Posts about

Mobile App Development

Let's Fight COVID-19 With Apps - Privately

April 3, 2020

Photo by CDC on Unsplash In recent weeks we have been following the race to build contact tracing smartphone apps in the worldwide fight against COVID-19. Such apps are a powerful weapon in controlling the growth of infection by automating the scaling of the contact tracing process. By tracking interactions between people, the apps allow instant user notification if they have recently been in close proximity with anyone later diagnosed with COVID-19. This allows immediate social distancing or self isolation measures to be instituted for that potential infected user, slowing the spread of the virus. It would have been better if these apps were widely available during the initial phase of the pandemic, but they may still have a crucial role to play as we eventually emerge from full lockdown We have some specific suggestions about how this can be achieved while maintaining citizen anonymity. Read Full Story

Bypassing Certificate Pinning

August 18, 2019

In a previous article we saw how to protect the https communication channel between a mobile app and an API server with certificate pinning, and as promised at the end of that article we will now see how to bypass certificate pinning. To demonstrate how to bypass certificate pinning we will use the same Currency Converter Demo mobile app that was used in the previous article. In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning. Read Full Story

Improve the Security of API Keys

July 24, 2019

Securely identify your API Caller Read Full Story

Securing HTTPS with Certificate Pinning on Android

June 26, 2019

  In a previous article we saw how we could steal an API key by performing a man in the middle (MitM) attack to intercept the https traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning. In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article. In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack. Read Full Story

Steal That API Key with a Man in the Middle Attack

April 4, 2019

As I promised in my previous article, here it is the follow up article about performing a man in the middle (MitM) attack to steal an API key, and to follow this article you will need to become the man sitting in the middle of the actual channel, using mitmproxy to help you with the task of stealing the API key. Now it should be clear why MitM stands for man in the middle! Read Full Story

Preventing Mobile App and API Abuse

March 21, 2019

This post includes a video of SKip Hovsmith's talk on preventing mobile app and API abuse at the 2019 AppSec California Conference.   Read Full Story

How to Pin Mobile gRPC Channels

March 4, 2019

Last-mile Security for gRPC-connected mobile APIs Read Full Story

Why Does Your Mobile App Need an API Key?

March 1, 2019

Mobile apps are becoming increasingly important in the strategy of any company. As a result, companies need to release new application versions at a fast pace, and this puts developers under pressure with tight deadlines to complete and release new features very quickly. Read Full Story

Consider gRPC for Mobile APIs

February 5, 2019

EVALUATING GRPC REQUEST-RESPONSE, AUTHENTICATION, AND STREAMING gRPC is an open source remote procedure call (RPC) framework that runs across many different client and server platforms. It commonly uses protocol buffers (protobufs) to efficiently serialize structured data for communication, and it is used extensively in distributed and microservice-based systems. Read Full Story

Approov Cordova QuickStart

June 15, 2018

Editor's note: This post was originally published in June 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in July 2020. Our aim is to make the process of integrating Approov into your mobile app easy. Our Cordova Advanced-HTTP Quickstart  allows you to get up and running with Approov easily, whether you are building a new Cordova app that uses Cordova Advanced HTTP or are adapting an existing one to have an improved security posture. Read Full Story