Approov Blog

Mobile App Development (6)

When the NHSX contact tracing app was made available in the app stores last Thursday we decided to take a quick look at its operation and how the code has been put together. We used the Android version and the excellent MobSF tools to do our reversing analysis. On Friday the full source code of the app was also published on github. Read Full Story

More details of the UK's controversial NHSX contact tracing app are being released as the app starts a wider scale trial on the Isle of Wight this week. NHSX is a digital transformation group associated with the UK National Health Service. Why controversial? There are many reasons, some to do with how the app development was initially procured, but also specifically from a technical perspective as the UK has opted for a centralised contact tracing approach rather than the decentralised model being championed by Apple and Google amongst others (including ourselves). Read Full Story

Photo by Digital Buggu from Pexels Google announced Android App Bundles a couple of years ago at I/O 2018. App Bundles are a new app publishing format providing new features that have rapidly driven their adoption. In particular App Bundle delivery enables automatic splitting of various assets within the overall app package, so they are only delivered to a device if they are actually needed. Read Full Story

Photo by Ferenc Almasi on Unsplash React Native is a very popular framework for building cross platform apps. Apps are developed in Javascript, but with full support for inclusion of native iOS or Android libraries where that is necessary. You shouldn’t need to compromise on security though just because you are using a higher level framework rather than developing native apps. Our React Native Quickstart allows you to easily get up and running with Approov, whether you are building a new app or adapting an existing one to have an improved security posture. Read Full Story

Photo by Pathum Danthanarayana on Unsplash Our aim is to make the process of integrating Approov into your mobile app as simple as possible. Our Quickstart guides show you how to Approov into your app, tailored to whatever framework or programming style you’ve already adopted. In this blog we are going to cover the comprehensive options we have for Android Native app development. Read Full Story

Photo by CDC on Unsplash In recent weeks we have been following the race to build contact tracing smartphone apps in the worldwide fight against COVID-19. Such apps are a powerful weapon in controlling the growth of infection by automating the scaling of the contact tracing process. By tracking interactions between people, the apps allow instant user notification if they have recently been in close proximity with anyone later diagnosed with COVID-19. This allows immediate social distancing or self isolation measures to be instituted for that potential infected user, slowing the spread of the virus. It would have been better if these apps were widely available during the initial phase of the pandemic, but they may still have a crucial role to play as we eventually emerge from full lockdown We have some specific suggestions about how this can be achieved while maintaining citizen anonymity. Read Full Story

Editor's note: This post was originally published in August 2019 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in November 2021. In a previous article we saw how to protect the HTTPS communication channel between a mobile app and an API server with certificate pinning, and in this article we will now see how to bypass that certificate pinning. Read Full Story

Securely identify your API Caller Read Full Story

Editor's note: This post was originally published in June 2019 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in November 2021. In a previous article we saw how we could steal an API key by performing a man in the middle (MitM) attack to intercept the HTTPS traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning. Read Full Story

Editor's note: This post was originally published in April 2019 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in November 2021. As I promised in my previous article, here is the follow up article about performing a man-in-the-middle (MitM) attack to steal an API key, and to follow this article you will need to become the man sitting in the middle of the actual channel, using mitmproxy to help you with the task of stealing the API key. Now it should be clear why MitM stands for man in the middle! Read Full Story