How to Protect Against Certificate Pinning Bypassing

Tue 15 October 2019 By Paulo Renato

Category: Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, API, MitM Attack, Certificate Pinning

In my previous article, we saw how to bypass certificate pinning within a device you control and, as promised, we will now see how you can protect yourself against such an attack.

In this article you will learn how to use a mobile app attestation service to protect your API server from accepting requests that come from a mobile app where certificate pinning has been bypassed. This means that even though the attacker has bypassed the certificate pinning, he will not be able to receive successful responses from the API server. Instead, the server will always return 401 responses, thus protecting your valuable data from getting into the wrong hands.

Read More

Apple DeviceCheck and CriticalBlue Approov

Sat 27 April 2019 By David Stewart

Category: API Keys, Android, Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, SafetyNet, DeviceCheck


We are often asked by customers and prospects to compare our beloved Approov with Apple's DeviceCheck offering. Since DeviceCheck is intended to uniquely identify iOS phone instances, this is a reasonable question. However, DeviceCheck and Approov are designed to do quite different things, so we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here.

Read More

Google SafetyNet and CriticalBlue Approov

Sat 27 April 2019 By David Stewart

Category: API Keys, Android, Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, SafetyNet, DeviceCheck


We are often asked by customers and prospects to compare our beloved Approov with Google's SafetyNet offering. Since SafetyNet is intended to identify genuine Android instances, this is a reasonable question. However, SafetyNet and Approov are designed to do quite different things, so we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here.

Read More

THE TOP 6 MOBILE API PROTECTION TECHNIQUES - ARE THEY ENOUGH?

Sat 22 December 2018 By Paulo Renato

Category: API Keys, Mobile App Authentication, Scrapers, Bots, Threats

APIs are a necessary and central part of the strategy of any digital business that wants to stay competitive and monetize its assets. Additionally, end users’ form factor of choice when using digital services is now firmly mobile. The trend towards APIs and mobile devices has moved the attack surface in a significant way and digital businesses must adapt and evolve their security policies accordingly.

Read More

API ABUSE IN 2017 (PART 3)

Mon 19 February 2018 By Barry O'Rourke

Category: Business, CheatingAsAService, Aggregators, Threats, A Series - API Abuse

Two particularly challenging forms of API abuse are Aggregation and Cheating as a Service. In both these cases your own users are enabling and sometimes funding the individuals and organizations abusing your APIs.

Read More

API ABUSE IN 2017 (PART 2)

Tue 13 February 2018 By Barry O'Rourke

Category: Business, Account Hijacking, Fake Accounts, Scrapers, Threats, A Series - API Abuse

Our first batch of business-level attacks covers Data Scrapers and Account Hijacking. We also take a look at the lucrative business of Fake Account Factories.

Read More

API ABUSE IN 2017 (PART 1)

Fri 09 February 2018 By Barry O'Rourke

Category: Business, Threats, A Series - API Abuse

2017 has seen our customers tackling a wide range of abuse and misuse of their Mobile APIs. We are seeing multiple approaches where the business process transparency provided by APIs has resulted in exploitation. Time for a retrospective...

Read More

THE SPECTRE OF THE ZYGOTE

Wed 10 January 2018 By Richard Taylor

Category: Threats

In part 1 of this blog I provided an overview of Meltdown and Spectre, and in this blog I look at the potential impact for mobile security.

Read More

YOU JUST NEED TO SPECULATE TO EXFILTRATE

Tue 09 January 2018 By Richard Taylor

Category: Threats

There is much to discuss in the wake of the security news flow last week. It was dominated by the Meltdown and Spectre CPU bug announcements — 2018 has certainly got off to an interesting start. In part one of this two-part blog I will look at these bugs from a high level. In part two I shine the spotlight on the implications for mobile security, and for Android in particular.

Read More

IF YOU CAN'T MAKE IT, FAKE IT

Wed 22 November 2017 By Shona Hossell

Category: Business, Mobile App Authentication, Bots, Threats

As many social media platforms continue to experience incredible growth in popularity, the supporting apps, and the APIs that service them, remain top targets for bad actors. The ability to communicate quickly and indirectly with the platforms' vast user bases makes them ideal for spreading malware, phishing attacks, or fake news. Networks of automated accounts, gaining artificial levels of popularity and influence, are often used to instigate attacks, and the recent admission by Facebook that Kremlin-linked propaganda may have been seen by as many as 126 million users gives us some idea of the scale of the threat and the ambition of the attackers.

Read More
