Testing SAML Endpoints For XML Signature Wrapping Vulnerabilities

A lot can go wrong when validating SAML messages. When auditing SAML endpoints, it's important to look out for vulnerabilities in the signature validation logic. XML Signature Wrapping (XSW) against SAML is an attack where manipulated SAML message is submitted in an attempt to make the endpoint validate the signed parts of the message -- which were correctly validated -- while processing a different attacker-generated part of the message as a way to extract the authentication statements. Because the attacker can arbitrarily forge SAML assertions which are accepted as valid by the vulnerable endpoint, the impact can be severe. [1,2,3]

Testing for XSW vulnerabilities in SAML endpoints can be a tedious process, as the auditor needs to not only know the details of the various XSW techniques, but also must handle a multitude of repetitive copy-and-paste tasks and apply the appropriate encoding onto each message. The latest revision of the XSW-Attacker module in our BurpSuite extension EsPReSSo helps to make this testing process easier, and even comes with a semi-automated mode. Read on to learn more about the new release! 

 SAML XSW-Attacker

After a signed SAML message has been intercepted using the Burp Proxy and shown in EsPReSSO, you can open the XSW-Attacker by navigating to the SAML tab and then the Attacker tab.  Select Signature Wrapping from the drop down menu, as shown in the screenshot below:



To simplify its use, the XSW-Attacker performs the attack in a two step process of initialization and execution, as reflected by its two tabs Init Attack and Execute Attack. The interface of the XSW-Attacker is depicted below.
XSW-Attacker overview

The Init Attack tab displays the current SAML message. To execute a signature wrapping attack, a payload needs to be configured in a way that values of the originally signed message are replaced with values of the attacker's choice. To do this, enter the value of a text-node you wish to replace in the Current value text-field. Insert the replacement value in the text-field labeled New value and click the Add button. Multiple values can be provided; however, all of which must be child nodes of the signed element. Valid substitution pairs and the corresponding XPath selectors are displayed in the Modifications Table. To delete an entry from the table, select the entry and press `Del`, or use the right-click menu.

Next, click the Generate vectors button - this will prepare the payloads accordingly and brings the Execute Attack tab to the front of the screen.

At the top of the Execute Attack tab, select one of the pre-generated payloads. The structure of the selected vector is explained in a shorthand syntax in the text area below the selector.
The text-area labeled Attack vector is editable and can be used to manually fine-tune the chosen payload if necessary. The button Pretty print opens up a syntax-highlighted overview of the current vector.
To submit the manipulated SAML response, use Burp's Forward button (or Go, while in the Repeater).

Automating XSW-Attacker with Burp Intruder

Burp's Intruder tool allows the sending of automated requests with varying payloads to a test target and analyzes the responses. EsPReSSO now includes a Payload Generator called XSW Payloads to facilitate when testing the XML processing endpoints for XSW vulnerabilities. The following paragraphs explain how to use the automated XSW attacker with a SAML response.

First, open an intercepted request in Burp's Intruder (e.g., by pressing `Ctrl+i`). For the attack type, select Sniper. Open the Intruder's Positions tab, clear all payload positions but the value of the XML message (the `SAMLResponse` parameter, in our example). Note: the XSW-Attacker can only handle XML messages that contain exactly one XML Signature.
Next, switch to the Payloads tab and for the Payload Type, select Extension-generated. From the newly added Select generator drop-down menu, choose XSW Payloads, as depicted in the screenshot below.



While still in the Payloads tab, disable the URL-encoding checkbox in the Payload Encoding section, since Burp Intruder deals with the encoding automatically and should suffice for most cases.
Click the Start Attack button and a new window will pop up. This window is shown below and is similar to the XSW Attacker's Init Attack tab.


Configure the payload as explained in the section above. In addition, a schema analyzer can be selected and checkboxes at the bottom of the window allow the tester to choose a specific encoding. However, for most cases the detected presets should be correct.

Click the Start Attack button and the Intruder will start sending each of the pre-generated vectors to the configured endpoint. Note that this may result in a huge number of outgoing requests. To make it easier to recognize the successful Signature Wrapping attacks, it is recommended to use the Intruder's Grep-Match functionality. As an example, consider adding the replacement values from the Modifications Table as a Grep-Match rule in the Intruder's Options tab. By doing so, a successful attack vector will be marked with a checkmark in the results table, if the response includes any of the configure grep rules.

