Upwardly Mobile - API & App Security News

Episode NotesDescription:In this episode of Upwardly Mobile, we dive into one of the most pressing cybersecurity threats facing mobile carriers and their subscribers: eSIM swap fraud. While digital SIMs offer superior security against physical theft, they remain vulnerable to sophisticated credential-based attacks and social engineering that target the carrier's systems. We explain how this critical fraud operates and reveal the advanced, cloud-based technologies—App Attestation and Device Binding—that mobile operators are now deploying to verify user identity and device integrity in real time, effectively blocking fraudsters before a swap can be completed.The eSIM Swap ThreateSIM swapping is a form of identity fraud where an attacker convinces a mobile carrier to transfer a victim's phone number to a new eSIM under the attacker's control, often by impersonating the legitimate user remotely.• Attack Method: Attackers often gather personal details from public sources or breaches, then contact the carrier, claiming they need to transfer their number to a new device. Since no physical access is needed, the fraud relies entirely on weaknesses in the carrier’s authentication process.• The Impact: Once a swap is successful, the criminal gains full control over the victim's phone number. They can intercept calls, texts, and, critically, one-time security codes (OTPs) sent via SMS, allowing them to bypass two-factor authentication (2FA) for online banking, cryptocurrency exchanges, and other sensitive accounts, leading to massive financial loss.The Technical Solution: Attestation and BindingTo counter these remote, identity-based attacks, carriers are adopting a multi-layered verification approach focused on establishing the trustworthiness of the application and the hardware initiating the swap request.1. App AttestationThis technology focuses on verifying the integrity and legitimacy of the carrier's mobile application.• Verification: App Attestation confirms that the carrier's app being used is the genuine, untampered version downloaded directly from an official app store.• Prevention: It detects if the app has been modified with malicious code or is running in a compromised environment, such as an emulator. If an attacker attempts to use a fake or compromised version of the carrier’s app to initiate a fraudulent eSIM swap request, app attestation detects and blocks that request.2. Device BindingDevice Binding provides a cryptographic link between a user's account and the unique hardware characteristics of their trusted device.• Secure Link: When a user first logs in, a secure link is created between the app and the device's hardware IDs.• Suspicion Flagging: If a request for an eSIM swap is later initiated from a different, unverified device, the system flags the activity as suspicious, regardless of whether the attacker has stolen credentials. The system can then require additional verification steps or outright deny the unauthorized transfer.This combined approach shifts the security decision-making from the potentially compromised user device to a secure cloud service, making it extremely difficult for attackers to bypass checks through client-side tampering or reverse-engineering.Comprehensive Security Layers for Mobile CarriersBeyond app and device verification, mobile carriers are advised to strengthen defenses through systemic controls:• Stricter Authentication: Implementing secure authentication processes for eSIM transfers, including demanding extra layers like verbal confirmation or a photo ID.• Device Fingerprinting: Binding eSIM profiles to unique device hardware IDs to prevent unauthorized cloning or reuse across multiple devices.• Advanced Analytics: Leveraging AI-Driven Fraud Detection and machine learning to monitor network activity for anomalies, such as unusual call volumes or multiple simultaneous activations, which might signal digital SIM Box fraud schemes.• User Protection Features: Offering tools like Verizon's "SIM Protection," which allows customers to lock lines on their account, prohibiting any transaction requiring a new SIM/eSIM transfer until manually unlocked (with a possible 15-minute delay when unlocking).Protect Yourself: User Best PracticesUsers must also adopt strong security habits to minimize risk:• Prioritize App-Based 2FA: Always use authenticators like Google Authenticator or Authy over SMS-based two-factor authentication (2FA) for critical accounts, as SMS codes can be intercepted post-swap.• Secure Your Carrier Account: Set a strong password and add an account PIN or passcode with your carrier to prevent unauthorized changes.• Stay Vigilant: Immediately contact your carrier if you notice unexpected loss of cellular service, unusual account alerts, or unauthorized charges, which are common signs of a successful eSIM hack.--------------------------------------------------------------------------------SponsorThis episode is brought to you by Approov, pioneers in Mobile App and Device Security. Learn how Approov’s App Attestation and Device Binding solutions safeguard your mobile transactions and prevent sophisticated fraud.Visit: approov.ioThis content was created in partnership and with the help of Artificial Intelligence AI

In this episode, we're diving deep into Apple's groundbreaking Memory Integrity Enforcement (MIE), an unprecedented effort poised to redefine the landscape of mobile security, and we'll also explore the broader spectrum of threats targeting the iOS ecosystem.Apple's Memory Integrity Enforcement (MIE) is the culmination of a half-decade of intensive design and engineering, combining the unique strengths of Apple silicon hardware with advanced operating system security. Apple believes MIE represents the most significant upgrade to memory safety in the history of consumer operating systems. This comprehensive, always-on protection is designed to provide industry-first memory safety across Apple devices, all without compromising device performance.The Driving Force: Combating Mercenary Spyware While the iPhone has never experienced a successful, widespread malware attack, Apple's focus for MIE is primarily on the mercenary spyware and surveillance industry. These highly sophisticated threats, often associated with state actors, utilize exploit chains that can cost millions of dollars to target a small number of specific individuals. A common denominator in these advanced attacks, whether targeting iOS, Windows, or Android, is their reliance on memory safety vulnerabilities. MIE aims to disrupt these highly effective exploitation techniques that have been prevalent for the last 25 years.How MIE Works: A Three-Pronged Defense MIE is built on a robust foundation of hardware and software innovations:1. Secure Memory Allocators: Apple's efforts in memory safety include developing with safe languages like Swift and deploying mitigations at scale. Key to MIE are its secure memory allocators, such as kalloc_type (introduced in iOS 15 for the kernel) and xzone malloc (for user-level in iOS 17), alongside WebKit's libpas. These allocators use type information to organize memory, thwarting attackers' goals of creating overlapping interpretations of memory to exploit use-after-free and out-of-bounds bugs.2. Enhanced Memory Tagging Extension (EMTE): Building on Arm's 2019 Memory Tagging Extension (MTE) specification, Apple conducted deep evaluations and collaborated with Arm to address weaknesses, leading to the Enhanced Memory Tagging Extension (EMTE) specification in 2022. MIE rigorously implements EMTE in strictly synchronous, always-on mode, a crucial factor for real-time defensive measures in adversarial contexts. EMTE prevents common memory corruption types:    ◦ Buffer Overflows: The allocator tags neighboring allocations with different secrets. If memory access spills over into an adjacent allocation with a different tag, the hardware blocks it, and the operating system can terminate the process.    ◦ Use-After-Free Vulnerabilities: Memory is retagged when reused. If a request uses an older, invalid tag for retagged memory, the hardware blocks it. EMTE also specifies that accessing non-tagged memory from a tagged region requires knowing that region’s tag, making it harder for attackers to bypass EMTE.3. Tag Confidentiality Enforcement: This critical component protects the implementation of Apple's secure allocators and the confidentiality of EMTE tags, even against side-channel and speculative-execution attacks. Apple's silicon implementation prevents tag values from influencing speculative execution, a vulnerability seen in other MTE implementations. Furthermore, MIE addresses Spectre variant 1 (V1), a speculative-execution vulnerability, with a mitigation designed for virtually zero CPU cost, making it impractical for attackers to leak tag values and guide attacks.Impact and Availability Memory Integrity Enforcement is built right into Apple hardware and software in all iPhone 17 and iPhone Air models, offering unparalleled, always-on memory safety protection for key attack surfaces, including the kernel and over 70 userland processes. Importantly, MIE was designed to deliver groundbreaking security with minimal performance impact, remaining completely invisible to users. Apple is also making EMTE available to all developers in Xcode as part of the new Enhanced Security feature. Extensive evaluations by Apple's offensive research team have confirmed that MIE dramatically reduces the exploitation strategies available to attackers, making it extremely difficult to rebuild exploit chains.Beyond MIE: Other Threats to iOS Devices While MIE targets memory corruption, the iOS ecosystem faces a range of other threats:• Application-Level Threats: These include various forms of malware, such as TouchID malware, Yispecter, and AceDeceiver, which exploit design flaws or trick users. More widespread are leaky applications (greyware), representing 61% of iOS apps, which legally collect and silently forward unnecessary personal data like location, contacts, and photos to third parties.• Network-Level Threats: iOS devices are as exposed to network-related threats as any other operating system. These include Man-In-The-Middle (MITM) attacks, where communications are intercepted or altered via unprotected WiFi hotspots or spoofing. Phishing and Smishing are the most detected network threats on mobile devices, trapping users through malicious links in emails or SMS. Rogue cell towers can also trick devices into connecting, allowing interception of calls, SMS, and data.• Device-Level Threats: OS vulnerability exploits occur when cybercriminals leverage public security holes in outdated iOS versions (e.g., Pegasus spyware). Jailbroken devices bypass iOS security checks, making them more vulnerable to malicious applications. Finally, unmanaged or malicious profiles can be configured to send all transiting data to external servers, crushing data privacy.Organizations like Pradeo offer solutions such as Mobile Threat Defense (MTD) and Mobile Application Security Testing to provide full protection for mobile fleets and applications, safeguarding data and ensuring compliance with data privacy regulations.--------------------------------------------------------------------------------Relevant Links to Source Materials:• For deeper insights into Apple's Memory Integrity Enforcement, refer to the "Memory Integrity Enforcement: A complete vision for memory safety in Apple devices" research by Apple Security Engineering and Architecture (SEAR).• To understand broader iOS threats, consult the "iOS SECURITY REPORT: THREATS TARGETING APPLE MOBILE DEVICES" white paper by Pradeo.Sponsored by: Enhance your mobile API security with Approov. Visit them at approov.io.--------------------------------------------------------------------------------Keywords: Apple security, Memory Integrity Enforcement (MIE), iOS security, memory safety, mercenary spyware, EMTE, secure allocators, buffer overflows, use-after-free, speculative execution, cyber threats, mobile security, iPhone security, hardware security, software security, enterprise mobility, mobile malware, leaky applications, Man-In-The-Middle, phishing, jailbreaking, OS vulnerabilities, Pradeo Security, API security, mobile API protection, device integrity.This content was created in partnership and with the help of Artificial Intelligence AI

