cryptographic Archives

Winsage

May 23, 2026

CVE-2026-45585: YellowKey BitLocker Bypass

BitLocker, a security feature for data protection, has a vulnerability identified as CVE-2026-45585, also known as YellowKey, which allows unauthorized access to encrypted data on Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025. This flaw does not compromise BitLocker’s encryption but affects the recovery environment supporting it. The vulnerability can be exploited locally through the Windows Recovery Environment (WinRE) by an attacker with physical access, who can trigger an unrestricted shell and access the BitLocker-protected volume. Microsoft has provided two mitigation strategies: modifying the WinRE image to remove the autofstx.exe entry and transitioning from TPM-only protection to a TPM+PIN requirement at startup. The exploit poses challenges for detection, as it occurs pre-boot and currently lacks vendor-published indicators of compromise. Organizations using BitLocker for unattended devices are particularly at risk, as the vulnerability can lead to loss of confidentiality if an attacker gains access before the legitimate user.

AppWizard

May 7, 2026

Local Data Security with Android Keystore

Threema, a secure messaging application, prioritizes user privacy by avoiding server-side storage and ensuring that message content remains on users' devices. On Android, it utilizes the Keystore for secure cryptographic key management, storing data in an app-specific directory to isolate it from other applications. All stored data is encrypted, making it unreadable without the appropriate key. The Android Keystore allows for key generation without direct access to raw data, enhancing security by performing cryptographic operations internally. Modern devices with dedicated security chips provide hardware-backed security, while older devices rely on a software-backed Keystore, which is more vulnerable. Threema offers users the option to set a passphrase, adding an extra layer of protection by encrypting data before it is stored in the Keystore. This multi-layered security strategy adapts to the device's capabilities.

AppWizard

May 6, 2026

Android Apps Get Public Verification System to Stop Supply Chain Attacks

Google has launched an enhanced Binary Transparency initiative for Android to strengthen the ecosystem against supply chain attacks. This initiative builds on the Pixel Binary Transparency framework introduced in October 2021, which ensures Pixel devices operate on verified OS software through a public cryptographic log of factory images. The new initiative aims to address the increasing sophistication of binary supply chain attacks, emphasizing that a binary's digital signature alone is insufficient for guaranteeing its authenticity. Starting May 1, 2026, all production Android applications released by Google will include a cryptographic entry confirming their authenticity. This initiative covers various Google applications and provides a transparent 'Source of Truth' for users to verify the software on their devices. Google is also offering verification tools for users and researchers to confirm the transparency state of supported software types, enhancing user privacy and security.

Tech Optimizer

May 6, 2026

Immudb Upgrade Brings Immutable Audit Trails To PostgreSQL Workloads – Open Source For You

Codenotary has released immudb 1.11, enhancing its open-source database into a comprehensive trust infrastructure layer. Key features include immutable audit logging, which allows organizations to create permanent, tamper-proof records of data and database activities, supported by cryptographic verification to prevent unauthorized alterations. The update also introduces compatibility with PostgreSQL, enabling existing applications to use immudb without modifications. Benefits for organizations include unalterable audit trails, simplified compliance and reporting, and reduced operational complexity. This release positions open source as a viable alternative to proprietary compliance and logging systems, addressing challenges in demonstrating data trustworthiness.

AppWizard

May 6, 2026

Google expands Android Binary Transparency to counter supply chain attacks

Supply chain attacks targeting mobile software have increased due to the reliance on smartphones for essential functions. In response, Google has launched an enhanced Binary Transparency program for Android, which includes a public ledger that records cryptographic entries for production applications. This program initially covers two software layers: Google Applications and Mainline Modules. For Pixel device owners, it complements the Pixel System Image Transparency feature introduced in 2023, allowing users to verify the authenticity of system images and Google applications. The program aims to address the gap in software trust by distinguishing between digital signatures, which confirm the identity of the binary's creator, and binary transparency, which indicates the intent for public release. If a Google-signed application released after May 1, 2026, is not listed in the ledger, it means Google did not authorize it as production software. Verification tools are available on GitHub for assessing software against the ledger. Google employs "defense-in-depth" protocols to mitigate insider risks, ensuring that no single individual can publish a binary without triggering cryptographic verification. The ledger acts as a public record to deter unauthorized modifications. Google is also working to extend Binary Transparency to third-party developers to enhance the security of the global software supply chain.

