Hacking Financial APIs - New Report, Familiar Results

January 20, 2022

Alissa Knight’s latest security research report “Scorched Earth” was recently released. In this blog we’ll look at 3 key themes from the report and the immediate mitigations that banks, crypto companies and fintechs should implement. Read Full Story

Shift Left but Shield Right - and what are the options?

January 17, 2022

As I explained in a previous blog about the FHIR API Research Alissa Knight recently completed, “Shift Left, but Shield Right” is a strategy Alissa recommends to address the issues she uncovered in the mobile apps she tested.  Read Full Story

Shift Left but Shield Right - but what does that mean?

January 12, 2022

We sponsored a major report “Playing with FHIR” by Alissa Knight, released in October 2021 (download it here) which investigated the security of mobile healthcare apps and APIs which use the FHIR standard. This report has certainly sparked a lot of debate about the security of healthcare apps and a broader discussion about who is accountable for keeping patient data safe as the ecosystem expands.  Read Full Story

What is Bank-Grade Security and is it Enough for 2022?

December 8, 2021

Many digital companies describe their platforms as being protected by ‘bank-grade security’. In this article, we will examine what is meant by this term and whether or not you should be comforted by it. Read Full Story

How to Defend against App Impersonation in 2022

November 25, 2021

Editor's note: This post was originally published in November 2021 in ThreatPost Most users who install applications through legitimate channels such as Google's Play Store or the Apple Store do so with complete trust that their information is safe from malicious attacks. This makes sense because they're the official app stores across the globe.  Read Full Story

FHIR API Security Research - 3 Immediate Actions For Mobile Healthcare Companies

November 22, 2021

Considering the recent “Playing with FHIR” research report together with the earlier “All that We Let In” research report (which looked at the state of mHealth app/API security), it would be understandable if healthcare organizations were unsure of what immediate actions they should take. In this article we will focus on healthcare service companies who have patient or clinician mobile apps, for whom we will recommend 3 immediate steps which should be taken today. Read Full Story

FHIR API Security Research Sparks Debate

November 9, 2021

Alissa Knight released her report “Playing with FHIR” a couple of weeks ago (download it here) about her investigations into the security of healthcare apps and APIs which use the FHIR standard. This report has certainly sparked a lot of debate about the security of healthcare apps and a broader discussion about who is accountable for keeping patient data safe as the ecosystem expands. The bottom-line is that everyone in the healthcare ecosystem needs to take steps to shield their APIs immediately. Read Full Story

How Certificate Pinning Helps Thwart Mobile MitM Attacks

November 9, 2021

Editor's note: This post was originally published in November 2021 in Cyber Defense Magazine. The massive deployment of mobile apps is presenting new attack surfaces to bad actors and the API channel between the apps and backend services is one of the 5 defined attack surfaces in the ecosystem. In this article we will explore the challenges of defending this channel and outline some practical steps you can take to put immediate protection in place. Read Full Story

Approov Dynamic Certificate Pinning

September 30, 2021

One of the key, if sometimes overlooked, features of Approov is its integrated support for dynamic certificate pinning. In this blog we explain how it works and its numerous advantages. Read Full Story

Our Certificate Pinning Configuration Tool

September 30, 2021

In this blog we introduce our new mobile certificate pinning configuration tool. This free web tool allows you to automatically generate the configuration required to pin your mobile app connections, providing an additional layer of security.  Read Full Story