
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast): SANS Stormcast Thursday, July 10th, 2025: Internal CA with ACME; TapJacking on Android; Adobe Patches
Jul 10, 2025
Learn how to set up your own internal certificate authority for development with practical tips. Discover the dangerous animation-driven tapjacking technique on Android, which can trick users into unwanted actions. The discussion highlights concerning vulnerabilities in more than a dozen Adobe products, notably in ColdFusion, where code execution risks loom large. Delve into the significance of robust mobile application security and the alarming lack of protection in many popular apps.
Set Up Internal Certificate Authority
- Use smallstep CA to set up your own internal certificate authority for development purposes.
- Integrate it with the ACME protocol and tools like Certbot for simplicity and convenience.
Defend Against Android Tapjacking
- Android app developers should disallow custom animations on UI elements accessed by other apps.
- They should also prevent user interaction with dialogs while animations are running to block tapjacking.
Android Tapjacking Vulnerability
- Animation-driven tapjacking on Android exploits transparent animated dialogs to trick users into clicking.
- About 70% of apps are vulnerable because they don't restrict calling apps' control over dialog animations.