The App Store Freedom ActEpisode Description: In this episode of Upwardly Mobile, we unpack the App Store Freedom Act, a landmark bipartisan bill aiming to reform the highly concentrated mobile app marketplace dominated by tech giants like Apple and Google. Introduced by Representative Kat Cammack (R-FL) and co-sponsored by Representative Lori Trahan (D-MA), this legislation addresses significant concerns about anti-competitive practices, consumer choice, and developer freedom.The Coalition for App Fairness (CAF), an independent nonprofit advocating for consumer choice and a level playing field for app developers, applauds the bill's bipartisan support, seeing it as a crucial step to dismantle "mobile walled gardens". We explore the bill's key provisions, which include allowing users to choose third-party app stores, install apps outside of official stores, and delete pre-installed applications. The Act also seeks to remove limitations on communication between developers and users, cap commissions on payments outside default systems, and mandate data sharing for app developers.However, the App Store Freedom Act isn't without its critics. We delve into the concerns raised by the American Action Forum, particularly regarding potential overlaps with existing antitrust law and recent rulings like Apple v. Epic Games. A major point of contention is the security implications: opening up app stores could lead to a significant influx of fraudulent apps, data theft, and unverified third-party providers, potentially compromising the "walled garden" security benefits that currently protect users. We also discuss how while the bill might expedite FTC enforcement, it could bypass crucial antitrust requirements, potentially overlooking pro-consumer behaviors by app store providers. Join us as we explore the multifaceted debate surrounding this pivotal piece of tech legislation.Key Discussion Points:• The Problem: Anti-competitive practices and lack of consumer freedom in mobile app stores controlled by Apple and Google.• The Bill's Purpose: To foster competition, enhance consumer choice, and create a level playing field for app developers globally.• Core Provisions of the App Store Freedom Act (H.R.3209):    ◦ Interoperability: Users can choose default third-party app stores, install apps from outside sources, and hide/delete pre-installed apps.    ◦ Open App Development: Requires covered companies to provide developers with access to interfaces, hardware, and software features on equivalent terms.    ◦ Prohibitions: Bans requirements for specific in-app payment systems, prevents punitive actions against developers using alternative pricing or payment methods, and protects legitimate business communications between developers and users.    ◦ Nonpublic Business Information: Prohibits covered companies from using developer data to compete against those apps.• Enforcement: Violations are treated as unfair or deceptive acts by the Federal Trade Commission (FTC), with potential civil penalties up to $1,000,000 per violation. State attorneys general can also bring civil actions.• Overlap with Existing Law & Apple v. Epic Games: Discussion on whether new legislation is fully necessary given previous court rulings that addressed similar anti-steering practices.• Security Concerns: Analysis of how opening the "walled garden" could impact user safety, potentially leading to fraudulent apps, stolen data, and unverified third-party providers.• Balancing Act: The trade-offs between promoting competition and maintaining user security and convenience.Relevant Source Materials for this Summary:• "CAF Applauds Bipartisan Support for App Store Freedom Act - Coalition for App Fairness"• "Evaluating the App Store Freedom Act - AAF"• "Text - H.R.3209 - 119th Congress (2025-2026): App Store Freedom Act | Congress.gov | Library of Congress"Sponsor: This episode of Upwardly Mobile is brought to you by Approov.io. Secure your APIs and mobile apps against fraud and abuse. Visit approov.io to learn more.Keywords: App Store Freedom Act, digital markets, app store regulation, Apple, Google, anti-competitive practices, consumer choice, app developers, mobile apps, Open App Markets Act, Apple v. Epic Games, FTC, security concerns, H.R.3209, mobile walled gardens, competition policy, tech legislation, digital monopoly, software development, consumer protection, privacy.  --------------------------------------------------------------------------------This content was created in partnership and with the help of Artificial Intelligence AI

Episode Title: Anatsa Unleashed: How a Sophisticated Android Banking Trojan Targets Over 830 Financial Apps GloballyIn this episode of "Upwardly Mobile," we dive deep into the alarming evolution of Anatsa, a potent Android banking trojan that has significantly expanded its reach, now setting its sights on over 830 financial applications worldwide. First identified in 2020, Anatsa (also known as Teabot or Troddler) grants its operators full control over infected devices, enabling them to perform fraudulent transactions and steal critical bank information, cryptocurrencies, and various other data on behalf of victims.What You'll Learn in This Episode:• Anatsa's Expanded Targets: Discover how the Anatsa banking trojan has broadened its scope to include more than 150 new banking and cryptocurrency applications, extending its malicious campaigns to mobile users in new countries like Germany and South Korea.• Deceptive Distribution Methods: Understand the cunning ways Anatsa spreads, primarily through decoy applications found on the official Google Play Store. These seemingly harmless apps often masquerade as useful tools like PDF viewers, QR code scanners, or phone cleaners, accumulating over 50,000 downloads in some cases. Once installed, they silently fetch a malicious payload disguised as an update from Anatsa's command-and-control (C&C) server.• Advanced Evasion Techniques: Learn about Anatsa's sophisticated anti-analysis and anti-detection mechanisms, designed to evade security measures. These include decrypting strings at runtime using dynamically generated Data Encryption Standard (DES) keys, performing emulation and device model checks, and periodically altering package names and installation hashes. The malware even hides its DEX payload within corrupted archives that bypass standard static analysis tools.• How Anatsa Compromises Devices: Find out how Anatsa requests and automatically enables critical accessibility permissions upon installation. This allows it to display overlays on top of legitimate applications, tamper with notifications, receive and read SMS messages, and ultimately present fake banking login pages to steal credentials. The trojan also incorporates keylogging capabilities.• Industry Response: Hear about the efforts of cybersecurity firms like Zscaler, which identified and reported 77 nefarious applications distributing Anatsa and other malware families, collectively accounting for over 19 million downloads. While Google has since removed these reported applications and states that Google Play Protect offers automatic protection, the continuous evolution of Anatsa highlights the ongoing threat.Protect Yourself: Cybersecurity experts advise Android users to always verify the permissions that applications request and ensure they align with the intended functionality of the app.--------------------------------------------------------------------------------Relevant Links to Source Materials:• Source 1: SecurityWeek Article on Anatsa: "Anatsa Android Banking Trojan Now Targeting 830 Financial Apps"• Source 2: Zscaler ThreatLabz Report: "Anatsa’s Latest Updates | ThreatLabz"• Source 3: BSI Report on Anatsa: "BSI - Anatsa / Teabot"--------------------------------------------------------------------------------Sponsor: This episode of "Upwardly Mobile" is brought to you by Approov Mobile Security. Learn more about securing your mobile applications at approov.io.--------------------------------------------------------------------------------Keywords: Anatsa, Android banking trojan, mobile security, cybersecurity, financial apps, Google Play, malware, credential theft, keylogging, fraudulent transactions, Zscaler, threat intelligence, Android malware, cryptocurrency, mobile banking, data protection, Teabot, Troddler, anti-analysis, C&C server.This content was created in partnership and with the help of Artificial Intelligence AI

Apple's iOS Obfuscation Dilemma: App Store Rejection & Developer Security ChallengesIn this vital episode of "Upwardly Mobile," we dive deep into the complexities of mobile app security within the healthcare sector, particularly concerning the HIPAA Security Rule and the challenges of iOS code obfuscation and App Store review. As telemedicine and mobile access to ePHI (Electronic Protected Health Information) become ubiquitous, understanding and implementing robust security measures is no longer optional—it's imperative. What You'll Learn in This Episode:The Evolving Threat Landscape for Healthcare Apps: Discover how the rapid adoption of mobile healthcare apps by both patients and practitioners has created new, data-rich attack surfaces for hackers. This includes apps used for consultations, prescription refills, appointment scheduling, accessing test results, and even those associated with medical devices.Limitations of Traditional Security: We explore why traditional security approaches and even robust TLS (Transport Layer Security) are often insufficient for protecting mobile healthcare apps and their APIs, particularly due to the unique exposure of mobile app code and device environments. Xcode's native build settings like symbol stripping and dead code stripping are primarily for optimization and offer no meaningful protection against determined reverse-engineering efforts.Proposed Improvements to the HIPAA Security Rule: Learn about Approov's specific recommendations to strengthen the updated HIPAA Security Rule (initially proposed in June 2024), focusing on mobile apps accessing ePHI. Key proposed changes include mandating:App Attestation: A proven technique to ensure only genuine, unmodified apps can access APIs.Runtime Device Attestation: Continuous scanning and real-time reporting of device environments to block requests from compromised devices.Dynamic Certificate Pinning: Essential for protecting communication channels from Man-in-the-Middle (MitM) attacks, even when traffic is encrypted.API Secret Protection: Explicit guidelines to ensure API keys are never stored in mobile app code and are delivered only as needed to verified apps.Runtime Zero Trust Protection of Identity Exploits: Additional controls like app and device attestation to provide an extra layer of zero-trust security against credential stuffing and identity abuse.Breach Readiness and Service Continuity: Extending incident response plans to cover third-party breaches and explicitly managing API keys and certificates during a breach.The Role of OWASP MASVS: Understand how the OWASP Mobile Application Security Verification Standard (MASVS) serves as the industry standard for mobile app security, offering guidelines for developers and testers. We specifically highlight MASVS-RESILIENCE for hardening apps against reverse engineering and tampering.The iOS Obfuscation Dilemma: Unpack the conflict faced by developers in regulated industries like fintech and healthcare: the critical need to protect proprietary algorithms and sensitive logic through code obfuscation versus the risk of rejection by Apple's App Store. Apple's guidelines are ambiguously enforced, often flagging aggressive obfuscation as an attempt to "trick the review process".Third-Party Obfuscation Solutions: Since Xcode provides no built-in true obfuscation features, we discuss the imperative for advanced third-party solutions. Learn about techniques like symbol renaming, string encryption, control flow obfuscation, and dummy code insertion. We also touch upon leading commercial tools like Guardsquare's iXGuard, Zimperium's Mobile Application Protection Suite (MAPS), and Appdome, as well as LLVM-based obfuscators.Obfuscation as a Compliance Control: Discover why code obfuscation and Runtime Application Self-Protection (RASP) are fundamental technical safeguards for HIPAA compliance and meeting the requirements of PCI DSS, even if not explicitly named in the regulations.Strategic Recommendations for Implementation: Get insights on implementing a risk-based tiered approach to app protection, integrating obfuscation into your CI/CD pipeline, and transparently communicating your security posture to the App Store review team to mitigate rejection risks.Tune in to gain a comprehensive understanding of securing your mobile health applications in today's complex digital environment! Relevant Links & Resources:Sponsor: Learn more about app and API security solutions from Approov: approov.ioApproov Blog: Injecting Mobile App Security into The HIPAA Healthcare Security Rule: approov.io/blog/injecting-mobile-app-security-into-the-hipaa-healthcare-security-ruleOWASP Mobile Application Security (MAS) Project: owasp.org/www-project-mobile-app-securityOWASP Mobile Application Security Verification Standard (MASVS): mas.owasp.org/MASVS/03-Using_the_MASVS/Keywords: Mobile App Security, Healthcare, HIPAA, ePHI, API Security, Code Obfuscation, iOS Security, App Store Review, App Attestation, Runtime Application Self-Protection (RASP), PCI DSS, OWASP MASVS, Man-in-the-Middle (MitM) Attacks, API Keys, Zero Trust, Telemedicine, Virtual Healthcare, Mobile Health, Cybersecurity, Enterprise Security, Data Protection, Compliance, InfoSec, Privacy, Digital Health. This content was created in partnership and with the help of Artificial Intelligence AI

