Can one trust OS and apps from Onyx: app store, modified Android, Onyx Cloud

Onyx Boox is a brand of e-book reader produced by Onyx International Inc, based in China. They have e-book readers based on Android OS. They have features that can violate user privacy or other accounts security:

  1. App store with optimized for e-book apps from other App stores: kindle, office, evernote and etc
  2. Account manager: Dropbox, Evernote and etc
  3. Option to enable Google play and other Google services (like Calendar)
  4. Onyx Cloud (sync personal notes and etc)

So the question is: are there any sings of backdoors or vulnerabilities known about their modified apps or OS itself or other stuff that can lead to user data leaks (like privacy leaks or leaks of sensitive information: like passwords or other data)?

Using OpenVPN on Windows instead of VPN apps: missing certificate

Sorry this might be a noob question, but I subscribed to a VPN provider which ships its own app on Windows. Now I thought I’d prefer to use the OpenVPN client app instead.

I create a profile by providing it with a .ovpn file, which contains a block and a block as well.

Upon connecting, OpenVPN fails with “Connection Error. Missing external certificate“.

All those different certificates are quite abstract to me, but I think it needs a “client certificate”. Is it something created for my profile by the VPN provider when I registered? Or can I generate it myself? When trying to add a certificate in the Windows OpenVPN app, I am asked for .p12 files. Also, when hitting “continue” (without external certificate), the connection never establishes.

For comparison, when putting .ovpn file in Linux in Network-Manager, it works out of the box.

What is the missing step or package? It’s never made clear on the VPN provider help pages.

Why is it possible for all programs / apps to see all network traffic?

I am reading about sandboxing, specifically for Android and Linux based systems (like snap apps). Each app is isolated and can only see its own files, i.e. each app has its own environment. What I don’t understand is why can each app see all network traffic being sent? On Android I can install HTTP Canary which works by being a VPN and then allows you to see all traffic sent from your device. On my PC I can use Wireshark and monitor all traffic sent from my computer. My question is, why is this possible? Why do all programs have the ability to see all network traffic? Shouldn’t true sandboxing result in only each app being able to see its own network traffic? I am thinking that it’s because all programs have access to the network adapter, i.e. all programs should be able to use the network adapter, and thus each program can see everything that enters and exits the network adapter. Wouldn’t it be better if some form of channels were used, so each app can only see its own channel in the network adapter? I know that as soon as the traffic leaves the device, every device nearby can monitor the wireless traffic, as it is in the air (it’s encrypted however). However it’s only before it leaves the network adapter that I don’t understand, why all programs can see all traffic.

Is there no way to bypass certificate pinning without patching apps?

Can you do anything other than patching apps’ compiled-code/cert-files (which is app-specific, requires manual analysis and patching + super-user/root) to intercept TLS traffic of apps that use certificate pinning?

The answer seems to be No, from mitmproxy’s docs:

Certificate Pinning

Some applications employ Certificate Pinning to prevent man-in-the-middle attacks. This means that mitmproxy and mitmdump’s certificates will not be accepted by these applications without modifying them. It is recommended to use the passthrough feature in order to prevent mitmproxy and mitmdump from intercepting traffic to these specific domains. If you want to intercept the pinned connections, you need to patch the application manually. For Android and (jailbroken) iOS devices, various tools exist to accomplish this.

I understand that certificate pinning is part of the trust model of these apps, at the same time as a user, I would like to sniff/intercept their traffic for analysis, locally on my device, in order to make statistics/insights on my habits and behavior, from events such as emails sent (using ProtonMail), messages sent (using Signal/WhatsApp) or any event that can be deduced from the analysis of traffic (using something similar-to/as-powerful-as mitmproxy’s Python scripting API or Scapy’s filters).

Do UIWidgets work well for developing mobile apps in Unity?

I just found out about this package and am going to check it out: https://github.com/UnityTech/UIWidgets

It’s a UI framework for Unity that is based on Flutter, which I find interesting. I was considering Flutter for some mobile game ideas I have, but if this works well I’d much prefer sticking with Unity (my main tool).

Does anyone have experience with UIWidgets and know if it works well? It looks like it was developed by Unity in China, is it used by anyone else?

How do the various DND-5e character sheet apps compare? [closed]

I’m thinking about having my players use apps to keep track of their characters since they’re kind of new. How do the available character sheet apps compare in terms of:

  • Requiring additional source books be purchased in-app
  • Having poor performance or user interface
  • Having bad mobile apps in general
  • Not supporting either iOS or Android
  • Anything else relevant
  • Allowing the DM to view characters sheets

How to create two apps in MS Azure with the same Entity IDs? [migrated]

I am needing some technical inputs to overcome a technical challenge with regards to an MS Azure app.

Goes like this…

We have manually configured a non-gallery app in MS Azure which allows a third party party platform to SSO (SAML based) into their app. It works fine no issues. This app allows SSO for the third party platform’s Australia based staff.

However, I am now needing to configure another app for the same third party platform in order to support SSO for their New Zealand based staff. However, the ‘Entity ID’ that the third party has provided me for this second app is the same. The reply URL etc. are different.

In MS Azure all Australia and New Zealand staff are in the same Azure instance. My technical team is now faced with a big challenge as they are unable to create the second app (in MS Azure) as the ‘Entity ID’ for two apps is the same. How do I work around this uniqueness requirement? How do I configure two apps with the same ‘Entity ID’ in MS Azure?

Any help would be greatly appreciated.

Higher risk of no certificate pinning on mobile apps vs web apps?

Talking with people, it is frequently considered that having a mobile application without certificate pinning is a vulnerability. But i rarely see people mentioning it for web applications.

The question is, why is this issue only mentioned for mobile apps? Is there a higher risk derived out of this vulnerability on mobile apps?

Thinking about it, considering that the degree of difficulty is about the same for installing a rogue certificate on both pc and mobile, i would say that the vulnerability should exist in both cases, but in the case of web apps, there would be no remediation action since the hpkp which i think is the only way to achieve cert pinning is becoming obsolete.

Now none of the people i’ve talked with could give some reasonable explanations, so that’s why i wanted to see if there is indeed any good justification for the mobile cert pinning.