Do any API-based CASB use native DLP features in cloud applications?

I think I’ve understood what CASB are and the differences between proxy/API-based architectures. What is still unclear to me is how exactly API-based CASB function.

I know most products use APIs to traverse the cloud document storage to download and inspect the documents. Or maybe even use APIs to download auditing logs from the service. But for example Office 365 offers DLP features such as Exchange Mail Flow Rules or Office 365 DLP rules. Do any API-based CASB also automatically configure and use these DLP functions?

OAuth native app without localhost redirect

Section 4.1 of RFC 8252 describes the OAuth authorization flow for native apps using the browser (i.e., external user-agent). In this flow, the native app receives the authorization code in step 4 by setting the redirect URI to the loopback IP. This, of course, requires the native app to open a port on the loopback interface and subjects us to attacks where other apps could get the authorization code (unless we use something like PKCE).

Our system is a client-server model where the clients are various custom command line tools with no real user interface. In our deployments, we can’t always guarantee that we will be able to open a port on the loopback (and we’d like to avoid the added security concerns that PKCE addresses). We would like to tweak the flow for our use case but want to make sure we aren’t leaving the door open for security issues. Here is the flow we’d like to use:

  1. Command line tool initiates intent to perform OAuth flow to Application Server.
  2. Application Server generates a random in-progress session token and a separate random OAuth flow state value.
  3. Application Server stores both values in the database together.
  4. Application Server returns both values to the Command line tool.
  5. Command line tool launches the external user-agent (e.g., browser) and starts the authentication process against the Authorization Server using the OAuth state value provided by the Application Server.
  6. User authenticates.
  7. Authorization Server redirects to the Application Server along with the state value.
  8. Application Server retrieves authorization code and stores it in the database along with the in-progress session token and OAuth state value.
  9. Command line tool submits the in-progress session token to the application server.
  10. Application server retrieves the authorization code from the database and treats it as if the command line tool provided it.

Outside of the potential for DoS abuse on submitting lots of OAuth initiations and the potential for the command line tool to initiate step 9 before the application server has completed step 8, are there other security issues to be concerned with?
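The Application Server's bookkeeping for steps 2-4 and 8-10 of the flow above, as an added example that is not part of the question or of any product; `PendingFlowStore` and its method names are assumptions. It keeps the session token and the state as separate single-use values, answers a step 9 that arrives before step 8 with "pending" (a retry signal) instead of an error, and expires stale flows so abandoned initiations cannot accumulate indefinitely.

```python
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass

@dataclass
class PendingFlow:
    """One row of the Application Server's pending-flow table (constructed stand-in)."""
    state: str
    created: float
    code: str | None = None

class PendingFlowStore:
    """In-memory model of steps 2-4 and 8-10 (hypothetical class, not from the question)."""

    def __init__(self, ttl_seconds: float = 300.0, clock=time.monotonic):
        self._flows: dict[str, PendingFlow] = {}   # keyed by in-progress session token
        self._ttl = ttl_seconds
        self._clock = clock                        # injectable so expiry can be tested

    def start(self) -> tuple[str, str]:
        """Steps 2-4: mint a session token and a separate state value, store them together."""
        session_token, state = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._flows[session_token] = PendingFlow(state=state, created=self._clock())
        return session_token, state

    def _expired(self, flow: PendingFlow) -> bool:
        return self._clock() - flow.created > self._ttl

    def on_callback(self, state: str, code: str) -> bool:
        """Step 8: bind the code to the flow named by state; reject unknown, expired or reused state."""
        flow = next((f for f in self._flows.values() if f.state == state), None)
        if flow is None or flow.code is not None or self._expired(flow):
            return False
        flow.code = code
        return True

    def redeem(self, session_token: str) -> tuple[str, str | None]:
        """Steps 9-10: hand the code to the tool exactly once; 'pending' covers step 9 racing step 8."""
        flow = self._flows.get(session_token)
        if flow is None:
            return "unknown", None
        if self._expired(flow):
            del self._flows[session_token]
            return "expired", None
        if flow.code is None:
            return "pending", None          # tool should retry, not start a fresh flow
        del self._flows[session_token]      # single use: a replayed token gets "unknown"
        return "ok", flow.code
```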

What are the ramifications of Aasimar PCs being Outsider (Native)?

I’m playing an Aasimar. They are the type Outsider (Native).

I wanted to find out what impact that has on the game. So I looked up outsiders:

https://www.d20pfsrd.com/bestiary/monster-listings/outsiders/

and I saw this:

Proficient with all simple and martial weapons and any weapons mentioned in its entry.

Skill points equal to 6 + Int modifier (minimum 1) per Hit Die. The following are class skills for outsiders: Bluff, Craft, Knowledge (planes), Perception, Sense Motive, and Stealth. Due to their varied nature, outsiders also receive 4 additional class skills determined by the creature’s theme.

And a few other cool things.

I’m assuming these don’t apply to Aasimar PCs. But my question remains unanswered: what are the ramifications of being a PC that is of the type Outsider (Native)?

Install a PFX/SSL certificate downloaded from the server on Android/iOS device in a React Native app?

I am building a React Native application that downloads an SSL certificate file or a PFX from the server or a remote file storage. After getting this file, I want to install this certificate onto the device so that only my app can access it. I want to use this certificate to facilitate secure API calls to another server that talks HTTPS. I am assuming that I should use the Keychain on iOS and Keystore on Android for storing the certificate but I am not sure if it enables me to store a PFX. And after storing it, how do I use it for the API calls that I make subsequently?

How can I replicate the native look & feel of Fate documents?

Fate documents (whether they are rule books, adventure books, character sheets, etc.) generally have a pretty recognizable style (a typical example is the Fate Core Character Sheet). The rule books have pages with a specific layout, a specific style for page numbering, specific shapes around the edges, specific shapes for sections with GM tips, specific shapes for sections with examples, etc.

As a GM, I sometimes want to create customized sheets and handouts. Possibly I’d like to write and publish an original setting or adventure at some point. In either case, I would prefer to make something that feels like a ‘native’ Fate document (considering that the folks at Evil Hat have said they don’t mind people doing so).

How can I go about replicating that look & feel in a rich text editor or DTP software? (To me, it doesn’t matter which specific product I’d have to use.) Are there any reusable templates made by players that make this process repeatable? Is there perhaps a visual style guide that authors can follow? Any instructions to avoid ‘reinventing the wheel’ or at least be able to ‘reinvent’ it faithfully?

Security of the native Password Autofill function in iOS 12

I have read Apple documents on the iOS 12 password autofill function for iPhones. But I could not find much information pertaining to where the passwords are stored and what vulnerabilities might exist. I understand storage would be either the device or the cloud. Apple Keychain includes a setting for cloud storage, and of course, Apple encrypts the passwords. And the docs suggest that if storage is on the device, it may be with the app itself (this is not clear from my reading). The general overarching security assumption is that the user has access control at the device level (both physical and OS). But eventually, the password has to be entered as “plain text” through the autofill function. So it would seem a point of vulnerability.

Are there any experiments or papers/reports on the security strength of Apple’s autofill function?

What security vulnerabilities exist for password exploit/theft for the iOS autofill feature?

How do I get decelerationRate to be the same on Android and iOS in React Native?

I’m making an image carousel with an index indicator (little bubbles/pagination, whatever you want to call it), but what happens is that on Android it looks somewhat laggy at the moment the index changes relative to when the image is shown, since when you release it or stop dragging, the image moves very fast and the index changes slowly; unlike Android, it works very well on iOS. I would like it to be exactly the same as on iOS, where you can scroll smoothly without the image jerking when you release it. I’ve tried decelerationRate={'normal'} but they don’t share the same value for 'normal', so I tried again with decelerationRate={0.998} (the default deceleration on iOS) and not even that worked. It seems they don’t share the same deceleration strength, as if they were different units, like kilometers and miles. A good example of the result I want is the Instagram app, where you can clearly see that both platforms have the same deceleration in any carousel. This is the first question I’ve asked on StackOverflow and I’m new to JavaScript in general.