Securing the Autonomous Frontier: Defending Apps and APIs from Agentic AI ThreatsEpisode Notes In this episode of Upwardly Mobile, we delve into the critical and rapidly evolving landscape of Agentic AI security. As artificial intelligence advances beyond reactive responses to become autonomous systems capable of planning, reasoning, and taking action without constant human intervention, the need for robust security measures has become paramount. These intelligent software systems perceive their environment, reason, make decisions, and act to achieve specific objectives autonomously, often leveraging large language models (LLMs) for their core reasoning engines and control flow. The Rise of Agentic AI and Magnified Risks Agentic AI is rapidly integrating into various applications across diverse industries, from healthcare and finance to manufacturing. However, this increased autonomy magnifies existing AI risks and introduces entirely new vulnerabilities. As highlighted by the OWASP Agentic Security Initiative, AI isn’t just accelerating product development; it's also automating attacks and exploiting gaps faster than ever before. LLMs, for instance, can already brute force APIs, simulate human behavior, and bypass rate limits without triggering flags. Key security challenges with Agentic AI include:- Poorly designed reward systems, which can lead AI to exploit loopholes and achieve goals in unintended ways.- Self-reinforcing behaviors, where AI escalates actions by optimizing too aggressively for specific metrics without adequate safeguards.- Cascading failures in multi-agent systems, arising from bottlenecks or resource conflicts that propagate across interconnected agents.- Increased vulnerability to sophisticated adversarial attacks, including AI-powered credential stuffing bots and app tampering attempts.- The necessity for sensitive data access, making robust access management and data protection crucial.The OWASP Agentic Security Initiative has identified a comprehensive set of threats unique to these systems, including:- Memory Poisoning and Cascading Hallucination Attacks, where malicious or false data corrupts the agent's memory or propagates inaccurate information across systems.- Tool Misuse, allowing attackers to manipulate AI agents to abuse their integrated tools, potentially leading to unauthorized data access or system manipulation.- Privilege Compromise, exploiting weaknesses in permission management for unauthorized actions or dynamic role inheritance.- Intent Breaking & Goal Manipulation, where attackers alter an AI's planning and objectives.- Unexpected Remote Code Execution (RCE) and Code Attacks, leveraging AI-generated code environments to inject malicious code.- Identity Spoofing & Impersonation, enabling attackers to masquerade as AI agents or human users.- Threats specific to multi-agent systems like Agent Communication Poisoning and the presence of Rogue Agents, where malicious agents infiltrate and manipulate distributed AI environments.Essential Mitigation Strategies for Agentic AI Defending against these advanced threats requires a multi-layered, adaptive security approach. Our sources outline several crucial best practices for both app and API security: 1. Foundational App Security Best Practices:- Continuous Authentication: Move beyond session-based authentication. Implement behavioral baselines, short-lived tokens, session fingerprinting, and re-authentication on state changes to ensure the right user is in control.- Detecting AI-Generated Traffic: Employ behavioral anomaly detection, device and environment fingerprinting, adaptive challenge-response mechanisms, and input entropy measurement to identify and block sophisticated AI bots.- Secure APIs as Crown Jewels: Implement strict input validation, rate limiting per user/IP/API key, authentication/authorization at every endpoint, request signing, replay protection, and detailed logging.- Zero Trust Architecture: Assume no part of your infrastructure is inherently trusted. Enforce identity and access management at every layer, segment networks, use mutual TLS between services, and continuously monitor for unusual access patterns.- Harden MFA Workflows: Mitigate MFA fatigue attacks by moving away from push notifications as the primary MFA method, preferring hardware tokens or TOTP, and limiting approval attempts with exponential backoff.- LLM-Aware Security Filters: If your app uses LLMs, implement context-aware input sanitization, prompt filtering layers, output monitoring for hallucinations, and rate limit suspicious query patterns.- Encrypt and Obfuscate Client-Side Code: Protect intellectual property and reduce attack surface by obfuscating code, encrypting sensitive strings, implementing runtime code splitting, and avoiding embedding secrets in client code.- Train Detection Systems with Synthetic Attacks: Use AI-generated synthetic attack simulations to train ML classifiers for anomaly detection, turning AI's offensive power into a defensive advantage.- Adopt Secure-by-Design Principles: Integrate security into every phase of the development lifecycle, validating inputs, enforcing least privilege, using static/dynamic code analysis, and automating dependency management.- Stay Compliant with Emerging AI Security Standards: Implement transparent logging and audit trails for AI interactions, ensure explainability, follow data minimization principles, and prepare for AI risk management certifications.2. API-Specific Defenses for Agentic AI:- Design for API Security by Default: Apply secure-by-design principles, enforce HTTPS/TLS 1.3, use least-privilege permissions, and implement strong authentication/authorization with dynamically-scoped tokens.- Identify & Monitor AI-Agent Traffic: Include agentic endpoints in API discovery and monitor traffic in real-time using AI-backed analytics to detect anomalous behavior.- Context-Aware Guardrails & Threat Modeling: Develop tailored agentic AI threat models like MAESTRO or SHIELD/ATFAA and implement LLM-aware guardrails to enforce boundaries.- Authenticate & Audit AI Agent Identities: Treat each agent as a non-human identity, enforce strong credential hygiene, rotate secrets, and audit identity posture.- Input/Output Filtering & Prompt Hygiene: Defend against prompt injection through sanitization, prompt separation, and adversarial testing. Enforce data hygiene for agent memory to mitigate poisoning attacks.- Continuous Authentication & Rate Limiting: Avoid long-lived sessions with continuous authentication and use strict rate limiting to prevent bots from chaining tasks or overwhelming endpoints.- Use Adaptive Security Tools & AI-Based Defense: Deploy API security platforms with real-time anomaly detection and consider a "good-guy" AI to inspect agent intents.- Red-Teaming & Continuous Testing: Simulate attacks like memory poisoning, prompt injection, and privilege misuse to uncover vulnerabilities proactively.- Training & Governance: Educate teams on agent-specific vulnerabilities and establish agent lifecycle governance with approval flows, isolation environments, and human-in-the-loop checkpoints.3. OWASP's Mitigation Playbooks: The OWASP Agentic Security Initiative provides structured mitigation strategies organized into playbooks, addressing specific threat categories:- Preventing AI Agent Reasoning Manipulation: Focuses on reducing attack surface, implementing agent behavior profiling, preventing goal manipulation, and strengthening decision traceability.- Preventing Memory Poisoning & AI Knowledge Corruption: Involves securing AI memory access, detecting/responding to poisoning, and preventing the spread of false knowledge.- Securing AI Tool Execution & Preventing Unauthorized Actions: Emphasizes restricting AI tool invocation, monitoring/preventing tool misuse, and preventing resource exhaustion.- Strengthening Authentication, Identity & Privilege Controls: Covers secure AI authentication mechanisms, restricting privilege escalation, and detecting/blocking AI impersonation attempts.- Protecting Human-in-the-Loop (HITL) & Preventing Decision Fatigue Exploits: Aims to optimize HITL workflows, identify AI-induced human manipulation, and strengthen AI decision traceability.- Securing Multi-Agent Communication & Trust Mechanisms: Focuses on securing AI-to-AI communication, detecting/blocking rogue agents, and enforcing multi-agent trust and decision security.Companies like https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola offer patented mobile app attestation technology that ensures only genuine, unmodified apps running in trusted environments can access backend services and APIs, providing real-time verification, dynamic API shielding, and secure credential management to mitigate AI-driven credential leaks. By combining traditional API security fundamentals with agent-specific strategies, mobile developers can transform APIs from vulnerabilities into resilient trust boundaries, capable of resisting threats posed by autonomous, goal-oriented AI agents.Relevant Links:- Rocket Farm Studios: 10 App Security Best Practices for AI Threats - Learn more about securing apps against AI-driven threats: https://www.rocketfarmstudios.com/blog/10-app-security-best-practices-for-ai-threats/- https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/This content was created in partnership and with the help of Artificial Intelligence AI

The Future of App Development with Vibe Coding and ApproovDescription: In this episode of Upwardly Mobile, we delve into the exciting, fast-paced world of "vibe coding" and rapid app development, where concepts can transform into functional Minimum Viable Products (MVPs) in days, not weeks. We discuss how intuitive, AI-powered platforms like Lovable are enabling developers to build full-stack web applications using plain English, focusing on the "vibe" of the application rather than getting bogged down in traditional coding complexities.However, this speed comes with significant security risks. We explore the critical case of the Tea dating app data breach, a women-only dating advice app that suffered an extensive hack exposing users' direct messages and photos, including an additional 59,000 images and DMs. Experts like Ted Miracco, CEO at mobile security maker Approov, emphasized that Tea lacked adequate security protections and "rushed to market," exposing consumers. The breach highlighted a systemic problem: the real attack surface for mobile apps often lies in their backend APIs, which are not inherently secured by app store vetting processes like Apple's or Google's. Attackers were able to reverse-engineer the mobile client and access sensitive data through an insecure, unauthenticated API.So, how can you build fast without sacrificing security? We introduce Approov, a security solution designed to ensure that only genuine instances of your app, running on safe devices, can access your APIs. Approov protects against various threats, including malicious bots, tampered apps, credential stuffing, and API abuse. Key defenses Approov offers include App Attestation, Ephemeral API Keys, Dynamic Certificate Pinning, RASP (Runtime Application Self-Protection), and Real-time Monitoring.For early-stage startups, Approov has launched a "Founder-Friendly Tier," providing core security features at a price point and scale that makes sense for new ventures, helping to bridge the gap between rapid development and robust security. Making security a priority from day one offers a powerful advantage: it boosts investor confidence, builds user trust, and prevents costly, time-consuming security retrofits down the line. As the sources suggest, "secure APIs are the new uptime," and security should be seen as a differentiator, not a tax.Key Takeaways:• Vibe coding and platforms like Lovable enable incredibly fast app development, allowing quick market entry and iteration.• Rapid development can introduce significant security vulnerabilities, especially at the API level, as demonstrated by the Tea app data breach.• Approov provides essential mobile and API security solutions, including a new Founder-Friendly Tier, to protect apps from launch through scaling.• Prioritizing security from the start enhances investor confidence and user trust, proving to be an "unfair advantage" in the competitive app market.Relevant Links:• CBS News: Tea dating app disables direct messaging as it investigates data breach: https://www.cbsnews.com/news/tea-dating-app-data-breach-cbs-news/• VIBE Apps | Fast to Market, Risky to Deploy? The Security Debt in Rapid App Development: https://www.linkedin.com/pulse/vibe-apps-fast-market-risky-deploy-security-debt-rapid-approov-mobile-security• From Vibe to Venture: A Guide to Building and Securing Your App: https://approov.io/blog/from-vibe-to-venture Sponsor: This episode is brought to you by Approov Mobile Security. Learn more about securing your mobile app and APIs, including the new Founder-Friendly Tier, at approov.io.Keywords: vibe coding, app development, mobile security, API security, data breach, Tea app, Lovable, Approov, startup security, founder-friendly tier, fast to market, app launch, investor confidence, user trust, cybersecurity, no-code, low-code, app protection, digital securityThis content was created in partnership and with the help of Artificial Intelligence AI

