UK Contact Tracing App Privacy Risks

Tue 05 May 2020 By Richard Taylor

Category: Threats, Mobile App Development, API Security, Healthcare

More details of the UK's controversial NHSX contact tracing app are being released as the app starts a wider scale trial on the Isle of Wight this week. NHSX is a digital transformation group associated with the UK National Health Service.

Why controversial? There are many reasons, some to do with how the app development was initially procured, but also specifically from a technical perspective as the UK has opted for a centralised contact tracing approach rather than the decentralised model being championed by Apple and Google amongst others (including ourselves).

Read More

Cloner Apps: Playing in a Shared Sandbox

Mon 27 April 2020 By Richard Taylor

Category: Android, Mobile App Authentication, Repackaged Apps, Threats, Fintech

Image by Andrew Martin from Pixabay

The Android app store contains numerous Cloner Apps. These are an increasingly popular category that allow you to have multiple accounts associated with an app, such as a social media or messaging app. Our analysis shows that such apps introduce some really concerning potential security isolation risks that you should be aware of so that you can decide if you want to enable features to block the use of such cloner apps with your own app.

Read More

Contact Tracing Apps: Privacy vs. Security?

Thu 16 April 2020 By Richard Taylor

Category: Mobile App Authentication, Threats, API, API Abuse, API Security, Healthcare

Photo by Fusion Medical Animation on Unsplash

Last Friday, there was an unusual joint announcement from Apple and Google providing details of a new phone API for Covid-19 contact tracing via Bluetooth. The protocol allows mobile phones to continually transmit Bluetooth advertisements to one another. This includes a proximity identifier derived from randomly generated keys that can be held secretly on each device. If a phone user is later diagnosed with Covid-19, they are able to upload the daily tracing keys for those days when they might have been infectious. 

Read More

COVID-19 App User Anonymity Mandates App Authentication

Sat 04 April 2020 By Richard Taylor

Category: Business, Threats, API, API Abuse, API Security

With smartphone usage now a global phenomenon, mobile apps and connectivity are common denominators binding people the world over. And as the world’s nations grapple with the common dilemma of how to manage the ongoing pandemic of coronavirus or COVID-19, it’s little wonder that governments and health authorities across the planet are turning to mobile app technology as a weapon in their crisis management arsenal.

Read More

Let's Fight COVID-19 With Apps - Privately

Fri 03 April 2020 By Richard Taylor

Category: News, Threats, API, Mobile App Development, API Security

Photo by CDC on Unsplash

In recent weeks we have been following the race to build contact tracing smartphone apps in the worldwide fight against COVID-19. Such apps are a powerful weapon in controlling the growth of infection by automating the scaling of the contact tracing process. By tracking interactions between people, the apps allow instant user notification if they have recently been in close proximity with anyone later diagnosed with COVID-19. This allows immediate social distancing or self isolation measures to be instituted for that potential infected user, slowing the spread of the virus. It would have been better if these apps were widely available during the initial phase of the pandemic, but they may still have a crucial role to play as we eventually emerge from full lockdown We have some specific suggestions about how this can be achieved while maintaining citizen anonymity.

Read More

Securing the Enterprise for Remote Work

Thu 02 April 2020 By David Stewart

Category: Business, Mobile App Authentication, Threats, MitM Attack, API Security

At a time when the world could use some good news, any good news, the central health crisis continues to get compounded by a persistent wave of cyberattacks targeted at companies and their employees. Not even healthcare institutions and agencies at the center of responding to the emergency have been spared, with the World Health Organization, the U.S. Department of Health and Human Services and even a UK-based coronavirus testing facility being targeted by cyber profiteers.

Read More

How to Protect Against Certificate Pinning Bypassing

Tue 15 October 2019 By Paulo Renato

Category: Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, API, MitM Attack, Certificate Pinning

In my previous article, we saw how to bypass certificate pinning within a device you control and, as promised, we will now see how you can protect yourself against such an attack.

In this article you will learn how to use a mobile app attestation service to protect your API server from accepting requests that come from a mobile app where certificate pinning has been bypassed. This means that even though the attacker has bypassed the certificate pinning, he will not be able to receive successful responses from the API server. Instead, the server will always return 401 responses, thus protecting your valuable data from getting into the wrong hands.

Read More

Apple DeviceCheck and CriticalBlue Approov

Sat 27 April 2019 By David Stewart

Category: API Keys, Android, Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, SafetyNet, DeviceCheck

Image credit

We are often asked by customers and prospects to compare our beloved Approov with Apple's DeviceCheck offering. Since DeviceCheck is intended to uniquely identify iOS phone instances then this is a reasonable question. However, DeviceCheck and Approov are designed to do quite different things and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here.

Read More

Google SafetyNet and CriticalBlue Approov

Sat 27 April 2019 By David Stewart

Category: API Keys, Android, Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, SafetyNet, DeviceCheck

Image credit

We are often asked by customers and prospects to compare our beloved Approov with Google's SafetyNet offering. Since SafetyNet is intended to identify genuine Android instances then this is a reasonable question. However, SafetyNet and Approov are designed to do quite different things and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here.

Read More

THE TOP 6 MOBILE API PROTECTION TECHNIQUES - ARE THEY ENOUGH?

Sat 22 December 2018 By Paulo Renato

Category: API Keys, Mobile App Authentication, Scrapers, Bots, Threats

APIs are a necessary and central part of the strategy of any digital business that wants to stay competitive and monetize its assets. Additionally, end users’ form factor of choice when using digital services is now firmly mobile. The trend towards APIs and mobile devices has moved the attack surface in a significant way and digital businesses must adapt and evolve their security policies accordingly.

Read More

Page 2 of 4