cryptographic Archives

AppWizard

April 18, 2026

Android 17 Beta 4 arrives with post-quantum cryptography and new memory limits

On April 16, Google released Android 17 Beta 4, concluding its beta phase and focusing on app compatibility and platform stability. Developers must finalize updates for Android 17 to avoid delays when the stable version is released. Key behavioral changes for apps targeting Android 17 include: - Large-screen resizability restrictions, preventing apps from opting out of maintaining orientation, resizability, and aspect ratio constraints. - Expanded restrictions on dynamic code loading, requiring native files loaded via System.load() to be read-only. - Certificate Transparency is enabled by default. - Local network access is restricted by default, with a new ACCESSLOCALNETWORK permission for persistent access. - Stricter rules on background audio interactions, including playback and volume change APIs. Android 17 introduces per-app memory limits based on device RAM to target memory leaks and anomalies, with minimal impact expected on app sessions. Developers can check for memory limit impacts via ApplicationExitInfo and utilize profiling tools in Android Studio Panda. An on-device anomaly detection service monitors resource-intensive behaviors and provides profiling artifacts. Additionally, the Android Keystore now supports ML-DSA for quantum-safe signatures, allowing developers to generate keys and create signatures within secure hardware.

AppWizard

March 26, 2026

Russia Plans Law Forcing Banks to Use State Messenger Max for Transaction Verification

Russian authorities are advancing legislation that requires banks to verify customer financial transactions through the state-controlled messaging platform, Max, as part of the "Antifraud 2.0" initiative, which is awaiting its second reading in the State Duma. The proposed law mandates confirmation via the government messenger for all significant remote actions, but lacks clarity on what constitutes a significant action. The National Financial Market Council has opposed the initiative, labeling it as legally excessive and costly, and expressing concerns about the security risks and technical limitations of the platform. Experts argue that existing banking security measures are more effective than those proposed, and users of Max have reported being subscribed to pro-war channels without consent, indicating a lack of trust in the platform among officials and employees.

Winsage

March 12, 2026

Microsoft Introduces Phishing-Resistant Windows Sign-Ins With Entra Passkeys

Microsoft will introduce phishing-resistant passwordless authentication through passkeys for Windows devices, integrated with Microsoft Entra. This feature is expected to enter public preview between mid-March and late April 2026 for global tenants, while government cloud environments will receive the update from mid-April to mid-May. Users can access Entra-protected resources using device-bound passkeys stored securely within Windows Hello, allowing authentication through biometric or local verification methods. This update expands passwordless authentication to unmanaged or personal Windows devices. Passkeys utilize public-key cryptography, enhancing security by storing a private key on the device and registering a matching public key with the service. Each passkey is uniquely associated with a specific device and cannot be exported or synchronized. Organizations must enable the Passkeys (FIDO2) authentication method in Entra for the preview. This initiative is part of Microsoft's broader strategy to eliminate passwords, responding to rising cybersecurity concerns related to password-based authentication.

Winsage

March 11, 2026

Windows Hello gets passkey support for Entra accounts

Microsoft is enhancing the sign-in process for Microsoft Entra on Windows devices by introducing support for passkeys that integrate with Windows Hello, reducing reliance on traditional passwords. This feature aims to improve resistance against phishing attacks and will begin its optional public preview between mid-March and the end of April 2026 for organizations globally. Government cloud environments will have a separate preview from mid-April to mid-May. Administrators must activate this functionality for users. Employees will be able to access Entra-secured services using Windows Hello through biometric recognition or a PIN code, with cryptographic keys securely stored on the device. This method protects against phishing and account abuse since the keys remain on the device and are not vulnerable to interception. Passkeys will also work on Windows systems not linked to Entra, allowing access to company resources without passwords on personal or shared devices. Each Entra account generates a unique passkey per device, and synchronization between devices is not supported. Administrators need to enable the FIDO2 passkey method within Entra’s authentication policy to activate this feature. Microsoft aims to gradually eliminate passwords, providing stronger defenses against phishing and account compromise.

AppWizard

March 11, 2026

Quantum Computing Isn’t Just Coming for Bitcoin—It Threatens Messaging Apps Too

IBM researchers are collaborating with Signal and Threema to develop messaging systems resilient to quantum computing threats, prompted by concerns that quantum technology could compromise current encryption methods. IBM's report stresses the need to redesign messaging protocols in anticipation of potential quantum capabilities that could break existing encryption. Cryptography expert Ethan Heilman highlighted that encrypted messaging platforms face immediate risks from quantum threats, specifically through "store-and-forward attacks." Both Signal and Threema are enhancing their security measures; Signal is implementing upgrades like PQXDH and SPQR for post-quantum protection, while Threema is integrating the ML-KEM algorithm for quantum-safe encryption. Research indicated that adapting the Signal protocol for quantum safety may increase bandwidth requirements, necessitating a complete redesign for efficiency.

