I have been using PaintCode for drawing custom buttons for years in iOS; it works brilliantly. I want to do the same for Android and have the following issue:

In PaintCode I draw a button which is basically a rounded rectangle with a radius of 20 points. I draw a frame around it and then set the correct resizing behaviour using the springs (see screenshot). The result is that whatever the size of the button is going to be (= the frame), the corners will always be nicely rounded with 20 points.

This works very well on iOS, but on Android the radius is 20 pixels, not points, resulting in a far too small radius (now with the high-res devices). Or in general, all drawings that I make in PaintCode, when drawn using the draw method generated by PaintCode, are too small. It seems that the generated drawing code does not take into account the scale of the device (as it does on iOS). Looking at the section "scale", PaintCode suggests playing with the density metric in Android to perform scaling. This does work, but makes the generated drawing fuzzy; I guess this is because we are drawing in lower resolution due to the scaling. So it's not a viable solution.

Note: Yes, I know there are other ways of doing buttons in Android, but this is just an example to demonstrate my issue (the actual buttons are far, far more complex). So please don't reply offering other solutions for buttons in Android; I am looking for a solution with PaintCode.

At 1Password, we regularly hire outside experts to check our source code and look for security vulnerabilities. A recent penetration test by Cure53 identified a case where the 1Password server wasn't using a constant-time comparison when it should. The fix, while trivial, created an interesting challenge for us: how can we confidently say that we don't have this issue elsewhere?

This is the first in a series of new developer-written posts on our blog about Building 1Password, a behind-the-scenes look at what goes into making the app. You can expect these to be technical, nerdy, and frankly… not nearly as polished as what our crack marketing and content teams put out.

What are we trying to solve?

Before we get to the solution, let's talk about the problem. It's recommended that security-sensitive comparisons be done in a constant-time manner. In this case, the comparison was of a token string that is sent to the user via email; the recipient uses it to prove they received the email and control the email account. A constant-time approach ensures that the comparison always takes the same amount of time, regardless of the outcome. We use the Go programming language for our server, and Go has the crypto/subtle package which provides functions to do this. Fixing this is quite simple: you replace the direct string comparison with the constant-time comparison from crypto/subtle, ending in `VerificationToken), byte(token)) != 1`. An identical timeframe for "true" and "false" comparisons minimizes what an attacker can learn from a request.

At 1Password we try our best to stop attackers from learning anything about what's going on inside our servers. One such piece of information is how long the server takes to validate your information. Sometimes we have concrete attacks in mind: we don't want to leak whether you supplied the right or wrong session key. Sometimes we don't have a concrete attack in mind, because we can't always look into the minds of our attackers, or into the future of how our codebase evolves. As a general rule though, we make sure that whenever we verify your information we apply constant-time comparisons. So now we know why doing these comparisons in constant time is important, and how we might go about fixing this particular issue.

Building a solution

As developers we're less interested in solving one specific problem than a whole class of problems. We could manually check by searching for 'user.VerificationToken' references, but how do we ensure this mistake doesn't happen again, and how can we ensure that we aren't making the same mistake elsewhere? To solve this problem, we used a custom static analysis tool that we now run as part of our continuous integration system on every Merge Request pushed to our GitLab instance. There are a plethora of great static analysis tools for Go; for example, there's securego/gosec to help find security problems. Unfortunately, it can't help us solve this particular problem. Luckily for us though, the Go packages library comes with the tools for us to build a custom static analysis solution to this problem! The only tricky part was to determine how we were going to find these cases without inundating ourselves with false positives.
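The kind of check the 1Password section describes (flag a plain `==`/`!=` on a secret-bearing value, while keeping false positives down) can be sketched with Go's standard go/ast and go/parser packages. This is an added example, not 1Password's tool: the sample source, the `input.go` file name and the token/secret/password naming heuristic are constructed assumptions.

```go
package main
import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)
// Constructed sample (not 1Password code): an emptiness check, the direct
// token comparison the page describes, and its crypto/subtle replacement.
const sampleSrc = `package demo
func verify(user *User, token string) bool {
	if token == "" || user.VerificationToken != token { return false }
	return subtle.ConstantTimeCompare([]byte(user.VerificationToken), []byte(token)) == 1
}`
// secretOperand: final identifier of an Ident/Selector ("" otherwise) and whether it matches an assumed secret-naming heuristic.
func secretOperand(e ast.Expr) (name string, secret bool) {
	if s, ok := e.(*ast.SelectorExpr); ok {
		e = s.Sel
	}
	if id, ok := e.(*ast.Ident); ok {
		name = id.Name
	}
	n := strings.ToLower(name)
	return name, strings.Contains(n, "token") || strings.Contains(n, "secret") || strings.Contains(n, "password")
}
// FindNonConstantTimeCompares reports each == or != between two named operands where one looks like a secret.
// Literals and calls have no name, so token == "" and subtle.ConstantTimeCompare(...) == 1 are not false positives.
func FindNonConstantTimeCompares(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(f, func(n ast.Node) bool {
		be, ok := n.(*ast.BinaryExpr)
		if !ok || (be.Op != token.EQL && be.Op != token.NEQ) {
			return true
		}
		x, xSecret := secretOperand(be.X)
		y, ySecret := secretOperand(be.Y)
		if x != "" && y != "" && (xSecret || ySecret) {
			findings = append(findings, fmt.Sprintf("%v: %s compared with %s", fset.Position(be.Pos()), x, y))
		}
		return true
	})
	return findings, nil
}
func main() { fmt.Println(FindNonConstantTimeCompares(sampleSrc)) } // [input.go:3:20: VerificationToken compared with token] <nil>
```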