Apple's Enduring Browser Engine Ban: A Global Standoff for the Open WebDescription:In this episode of Upwardly Mobile, we delve into Apple's persistent ban on third-party browser engines on iOS, a restriction that continues to stifle competition and limit the capabilities of web applications. Despite growing global pressure and explicit legal mandates like the EU's Digital Markets Act (DMA), Apple has maintained technical and contractual barriers that make it commercially unviable for other browser vendors like Google and Mozilla to offer their own engines on iOS. We explore why this ban matters for consumers, developers, and the future of the open internet.Key Discussion Points:• The Unique Ban: Apple is the only "gatekeeper" that imposes a ban on third-party browser engines, forcing all browsers on iOS to use its proprietary WebKit engine. This prevents genuine browser competition and limits the functionality and performance of web apps, hindering their ability to compete with native apps• Apple's Justifications vs. Reality:    ◦ Apple claims its restrictions are for security, privacy, and system integrity. Apple's representatives, like Kyle Andeer and Gary Davis, assert that browser vendors have "everything they need" and have simply "chosen not to" port their engines.    ◦ However, critics argue that Apple uses security and privacy as an "elastic shield" for its financial interests. Evidence does not suggest material differences in security performance between WebKit and alternative engines. Browser vendors, with their strong security track records, could even improve iOS security by competing• Barriers to Entry: The primary obstacles preventing alternative browser engines on iOS include:    ◦ Loss of existing EU users: Browser vendors are forced to create entirely new apps, meaning they must abandon current users and start from scratch in the EU. This single requirement "destroys the business case".    ◦ No web developer testing outside EU: Developers globally cannot test their web software on third-party engines on iOS for EU users.    ◦ Hostile legal terms: Apple's contractual conditions are "harsh, one-sided, and incompatible with the DMA".    ◦ Uncertainty on updates for travelers: Apple has not confirmed that browser updates (including security patches) will not be disabled if an EU user travels outside the EU for more than 30 days.• Regulatory Pressure and Compliance:    ◦ EU Digital Markets Act (DMA): Explicitly prohibits gatekeepers from requiring the use of their web browser engine.The DMA demands "effective compliance" and prohibits undermining obligations through technical or contractual means. Despite 15 months, no browser vendor has successfully ported an engine, indicating Apple's non-compliance.    ◦ Japan's Smartphone Act (MSCA): Passed and will directly prohibit Apple's ban by December 2025. Guidelines clarify that actions that hinder adoption, not just outright bans, are prohibited. It also mandates fair API access and prompt choice screens at initial smartphone setup.    ◦ UK Competition and Markets Authority (CMA): Provisionally designated Apple (and Google) with "Strategic Market Status," highlighting Apple's browser engine ban and suppression of web app competition. The UK sees strong enforcement as crucial for economic growth and innovation, especially for startups.• Why Apple Resists: It's fundamentally about protecting revenue.    ◦ Google Search Deal: Safari is Apple's "highest margin product," bringing in $20 billion annually from Google for default search engine status. Losing even 1% browser market share means a $200 million annual revenue loss.    ◦ App Store Revenue: By limiting web app capabilities, Apple protects its App Store revenue, estimated at $27.4 billion in 2024. Web apps could replace most phone apps, and even a 20% shift could mean a $5.5 billion annual loss for Apple.    ◦ User Lock-in: The ban also contributes to user lock-in, making it harder for consumers to switch devices or operating systems, as seen with iMessage.• The Path Forward: Regulators and advocates, like Open Web Advocacy, call for firm intervention to compel Apple to make necessary changes. Key fixes include allowing browsers to update existing apps with their own engines, enabling global web developer testing, granting full hardware and content filtering API access, and allowing third-party browsers to manage and install web apps.Conclusion: The fight for browser competition on iOS is a global issue, not just a regional one. With the EU, Japan, and the UK now directly addressing Apple's ban, 2026 is poised to be a decisive year in restoring browser competition and ensuring the web remains an open, interoperable platform.Sponsor: This episode is brought to you by Approov, ensuring secure mobile API access for your apps. Learn more at approov.io.Sources/Further Reading:• "Apple's Browser Engine Ban Persists, Even Under the DMA" - Open Web Advocacy• "Japan: Apple Must Lift Browser Engine Ban by December" - Open Web Advocacy• "UK Regulator Flags Apple’s iOS Browser Engine Ban in Draft SMS Designation" - Open Web AdvocacyKeywords: Apple, iOS, Browser Engine Ban, DMA, Digital Markets Act, WebKit, Safari, Open Web Advocacy, Browser Competition, Web Apps, App Store, Google, Mozilla, UK CMA, Japan Smartphone Act, Antitrust, Market Power, Revenue, Gatekeeper, Tech Regulation, Monopoly, Interoperability, Mobile Software Competition Act, SMS.This content was created in partnership and with the help of Artificial Intelligence AI

Beyond the Beta: iOS 26 Features, AI, and Next-Gen App SecurityThis episode of Upwardly Mobile dives deep into Apple's groundbreaking iOS 26 update, exploring its transformative new features, the much-anticipated AI integrations, and crucial security considerations for developers. From the visually stunning Liquid Glass design to advanced app attestation requirements, we cover everything you need to know about Apple's latest mobile operating system. iOS 26 Key Features & User Experience iOS 26 marks a significant generational leap for Apple's mobile operating system, moving directly from iOS 18 to align naming with other Apple platforms, and is considered the biggest OS update since iOS 7. It introduces a bold new design and more AI-powered features.Design & Visuals: Experience Liquid Glass, Apple's new cohesive design language, which visually transforms widgets and the dock for a sleek, immersive interface. You’ll also notice improved animations in the Camera and Photos apps, ensuring smoother transitions. For drivers, customizable CarPlay wallpapers automatically adapt to light and dark modes, providing a visually pleasing transition between day and night.AI-Powered Innovations: Benefit from AI-powered notification summaries that streamline your alerts. Two highly anticipated phone features include Call Screening, which picks up unknown numbers, asks the caller's purpose, and shows a live transcript, allowing you to decide whether to answer. Its companion, Hold Assist, listens to hold music for you and alerts you the instant a real person is available.Enhanced App Experiences: The Weather app now offers "significant locations" for hyper-localized forecasts based on your frequently visited destinations. The Podcasts app provides custom playback options to fine-tune your listening. Safari now includes haptic feedback for downloads, offering tactile confirmation of completed actions.User Security & Privacy: A redesigned passcode screen simplifies access, and updated password settings offer greater control over website permissions. The "Reduce Loud Sounds" feature automatically lowers excessive audio levels to protect your hearing. Additionally, App Store age ratings have been revamped with new categories (13+, 16+, and 18+) and enhanced parental controls, ensuring a safer digital environment for younger users.Getting Your Hands on iOS 26 Anyone with a compatible iPhone can test iOS 26 features ahead of its official release. Apple opened its developer program to everyone for free in 2023, allowing users to load the developer beta right now.Compatibility: iOS 26 supports iPhone 11 and newer models, including the forthcoming iPhone 17 series. This includes any A13 Bionic handset forward, while the iPhone XR/XS generations are not included.Apple Intelligence Compatibility: For the headline Apple Intelligence features, you'll specifically need an iPhone 16 model or the iPhone 15 Pro/Pro Max.Installation Steps: To install, visit the Apple Developer site on the device you plan to update, sign in with your Apple ID, agree to the terms, and enable Developer Mode in Settings > Privacy and Security. Then, navigate to Settings > General > Software Update > Beta Updates and choose the "iOS 26 Developer Beta" option. The download size is approximately 15.28GB.Important Warning: The iOS 26 developer beta is primarily meant for developers, not for day-to-day use. Early builds often contain bugs that can cause apps to crash, drain your battery, overheat your phone, and generally make your device sluggish. It’s generally smarter to stick with the public beta (expected very soon) for your main iPhone unless you need to test software. Always archive a backup of your device before installing any beta software to prevent data loss.iOS 26 Security: A Developer's Imperative For apps handling sensitive or high-value data, such as those in fintech, healthcare, or enterprise sectors, iOS 26 strongly signals the need to implement multi-layer security measures beyond Apple's default protections.Rising API-Level Threats: Most security incidents today are focused on the backend and API, where attackers exploit app behavior to reverse-engineer API calls and then use bots, scripts, or tampered apps to access sensitive data. Crucially, Apple’s native device security does not inherently protect APIs.Beyond Apple’s App Attest: While Apple’s built-in App Attest API is a helpful tool, it does not work reliably on jailbroken devices, rendering it insufficient on its own for robust security, especially for high-value apps.The Power of Third-Party App Attestation (Sponsor Highlight): To ensure that API calls originate only from unaltered, legitimate app instances, strong app attestation mechanisms are essential. Third-party attestation solutions, such as Approov, are critical for comprehensive protection. These solutions offer:Detection of rooted/jailbroken devices, preventing tokens from being issued to apps on compromised devices.Resistance against runtime manipulation tools like Frida or Magisk.Dynamic API key delivery and certificate pinning, which avoids embedding static keys in code or resources and enforces strict server identity verification (Mutual TLS).Continuous verification of the app environment's integrity during use.Runtime Application Self-Protection (RASP): With the increasing sophistication of attack tools, iOS apps should actively protect themselves at runtime. RASP capabilities detect and respond to various threats, including runtime manipulation, debugging and hooking attempts, and unauthorized code injection. When debuggers are detected, sessions can be terminated. Sensitive logic and API call structures should also be obfuscated.Preparing for Sideloading (EU DMA): With legislation like the Digital Markets Act (DMA) forcing Apple to allow more third-party services and sideloading in the EU, app security can no longer rely solely on the App Store's "walled garden". Developers must prepare for multi-channel app distribution by validating app signatures post-distribution and embedding anti-repackaging measures that invalidate modified builds.Continuous Monitoring & DevSecOps: It is vital to integrate continuous threat monitoring, supporting dynamic policy updates and telemetry-based threat intelligence ideally with cloud-based control planes. Security should be integrated directly into CI/CD pipelines, scanning every build for secrets and insecure code. Automated tools like the Approov CLI should be utilized for secure app registration and deployment.Compliance & Privacy: Ensure GDPR/CCPA compliance by not collecting Personally Identifiable Information (PII) via security SDKs, maintaining access logs for tokens and policy changes, and configuring policy-driven access control based on region, device, or user group rules.Conclusion: iOS 26 sets a new standard for operating systems, offering a blend of innovative features, enhanced security, and expanded content options. For developers building high-value apps, this update serves as a strong cue to double down on multi-layer security strategies that go beyond Apple’s default offerings. Sponsor: This episode is brought to you by Approov. Learn more about securing your mobile APIs and protecting your apps from advanced threats at approov.io. Keywords: iOS 26, Apple, iPhone, AI features, Liquid Glass, Call Screening, Hold Assist, App Security, API Security, App Attestation, RASP, Runtime Application Self-Protection, Sideloading, Digital Markets Act (DMA), Jailbroken devices, Approov, Mobile Security, Cybersecurity, Fintech apps, Healthcare apps, Enterprise apps, iOS 26 Beta, Developer Tools, Mobile App Development, Threat Detection, Apple Intelligence, OS Update, Tech News. This content was created in partnership and with the help of Artificial Intelligence AI

Mobile-First Security: The Urgent Lessons from the Tea App BreachIn this focused segment of Upwardly Mobile, we unpack the recent Tea app breach, a sobering case study that highlights the critical need for a robust mobile-first cybersecurity strategy and proper API security. The Tea app, a women's dating safety application that rapidly climbed to the top of the free iOS App Store listings and reached the No. 1 spot on Apple's US App Store, claiming over 1.6 million users, was designed to allow women to exchange information about men to enhance safety. A key feature involved new users verifying their identity by uploading a selfie. The company confirmed a major security breach, stating they had "identified authorized access to one of our systems". Preliminary findings revealed access to approximately 72,000 user images. This alarming exposure included:13,000 images of selfies and photo identification documents, such as driver's licenses, which users had submitted during the account verification process.59,000 publicly viewable images from posts, comments, and direct messages within the app.The exposed images reportedly originated from a "legacy data system" that held information from more than two years prior. Posts on Reddit and 404 Media indicated that these sensitive user images, including faces and IDs, were posted on the anonymous online messageboard 4chan, with one post explicitly stating, "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" and highlighting "No authentication, no nothing. It's a public bucket". Users from 4chan claimed to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, as the source of the vulnerability. According to Ted Miracco, Chief Executive Officer of Approov Limited, the Tea app breach is a stark example of a "systemic failure in API security". He attributes this failure to several critical oversights:Broken access controls. (BOLA)Weak authentication.Missing transport protections.Absent runtime safeguards.Miracco emphasizes that such failures are "not inevitable" but are "preventable with disciplined engineering, proper API defenses, and a real commitment to protecting user trust". This incident highlights a common pitfall where companies "rush apps to market, driven by subscriber growth and churn metrics, while privacy and security are sidelined". The broader lesson from the Tea app breach underscores how mobile apps introduce significant risk to an organization's back-end services. Mobile apps serve as a "front door to the back end," and a mobile device effectively holds "the secret key to the front door" – the key to server-side APIs. The increasing reliance on numerous server-side APIs accessed via mobile devices creates growing security exposure, especially since many APIs are often not adequately protected. Shockingly, up to half of APIs may lack basic usernames and passwords, and their access keys can be easily stolen from various locations, including mobile device files, server-side files, or even decompiled application source code. Hackers, by gaining control over their own devices, can easily reverse engineer apps and steal crucial API keys, which then allow them to build scripts to attack back-end corporate services undetected. Failing to protect API keys is likened to "putting all your money in a safe place in the home but not locking the front door". This breach serves as a powerful reminder that organizations must prioritize mobile security as a central component of their cybersecurity strategy, rather than an afterthought.This content was created in partnership and with the help of Artificial Intelligence AI