AppWizard

March 11, 2026

How Advanced Browsing Protection Works in Messenger

Advanced Browsing Protection (ABP) in Messenger enhances user privacy by warning users about potentially harmful links shared in end-to-end encrypted communications. It analyzes links using on-device models and a dynamic watchlist of millions of potentially malicious sites, utilizing cryptographic techniques to maintain user privacy. ABP is based on a cryptographic primitive called private information retrieval (PIR), which minimizes the information a server learns from client queries. The system also employs oblivious pseudorandom functions (OPRFs) and manages URL queries through a privacy-preserving URL-matching scheme. The server groups links by domain, allowing clients to request a single bucket for domain-specific path components, and generates a ruleset to balance bucket sizes. To safeguard client queries, AMD's SEV-SNP technology creates a confidential virtual machine (CVM) that processes hash prefixes securely, generating attestation reports for integrity verification. The use of Oblivious RAM and Oblivious HTTP (OHTTP) enhances privacy by preventing exposure of memory access patterns and stripping identifying information from client requests. The lifecycle of an ABP request includes pre-processing phases where the server updates the URL database and computes rulesets, followed by client requests that involve calculating bucket identifiers, sending encrypted requests through a proxy, and checking for unsafe URLs based on server responses.

AppWizard

March 11, 2026

Messenger can warn you about sketchy links without knowing what you clicked

Meta has introduced Advanced Browsing Protection (ABP) in its Messenger application to enhance user safety by identifying harmful websites during chats. ABP utilizes a constantly updated watchlist of potentially harmful websites, improving upon the existing Safe Browsing feature. Due to end-to-end encryption, Messenger cannot access message content or links, so ABP uses cryptography and secure computing techniques for link verification without exposing them. When a user clicks a link, Messenger checks it against a blocklist using a privacy-preserving query system. Users can enable or disable ABP in the Messenger app under Settings, Privacy & safety, and Safe browsing. If the option is not visible, users may need to update the app.

Winsage

March 7, 2026

Microsoft’s Secure Boot certificates expire in June 2026, but older PCs may never get the fix

Every Secure Boot-enabled Windows PC relies on cryptographic certificates issued by Microsoft in 2011, embedded in the motherboard's firmware, to ensure a secure boot process. The first of these certificates will expire on June 24, 2026, which will affect the ability to receive future security updates for critical components of the Windows startup process. Microsoft is rolling out replacement certificates through Windows Update, marking a significant security maintenance effort. Secure Boot operates as a chain of trust with certificates stored in the motherboard's UEFI firmware, validating software before the operating system loads. The Platform Key (PK) is at the top of this chain, followed by the Key Exchange Key (KEK) and the Signature Database (DB). The replacement certificates introduced in 2023 restructure certificate management, separating responsibilities among different certificate authorities to enhance the trust model. Not all PCs are affected by the upcoming expiration; newer devices manufactured since 2024 already have the new certificates. Windows 10 users face challenges as support for this version ends in October 2025, and they will not receive the new certificates unless enrolled in Extended Security Updates. Home users should ensure their PCs are set to receive updates automatically, while enterprise environments require coordination for firmware updates before the Windows certificate update.

Winsage

March 6, 2026

Microsoft’s Secure Boot certificates expire in June 2026, but older PCs may never get the fix

Every Secure Boot-enabled Windows PC relies on cryptographic certificates issued by Microsoft in 2011 for boot process integrity. The first of these certificates will expire on June 24, 2026, impacting the ability to receive future security updates. Microsoft is rolling out replacement certificates through Windows Update, requiring collaboration between Microsoft, PC manufacturers, and users. Three critical certificates will expire: the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 in June 2026, and the Microsoft Windows Production PCA 2011 in October 2026. The new certificates introduced in 2023 have a restructured functionality to enhance security. Not all PCs are affected; newer devices manufactured since 2024 come with the new certificates. Windows 10 users face challenges as support ends in October 2025, and unsupported devices will not receive updates. Home users should ensure automatic Windows updates and check for firmware updates, while enterprise environments must verify firmware updates before applying certificate updates. The first certificate expiration is on June 27, 2026.

Winsage

March 5, 2026

Bitwarden now lets users log into Windows 11 using passkeys

Bitwarden has introduced a feature that allows Windows 11 users to log in using passkeys stored in their vaults, enhancing security by enabling phishing-resistant authentication at the operating system's login screen. Users can authenticate by scanning a QR code displayed on the Windows screen with the Bitwarden app on their mobile device, which verifies access to the stored passkey. This feature requires the Windows device to be joined to Microsoft Entra ID and for the organization to enable FIDO2 security key sign-in. Users must also register a passkey for their Entra ID profile stored in Bitwarden. The integration aims to improve security against cyber attacks targeting operating system authentication. Microsoft plans to roll out this passkey-based Windows login feature in March, depending on the organization's Microsoft Entra ID configuration, and it will be available across all Bitwarden plans, including the free tier.