Credits

EsPReSSO's XSW Attacker is based on the WS-Attacker [4] library by Christian Mainka and the original adoption for EsPReSSO has been implemented by Tim Günther.
Our students Nurullah Erinola, Nils Engelberts and David Herring did a great job improving the execution of XSW and implementing a much better UI.

---

[1] On Breaking SAML - Be Whoever You Want to Be
[2] Your Software at My Service
[3] Se­cu­ri­ty Ana­ly­sis of XAdES Va­li­da­ti­on in the CEF Di­gi­tal Si­gna­tu­re Ser­vices (DSS)
[4] WS-Attacker
Related news
  1. Underground Hacker Sites
  2. Hackers Toolbox
  3. Hacker
  4. Hacker Security Tools
  5. Pentest Tools Nmap
  6. Pentest Tools
  7. Hacker Tools
  8. Easy Hack Tools
  9. Wifi Hacker Tools For Windows
  10. Hack Tools Download
  11. Hacker Tools Windows
  12. Pentest Reporting Tools
  13. Hacker Tools For Ios
  14. Hacking Tools Usb
  15. Hack Tools 2019
  16. Pentest Tools Port Scanner
  17. Underground Hacker Sites
  18. Pentest Tools Windows
  19. Tools Used For Hacking
  20. Pentest Tools Open Source
  21. Pentest Tools Website Vulnerability
  22. Hacker Tools Free
  23. Hackers Toolbox
  24. Pentest Tools Linux
  25. Best Hacking Tools 2019
  26. Hacker Tools
  27. Pentest Recon Tools
  28. Pentest Tools Bluekeep
  29. Hack Tools
  30. Hacker Tools For Windows
  31. Hack Tools For Pc
  32. Hacking Tools Online
  33. Hacker Tools Software
  34. New Hacker Tools
  35. Hack Tools For Games
  36. Pentest Automation Tools
  37. Hackers Toolbox
  38. Android Hack Tools Github
  39. Hacker Tools Windows
  40. Beginner Hacker Tools
  41. Hacking Tools 2019
  42. Hacking Tools Kit
  43. Usb Pentest Tools
  44. Hacker Tools Linux
  45. Hacking Tools 2019
  46. Tools 4 Hack
  47. Usb Pentest Tools
  48. Pentest Tools Review
  49. Hack Rom Tools
  50. Pentest Tools For Android
  51. Wifi Hacker Tools For Windows
  52. Hacker Tools Mac
  53. Hack Tool Apk No Root
  54. Hacking Tools For Windows
  55. Wifi Hacker Tools For Windows
  56. Hack Tool Apk
  57. Hacker Search Tools
  58. Hacker Tools Windows
  59. Kik Hack Tools
  60. Hacking Tools 2020
  61. Hacking Apps
  62. How To Hack
  63. Hack Rom Tools
  64. Pentest Tools Tcp Port Scanner
  65. Hack Tools Pc
  66. Hacking Tools For Windows
  67. Hack Website Online Tool
  68. Pentest Tools Online
  69. Computer Hacker
  70. Best Hacking Tools 2020
  71. Pentest Tools Online
  72. Hacking Tools For Kali Linux
  73. Hacking Tools Mac
  74. Pentest Tools Framework
  75. Hacking Tools Name
  76. Physical Pentest Tools
  77. Hack Tools Online
  78. Pentest Tools For Mac
  79. Underground Hacker Sites
  80. Hacker Tools Github
  81. Hacker Tools Hardware
  82. Hacking Tools Windows
  83. What Is Hacking Tools
  84. Hacking Tools Free Download
  85. Pentest Tools Url Fuzzer
  86. Hacking Tools For Windows Free Download
  87. Hack Tools For Mac
  88. Hack Tools 2019
  89. Pentest Tools Bluekeep
  90. Pentest Tools For Mac
  91. Pentest Tools Windows
  92. Black Hat Hacker Tools
  93. Pentest Tools For Windows
  94. Underground Hacker Sites
  95. Free Pentest Tools For Windows
  96. Hacker Tools Windows
  97. Nsa Hack Tools
  98. Hacking Tools For Kali Linux
  99. Hacking Tools Pc
  100. Hacker Hardware Tools
  101. Hack Tools 2019
  102. Pentest Tools Linux
  103. Hacking Tools Name
  104. Hack Apps
  105. Pentest Automation Tools
  106. Hacking Tools Windows
  107. Hacking Tools For Pc
  108. Hacker Hardware Tools
  109. Blackhat Hacker Tools
  110. Hack Tools Online
  111. Hacking Tools Github
  112. Hacking Tools Mac
  113. Hacker Tools Free
  114. Hacker Techniques Tools And Incident Handling
  115. Hacker Tools Windows
  116. Nsa Hack Tools Download
  117. Hacker Tools For Pc
  118. Pentest Tools For Mac
  119. Hacking Tools For Mac
  120. Hacking Tools For Windows Free Download
  121. Hack Rom Tools
  122. How To Install Pentest Tools In Ubuntu
  123. Tools 4 Hack
  124. Hack Tools Online
  125. Pentest Tools Nmap
  126. Best Hacking Tools 2019
  127. Hacker Security Tools
  128. Pentest Tools List
  129. Pentest Tools Apk
  130. Hacker Tools Online
  131. New Hack Tools
  132. Pentest Tools For Mac
  133. Pentest Tools For Android
  134. Hacking Apps
  135. Pentest Tools Review
Posted by at No comments:

