git://git.freeradius.org/mod_auth_radius.git

4. Use apxs to build and install the Apache RADIUS authentication module.

yum install httpd-devel.x86_64

yum install openssl-devel

apxs -i -a -c mod_auth_radius-2.0.c

5. Change Apache's httpd.conf to define which locations require RADIUS authentication.

<Location /secure/>
AuthType Basic
Order Allow,Deny
Satisfy any
Require valid-user
AuthName "RADIUS authentication"
AuthBasicAuthoritative Off
AuthRadiusAuthoritative on
AuthBasicProvider radius
# Does this cookie REALLY expire the specified number of minutes?
AuthRadiusCookieValid 1
AuthRadiusActive On
</Location>


###Useful commands

To start MySQL server:

service mysqld start

To start, stop or debug the RADIUS server (radiusd -X runs it in the foreground with debug output):

service radiusd restart
service radiusd stop
radiusd -X

As noted in RFC6421, RADIUS security is based on the MD5 algorithm, which is recommended to be replaced by a stronger hash algorithm such as SHA-256. And if you want FreeRADIUS to support RadSec (RADIUS/TLS over TCP, RFC6421), it is said that FreeRADIUS version 3 should be used.

To learn more about risk-based authentication (RBA), I came across Forrester's Risk-Based Authentication Q1 2012 report and found it very useful for getting a better understanding of RBA, especially the vendors, their market presence, etc.

In Forrester's report, the following vendors and their products were evaluated:

CA Technologies / CA RiskMinder (formerly CA Arcot RiskFort)
Entrust / IdentityGuard
Iovation / ReputationManager 360
RSA / Adaptive Authentication
Symantec / VIP Fraud Detection Service
ThreatMetrix / ThreatMetrix Prevention Platform

Some of the mentioned vendors, including CA and Iovation, look satisfied with the conclusion and are using the report as marketing material.

Gartner also published its Magic Quadrant on risk-based authentication.

Here is another report from Gartner which details not only RBA but also user authentication.


1. How to verify that a private key goes with a certificate?

The private key contains a series of numbers. Two of those numbers form the "public key"; the others are part of your private key. The public key bits are also embedded in the certificate. To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers.

  $ openssl x509 -noout -text -in server.crt
  $ openssl rsa -noout -text -in server.key

To avoid comparing the long modulus by eye, print only the modulus of each and hash it; the two hashes must be identical:

  $ openssl x509 -noout -modulus -in server.crt | openssl md5
  $ openssl rsa -noout -modulus -in server.key | openssl md5

As a one-liner:

  $ openssl x509 -noout -modulus -in server.crt | openssl md5; openssl rsa -noout -modulus -in server.key | openssl md5

2. How to calculate the thumbprint or fingerprint of a certificate?

  $ openssl x509 -in cert.pem -noout -fingerprint
  $ openssl x509 -in cert.pem -noout -sha1 -fingerprint

To convert a certificate from DER to PEM:

  $ openssl x509 -in input.crt -inform DER -out output.pem -outform PEM

To view the details of a PEM certificate:

  $ openssl x509 -in mainserver.pem -noout -text

To create a hash of a file:

  $ openssl sha1 filename
  $ openssl md5 filename
  …

To create a private key and a CSR:

  $ openssl genrsa -out private_key.pem 2048
  $ openssl req -new -key private_key.pem -out domainname.csr

To test an SSL connection with a client certificate (-connect takes host:port, not a URL):

  $ openssl s_client -cert usercert.pem -key private.pem -connect www.xxx.xxx:443

To check a server certificate:

  $ openssl s_client -showcerts -connect xxx.xxx.xxx:443
  $ openssl s_client -connect <serverhost>:<port>

To export the private key from a PKCS#12 file:

  $ openssl pkcs12 -in cert.pfx -nocerts -out privateKey.pem

To remove the password from the private key file:

  $ openssl rsa -in privateKey.pem -out private.pem

To dump a binary (DER) file:

  $ openssl asn1parse -inform DER -in testFromSCEPLog.bin > logFromSCEP.bin

To check a PKCS#7 file:

  $ openssl asn1parse -inform der -in renew.cer

I have a signed letter; how can I extract the certificate from it?