Tech Optimizer

May 5, 2026

Open Source Tamper-Proof Database Adds Immutable Audit Logging and Expands PostgreSQL Compatibility

Codenotary has released immudb 1.11, an open-source database that enhances immutable audit logging and compatibility with PostgreSQL. This version features integrated audit logging that captures database activities in a tamper-proof manner, eliminating the need for external logging systems. It allows organizations to create unalterable audit trails, streamline compliance processes, and maintain a reliable history of data interactions. Immudb 1.11 is compatible with existing PostgreSQL code, enabling seamless integration with various applications and tools. The database is particularly beneficial for sectors requiring trust and accountability, such as finance, software development, cybersecurity, regulated industries, AI systems, and supply chain management. Immudb has over 50 million downloads and supports a zero-trust approach to data management. The open-source version is available on GitHub.

AppWizard

May 5, 2026

Meta enhances security of WhatsApp and Messenger encrypted backups

Meta has enhanced the security and transparency of its end-to-end encrypted backup system for WhatsApp and Messenger. The improvements focus on refining the distribution and verification of encryption keys, and allow for independent audits of certain infrastructure components. The updates are based on Meta's Hardware Security Module (HSM)-based Backup Key Vault architecture, which securely stores recovery secrets in tamper-resistant hardware, ensuring that neither Meta nor cloud service providers can access users' message archives. For encrypted backups, users' devices generate a 256-bit encryption key locally, which encrypts all backup data before uploading it to cloud storage. The key remains on the device in an encrypted format, with the user's password not visible to Meta or third parties. An encrypted version of the backup key is stored in the HSM-based vault using the OPAQUE password-authenticated key exchange protocol, enhancing recovery security without revealing the password. The recent updates include an over-the-air (OTA) fleet key distribution mechanism, which avoids hardcoding trusted infrastructure keys into Messenger applications. Clients receive a “validation bundle” containing the HSM fleet's public keys during runtime, with signatures verified against Cloudflare’s Key Transparency system. The vault operates across at least seven data centers using majority-consensus replication to ensure availability and integrity. Meta plans to publish cryptographic proof of each new HSM fleet deployment, allowing advanced users and researchers to verify these deployments through the open-source “mbt” (Meta Binary Transparency) CLI tool, which conducts multiple checks to confirm that fleet keys are untampered.

AppWizard

May 4, 2026

Evolving Verifiable Trust: Bringing Binary Transparency to the Android Ecosystem

Starting May 1, 2026, all production Android applications released by Google will include a cryptographic entry to verify their authenticity. This initiative establishes a "Source of Truth" for users to confirm that the software on their devices is genuine and unaltered. It includes Google Applications and Mainline Modules, with a production ledger that records all official updates. If a Google-signed application is not listed in this ledger, it indicates that the application was not intended for release by Google. This system aims to prevent unauthorized modifications and enhance user privacy and security. For Pixel users, it allows verification of both system images and Google applications. Google has also provided verification tools to check the transparency status of supported software types.

AppWizard

April 27, 2026

Elon Musk’s XChat App Is More Like Facebook’s Messenger Than Signal

Elon Musk launched the XChat app, a stand-alone messaging service for X users, claiming it to be the only secure, encrypted messaging app. Critics have raised concerns about XChat's security, particularly its requirement to link an existing X account and the storage of cryptographic keys on X's servers. The app's rollout faced delays and confusion, with users in the UK experiencing access issues. Initial user experiences indicated limited messaging capabilities, as many contacts may not have X accounts. The app's privacy claims were questioned, as it still collects data linked to users. XChat shares similarities with Facebook's Messenger, both requiring account creation and linking to their respective platforms.

Winsage

April 24, 2026

Microsoft to roll out Entra passkeys on Windows in late April

Microsoft will introduce passkey support for phishing-resistant passwordless authentication on Microsoft Entra-protected resources starting in late April, with broader availability expected by mid-June 2026. This feature will allow passwordless sign-in on unmanaged Windows devices and will support various device types, including corporate, personal, and shared options. Administrators can manage passkeys through Conditional Access and Authentication Methods policies. Users can create device-bound passkeys stored securely within the Windows Hello container, using methods like facial recognition, fingerprint scanning, or a PIN. The passkeys will adhere to FIDO2 standards and will be securely bound to individual devices, preventing transmission over the network to enhance security against phishing and malware attacks. Microsoft has also announced plans for mandatory multifactor authentication registration for Entra tenants by October 2024 and that all new accounts will be passwordless by default starting in May 2025.