Posts about

Threats

How Certificate Pinning Helps Thwart Mobile MitM Attacks

November 9, 2021

Editor's note: This post was originally published in November 2021 in Cyber Defense Magazine. The massive deployment of mobile apps is presenting new attack surfaces to bad actors and the API channel between the apps and backend services is one of the 5 defined attack surfaces in the ecosystem. In this article we will explore the challenges of defending this channel and outline some practical steps you can take to put immediate protection in place. Read Full Story

Our Certificate Pinning Configuration Tool

September 30, 2021

In this blog we introduce our new mobile certificate pinning configuration tool. This free web tool allows you to automatically generate the configuration required to pin your mobile app connections, providing an additional layer of security.  Read Full Story

API-First Strategies Require API-First Security

August 3, 2021

Editor's note: This post was originally published in July 2021 in ToolBox. Back in 2017, Gartner predicted that API abuse would be the most frequent attack vector for data breaches by 2022. Two years later, when exposed APIs already made up 40% of the attack surface for web-enabled applications, the research and advisory company estimated that figure to soar to 90% by 2021.  Read Full Story

The Mobile Attack Pyramid

July 13, 2021

Editor's note: This post was originally published in July 2021 in Cyber Defense Magazine. A regular pyramid has 5 surfaces, 4 sloping ones and another as its base. In this article we will walk through the mobile attack pyramid, discussing each of the 5 attack surfaces and recommending best practice for protecting them. Read Full Story

Tipping Point for the Car Rental Industry

June 16, 2021

Editor's note: This post was originally published in June 2021 in Security Today. The Covid-19 epidemic has forced the car rental industry into rethinking its value proposition. While it once positioned itself as an ancillary service to the airline industry, generating the bulk of its income through airport locations, a collapse in global airline passenger numbers over the past year may have sped up a process already underway: Far from occupying a segment in the travel industry, car rental companies are now one corner of the Cars as a Service industry. Read Full Story

API Keys Can Be Phished Too

May 10, 2021

Photo credit: iStock.com/Evkaz We are all very aware of the issues around phishing of user credentials. But it is not only users that can be phished, apps can be too. In previous blogs we’ve shown you how you can make a MITM attack against an app. In this blog we’ll demonstrate that a MITM attack against an app is analogous to a phishing attack against a human. Moreover, there are some similar characteristics to the protections required. Read Full Story

Guest Blog: Alissa Knight on 'Standing Outside The FHIR'

April 22, 2021

We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight who will be writing on the topic of healthcare API security. In this blog, Alissa provides a plain English explanation of FHIR from the perspective of a hacker. Enjoy! Read Full Story

Closing Both Web and Mobile Doors To Automated Traffic

March 16, 2021

In this article we will look at the challenges of making sure that bots and other automated traffic can’t gain access to your backend systems, no matter how they try. Most enterprises offer services through their website and their mobile app and both attack surfaces must be considered. Ensuring that both channels are properly defended will prevent DDoS, credential stuffing, data scraping and other fraudulent exploits from occurring. Read Full Story

Clubhouse Needs A Bouncer

February 26, 2021

Even if you only have a vague interest in app security I’m sure the recent furore around Clubhouse hasn’t escaped your attention. There is significant buzz around this invite-only iOS app. Enabling live audio chat rooms between participants, it sets the expectation that these interactions are somewhat private and certainly not recorded.  With big celebrity names such as Elon Musk, Kanye West and Oprah Winfrey as users there is a significant demand for a coveted invite. Read Full Story

Balancing Mobile App and API Protection

January 18, 2021

A common discussion that comes up with customers is how they should consider the security requirements of their mobile apps and of the APIs that service them. A recent incident involving Nissan provides a reminder of how easily best laid protections can unravel. Read Full Story