Unlocking True Mobile & API Security in the Cloud AgeWelcome to "Upwardly Mobile", the podcast dedicated to navigating the complex world of mobile and cloud security! In this episode, we dive deep into why mobile app security and API security are not just technical concerns, but fundamental business imperatives for organisations of all types, from agricultural giants like John Deere to popular dating apps such as Hinge. We explore how the traditional reliance on static defences like code obfuscation is no longer sufficient against today's sophisticated, AI-powered threats, and what a truly resilient, Zero Trust-based security strategy looks like.Why Mobile & API Security Matters to Everyone in Your Organisation: The consequences of neglecting mobile app and API security are severe, ranging from massive data breaches to reputational damage and direct impacts on business operations. Here’s why key stakeholders deeply care:• Operational Leadership & Executives (e.g., C-suite): For companies like John Deere, insecure APIs and mobile apps can lead to attackers accessing, altering, or deleting "sensitive business information related to a farm's operations", resulting in "competitive disadvantage or even sabotage". For dating apps like Hinge, the core business relies on user trust, and API flaws, often exploited via the mobile app, can expose "vast amount of Personally Identifiable Information (PII) for other users", leading to "catastrophic for user acquisition, retention, and the company's survival". The ultimate "consequences of vulnerabilities—such as data breaches affecting billions and leading to hundreds of billions in losses"—fall under their purview.• Security Teams (e.g., CISO, Security Architects): Their mandate is to implement a "holistic" security approach that "protect[s] the app, its communications, and the API". They understand that "APIs are the true target" for attackers and that "a vulnerable mobile app communicating with a misconfigured cloud backend is a recipe for disaster". They are tasked with implementing "robust AppSec Strategy" and "strong Cloud Security Posture Management (CSPM)" to prevent "service disruption" and "full system compromise".• Legal & Compliance Teams: Mobile app and API vulnerabilities, as seen in e-hailing apps, can expose "vast amount of Personally Identifiable Information (PII)". This necessitates their involvement due to potential "severe privacy violations, massive user exodus, and significant legal and regulatory repercussions" associated with data breaches and non-compliance with data protection regulations.• Engineering & Development Teams: These teams are "directly responsible for 'building secure code for both the mobile app and the backend'". They must implement "secure development practices" and are critically concerned with "improper handling of secrets" like API keys, which are often hardcoded and easily extracted.• Marketing & Brand Management Teams: A breach of sensitive user data dueating to API or mobile app vulnerabilities would "severely damage the brand's reputation and trust", directly impacting efforts to attract and retain users.The Flaws in Traditional Mobile Security:• Obfuscation is Not Enough: While code obfuscation aims to deter reverse engineering and IP theft, it is a "thin veil, not an impenetrable shield". It offers "minimal protection against threats that manifest during runtime" and is "ineffective secret protection" as secrets must eventually be in cleartext memory. It can also create a "false sense of security" and is increasingly vulnerable to "modern tools and AI" which can automate deobfuscation.• APIs are the True Target: Attackers are increasingly bypassing the mobile app itself and "targeting the backend APIs directly". APIs provide a "direct pathway to backend application logic and sensitive data stores", making them prime targets for "credential stuffing, account takeover (ATO), scraping, and business logic abuse". Recent incidents involving e-hailing and delivery apps, Experian, and John Deere highlight common flaws like https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola and insecure access controls that exposed vast amounts of PII and operational data.The Solution: Embracing Dynamic, Zero Trust Runtime Protection:To address modern threats, a decisive shift from static, pre-deployment security to a "dynamic, runtime-centric model rooted in Zero Trust principles" is essential. This approach entails:• Zero Trust Architecture: This model mandates "never trust, always verify", requiring continuous, runtime verification of devices, users, and networks for access to critical resources. It emphasizes that "trust is never implicit" and acknowledges that traditional static checks and one-time authentication are insufficient. Zero Trust requires "external, cryptographically verifiable measurements that originate outside the app and cannot be forged or intercepted" to avoid a "circular trust problem".• Key Dynamic Defenses:    ◦ https://approov.io/mobile-app-security/rasp/: Acts as the app's "internal bodyguard", detecting and preventing real-time attacks from within the application. It identifies threats like reverse engineering attempts, code tampering, execution on compromised environments (root/jailbreak), and the presence of hooking frameworks. RASP provides "real-time protection" and "zero-day potential" by detecting anomalous behaviour.    ◦ https://approov.io/mobile-app-security/rasp/app-attestation/: This crucial process verifies the "authenticity and integrity of the mobile application instance and its runtime environment" before granting API access. It ensures that only "genuine, untampered app instances" running in a safe environment can interact with APIs, effectively solving the "‘What’ vs. ‘Who’ Problem" (validating the client app in addition to the user). This blocks automated bots, scripts, and tampered apps.    ◦ https://approov.io/mobile-app-security/rasp/runtime-secrets/: This robust solution eliminates the need to hardcode sensitive credentials like API keys directly into the app. Instead, secrets are stored securely in a backend service and delivered "just-in-time" to the validated app instance only after passing rigorous app attestation checks. This protects against both static and dynamic extraction of secrets.    ◦ Dynamic Channel Protection (Dynamic Pinning): Overcomes the brittleness of traditional static certificate pinning. This approach securely retrieves the current, valid set of pins dynamically over the air from a trusted management service (after attestation). This ensures "robust MitM Protection" against Man-in-the-Middle attacks while offering "flexibility and maintainability" for certificate rotations without requiring app updates.• Defense in Depth: An "optimal mobile security strategy employs a defense-in-depth approach, leveraging both static and dynamic techniques". While static analysis and obfuscation can still identify coding errors early, they must be "complemented by robust dynamic and runtime defenses". For applications handling sensitive data or critical functions, dynamic security measures are "fundamental requirements for achieving adequate resilience against modern threats".Empowering Your Mobile-to-Cloud Connection with Approov: Solutions like Approov Mobile Security play a vital role in securing the communication channel between your genuine mobile app and the cloud backend. Approov provides a "unique, patented runtime shielding solution" that focuses on:• Mobile App Attestation: Verifying the integrity of the running mobile app to ensure it's genuine and untampered, preventing bots and modified apps from accessing APIs.• API Request Verification: Cryptographically binding API requests to an attested app instance, ensuring only legitimate requests are processed.• Runtime Secrets Protection: Eliminating hardcoded API keys by securely delivering short-lived tokens to attested apps on demand.• Dynamic Pinning: Providing secure, over-the-air updates for certificate pins, ensuring tamper-proof communication between the app and API. Approov enables "https://approov.io/knowledge/ota-updates-are-essential-for-securing-mobile-apps" for security policies, pin configurations, and attestation logic, allowing instant responses to new threats without requiring app releases. It offers analytics and reporting for monitoring, auditing, and compliance.By adopting a comprehensive AppSec strategy that includes strong cloud security practices and innovative solutions, organisations can significantly reduce their attack surface and protect their users and valuable data.Don't leave your back door open – and ensure only trusted visitors can reach your front door!--------------------------------------------------------------------------------Sponsored by: Approov Visithttps://approov.io to learn how Approov can safeguard your mobile apps and APIs with advanced runtime protection, app attestation, and secure secrets management.--------------------------------------------------------------------------------Keywords: Mobile App Security, API Security, Cloud Security, AppSec, Zero Trust, RASP, App Attestation, Runtime Secrets Protection, Dynamic Pinning, Code Obfuscation, Data Breach, PII, Cyber Security, Digital Transformation, EnterThis content was created in partnership and with the help of Artificial Intelligence AI

Crypto Under Siege: Billions Lost in H1 2025 and the Battle for Web3 Security**Episode Description:**The first half of 2025 has witnessed an unprecedented surge in cyberattacks against cryptocurrency exchanges, leading to billions of dollars in stolen digital assets [1-3].In this episode of "Upwardly Mobile," we delve into the alarming statistics from CertiK's latest report and dissect the most significant incidents, including the Coinbase data breach and the Bybit hack [1, 2, 4]. Discover the evolving tactics employed by sophisticated attackers—from insider threats and social engineering to supply chain attacks and wallet compromises—and explore the critical security measures and technologies platforms are implementing to safeguard user funds and rebuild trust in the volatile Web3 landscape [5-11].Key Takeaways:• Record-Breaking Losses in H1 2025: Approximately $2.47 billion in cryptocurrency was stolen through hacks, scams, and exploits in the first half of 2025, already surpassing the total amount lost in all of 2024 [1-3]. According to CertiK, when accounting for confirmed, unrecovered losses, the net figure stands at $2.29 billion, exceeding last year's adjusted total of $1.98 billion [3].• Major Incidents Driving Losses: Two significant events accounted for nearly $1.78 billion of the total losses in H1 2025 [3]:    ◦ Bybit Breach (February 2025): Hackers stole an estimated $1.4 billion from the Dubai-based exchange in an attack linked to Lazarus, a state-sponsored North Korean APT group [1]. This incident largely contributed to wallet compromise being the costliest attack vector [6].    ◦ Cetus Protocol Incident: This decentralized exchange (DEX) on Sui lost $225 million due to hackers using spoofed tokens and price manipulation [6].• Coinbase Under Attack:    ◦ May 2025 Data Breach (Insider Threat/Social Engineering): Hackers bribed and coerced a small group of overseas customer support agents to steal sensitive customer data, including names, dates of birth, partial Social Security numbers, masked bank account numbers, addresses, phone numbers, and emails [4]. While no login credentials or private keys were obtained, this data was used for social engineering attacks [4]. Coinbase refused a $20 million extortion attempt and instead established a $20 million reward fund for information leading to the attackers' arrest [12]. The estimated financial impact for Coinbase is between $180 million and $400 million, including voluntary customer reimbursements for funds lost to social engineering [12]. This incident highlighted the critical risk of insider threats and the need for enhanced real-time endpoint security and data loss prevention (DLP) [5, 7].    ◦ March 2025 GitHub Action Supply Chain Attack: Coinbase was an initial target of a supply chain attack on GitHub Action, exploiting a public continuous integration/continuous delivery flow [5]. Coinbase successfully detected and mitigated this issue [5].• Evolving Attack Vectors:    ◦ Social Engineering and Phishing: These tactics remain highly lucrative, with scammers evolving methods to trick victims into revealing sensitive information or transferring funds [6, 13]. Phishing was the most costly attack vector in Q2 2025, with over $395 million lost, surpassing previous periods [14].    ◦ Wallet Compromise: This has been the costliest attack vector overall in H1 2025 due to major incidents like the Bybit hack [6].    ◦ Infrastructure-Level Breaches: More than 80% of stolen funds in 2025 have resulted from breaches where hackers gain significant access to core infrastructure [7].    ◦ Targeting Employees/Contractors: The Coinbase incident specifically illustrates a growing trend of cybercriminals bribing or coercing individuals with legitimate system access [7].    ◦ Supply Chain Attacks: Exploiting vulnerabilities in third-party tools or service providers, often through weak APIs or compromised software updates [10].    ◦ Malware Attacks: Including Advanced Persistent Threats (APTs) and keylogging for credential theft [15].• Strengthening Defenses: Crypto exchanges are implementing comprehensive security frameworks and multi-layered approaches to build resilience [11]:    ◦ Advanced Wallet Technologies: Utilizing Multi-Party Computation (MPC) Wallets to eliminate single points of failure by never reconstructing private keys in full [9, 16], alongside robust hot-warm-cold storage architectures [16].    ◦ Enhanced Security Protocols: Implementing Multi-Factor Authentication (MFA), biometric verification, and real-time transaction notifications [8].    ◦ Strong Governance Policies: Multi-approval policies for high-risk actions [8].    ◦ Insider Threat Detection: Robust detection and prevention systems are crucial [7].    ◦ Continuous Monitoring: Real-time monitoring of API activity and system updates [10].    ◦ Compliance: Adherence to international security standards like SOC 2 and ISO 27001 provides built-in compliance assurance [17].Relevant Links to Source Materials:• Excerpts from "Crypto Losses Surpass $2.47 Billion in H1 2025, CertiK Report Reveals Alarming Rise in Phishing Attacks" • Excerpts from "How Crypto Exchanges Get Hacked: Understanding the Growing Threat Landscape" **Sponsor Message:**This episode of Upwardly Mobile is brought to you by Approov. In a world where mobile apps are crucial for engaging customers and employees, Approov provides advanced mobile app protection against reverse engineering, tampering, and automation. Secure your APIs and protect your critical data with Approov. (Note: The information regarding Approov.io is not from the provided sources and should be independently verified.) Learn more at approov.io.**Keywords:**Cryptocurrency, Crypto exchange hacks, Cyberattacks 2025, Web3 security, Coinbase hack, Bybit breach, CertiK report, Social engineering, Insider threat, Supply chain attack, Crypto losses H1 2025, Digital asset security, Blockchain security, Phishing attacks, Wallet compromise, MPC wallets, Data breach, Cybersecurity for crypto, Decentralized finance, DeFi.This content was created in partnership and with the help of Artificial Intelligence AI

