We're Hiring!

Approov Blog
MitM Attack

The Limitations of Google Play Integrity API (ex SafetyNet)

December 20, 2023

This overview outlines the history and use of Google Play Integrity API and highlights some limitations. We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov. The imminent deprecation of Google SafetyNet Attestation API means this is a good time for a comprehensive evaluation of solutions in this space. Read Full Story

Security Threats to Mobile Crypto Apps and How to Protect Them

July 28, 2023

The last year has not been great for crypto. Most crypto currencies, including Bitcoin, experienced significant loss of value, and we saw high profile exchanges like FTX collapse. In addition, hackers were actively stealing crypto currency. The blockchain company Chainalysis calculated that $3.8bn was stolen by hackers in 2022. Read Full Story

How To Use a MitM Attack to Bypass Code Obfuscation to Extract Secrets From the ChatGPT Mobile App

June 23, 2023

In a previous article, we saw how to use code obfuscation to make it more difficult for an attacker to extract a secret through static binary analysis of the ChatGPT demo mobile app. However, it's important to note that code obfuscation is not always as effective in protecting secrets as we might hope. It can give a false sense of security, similar to the Maginot Line that the French built during World War II to deter the German invasion of France. As many know, the German military simply went around the Maginot Line and quickly invaded France, rendering it useless. This event is now often used as an analogy for situations where something provides a false sense of security rather than actual security. Read Full Story

What is “Bank-Grade Security” and is it Enough?

June 7, 2023

"Bank-grade security" is a term often used to describe a high level of security measures implemented in mobile applications to protect sensitive data, transactions, and user privacy. It implies that the app's security measures are at par with or comparable to the security standards employed by financial institutions, such as banks, which are known for their rigorous security practices. In this post, we will examine what is meant by this term and whether or not you should be comforted by it. Read Full Story

What is Runtime Application Self-Protection (RASP)?

April 6, 2023

Runtime Application Self-Protection (RASP) is a security technology that is designed to protect applications from attacks while the application is running. It works by embedding a security mechanism directly into the application, which allows it to monitor the application's behavior and detect and prevent malicious activities in real-time. Read Full Story

Mobile App Security: Uncovering the Risks of Secret Theft at Runtime

March 23, 2023

This is our second blog highlighting the results of the Approov Threat Lab Report. Read Full Story

Do You Want to Know a Secret? Just Take a Look Inside Top Finance Apps

March 7, 2023

Financial apps have access to valuable and sensitive personal data, so you would think mobile app security would be top-of-mind for financial institutions. But is it? Read Full Story

Is Certificate Pinning Worth it?

November 24, 2022

In a word - yes; when implemented correctly, certificate pinning is an effective method for securing mobile application traffic by restricting the accepted certificates to just those you are willing to trust. In its most secure manifestation, this trust sits outside the standard TLS certificate store managed by the device. Read Full Story

How Do I Protect My Flutter App?

October 10, 2022

Google’s open source Flutter has quickly become one of the most popular development toolkits for building cross platform mobile applications. In this article we will examine what security is built-in to Flutter mobile apps and recommend additional layers which you may wish to consider for your mobile projects. Read Full Story

How to Prevent API Abuse

May 27, 2022

API abuse, when the API is used in an unexpected way, is a growing problem in software development and one of the leading attack vectors cybercriminals exploit. According to a recent security research report that surveyed more than 200 enterprise security professionals, there was a 21.32% growth in malicious API call volume between December 2020 and December 2021. The same study also established that 95% of respondents had suffered an API security incident in the past year. Read Full Story