Guest Blog: Alissa Knight on 'FHIR Walker: Authentication and Authorization in FHIR APIs'

May 13, 2021

We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight who will be writing on the topic of healthcare API security. In the first article, Alissa provided a plain English explanation of FHIR from the perspective of a hacker. In this blog, Alissa covers mobile API authentication and authorization. Read Full Story

Approov Integration for the Azure API Management Platform

May 13, 2021

The Azure API Management Platform aims to be the front door to APIs hosted in Azure, on premises, or even in other clouds. The managed platform allows developers to secure, monitor, transform and maintain APIs published through it, using the Azure portal or the Azure CLI. Read Full Story

API Keys Can Be Phished Too

May 10, 2021

Photo credit: iStock.com/Evkaz We are all very aware of the issues around phishing of user credentials. But it is not only users that can be phished, apps can be too. In previous blogs we’ve shown you how you can make a MITM attack against an app. In this blog we’ll demonstrate that a MITM attack against an app is analogous to a phishing attack against a human. Moreover, there are some similar characteristics to the protections required. Read Full Story

How to Bypass Certificate Pinning with Frida on an Android App

May 4, 2021

In a previous article we learned how to perform a MitM attack on a mobile app that doesn’t employ certificate pinning as a mechanism of preventing such attacks. Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning. Read Full Story

How to MitM Attack the API of an Android App

May 1, 2021

In a previous article we saw how to perform a MitM attack to steal an API key, but that approach required installing the proxy certificate into the Android device through the user trusted certificates store. An easier way exists, and in this article I will show how to use an Android Emulator with a writable file system that will allow us to install the proxy certificate directly into the system trusted store, without the need to root the emulator or make changes in the mobile app. Read Full Story

Guest Blog: Alissa Knight on 'Standing Outside The FHIR'

April 22, 2021

We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight who will be writing on the topic of healthcare API security. In this blog, Alissa provides a plain English explanation of FHIR from the perspective of a hacker. Enjoy! Read Full Story

React Native Automated Quickstart

April 12, 2021

The new React Native Approov Quickstart provides automated integration of Approov API threat protection for most React Native apps. Read Full Story

Closing Both Web and Mobile Doors To Automated Traffic

March 16, 2021

In this article we will look at the challenges of making sure that bots and other automated traffic can’t gain access to your backend systems, no matter how they try. Most enterprises offer services through their website and their mobile app and both attack surfaces must be considered. Ensuring that both channels are properly defended will prevent DDoS, credential stuffing, data scraping and other fraudulent exploits from occurring. Read Full Story

Approov Integration for Python FastAPI Backends

March 9, 2021

Python FastAPI framework’s first commit dates from 5th December 2018, followed by the first release on 25th December 2018. It was created by Sebastián Ramírez as a direct reflection of his several years of experience in creating APIs with complex requirements. Read Full Story

Clubhouse Needs A Bouncer

February 26, 2021

Even if you only have a vague interest in app security I’m sure the recent furore around Clubhouse hasn’t escaped your attention. There is significant buzz around this invite-only iOS app. Enabling live audio chat rooms between participants, it sets the expectation that these interactions are somewhat private and certainly not recorded.  With big celebrity names such as Elon Musk, Kanye West and Oprah Winfrey as users there is a significant demand for a coveted invite. Read Full Story