Approov Blog

Mobile Security (3)

One of the most well-known checklists for mobile app security is found in the OWASP Mobile Application Security Verification Standard (MASVS). If you implement the OWASP Mobile App Security Checklist thoroughly and meet all the requirements, your mobile app will have a good security foundation. However, there are still some potential security gaps to consider. First, the app itself is responsible for conducting security checks and making decisions about its own security, which could allow an attacker to use an instrumentation framework to bypass or modify these checks and decisions. Second, the API backend is not necessarily restricted to serving requests solely from genuine, unmodified instances of the mobile app that are not under attack or running on a compromised device and environment. Read Full Story

As a developer once said… It depends!!! In a nutshell, it depends on what is motivating you to use obfuscation in the first place. If you plan to use only code obfuscation as a security measure then you may end up with a Maginot Line on your security defences. Read Full Story

Runtime Application Self-Protection (RASP) is a security technology that is designed to protect applications from attacks while the application is running. It works by embedding a security mechanism directly into the application, which allows it to monitor the application's behavior and detect and prevent malicious activities in real-time. Read Full Story

Mobile apps are now essential for communication, entertainment, shopping, banking and other aspects of our daily lives. As security threats increase, it's crucial to ensure that mobile apps are secure. Insecure mobile apps can lead to data breaches, sensitive information theft, and financial losses. Adopting best security practices is essential to safeguard your mobile apps, APIs, and users' data and privacy. This blog post outlines the best practices for mobile app security that every mobile app developer should consider while developing mobile apps and where Approov can be used to enhance the security of a mobile app and their APIs. We'll cover topics like secure code development, authentication and authorization, network security, secure data storage, and regular security testing. Read Full Story

Broken Object Level Authorization (BOLA) is the #1 vulnerability in the OWASP API Security Project’s API Security Top Ten in 2019. Using BOLA, an attacker exploits a vulnerable API endpoint by manipulating an arbitrary object identifier to exfiltrate or manipulate data they are not authorized to access. Authorization schemes can be complex, and it is easy for an API developer to miss an authorization check when the application state is passed between client and service. Read Full Story

Pinduoduo Malware highlights the need for App Attestation on a Global Scale The recent Pinduoduo hack may have impacted over 700 million users in China, and highlights the need for mobile app attestation to protect against mobile app malware and other vulnerabilities. In the Pinduoduo hack, attackers were able to exploit a vulnerability in the popular ecommerce mobile app to gain access to user accounts and steal sensitive information, such as users' names, phone numbers, and addresses. This type of attack is not uncommon, and highlights the importance of implementing strong security measures, such as app attestation, to help prevent such vulnerabilities from being exploited. Read Full Story

This is our second blog highlighting the results of the Approov Threat Lab Report. Read Full Story

First of all, this blog was written by a human being! Now that that's out of the way, let's get onto our main topic for today which is to take a look at ChatGPT and use it to understand some key aspects of mobile security. Read Full Story

Data breaches involving the healthcare industry can have serious consequences, as they can compromise sensitive and personal information such as medical records, financial data, and personal identification numbers. Mobile apps are increasingly being used in the healthcare industry to provide services such as telemedicine, appointment scheduling, and electronic health records, and these apps can also be vulnerable to data breaches. Read Full Story

API abuse is a growing concern in today's digital landscape, with criminals finding new and innovative ways to exploit APIs for their own gain. According to a recent study by Salt Security, "malicious API attack traffic surged 117% over the past year, from an average of 12.22 million malicious calls per month to an average of 26.46 million calls." This article explores the topic as it relates to mobile centric businesses. Read Full Story