Automating REST Security Part 3: Practical Tests For Real-World APIs

Automating REST Security Part 3: Practical Tests for Real-World APIs

If you have read our two previous blogposts, you should now have a good grasp on the structural components used in REST APIs and where there are automation potentials for security analysis. You've also learned about REST-Attacker, the analysis tool we implemented as a framework for automated analysis.

In our final blogpost, we will dive deeper into practical testing by looking at some of the automated analysis tests implemented in REST-Attacker. Particularly, we will focus on three test categories that are well-suited for automation. Additionally, we will look at test results we acquired, when we ran these tests on the real-world API implementation of the services GitHub, Gitlab, Microsoft, Spotify, YouTube, and Zoom.

Author

Christoph Heine

Overview

Undocumented Operations

The first test that we are going to look at is the search for undocumented operations. These encompass all operations that accessible to API clients despite not being listed in the API documentation. For public-facing APIs, undocumented operations are a security risk because they can expose functionality of the service that clients are not supposed to access. Consequences can range from information leakage to extensive modification or even destruction of the resources managed by the underlying service.

A good example for an operation that should not be available is write access to the product information of a webshop API. While read operations on stock amounts, prices, etc. of a product are perfectly fine, you probably don't want to give clients the ability to change said information.

In HTTP-based REST, operations are represented by the HTTP methods used in the API request (as explained in Part 1 of the blog series). Remember that API requests are essentially HTTP requests which consist of HTTP method (operation), URI path (resource address) and optional header or body data.

GET /api/shop/items

We can use the fact that REST operations are components from the HTTP standard to our advantage. First of all, we know that the set of possible operations is the same for all HTTP-based REST APIs (no matter their service-specific context) since each operation should map to a standardized HTTP method. As a result, we also have a rough idea what each operation does when it's applied to a resource, since it's based on the assigned purpose of the HTTP method. For example, we can infer that the DELETE method performs a destructive action a resource or that GET provides a form of read access. It also helps that in practice most APIs only use the same 4 or 5 HTTP methods representing the CRUD operations: GET, POST, PUT, PATCH, and DELETE.

If we know a URI path to a resource in the API, we can thus enumerate all possible API requests, simply by combining the URI with all possible HTTP methods:

GET    /api/shop/items POST   /api/shop/items PUT    /api/shop/items PATCH  /api/shop/items DELETE /api/shop/items

REST-Attacker's test case undocumented.TestAllowedHTTPMethod uses the same approach to find undocumented operations. With an OpenAPI description, the generation of API requests is extremely to automate as the description lists all defined URI paths. Since the API description also documents the officially supported operations, we can slightly optimize the search by only generating API requests for operations not documented for a path (which basically are the candicates for undocumented operations).

To find out whether an undocumented operation exist, we have to determine if the generated API requests are successful. Here, we can again rely on a standard HTTP components that are used across REST APIs. By checking the HTTP response code of the API, we can see whether the API request was rejected or accepted. Since the response codes are standardized like the HTTP methods, we can also make general assumptions based on the response code received. If the operation in the API request is not available, we would expect to get the dedicated response code 405 - Method Not Allowed in the response. Other 4XX response codes can also indicate that the API request was unsuccessful for other reasons. If the operation is accepted, we would expect the API response to contain a 2XX response code.

