Barry O'Rourke

API Abuse in 2017 (Part 3)

February 19, 2018

Two particularly challenging forms of API abuse are Aggregation and Cheating as a Service. In both of these cases your own users are enabling, and sometimes funding, the individuals and organizations abusing your APIs.

API Abuse in 2017 (Part 2)

February 13, 2018

Our first batch of business-level attacks covers Data Scrapers and Account Hijacking. We also take a look at the lucrative business of Fake Account Factories.

API Abuse in 2017 (Part 1)

February 9, 2018

2017 has seen our customers tackling a wide range of abuse and misuse of their Mobile APIs. We are seeing multiple approaches in which the business process transparency provided by APIs has been turned into exploitation. Time for a retrospective...

Toughen Up Soft Certificate Pinning With Approov

December 14, 2017

"Devops just mailed to say they will rotate the certificates on all of the endpoints today," mentioned the Engineering Manager at one of our customers. That's unexpected; I wonder what happened.

Unintentional Unpinning with Firebase

August 28, 2017

Google's Firebase provides a comprehensive set of analytics services for developers to integrate with their apps. On Android the basic functionality is enabled simply by integrating the desired plugins. No code changes required.

The Problem with Pinning

July 13, 2017

Certificate or Public Key Pinning is a client-side check layered on TLS that protects the HTTPS connection between your app and API from interception by third parties (a Man in the Middle attack). That is what makes it useful for bot mitigation: an attacker who cannot observe the traffic has a much harder time reverse engineering and scripting the API. The technique builds on the TLS handshake, in which the server must present a certificate containing its public key. If the client holds a copy of the expected certificate (or just its public key, typically as a hash of the SubjectPublicKeyInfo) and refuses to complete the handshake unless it matches, the client is said to be pinned to the server.
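The check described above, as an added example that is not code from the original post or from Approov: a stdlib-only Python implementation of public key pinning that walks the DER structure of an X.509 certificate, extracts the SubjectPublicKeyInfo, hashes it in the `sha256/<base64>` form used by OkHttp and Android's network security config, and compares it against a pin set that holds both the current key and a pre-pinned backup key for rotation. The certificates it runs on are constructed skeletons (correctly structured DER, but unsigned and with placeholder key bytes); the key-material constants and the `enforce` flag that models soft versus hard pinning are assumptions of this example, not something the original post specifies.

```python
import base64
import hashlib

# --- Minimal DER helpers (added example code, not from the original post) ---

def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf, pos=0):
    """Decode the TLV at pos; returns (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(body):
    """Split a constructed value into (tag, value, raw_tlv_bytes) triples."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, val, pos = der_read(body, pos)
        out.append((tag, val, body[start:pos]))
    return out

# --- Pinning logic ---

def spki_from_cert(der_cert):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate.
    Certificate = SEQ { tbsCertificate, signatureAlgorithm, signatureValue }
    tbsCertificate = SEQ { [0] version (optional), serial, sigAlg, issuer,
                           validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(der_cert)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_fields = der_children(der_children(cert_body)[0][1])
    if tbs_fields[0][0] == 0xA0:          # explicit [0] version present (v2/v3)
        tbs_fields = tbs_fields[1:]
    return tbs_fields[5][2]               # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(der_cert):
    """Pin string in the 'sha256/<base64>' form: SHA-256 over the whole SPKI TLV."""
    digest = hashlib.sha256(spki_from_cert(der_cert)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def check_pins(der_cert, pins, enforce=True):
    """Returns (allow_connection, pin_matched).
    Hard pinning (enforce=True) refuses the connection on a mismatch; soft
    pinning lets it proceed but still reports the mismatch so it can be logged."""
    matched = spki_pin(der_cert) in pins
    return (matched if enforce else True), matched

def pin_set(*der_certs):
    """Pin every supplied certificate, e.g. the live key plus a backup for rotation."""
    return {spki_pin(c) for c in der_certs}

# --- Constructed sample certificates (structurally valid DER, NOT real certs) ---

def build_skeleton_cert(pubkey_bits):
    """Build an unsigned X.509-shaped DER blob around placeholder key bytes.
    Returns (certificate_der, spki_tlv) so the extraction can be checked."""
    oid_rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))        # rsaEncryption
    oid_sha256_rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSAEncryption
    sig_alg = der_tlv(0x30, oid_sha256_rsa + der_tlv(0x05, b""))
    spki = der_tlv(0x30, der_tlv(0x30, oid_rsa + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + pubkey_bits))            # BIT STRING, 0 unused bits
    name = der_tlv(0x30, b"")                                          # empty Name placeholder
    validity = der_tlv(0x30, der_tlv(0x17, b"170101000000Z") + der_tlv(0x17, b"280101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))          # version v3
                  + der_tlv(0x02, b"\x01")                             # serial 1
                  + sig_alg + name + validity + name + spki)
    signature = der_tlv(0x03, b"\x00" * 9)                             # placeholder, not a signature
    return der_tlv(0x30, tbs + sig_alg + signature), spki

# Stand-in key bytes (constructed; a real SPKI would carry a full RSA/EC key).
CURRENT_KEY = bytes(range(1, 33))
NEXT_KEY = bytes(range(33, 65))
ROGUE_KEY = bytes(range(65, 97))

if __name__ == "__main__":
    current, _ = build_skeleton_cert(CURRENT_KEY)
    rotated, _ = build_skeleton_cert(NEXT_KEY)
    rogue, _ = build_skeleton_cert(ROGUE_KEY)
    pins = pin_set(current, rotated)      # ship the backup pin before the rotation
    for label, cert in (("current", current), ("rotated", rotated), ("rogue", rogue)):
        print(label, spki_pin(cert), check_pins(cert, pins))
```

Pinning the SPKI hash rather than the whole certificate is what lets an operator renew a certificate under the same key without breaking installed apps; the rotation case in the sample only passes because the next key's pin was shipped in the app ahead of time, and the `enforce=False` path shows why soft pinning alone is not a defence: the rogue certificate is still allowed through, just flagged.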

Help Your Mobile API Ecosystem to Flourish

July 5, 2017

API Lockdown Without the Lockout

December 6, 2016

When retrofitting an API change to an app which already has an existing install base, care must be taken to handle the transition with minimal disruption to customers.