Approov Blog

Mobile App Authentication (9)

(Image via http://maxpixel.freegreatpicture.com) The API for a service faces conflicting demands in order to deliver value to end users. It needs to be open to allow innovation by 3rd party app developers. This is necessary to meet niche customer needs and open new markets for your service beyond what an in house app development team could provide. Read Full Story

One Developer's Bad Dream Disclaimer: No Python or JavaScript coders were harmed during the writing of this article. All actions involving coders were safely simulated and purely fictional. Read Full Story

(Image by Cory Doctorow licensed under CC BY 2.0) It's another sunny Scottish morning at CriticalBlue and we're having a chat about the latest and trendiest of Android vulnerabilities and the fundamental mobile security flaws that have come up in our pentesting activities. Every now and again they might be enabled by a race condition that's been in the Linux kernel for nine years but more often than not, they lurk in the apps themselves, storing secrets in plain text on devices or sending unencrypted data over the network. We all know we shouldn't be doing it, and if we didn't, we could learn how to equip our code with basic security in a few stack overflow questions' time, so why do embarrassing things keep happening? Read Full Story

(Image © Steve Fareham (cc-by-sa/2.0)) Over the years the OWASP top 10 has been a key guide for directing application developers to the things they should worry about from a security perspective. The same types of issues seem to occur again and again with alarming regularity. Read Full Story

Nowadays it's very common for car manufacturers to develop mobile applications that allow you to control several aspects of your vehicle. The level of control that these apps give you is diverse. From the simple function of unlocking the car to the much more complicated action of summoning it to your location. Read Full Story

On Friday, 21 October 2016, multiple waves of distributed denial of service (DDoS) attacks shut down major internet services across the United States and Europe. The attacking botnet army consisted mainly of printers, IP cameras, residential gateways, and baby monitors infected with Mirai malware. Mirai targets IoT devices, and though each individual IoT device was not very powerful, taken together these devices did significant damage. For many mainstream internet users, the need for strong IoT security became painfully obvious. Read Full Story

The number of devices connected to the internet has exploded in recent years as everyone becomes permanently attached to their phone or tablet. As the number of mobile users has increased, there has been movement away from websites towards mobile apps. Large companies can gain more information about users when they use their app, and can also provide a more fully featured experience by offering offline functionality or by making use of the phone’s camera, accelerometer or GPS. Users tend to prefer them as well because they offer a richer experience. Read Full Story

The attack on the website of Brian Krebs and the release of the Mirai malware source code demonstrates the challenges that face the anti-bot world. At its peak, the Krebs on Security DDoS attack was generating 620Gbps of traffic, mostly from IoT devices. With the ever increasing number of internet connected devices, and their current security shortcomings, it should come as little surprise that the scale of DDoS attacks is increasing. Read Full Story

Suppose your mobile app relies on a back-end server that holds sensitive data or just data that you do not want to be manipulated or copied freely. You trust your own app to do everything right, but what about bots exploiting your API or if someone steals and subverts your app? Read Full Story

A massive success, a staggered worldwide release, ravening hordes of eager adults (and children) with an obsessive urge to catch ’em all. I am of course talking about Pokémon GO from Niantic. Read Full Story