Using the same approach, we let REST-Attacker search for undocumented operations in all 6 APIs we tested. None of them exposed undocumented operations that could be identified by the tool, which means they would be considered safe in regards to this test. However, it's interesting to see that the APIs could responded very differently to the API requests sent by the tool, especially when considering the response codes.

API Response Codes
GitHub 401, 404
Gitlab 400, 404
MS Graph 400, 401, 403, 404
Spotify 405
YouTube 404
Zoom 400, 401, 403, 404, 405

Spotify's API was the only one that used the 405 response code consistently. Other APIs returned 400, 401, 403, or 404, sometimes depending on the path used in the the API request. It should be noted that the APIs returned 401 - Unauthorized or 403 - Forbidden response codes even when supplying credentials with the highest possible level of authorization. An explanation for this behaviour could be that the internal access checks of the APIs work differently. Instead of checking whether an operation on a resource is allowed, they may check whether the client sending the request is authorized to access the resource.

Credentials Exposure

Excessive Data Exposure from OWASP's Top 10 API Security Issues is concerned with harmful "verbosity" of APIs. In other words, it describes a problem where API responses contain more information than they should return (hence excessive exposure). Examples for excessive data exposure include leaks of private user data, confidential data about the underlying service, or security parameters of the API. What counts as excessive exposure can also depend on the application context of the underlying service.

Since the definition of excessive data exposure is very broad, we will focus on a particular type of data for our practical test: Credentials. Not only do credentials exist in some form for almost any service, their exposure would also have a significant impact on the security of the API and its underlying service. Exposed credentials may be used to gain higher privileges or even account takeovers. Therefore, they are a lucrative target for attacks.

There are several credential types that can be interesting for attackers. Generally, they fit into these categories:

  • long-term credentials (e.g., passwords)
  • short-term credentials (e.g., session IDs, OAuth2 tokens)
  • service-specific credentials for user content (e.g., passwords for files on a file-hosting service)

Long- and short-term credentials should probably never be returned under any circumstances. Service-specific credentials may be less problematic in some specific circumstances, but should still be handled with care as they could be used to access resources that would otherwise be inaccessible to an API client.

The question is: Where can we start looking for exposed credentials? Since they would be part of the API responses, we could scrape the parameters in the response content. However, we may not actually need to look at any response values. Instead, we can examine the parameter names and check for association with credentials. For example, a parameter names "password" would likely contain a type of credential. The reason this can work is that parameter names in APIs are generally descriptive and human-readable, a side effect of APIs often being intended to be used by (third-party) developers.

In REST-Attacker, credentials parameter search is implemented by the resources.FindSecurityParameters test case. The test case actually only implements an offline search using the OpenAPI description, as the response parameter names can also be found there. The implementation iterates through the response parameter names of each API endpoint and matches them to keywords associated with credentials such as "pass", "auth" or "token". This naive approach is not very accurate and can produce a number of false-positives, so the resulting list of parameters has to be manually checked. However, the number of candidates is usually small enough to be searched in a small amount of time, even if the API defines thousands of unique response parameters.

API Parameter Count Candidates long-term short-term service-specific
GitHub 2110 39 0 0 0
Gitlab 1291 0 0 0 0
MS Graph 32199 117 0 0 0
Spotify 290 6 0 0 0
YouTube 703 6 0 0 0
Zoom 800 96 0 0 2

5 out of 6 APIs we tested had no problems with exposed credentials.

Zoom's API was the only one which showed signs of problematic exposure of service-specific credentials by returning the default meeting password for meetings created via the API at an endpoint. It should be noted that this information was only available to approved clients and an required authorized API request. However, the credentials could be requested with few priviledges. Another problem was that Zoom did not notify users that this type of information was accessible to third-party clients.

Default Access Priviledges

The last test category that we are going to look at addresses the access control mechanisms of REST APIs. Modern access control methods such as OAuth2 allow APIs to decide what minimum priviledges they require for each endpoint, operation, or resource. In the same way, it gives them fine-grained control on what priviledges are assigned to API clients. However, for fine-grained control to be impactful, APIs need to carefully decide which priviledges they delegate to clients by default.

