Posts about

Mobile Security

The Mobile Attack Pyramid

July 13, 2021

Editor's note: This post was originally published in July 2021 in Cyber Defense Magazine. A regular pyramid has 5 surfaces, 4 sloping ones and another as its base. In this article we will walk through the mobile attack pyramid, discussing each of the 5 attack surfaces and recommending best practice for protecting them. Read Full Story

Tipping Point for the Car Rental Industry

June 16, 2021

Editor's note: This post was originally published in June 2021 in Security Today. The Covid-19 epidemic has forced the car rental industry into rethinking its value proposition. While it once positioned itself as an ancillary service to the airline industry, generating the bulk of its income through airport locations, a collapse in global airline passenger numbers over the past year may have sped up a process already underway: Far from occupying a segment in the travel industry, car rental companies are now one corner of the Cars as a Service industry. Read Full Story

Guest Blog: Alissa Knight on ‘Playing with FHIR’

June 2, 2021

We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight. This is the third blog in a series about the security risks exposed by the push to adopt FHIR APIs in US healthcare. Read Full Story

Guest Blog: Alissa Knight on 'FHIR Walker: Authentication and Authorization in FHIR APIs'

May 13, 2021

We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight who will be writing on the topic of healthcare API security. In the first article, Alissa provided a plain English explanation of FHIR from the perspective of a hacker. In this blog, Alissa covers mobile API authentication and authorization. Read Full Story

How to Bypass Certificate Pinning with Frida on an Android App

May 4, 2021

In a previous article we learned how to perform a MitM attack on a mobile app that doesn’t employ certificate pinning as a mechanism of preventing such attacks. Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning. Read Full Story

How to MitM Attack the API of an Android App

May 1, 2021

In a previous article we saw how to perform a MitM attack to steal an API key, but that approach required installing the proxy certificate into the Android device through the user trusted certificates store. An easier way exists, and in this article I will show how to use an Android Emulator with a writable file system that will allow us to install the proxy certificate directly into the system trusted store, without the need to root the emulator or make changes in the mobile app. Read Full Story