On the command line I can use

openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs

but I wonder how to achieve it in a program.

openssl pkcs7 -in pkcsInformation.p7b -print_certs -inform DER

http://qistoph.blogspot.jp/2012/01/manual-verify-pkcs7-signed-data-with.html

Use the verify option to verify certificates:

  $ openssl verify cert.pem


###Solaris###

finger
— display information about logged-in users

shutdown -y -i5 -g0
— shutdown a solaris server

shutdown -y -i6 -g0
— reboot a solaris server

uncompress myTest.tar.Z
— extract tar.Z file

tar cvf myTestFolder.tar myTestFolder
— tar file or folder

tar xfv *.tar
— untar file or folder

find myTestFolder -type f | egrep "\.(htm|html)$" | xargs grep -l "oldString" | xargs perl -p -i -e 's/oldString/newString/g'
— replace oldString with newString in all htm/html files within the myTestFolder folder

gzip -cd XX.tar.gz | tar xfv -
— extract a tar.gz file

ldd my.exe
— print shared library dependencies

netstat -a | grep 80
— check if a port is open (matches any line containing 80, so inspect the output)

du -hs yourfoldername
— check a folder’s size

df -kh
— check total disk size

/usr/dt/bin/dtconfig -d
— disable the CDE desktop login (dtlogin) autostart

bash-3.00$ isainfo -v
64-bit sparcv9 applications
vis2 vis
32-bit sparc applications
vis2 vis v8plus div32 mul32
bash-3.00$ isainfo -kv
64-bit sparcv9 kernel modules

Useful link about Solaris:
http://www.asi.co.jp/techinfo/unix/solaris.html

uname -a
— find out the Solaris version

./apachectl startssl
— start the Apache server with SSL enabled

The list of users is in /etc/passwd on most systems.

###CentOS###

find /. -name httpd
— find file by name

sestatus
— view the current SELinux status

semanage port -l
— view all ports that services are permitted access by SELinux

iptables -F
— flush all existing iptables rules so we start from a clean state before adding new rules


This topic is not new and has been discussed many times by different individuals and vendors. After searching online for a while, I think Jason Geffner's work "Export Non-Exportable RSA Keys" is very comprehensive and easy to understand. In this article, the author not only published sample code to export non-exportable private keys, he also explained clearly how the analysis was done through reverse engineering. I think this is amazing, because it means you could adjust the program to keep it working even if Microsoft changes its CryptoAPI or CNG libraries.

Another very helpful part of Jason Geffner's work is that he also mentions several known approaches and briefly explains the technology behind each one:

With so many similar methods having been implemented, as the author wrote, you should only consider the option to mark keys non-exportable "as a UI feature" that prevents users from accidentally exporting private keys.

From Windows 8 and Windows Server 2012 R2, Microsoft provides virtual smart card technology, which seems to have the "three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering". If this works as promised, then until January 14, 2020, when Windows 7 SP1 reaches the end of extended support, you had better use hardware to store private keys if you consider non-exportability a crucial requirement.

Note: Several years ago, I remember there was a link where you could download Jailbreak, but that page does not seem to work right now. iSEC Partners says "please contact us so that we can send it to you directly".

I am helping a customer set up client certificate authentication on Windows Server 2008. So far so good, but I expect they will ask me many questions when they begin testing next week. Fortunately, on Windows Server 2008, if you enable the CAPI2 log you have a much better chance of solving a PKI-related problem. The following is the simple procedure.

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

3. In the console tree, expand Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand CAPI2.

4. To enable CAPI2 logging, right-click Operational, and click Enable Log.

Here is the source.

One week later, I am still trying to solve a typical problem: when end users access the IIS server with a valid client certificate, a 403 error always occurs. If I disable the CRL check with a command like the following, the problem goes away temporarily.

cscript.exe adsutil.vbs Set W3SVC\1\CertCheckMode 1

But I still do not know why the IIS server could not fetch the CRL automatically. So I tried to verify one end user's client certificate with the command below.

CertUtil -verify -urlfetch clientCertPKCS10.cer

No problem: it looks like the CRL was retrieved correctly and the certificate verifies as "trusted" and "not revoked".