But why is it important that APIs assigned do not grant too many priviledges by default? The best practice for authorization is to operate on the so-called least priviledge principle. Basically, this means that a client or user should only get the minimum necessary priviledges required for the respective task they want to do. For default priviledges, the task is usually unspecified, so there are no necessary priviledges. In that case, we would expect an API to grant either no priviledges or the overall lowest functional priviledge level.

If the API uses OAuth2 as its access control method, we can easily test what the API considers default priviledges. In OAuth2, clients can request a specific level of priviledge via the scope parameter in the initial authorization request.

Including the scope parameter in the request is optional. If it's omitted, the API can deny the authorization request or - and that's what we are interested in - decide which scope it assigns to the authorization token returned to the client. By analyzing the default scope value, we can see whether the API adheres to the least priviledge principle.

REST-Attacker can automatically retrieve this information for configured OAuth2 clients with the scopes.TestTokenRequestScopeOmit test case. For every configured OAuth2 client, an authorization request without the scope parameter is sent to the OAuth2 authorzation endpoints of the API. The tool then extracts the scope that is assigned to the returned OAuth2 token. This scope value then has to be manually analyzed.

Out of the 6 APIs we tested, 2 (MS Graph and YouTube) denied requests without a scope parameter. The other 4 APIs (GitHub, Gitlab, Spotify, and Zoom) allowed omitting the scope parameter. Therefore, only the latter 4 APIs assigned default prviledges that could be analyzed.

API Assigned Scope Least Priviledge?
GitHub (none) Yes
Gitlab api No
Spotify (default) Yes*
Zoom all approved No

* OAuth2 scope with least priviledges

Interestingly, the extent to which a least priviledge principle was followed varied between APIs.

GitHub's API assigned the overall lowest possible priviledges by default via the (none) scope. With this scope, a client could only access API endpoints that were already publicly accessible (without providing authorization). While the scope does not grant more priviledges than a public client would get, the (none) scope had other benefits such as an increased rate limit.

In comparison, the Spotify API had no publicly accessible API endpoints and required authorization for every request. By default, tokens were assigned a "default" scope which was the OAuth2 scope with the lowest available priviledges and allowed clients to access several basic API endpoints.

Gitlab's and Zoom's API went into the opposite direction and assigned the highest priviledge to their clients by default. In Gitlab's case, this was the api scope which allowed read and write access to all API endpoints. Zoom required a pre-approval of scopes that the client wants to access during client registration. After registration, Zoom returned all approved scopes by default.

Conclusion

We've seen that while REST is not a clarly defined standard, this does not result in REST APIs being too complex for a generalized automated analysis. The usage of standardized HTTP components allows the design of simple yet effective tests that work across APIs. This also applies to other components that are used across APIs such as access control mechanisms like OAuth2. The practical tests we discussed worked on all APIs we tested, even if their underlying application contexts were different. However, we've also seen that most of the APIs were generally safe against these tests.

Tool-based automation could certainly play a much larger role in REST security, not only for finding security issues but also for filtering results and streamlining otherwise manual tasks. In the long run, this will hopefully also result in an increase in security.

Acknowledgement

The REST-Attacker project was developed as part of a master's thesis at the Chair of Network & Data Security of the Ruhr University Bochum. I would like to thank my supervisors Louis Jannett, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk for their continued support during the development and review of the project.

