Posts about

Threats

Let's Fight COVID-19 With Apps - Privately

April 3, 2020

Photo by CDC on Unsplash In recent weeks we have been following the race to build contact tracing smartphone apps in the worldwide fight against COVID-19. Such apps are a powerful weapon in controlling the growth of infection by automating the scaling of the contact tracing process. By tracking interactions between people, the apps allow instant user notification if they have recently been in close proximity with anyone later diagnosed with COVID-19. This allows immediate social distancing or self isolation measures to be instituted for that potential infected user, slowing the spread of the virus. It would have been better if these apps were widely available during the initial phase of the pandemic, but they may still have a crucial role to play as we eventually emerge from full lockdown We have some specific suggestions about how this can be achieved while maintaining citizen anonymity. Read Full Story

Securing the Enterprise for Remote Work

April 2, 2020

At a time when the world could use some good news, any good news, the central health crisis continues to get compounded by a persistent wave of cyberattacks targeted at companies and their employees. Not even healthcare institutions and agencies at the center of responding to the emergency have been spared, with the World Health Organization, the U.S. Department of Health and Human Services and even a UK-based coronavirus testing facility being targeted by cyber profiteers. Read Full Story

How to Protect Against Certificate Pinning Bypassing

October 15, 2019

In my previous article, we saw how to bypass certificate pinning within a device you control and, as promised, we will now see how you can protect yourself against such an attack. In this article you will learn how to use a mobile app attestation service to protect your API server from accepting requests that come from a mobile app where certificate pinning has been bypassed. This means that even though the attacker has bypassed the certificate pinning, he will not be able to receive successful responses from the API server. Instead, the server will always return 401 responses, thus protecting your valuable data from getting into the wrong hands. Read Full Story

Apple DeviceCheck and CriticalBlue Approov

April 27, 2019

We are often asked by customers and prospects to compare our beloved Approov with Apple's DeviceCheck offering. Since DeviceCheck is intended to uniquely identify iOS phone instances then this is a reasonable question. However, DeviceCheck and Approov are designed to do quite different things and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here. Read Full Story

Google SafetyNet and CriticalBlue Approov

April 27, 2019

We are often asked by customers and prospects to compare our beloved Approov with Google's SafetyNet offering. Since SafetyNet is intended to identify genuine Android instances then this is a reasonable question. However, SafetyNet and Approov are designed to do quite different things and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here. Read Full Story

The Top 6 Mobile API Protection Techniques - Are They Enough?

December 22, 2018

APIs are a necessary and central part of the strategy of any digital business that wants to stay competitive and monetize its assets. Additionally, end users’ form factor of choice when using digital services is now firmly mobile. The trend towards APIs and mobile devices has moved the attack surface in a significant way and digital businesses must adapt and evolve their security policies accordingly. Read Full Story

API Abuse in 2017 (Part 3)

February 19, 2018

Two particularly challenging forms of API abuse are Aggregation and Cheating as a Service. In both these cases your own users are enabling and sometimes funding the individuals and organizations abusing your APIs. Read Full Story

API Abuse in 2017 (Part 2)

February 13, 2018

Our first batch of business level attacks are Data Scrapers and Account Hijack. We also take a look at the lucrative business of Fake Account Factories. Read Full Story

API Abuse in 2017 (Part 1)

February 9, 2018

2017 has seen our customers tackling a wide range of abuse and misuse of their Mobile APIs. We are seeing multiple approaches where the business process transparency provided by APIs has resulted in exploitation. Time for a retrospective... Read Full Story

The Spectre of the Zygote

January 10, 2018

In part1 of this blog I provided an overview of the Meltdown and Spectre and in this blog I look at the potential impact for mobile security. Read Full Story