We're Hiring!

Paulo Renato

Paulo Renato is known more often than not as paranoid about security. He strongly believes that all software should be secure by default. He thinks security should be always opt-out instead of opt-in and be treated as a first class citizen in the software development cycle, instead of an after thought when the product is about to be finished or released.

Approov Blog

How To Use a MitM Attack to Bypass Code Obfuscation to Extract Secrets From the ChatGPT Mobile App

June 23, 2023

In a previous article, we saw how to use code obfuscation to make it more difficult for an attacker to extract a secret through static binary analysis of the ChatGPT demo mobile app. However, it's important to note that code obfuscation is not always as effective in protecting secrets as we might hope. It can give a false sense of security, similar to the Maginot Line that the French built during World War II to deter the German invasion of France. As many know, the German military simply went around the Maginot Line and quickly invaded France, rendering it useless. This event is now often used as an analogy for situations where something provides a false sense of security rather than actual security. Read Full Story

How to Use Code Obfuscation to Hide Secrets in Your Mobile App

June 21, 2023

Mobile app security is a crucial aspect that needs to be prioritised by developers and businesses alike. With the increasing number of cyber-attacks targeting mobile apps and their APIs, it's more important than ever to take measures to protect the secrets used by mobile apps to access their APIs to protect users' sensitive data and prevent unauthorised access to it and subsequent data breach. Read Full Story

Comparing Mobile App & API Security from Approov to Zimperium (A-Z)

May 15, 2023

In today's digital landscape, securing mobile apps and APIs is of paramount importance. Among the various security solutions available, Approov stands out as truly unique. What sets Approov apart is its combination of Mobile App Security and Mobile API Security, within a single product. With this innovative approach, Approov enables the lockdown of the Mobile API solely to clean mobile devices running authentic instances of the mobile app that have passed the Approov remote mobile app attestation process. This continuous verification process ensures the device and mobile app integrity, without any impact on user experience. Read Full Story

Mobile API Security Best Practices

May 12, 2023

Mobile devices have become a ubiquitous part of our daily lives, and they are increasingly used for business and personal transactions. Mobile apps often rely on APIs to communicate with back-end systems and other third-party APIs, making them an essential component of modern mobile apps. However, APIs also create security risks that need to be addressed to prevent data breaches, cyber attacks, and other security incidents. Read Full Story

Mobile API Security Myths

May 10, 2023

Mobile APIs are a crucial component of mobile app development, enabling apps to communicate with servers and access data. However, the security of these APIs is often misunderstood, leading to several myths and misconceptions surrounding mobile API security. We will discuss how HTTPS encryption, API keys, and authentication are not enough to fully secure mobile APIs, and how even private APIs are susceptible to attacks. We will also examine why mobile API security is a shared responsibility among developers, stakeholders, and security teams. Finally, we will explore the misconception that mobile app security is separate from mobile API security, and how both are crucial for protecting users and data. Read Full Story

Mobile App Security Myths

April 14, 2023

Mobile app usage has grown significantly in recent years, and with this growth comes an increased need for mobile app security. Unfortunately, many mobile app developers hold misconceptions and myths about mobile app security, which can lead to a false sense of security that can result in security breaches and compromises of sensitive information. We will cover a range of myths including the belief that mobile app stores guarantee secure apps, that Android mobile apps are more insecure, that iOS is more secure, and that using HTTPS to call the API backend is enough to ensure security. Additionally, we will explore the myth that only popular and public-facing apps require security measures and the belief that only root or jail-broken devices are a concern in terms of mobile app security. Read Full Story

Mobile App Security Checklist

April 12, 2023

One of the most well-known checklists for mobile app security is found in the OWASP Mobile Application Security Verification Standard (MASVS). If you implement the OWASP Mobile App Security Checklist thoroughly and meet all the requirements, your mobile app will have a good security foundation. However, there are still some potential security gaps to consider. First, the app itself is responsible for conducting security checks and making decisions about its own security, which could allow an attacker to use an instrumentation framework to bypass or modify these checks and decisions. Second, the API backend is not necessarily restricted to serving requests solely from genuine, unmodified instances of the mobile app that are not under attack or running on a compromised device and environment. Read Full Story

Is Code Obfuscation Worth it?

April 10, 2023

As a developer once said… It depends!!! In a nutshell, it depends on what is motivating you to use obfuscation in the first place. If you plan to use only code obfuscation as a security measure then you may end up with a Maginot Line on your security defences. Read Full Story

Mobile App Security Best Practices

April 3, 2023

Mobile apps are now essential for communication, entertainment, shopping, banking and other aspects of our daily lives. As security threats increase, it's crucial to ensure that mobile apps are secure. Insecure mobile apps can lead to data breaches, sensitive information theft, and financial losses. Adopting best security practices is essential to safeguard your mobile apps, APIs, and users' data and privacy. This blog post outlines the best practices for mobile app security that every mobile app developer should consider while developing mobile apps and where Approov can be used to enhance the security of a mobile app and their APIs. We'll cover topics like secure code development, authentication and authorization, network security, secure data storage, and regular security testing. Read Full Story