Android 5.x Application-Security-related updates


I just copied and summarized the security-related changed in Android 4.4, 5.0 and 5.1. Enjoy guys!


Custom permission

Android 5.0 prevents the installation of apps if they define a custom permission that is already defined by an existing resident app.


Web view

The WebView default behavior was changed to block mixed content. Please do not use: setMixedContentMode..


SSL default configuration

Android 5.0 introduces changes to the default TLS/SSL configuration used by apps for HTTPS and other TLS/SSL traffic:

  • TLSv1.2 and TLSv1.1 protocols are now enabled
  • AES-GCM (AEAD) cipher suites are now enabled
  • MD5, 3DES, export, and static key ECDH cipher suites are now disabled
  • Forward Secrecy cipher suites (ECDHE and DHE) are preferred

Read more

SSL FREAK Vulnerablity

As security experts, AppSec Labs can help you protect against SSL based attacks as well as keeping our website, safe from these attacks.

SSL/TLS is a transport encryption protocol which is used by most applications and infrastructure to provide confidentiality and integrity for safe communication between a client and a server.

Read more

Online ClickJacking/UI redressing PoC Tester

AppSec Labs is proud to introduce the ClickJacking Tester – a tool which is designed to allow information security specialists around the world to easily check online whether their websites are vulnerable to ClickJacking/UI redressing attack:


How to Use:

  1. Open the tool in your browser.
  2. Enter your website’s URL in the text box.
  3. Check “add allow-forms to Iframe” box in order to add the ‘allow-forms in the sandbox’ attribute in case it is necessary.
  4. Hit ‘enter’ or click submit button.
  5. If the page is vulnerable, it will be displayed in the window on the left side of the testing page.
  6. Take a screenshot for your PoC and enjoy!

Read more