In this episode of Upwardly Mobile, we delve deep into the sophisticated world of Konfety malware and explore how remote app attestation provides a crucial defence against its cunning tactics.Konfety employs an "evil twin" method, creating malicious versions of legitimate apps that share the same package name and publisher IDs as benign "decoy twin" apps found on official app stores. This allows the malware to spoof legitimate traffic for ad fraud and other malicious activities.Konfety's "evil twins" are distributed through third-party sources, malvertising, and malicious downloads, effectively bypassing official app store security checks. To evade detection, Konfety employs sophisticated obfuscation and evasion techniques. These include dynamic code loading, where malicious code is decrypted and executed at runtime from an encrypted asset bundled within the APK. It also manipulates APK structures through tactics like enabling the General Purpose Flag bit 00 (which can cause some tools to incorrectly identify the ZIP as encrypted and request a password) and declaring unsupported compression methods (such as BZIP) in the AndroidManifest.xml (which can result in partial decompression or cause analysis tools like APKTool or JADX to crash). Other stealth techniques involve suppressing app icons, mimicking legitimate app metadata, and applying geofencing to adjust its behaviour by region. The malware leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. Users may experience redirects to malicious websites, unwanted app installs, and persistent spam-like browser notifications. The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection.So, how does remote app attestation combat such a resilient threat? Remote app attestation is a security mechanism where a mobile app proves its identity and integrity to a trusted remote server. This process typically involves the mobile app generating a unique "fingerprint" or "evidence" of its current state, often using hardware-backed security features like Trusted Execution Environments or Secure Enclaves. This evidence includes measurements of the app's code, data, and the device's security posture (e.g., whether the bootloader is locked, if the device is rooted, or if it's running an official OS). This evidence is then sent to a trusted remote server, often an attestation service, for verification. The attestation service compares the received evidence against a known good baseline or policy, checking if the app is genuine and unmodified, if the code running is the expected untampered version, and if the device it's running on is secure and hasn't been compromised. Based on this verification, the server provides a "verdict," which determines whether the app is allowed to proceed with sensitive operations (like accessing premium content or making transactions).Remote app attestation provides specific protections against Konfety by:• Detecting "Evil Twins": Even if the "evil twin" spoofs a package name, its underlying code and environment measurements would likely differ from the legitimate app. The attestation service would detect this mismatch, as the "fingerprint" wouldn't match the expected genuine app.• Preventing Tampering: Konfety's manipulation of APK structures and dynamic code loading aims to hide malicious activity. Remote attestation, particularly if it includes code integrity checks and runtime environment monitoring, would detect these unauthorized modifications or the execution of unapproved code.• Identifying Compromised Devices: If Konfety relies on a rooted or otherwise compromised device to operate, remote app attestation can identify these device security issues, allowing the backend to deny service to that device.• Backend Control: A key benefit is that the decision of trust is made on a secure backend, not on the potentially compromised mobile device itself. This makes it much harder for Konfety to spoof or interfere with the attestation process.Organisations like Zimperium offer on-device Mobile Threat Defence (MTD) solutions and zDefend which are noted to protect customers against Konfety malware's new evasion techniques. HUMAN's Satori Threat Intelligence Team originally uncovered the Konfety operation in 2024, and their Human Defense Platform is stated to protect customers from its impacts.While remote app attestation isn't a silver bullet against all malware, it provides a strong defence against the specific techniques used by Konfety by verifying the authenticity and integrity of the app and its environment before allowing it to interact with critical backend services. Please note that the source materials were provided as excerpts, and direct hyperlinks to the full articles are not available.--------------------------------------------------------------------------------Keywords: Konfety malware, evil twin apps, mobile app security, remote app attestation, ad fraud, Android malware, obfuscation, dynamic code loading, APK manipulation, CaramelAds SDK, cyber security, mobile threats, Zimperium, HUMAN Security, app integrity, device compromise, malvertising, fraud detection, mobile security solutions, threat intelligence.This content was created in partnership and with the help of Artificial Intelligence AI

The Fitify Fiasco: Unpacking 138K Private Progress Photos, 206K Profile Photos & Hardcoded App SecretsWelcome to Upwardly Mobile! In today's episode, we dive deep into the recent massive data leak involving the popular iOS fitness app, Fitify, affecting over 25 million users globally. We'll explore the critical security vulnerabilities exposed and discuss how adherence to standards like OWASP MASVS and advanced solutions like Approov can protect your mobile apps and user data. The Fitify Fiasco: The Cybernews research team recently uncovered a significant data breach with Fitify, a widely used iOS fitness app. Their investigation revealed that 373,000 sensitive user files, including a staggering 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket. Critically, these files lacked password protection or encryption at rest, meaning anyone could access them. Many of these exposed "progress pictures" and "body scans" were taken with minimal clothing to better showcase body changes, making the exposure highly sensitive for users tracking weight loss or muscle growth. Other leaked data included 206,000 user profile photos, 13,000 AI coach message attachments (which may include images or text), and 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture). The leak was discovered on May 7th, 2025, and after Cybernews contacted the company, Fitify Workouts s.r.o. closed the unprotected instance on June 9th, 2025. Security Gaps Highlighted: Despite Fitify's Google App Store description clearly stating that "data is encrypted in transit", Cybernews found a severe lack of basic access controls, which poses serious privacy risks. The fact that user data could be accessed without any passwords or keys demonstrated that it was not encrypted at rest. Furthermore, researchers discovered hardcoded secrets embedded directly within the app's code. These included Google API and Client IDs, Firebase database URLs, Facebook tokens (such as Facebook App ID and Client Token), and even an Algolia API key, which was notably not disclosed in Fitify's privacy policy. These exposed credentials could potentially enable attackers to access backend infrastructure, impersonate users, or inject malicious content. This issue is not isolated; Cybernews's broader research found that 71% of 156,000 iOS apps analyzed leak at least one secret, with an average of 5.2 secrets per app. Understanding Mobile App Security with OWASP MASVS: This incident underscores the importance of adhering to robust mobile application security standards like the OWASP Mobile Application Security Verification Standard (MASVS). MASVS serves as an industry standard and a comprehensive framework for mobile software architects, developers, and security testers to ensure the development of secure mobile applications. It categorizes security controls into various groups:MASVS-STORAGE: Addresses the secure storage of sensitive data on a device (data-at-rest), a critical area directly violated by the Fitify leak.MASVS-NETWORK: Focuses on secure network communication between the mobile app and remote endpoints (data-in-transit). While Fitify claimed encryption in transit, the publicly accessible bucket points to fundamental network security misconfigurations in data storage.MASVS-CODE: Covers security best practices for data processing and keeping the app up-to-date, directly related to the problem of hardcoded secrets and securing credentials.MASVS-PRIVACY: Aims to protect user privacy, which was severely compromised in this breach due to the sensitive nature of the leaked progress photos.The OWASP Mobile Top 10 risks also highlight prevalent issues in mobile app security, such as static reverse engineering (ranked 9th) and code tampering (ranked 8th), which are common techniques used by attackers to uncover hardcoded secrets and manipulate app behavior. Shielding Your App: Solutions with Approov: The Fitify leak demonstrates the critical need for advanced mobile app and API protection beyond basic security measures. Approov offers a runtime shielding solution that effectively protects mobile apps, their APIs, and the communication channel between them from automated attacks. Approov works by using a cryptographically signed "Approov token" to allow the app to provide proof of its authenticity, ensuring that only a genuine, untampered mobile app running in an uncompromised environment can access your APIs. Key Approov capabilities relevant to preventing such leaks and attacks include:Runtime Secrets Protection: This feature allows hardcoded API keys and other sensitive secrets to be removed directly from the app's code and instead securely managed in the Approov cloud. These secrets are only delivered to verified, legitimate app instances at runtime. This directly addresses the hardcoded secrets vulnerability found in Fitify.MASVS-R Resilience against Reverse Engineering and Tampering: Approov significantly enhances an app's resilience. It integrates diverse detection mechanisms to identify and respond to threats such as rooted or jailbroken devices, attached debuggers, app tampering, the presence of widely used reverse engineering tools (e.g., Frida), and apps running in emulators or cloners.MASVS-L2 SSL Pinning: Approov provides dynamic certificate pinning as a defense-in-depth measure to secure TLS connections. This helps prevent Man-in-the-Middle (MitM) attacks by ensuring the app only communicates with trusted backend endpoints. A powerful aspect is that these pins can be updated over-the-air without requiring a new app release, simplifying DevOps processes.By blocking illegitimate requests, Approov prevents the exploitation of stolen user credentials, known or "zero-day" vulnerabilities, malicious business logic manipulation, and large-scale MitM attacks. Actionable Takeaways: This incident serves as a stark reminder for both developers and users. Developers must prioritize secure coding practices, implement robust access controls and encryption for all data storage (at rest and in transit), and avoid hardcoding sensitive information. For users, it highlights the critical importance of scrutinizing privacy policies, understanding what data is collected and how it's stored, and being cautious about sharing sensitive personal information through mobile applications. Relevant Links:Fitify Privacy Policy: https://gofitify.com/privacy-policyApple World Today report: "Cybernews claims iOS Fitify app has a massive data leak"Cybernews report: "Fitify app exposes 138K user progress photos"OWASP Mobile Security Project: For more on mobile app security standards and testing guidesSponsor: Approov Mobile Security: Learn how to protect your apps and APIs from sophisticated attacks at approov.ioKeywords: Fitify, Data Leak, Mobile App Security, iOS, Fitness App, Privacy, PII, Personal Data, Google Cloud, Hardcoded Secrets, API Security, OWASP, MASVS, Approov, Runtime Shielding, SSL Pinning, Authentication, Authorization, Reverse Engineering, Tampering, Jailbreak, Rooting, Man-in-the-Middle (MitM), Zero-Day Vulnerabilities, Cybernews, Data Breach Prevention, Digital Health, App Vulnerabilities, Mobile Privacy, Cyber Attack. This content was created in partnership and with the help of Artificial Intelligence AI