More information
  1. Hack Tools For Pc
  2. Top Pentest Tools
  3. Hacking Tools For Pc
  4. Pentest Tools Online
  5. Usb Pentest Tools
  6. Kik Hack Tools
  7. Hack Tools
  8. Pentest Tools Find Subdomains
  9. Hackers Toolbox
  10. Pentest Automation Tools
  11. Hacker Hardware Tools
  12. Hacker Tools For Pc
  13. Pentest Tools Framework
  14. How To Hack
  15. Pentest Tools For Android
  16. Hacker Tools Online
  17. Hacking Tools For Games
  18. Hackers Toolbox
  19. Pentest Tools Tcp Port Scanner
  20. Hackrf Tools
  21. Hacker Tools Apk
  22. Hacking Tools Mac
  23. Pentest Tools Open Source
  24. Pentest Tools List
  25. How To Install Pentest Tools In Ubuntu
  26. Hacking Tools Kit
  27. Kik Hack Tools
  28. Hack Tools For Mac
  29. Usb Pentest Tools
  30. Hacker Tools Online
  31. Pentest Box Tools Download
  32. Hacking Tools 2019
  33. Pentest Tools Free
  34. Hacker Tools Software
  35. Hacking Tools 2019
  36. Ethical Hacker Tools
  37. Hacker Hardware Tools
  38. Hacking Tools For Beginners
  39. Hacker Tools Windows
  40. Hacks And Tools
  41. What Are Hacking Tools
  42. Hacker Tools 2019
  43. Hacker Tool Kit
  44. Hacking Tools
  45. Hacker Search Tools
  46. Hacking Tools 2019
  47. Hack Tools
  48. Android Hack Tools Github
  49. Pentest Tools Android
  50. Pentest Tools Open Source
  51. Hacker Hardware Tools
  52. Physical Pentest Tools
  53. Blackhat Hacker Tools
  54. Hacker Tools Apk Download
  55. Hacker Tools Free
  56. Kik Hack Tools
  57. Tools For Hacker
  58. Hacking Tools Online
  59. Hacking Apps
  60. Hacker Tools Apk
  61. Hacker Tools For Ios
  62. Game Hacking
  63. Hacker Tools For Ios
  64. How To Install Pentest Tools In Ubuntu
  65. Hack Tool Apk
  66. Hackers Toolbox
  67. Hacker Tools Github
  68. Hack Tools For Windows
  69. Pentest Tools Website
  70. Best Pentesting Tools 2018
  71. Hacking Tools For Kali Linux
  72. Hack Tools For Ubuntu
  73. Pentest Tools Free
  74. Hacker Tools 2019
  75. Hacking Tools Windows
  76. Best Pentesting Tools 2018
  77. Pentest Tools Nmap
  78. Hackrf Tools
  79. Hackers Toolbox
  80. Nsa Hack Tools Download
  81. Hacking Tools Usb
  82. Hacker Tools Apk Download
  83. World No 1 Hacker Software
  84. Hacker Security Tools
  85. Nsa Hack Tools
  86. Nsa Hack Tools Download
  87. Hacking Tools For Pc
  88. Hacking Tools Windows
  89. Android Hack Tools Github
  90. Pentest Tools Nmap
  91. Hacker Tools
  92. Hacker Tools Free Download
  93. Hack Tools For Pc
  94. Hacker Hardware Tools
  95. Hack Tools Download
  96. Hacking App
  97. How To Install Pentest Tools In Ubuntu
  98. Hack Tools For Pc
  99. Computer Hacker
  100. Hackers Toolbox
  101. Hacker Tools List
  102. New Hacker Tools
  103. Pentest Tools Kali Linux
  104. Hack Tools
  105. Hack Tools
  106. Hacker Hardware Tools
  107. Ethical Hacker Tools
  108. Hack Tools Online
  109. Hacker Security Tools
  110. Hacking Apps
  111. Top Pentest Tools
  112. Hacking Tools Windows 10
  113. Hacks And Tools
  114. Pentest Tools Tcp Port Scanner
  115. Hacking App
  116. What Are Hacking Tools
  117. Hak5 Tools
  118. Hack Tools 2019
  119. Hacking Tools Online
Posted by at No comments:

DOWNLOAD BLACKMART ANDROID APP – DOWNLOAD PLAYSTORE PAID APPS FREE

Android made endless possibilities for everyone. It introduced a platform where are millions of apps that a user can download and buy depending on their needs. You're thinking about Google PlayStore, yes I am also talking about Google PlayStore. It's categorized app collection depending on every niche of life. Few of them are free and some of them are paid. Most of the paid apps are only charges small cost in between $2 to $8, but few apps are highly costly that make cost over $50 even, which is not possible for every user to buy and get benefit from it. So, here I am sharing a really useful app, that can make every Google PlayStore app for you to download it for free. You can download any paid app that may even cost about $50. It's totally free. Download blackmart Android app and download google play store paid apps freely.

DOWNLOAD BLACKMART ANDROID APP – DOWNLOAD PLAYSTORE PAID APPS FREE

  • It's extremely easy to use.
  • It has a Multilingual option for a global user experience.
  • The app doesn't ask for any payments.
  • Capable to download full of downloadable applications.
  • Super fast in downloading and installation.

Related articles


Posted by at No comments:
Subscribe to: Posts (Atom)

Remember...

If you want more information on any of these news updates, do feel free to call the office at any time! 02890673379
or email office@summermadness.co.uk
....or check out the rest of the SM website