
Approov Blog
Mobile App Authentication (8)

Practical API Security Walkthrough — Part 1

January 12, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020. Welcome! A quick question: Do you know what’s using your API? Really?

Strengthening OAuth2 for Mobile

January 3, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in October 2022. OAuth2, often combined with OpenID Connect (OIDC), is a popular authorization framework that enables applications to protect resources from unauthorized access. It delegates user authentication to an authorization service, which then authorizes third-party applications to access the protected resources on the user’s behalf. OAuth2 provides authorization flows for both web and mobile applications.

If You Can't Make It, Fake It

November 22, 2017

As many social media platforms continue to experience incredible growth in popularity, the supporting apps, and the APIs that service them, remain top targets for bad actors. The ability to communicate quickly and indirectly with the platforms’ vast user bases makes them ideal for spreading malware, phishing attacks, or fake news. Networks of automated accounts, gaining artificial levels of popularity and influence, are often used to instigate attacks, and the recent admission by Facebook that Kremlin-linked propaganda may have been seen by as many as 126 million users gives us some idea of the scale of the threat and the ambition of the attackers.

Approov Chosen by Nimses to Protect Their Social Media Platform

October 31, 2017

SAN JOSE, CALIFORNIA, USA, October 31, 2017 /EINPresswire.com/ -- CriticalBlue, provider of the award-winning Approov mobile API protection solution, today announced the successful deployment of Approov within the Nimses social media platform. Fast-growing mobile businesses are an attractive target for bad actors who will attack the rich APIs between mobile apps and enterprises’ backends to attempt exploits such as scraping of competitive data, fake account onboarding, fraud, DDoS and account takeover. Time and again, basic encryption and embedded secrets in mobile apps have proven to be insufficient barriers against these automated scripts and hackers.

Adding OAuth2 to Mobile Android and iOS Clients Using the AppAuth SDK

October 23, 2017

Editor's note: This post was originally published in October 2017 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in October 2022. OAuth2, often combined with OpenID Connect, is a popular authorization framework that enables applications to protect resources from unauthorized access. It delegates user authentication to an authorization service, which then authorizes third-party applications to access the protected resources on the user’s behalf. OAuth2 provides authorization flows for both web and mobile applications.

Capitalising on Uber's London Misadventure

October 17, 2017

Rival Cab Companies Are Quick to Move, But Cyber Criminals May Be Quicker

Unintentional Unpinning with Firebase

August 28, 2017

Google's Firebase provides a comprehensive set of analytics services for developers to integrate with their apps. On Android the basic functionality is enabled simply by integrating the desired plugins. No code changes are required.

API Protection Requires Both User and App Authentication

August 14, 2017

As an API provider, you open your RESTful back end to those you trust in the hopes of doing something useful, making a profit, or both. You’re quite careful about registering and authenticating your users, and you probably identify the app they are calling from, but is that enough to protect access and your revenue stream from malicious actors?

Whitelists & Indirection Go Together Like Chocolate and Peanut Butter

July 28, 2017

Used properly, whitelisting is a simple and effective security tactic to minimize attack surfaces. If you’re not on the list, you don’t get in. No exceptions. Smooth as chocolate. If it’s too easy for you to find and spoof a name on the list, use indirection to make it harder. Sticky as peanut butter. Together they taste great.

The Problem with Pinning

July 13, 2017

Certificate or Public Key Pinning is an extension to TLS that is highly effective for bot mitigation by protecting the HTTPS connection between your app and API from snooping by third parties (otherwise known as a Man-in-the-Middle attack). The technique makes use of the TLS protocol, which requires the server to provide a certificate containing its public key. If the client has a copy of the expected certificate (or just the public key) and checks for a match before completing the TLS handshake, then the client is considered pinned to the server.