In this episode of Upwardly Mobile, we dive deep into the critical, yet often underestimated, world of mobile app security. Drawing on recent research, we uncover a staggering misalignment between perception and reality, highlighting why organizations are facing an average of nine mobile app security incidents per year, with an average financial toll reaching $6.99 million in 2025.While 93% of organizations believe their mobile app protections are sufficient, a substantial 62% have experienced at least one security incident in the past year. The repercussions extend beyond financial losses, including application downtime, sensitive data leaks, erosion of consumer trust, and a diminished user experience.We explore why traditional security measures, particularly code obfuscation, are no longer enough. Obfuscation, while deterring casual attackers, is ultimately a deterrent, not a preventative measure, offering minimal protection against runtime threats, dynamic analysis, and AI-assisted reverse engineering.The real target for modern attackers is increasingly Application Programming Interfaces (APIs). Mobile apps serve as entry points to exploit backend APIs for credential stuffing, data scraping, and business logic abuse, none of which static defenses can prevent. The weaponization of Artificial Intelligence (AI) further escalates these threats, enabling automated botnets, adaptive malware, and accelerated vulnerability discovery.The solution? A crucial shift towards a dynamic, runtime-centric security model rooted in Zero Trust principles. This approach demands continuous monitoring and verification, moving beyond static, pre-deployment checks to protect apps during execution.Key elements of this essential dynamic security strategy include:• Mobile Runtime Application Self-Protection (RASP): Acting as the app’s internal bodyguard, RASP detects and responds to runtime threats like debuggers, tampering, root/jailbreak, and hooking frameworks, offering real-time protection and contextual awareness.• App Attestation & API Request Validation: This is a standout feature, ensuring that only requests truly originating from your official, unmodified mobile app, running on a non-compromised device, are allowed to access your backend APIs. This effectively blocks bots, scripts, tampered apps, and mitigates API abuse.• Runtime Secrets Protection: This critical measure removes sensitive secrets (like API keys) from the app's code entirely. Instead, secrets are delivered securely at runtime, just-in-time, and only to attested apps, preventing extraction through reverse engineering.• Dynamic Channel Protection (Dynamic Pinning): Unlike brittle static certificate pinning, dynamic pinning allows for secure, over-the-air updates of certificate pins, ensuring continuous protection against Man-in-the-Middle (MitM) attacks without requiring app store updates.We also differentiate between leading mobile app security solutions:• Guardsquare, with products like DexGuard and iXGuard, excels in client-side mobile app protection, focusing on code obfuscation, hardening, and RASP to make the app's code incredibly difficult to compromise on the device.• Approov emphasizes remote mobile app attestation, performing deep, continuous inspection of the mobile app and device in the cloud. This server-side decision-making makes it significantly harder for attackers to bypass the attestation process, ensuring only genuine apps access your APIs. Approov's positive security model effectively "locks down" backend APIs.Ideally, a comprehensive mobile app security strategy leverages both types of solutions: Guardsquare for strong in-app protection, and Approov for critical API integrity and abuse prevention. This multi-layered approach, combining static and dynamic defenses, is no longer optional but a fundamental requirement for achieving adequate resilience against modern mobile threats.--------------------------------------------------------------------------------Relevant Links to Source Materials:• Learn more about the research highlighting the mobile app security blindspot: "Research exposes $7M mobile app security blindspot fueled by overconfidence" • Explore in-depth the need for dynamic defenses: "WP- Mobile Security Beyond Obfuscation v1.0 FINAL B.pdf".• Discover Approov's approach to superior mobile API protection: "Approov: Superior Mobile API Protection via Remote Attestation".Sponsor: This episode is brought to you by Approov. Safeguard your mobile apps and APIs with their unique, patented runtime shielding solution. Visit approov.io to learn more.This content was created in partnership and with the help of Artificial Intelligence AI

In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.Key Discussion Points:The Alarming State of IoT Security:A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai. The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API keys hardcoded in the app, and static TLS certificate pins.Threats extend beyond simple data breaches to more severe outcomes like device hijacking, Man-in-the-Middle (MitM) attacks, ransomware, and botnet creation, allowing malicious actors to manipulate physical devices or launch large-scale attacks.Even smart water shutoff systems like Phyn, Moen Flo, and Flo-Logic, while protecting against water damage, introduce data privacy implications (e.g., detailed water usage patterns revealing intimate household routines) and the risk of unauthorized remote control by malicious actors who could repeatedly toggle the water supply, causing disruption or damage. Moen's privacy statement explicitly notes its business model includes "monetizing data".Building a Secure Foundation: Solutions and Best Practices:Adapting OAuth2 for IoT: The OAuth2 open authorization standard, popular on the web, is being adapted to help secure access to IoT devices. This involves the authorization grant flow where a client obtains an access token to delegate access to server resources. Modifications are necessary for constrained IoT environments, such as dynamically securing the channel between a client and resource server (e.g., Alice's phone and a door lock) by using a possession key shared via the authorization server. Another example is a medical device scenario where the authorization server encrypts the possession key into the access token claims using a pre-provisioned key pair.Beyond Static Secrets: A more secure approach involves removing static client secrets from mobile apps and leveraging remote attestation services. A dynamic attestation service can verify an app's authenticity at runtime, returning an authenticating, time-limited client integrity token.Zero Trust Security Model: Smart home platforms should adopt a Zero Trust security model, which inherently trusts nothing by default. Instead, each and every API request must cryptographically prove it originates from a legitimate, unmodified mobile app at runtime. This involves per-request attestation using short-lived, signed tokens and API-side validation.Approov: Enhancing API and App Security: Solutions like Approov Mobile Security play a crucial role by continuously inspecting the app and device to validate the legitimacy of any request from the app, ensuring only authorized apps can access APIs. This not only protects against bots and unauthorized access but also helps reduce cloud costs and allows API owners dynamic control over access policies and certificates without requiring app updates.Key Recommendations for Users and Manufacturers:Always change default passwords immediately upon setup, using strong, unique combinations.Regularly apply firmware and software updates provided by the manufacturer to patch critical security flaws.Implement network segmentation, isolating smart home devices on a separate Wi-Fi network (e.g., a guest network or dedicated IoT VLAN) to limit potential lateral movement for attackers if one device is compromised.Manufacturers must adopt secure development guidelines from day one, conducting regular penetration testing and prioritizing security throughout the product lifecycle, not as an afterthought.Organizations need robust incident response plans and better visibility into their IoT inventories to quickly identify and address threats.For critical systems like water shutoff valves, prioritize devices with robust, independent operation (e.g., hardwired connections, substantial battery backups) over those solely reliant on internet connectivity.Protect your connected devices and digital life by understanding these risks and implementing proactive security measures!Relevant Links:IoT Security Challenges: Device Vulnerability & Attack Stats | PatentPC: https://patentpc.com/blog/iot-security-challenges-device-vulnerability-attack-statsPhyn (Example of Smart Water Solution discussed): https://www.phyn.comSecure your mobile apps and APIs with Approov: https://approov.ioKeywords: IoT Security, Smart Home Security, API Security, Mobile App Security, OAuth2, App Attestation, Zero Trust, Mirai Botnet, Data Breaches, Device Hijacking, Network Segmentation, Cybersecurity, Smart Devices, Connected Home, Digital Privacy, Firmware Updates, Password Security, Water Damage Prevention, Phyn, Moen Flo, Flo-Logic, IoT Vulnerabilities, Mobile API Security.This content was created in partnership and with the help of Artificial Intelligence AI

In this insightful episode of "Upwardly Mobile," we look into the critical importance of extending Zero Trust principles to consumer-facing mobile applications. Despite the widespread adoption of the "never trust, always verify" security model across enterprises, mobile apps often remain a significant blind spot, operating in uncontrolled and untrusted environments. This oversight exposes organizations to sophisticated attacks, directly impacting customer trust, regulatory compliance, and revenue.Why is mobile the weakest link in today's Zero Trust architecture and how modern threats like silent escalation, runtime tampering, and reverse engineering specifically target the post-installation, runtime environment of mobile apps. With over 33 million mobile cyberattacks recorded globally in 2024, the urgency to act is clear.Learn about the strategic roadmap for closing this mobile security gap by embedding Zero Trust at the app runtime layer. We discuss how established frameworks such as NIST SP 800-207, the CISA Zero Trust Maturity Model, OWASP MASVS, and the MITRE ATT&CK Mobile Matrix can be adapted to secure mobile applications, focusing on continuous monitoring, verification, and protection.Key takeaways include:• The "Never Trust, Always Verify" Principle for Mobile: Every interaction, from the mobile app to backend APIs, must adhere to strict verification protocols, treating all mobile devices as potentially untrusted.• The Criticality of Runtime Protection: Traditional pre-deployment checks are insufficient as attackers manipulate apps after installation. Continuous monitoring of app integrity and behavior is essential.• Key Components for Mobile Zero Trust: This includes strong Authentication and Authorization (including MFA), Mobile App Attestation to verify app and device integrity, robust API Security, and Secure Communication (e.g., TLS with certificate pinning).• Dynamic Secrets Management: Avoid hardcoding secrets. Instead, manage and deliver them dynamically from the cloud, ensuring sensitive data is never exposed client-side.• Operationalizing Zero Trust Frameworks: Implementing a runtime-centric approach where security decisions are made inside the app, feeding app-level insights into enterprise security operations.• The Business Impact: Proactive mobile app protection reduces breach risks, streamlines compliance (PSD2, GDPR, HIPAA), accelerates secure product delivery, and builds user trust, demonstrating measurable ROI.Sponsored by Approov: Approov provides a comprehensive solution for implementing Zero Trust security in mobile applications and their APIs. Their features include Positive App Authentication, Man-in-the-Middle Attack Protection, Dynamic Secrets Management, and Comprehensive Environment Checks to detect compromised devices and malicious instrumentation. Approov ensures that every call to an API from the mobile app is from a genuine, unmodified app running in a safe environment, with policies updated in real-time.Relevant Links & Resources:• Approov Mobile Security Knowledge Base: Approov Mobile Security Knowledge Base• How to Implement Zero Trust for Mobile Apps (Approov): How to Implement Zero Trust for Mobile Apps• Why Is Zero Trust Not Systematically Applied to Mobile App Security? (Approov): Why is Zero Trust Not Systematically Applied to Mobile App Security?• Promon SHIELD® for Mobile & More: Products• A guide to Zero Trust for your mobile apps (Promon): Bringing Zero Trust to mobile applications• OWASP Zero Trust Architecture Cheat Sheet: OWASP Zero Trust Architecture Cheat Sheet• OWASP Mobile App Security Verification Standard (MASVS): What is the OWASP MASVS?• Promon Mobile App Security Library: All Resources--------------------------------------------------------------------------------This content was created in partnership and with the help of Artificial Intelligence AI

Qantas Under Siege: Unpacking the Third-Party Data Breach & Scattered Spider's ThreatIn this episode of "Upwardly Mobile," we dive deep into the recent cyberattack on Qantas, Australia’s leading airline, which confirmed on July 2, 2025, that it experienced a cyberattack on a third-party customer service platform in one of its call centers. This incident raised significant alarms, especially just before the busy July 4th travel season in the United States.Key Takeaways from the Breach:Significant Data Compromise: Qantas reported that approximately 6 million customers have service records in the affected platform, and a significant proportion of this data is believed to have been stolen.Stolen Information: The data confirmed to be compromised includes customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers.Unaffected Data: Importantly, Qantas stated that credit card details, personal financial information, and passport details were not held in the affected system and thus were not compromised. Frequent flyer accounts themselves were also not compromised, with passwords, PIN numbers, or login details remaining secure.The Threat Actor: While Qantas has not officially confirmed the perpetrator, security professionals strongly suspect the ransomware group Scattered Spider (also known as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra). This group is notorious for targeting global organizations, including recent attacks on Hawaiian Airlines and Canada’s WestJet Airlines.Scattered Spider's Tactics: Scattered Spider is known for its social engineering and identity-based attacks, often employing phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials. They typically steal legitimate login credentials to access systems where critical security protections might not be enabled by default. The WestJet breach, for instance, involved exploiting a self-service password reset.Vulnerabilities Highlighted: The Qantas attack, alongside other recent aviation breaches, underscores systemic vulnerabilities in mobile apps and third-party supply chain systems, as well as a prevalent lack of social-engineering defenses and robust incident response protocols. This incident further emphasizes that third parties must adhere to the same stringent data protection standards as internal systems.Industry Recommendations & Solutions:Experts like Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, advise global airline organizations to be on high alert for social-engineering attacks and to increase identity verification rigor for their help desks.Ted Miracco, CEO of Approov, stressed the need for the aviation industry to move beyond traditional multi-factor authentication (MFA) and adopt a comprehensive zero-trust approach to API security. Approov Mobile Security offers solutions for Positive App Authentication and API Security, safeguarding backend APIs from abuse and enabling the removal of hardcoded API keys and secrets from apps.Organizations are urged to gain complete visibility across their infrastructure, identity systems, and critical management services, focusing on securing self-service password reset platforms, help desks, and third-party identity vendors.Qantas's Response: Qantas detected unusual activity, took immediate steps to contain the system, and confirmed that all Qantas systems remain secure. They notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. However, the airline faced criticism for its public relations approach, as CEO Vanessa Hudson was on leave, and neither the acting CEO nor other executives made public appearances, relying instead on personalized emails to customers.Learn more about the incident from the articles that informed this episode:"Qantas confirms cyberattack on third-party call center app | SC Media""Qantas discloses cyberattack amid Scattered Spider aviation breaches""Qantas executives nowhere to be seen after data breach affecting up to 6 million customers - ABC News"Sponsor Shoutout: Our episode today is brought to you by Approov. As highlighted in this episode, securing backend APIs and mobile applications is paramount in today's threat landscape. Approov provides robust solutions for mobile app security and API protection, ensuring the authenticity of your apps and devices, and safeguarding your data against sophisticated attacks. Learn more about their comprehensive zero-trust approach to API security at approov.io.Keywords: Qantas cyberattack, data breach, Scattered Spider, aviation security, third-party risk, supply chain attack, social engineering, API security, mobile security, data privacy, frequent flyer data, cybersecurity, Qantas, zero-trust, identity verification, call center breach, corporate response. This content was created in partnership and with the help of Artificial Intelligence AI

Fortify Your Phone: Android 16's Advanced Security FeaturesIn this episode, we'll explore two of the most impactful security features in Android 16 that you need to know about: Advanced Protection and Identity Check, along with other significant API security improvements.Key Features and Insights:Android 16's Focus on Security: Despite foundational work for future design and multitasking changes, Android 16's initial rollout emphasizes "significant security enhancements" designed to make a "meaningful difference" in data protection. Android 16 sets the stage for the platform's most dramatic reinvention in ages, and while some elements are part of a future update, this new software features a slew of significant security enhancements. The Android 16 Security Release Notes, published June 10, 2025, detail vulnerabilities addressed in this version. Devices with a security patch level of 2025-07-01 or later are protected against these issues. The Android security team actively monitors for abuse through Google Play Protect, which is enabled by default on devices with Google Mobile Services, and warns users about potentially harmful applications.Advanced Protection: This is a new, all-encompassing Android security "supermode" activated by a single switch within your system settings. On Google Pixel phones, it's an added section within the main Security & Privacy settings. Enabling Advanced Protection simplifies the process of activating a bundle of advisable Android security settings at once, rather than requiring you to find and enable them individually.Bundled Safeguards: Advanced Protection activates a suite of protections, including:Extra theft protection: Utilizes Theft Detection Lock and Offline Device Lock, which were introduced previously, to automatically lock your device if it detects it's fallen into the wrong hands.Enhanced app protection: Ensures Android's Google Play Protect on-demand scanning system is in place, restricts app installations to official Play Store (and any other preloaded app stores), and incorporates Memory Tagging Extension, making it less likely for an app to corrupt your device's memory.Smarter web protection: Provides live scanning for browser-based threats, forces the more secure HTTPS encrypted web standard, and adds additional protections around Javascript processing within Chrome.Advanced calling and messaging protection: Offers real-time scanning and warnings about likely scams and spam within Google Messages, detects and warns about unsafe links in incoming texts, and includes spam detection, scam detection, and call screening systems for incoming calls in the Google Phone app.Heightened network protection: Actively rejects any less secure 2G-level network connections that may come along over time. This feature can also be individually activated to disable 2G connections.Future Updates: Google's goal is to keep Advanced Protection updated with all the latest Android security features over time, so once activated, you don't have to manually enable new options as they arrive. Confirmed upcoming features expected "later this year" include:Inactivity Reboot: Automatically restarts your device if it remains locked for 72 consecutive hours, re-encrypting all data to require a full password or pattern unlock.Intrusion Logging: Securely stores encrypted logs of sensitive system actions in the cloud, connected solely to your Google account, for investigating suspicious activity.USB Protection: Sets your phone's USB port to allow only charging by default, preventing unauthorized data transfers via physical connection.Disable Auto-Reconnect to Insecure Networks: Your phone will not automatically reconnect to networks that are not secure, even if you manually connected to them once.Identity Check: This feature, gaining prominence with Android 16, requires biometric authentication (e.g., fingerprint, face unlock) to access critical security settings or sensitive information like saved passwords, especially when your device is outside of a designated "trusted location". While you can set trusted locations where biometrics aren't required, for maximum security, it's recommended not to add any. The feature should be enabled by default but can be found by searching for "identity check" in your Settings app.Overall API Security Weaknesses: Android 16 introduces several enhancements that directly improve mobile API security.Intent Redirection Protection: Android 16 features stronger security against Intent redirection attacks, which are a common vulnerability where malicious applications can intercept or manipulate Intents. Developers are encouraged to test their Intent handling and should only opt out of these protections if it's absolutely necessary.Local Network Permission: For apps targeting Android 16 or newer, a new permission is required to access the local network. This enhances privacy and security by restricting unauthorized network access.More Granular Permissions: Android 16 introduces more granular permissions for sensitive data, such as body sensors. This means apps must explicitly declare their need for specific health-related data, giving users more control and enhancing data privacy.Dynamic Code Loading Restrictions: The new version tightens rules around dynamic code loading, making it more difficult for apps to download and execute potentially malicious code after they have been installed.Predictive Back Navigation: Although primarily a user experience feature, the changes to predictive back navigation and the deprecation of onBackPressed could indirectly impact how developers manage back events, potentially reducing certain vulnerabilities linked to navigation manipulation if implemented correctly.Complementary Protections: It's important to differentiate between Android 16's Advanced Protection (for your device) and Google's broader "Advanced Protection" program (for your Google account). The latter is more intense, requiring physical security keys for account sign-ins and severely limiting third-party app access, making it more suitable for high-profile or at-risk individuals. However, these two programs are designed to be complementary, offering heightened protection for both your device and your Google account when used together. It is recommended to enroll your Google account in Advanced Protection and confirm a recovery email.Beyond Advanced Protection: Even with these significant updates, ongoing security requires "common sense and careful thinking". Regularly reviewing your Android security settings with a comprehensive checkup is crucial, ideally at least once annually. Android 16, as the latest Android version, is rolling out automatically in the coming months, though schedules can vary by device and manufacturer. You can check your device's Android version in Settings under "About phone" or "About tablet".Remember to update your device and activate these powerful security features to keep your phone and data safe!.Keywords: Android 16, Advanced Protection, Identity Check, mobile security, data protection, Google Pixel, privacy, Android updates, cybersecurity, smartphone security, Google Play Protect, theft protection, app security, web protection, calling protection, network security, API security, Intent Redirection, Local Network Permission, Granular Permissions, Dynamic Code Loading, Predictive Back Navigation.This episode is brought to you by Approov Mobile Security. For robust mobile app and API security solutions, visit www.approov.io.This content was created in partnership and with the help of Artificial Intelligence AI

Independence Day: Cloudflare's Dual Defense for Web Mobile Apps & Original ContentWelcome to "Upwardly Mobile"! In this episode, we dive deep into Cloudflare's groundbreaking efforts to protect both mobile applications and original online content from the escalating challenge of AI bots and data scrapers.Key Topics Covered:Protecting Mobile Applications from AI Bots:Cloudflare's AI bot blocking features are fully capable of protecting mobile APIs.Their Bot Management system analyzes incoming traffic without differentiating between desktop and mobile user agents when scoring bot activity.Leveraging machine learning models, Cloudflare identifies and blocks various bot behaviors, including those targeting mobile apps. They have specifically developed and deployed a Mobile-Focused ML Model trained on mobile request data to improve accuracy and reduce false positives for mobile app traffic.Features like Super Bot Fight Mode offer a robust defense against various automated traffic, including mobile-based bots.For mobile apps primarily driven by APIs, Cloudflare's API Gateway offers enhanced protection.If you require very specific handling of different mobile user agents, premium support is available by upgrading to a Cloudflare Enterprise account with the Bot Management add-on.Safeguarding Original Content from AI Data Scrapers:Cloudflare has introduced a new permission-based setting that automatically blocks artificial intelligence companies from exploiting websites by collecting their digital data. This changes the rules of the internet, requiring bots to "go on the toll road" to get content.This initiative aims to protect original content on the internet, addressing concerns that AI companies freely using data without permission or payment could discourage and ultimately kill the incentives for content creation.Cloudflare, whose network of servers handles about 20% of internet traffic, has observed a sharp increase in AI data crawlers on the web.The company is developing a "Pay Per Crawl" system, which would give content creators the option to request payment from AI companies for utilizing their original content.Many content creators, publishers, authors, and news organizations have accused AI firms of using their material without permission and payment, leading to legal actions such as Reddit suing Anthropic and The New York Times suing OpenAI and Microsoft.Cloudflare argues that AI breaks the unwritten agreement between publishers and crawlers, as AI crawlers collect content to generate answers without sending visitors to the original source, thus depriving content creators of revenue.Cloudflare's CEO, Matthew Prince, is confident they can block AI companies from accessing content if they don't pay, asserting that their product will be worse as a result.This move is considered a "game-changer" for publishers by Roger Lynch, chief executive of Condé Nast.Revolutionizing Bot Authentication with Cryptography:Historically, Cloudflare relied on user agent headers and IP addresses to verify legitimate crawlers, but these methods are now considered broken or impractical due to easy spoofing, shared IP addresses, and the impracticality of managing individual secrets at scale.Cloudflare is proposing a better mechanism for legitimate agents and bots to declare who they are using well-established cryptography techniques, providing a clearer signal for site owners to decide what traffic to permit.Two primary proposals are being introduced: HTTP Message Signatures and request mTLS (mutual TLS).HTTP Message Signatures (RFC 9421) is a standard defining the cryptographic authentication of a request sender, allowing bots/agents to cryptographically sign requests originating from their service, proving their identity in a tamper-proof manner. OpenAI has already begun signing their Operator requests using this method. Cloudflare is prioritizing this approach as it relies on an adopted RFC and works at the HTTP layer, making adoption simpler.Request mTLS is another mechanism for mutual authentication via TLS certificates, though it has limitations, fewer implementations, and upgrading the TLS stack has proven more challenging.This authentication can be consumed by Cloudflare when acting as a reverse proxy or directly by site owners on their own infrastructure.These advancements will be integrated into Cloudflare's AI Audit and Bot Management products to provide better visibility into bots and agents willing to identify themselves.Relevant Links & Resources:Explore Cloudflare's solutions for AI bot protection for mobile apps, their new approach to safeguarding content from AI data scrapers, and innovative cryptographic bot verification mechanisms in their official documentation and blog posts.For cutting-edge mobile app security solutions, visit our sponsor: Approov Mobile Security Keywords: Cloudflare, AI bot protection, mobile apps, bot management, content creation, data scraping, AI crawlers, copyright, intellectual property, web security, HTTP Message Signatures, mTLS, authentication, publishers, content creators, pay per crawl, Super Bot Fight Mode, digital rights, online content, AI ethics, content monetization.   This content was created in partnership and with the help of Artificial Intelligence AI