Upwardly Mobile - API & App Security News

Approov Limited

Dive into the high-stakes world of mobile app development and API security with Upwardly Mobile, your ultimate guide to defending apps in today’s volatile digital landscape. Hosted by Skye Macintyre and George McGregor, and proudly sponsored by Approov, the leaders in mobile app attestation and API security, this podcast unpacks the evolving threats and innovative solutions shaping mobile security. Explore why the built-in protections from tech giants like Apple, Google, and Huawei often fall short, leaving sensitive data vulnerable. Learn how advanced techniques—like runtime attestation and dynamic API security—thwart attackers and secure your app ecosystem. Each episode delivers insights into major data breaches, emerging trends, and actionable strategies to fortify your apps and APIs against ever-advancing cyber threats. From development best practices to navigating compliance and regulation, Upwardly Mobile equips mobile developers, security professionals, and tech enthusiasts with the knowledge to safeguard their creations. Stay informed, stay secure, and stay ahead with expert guidance on the future of mobile cybersecurity. Subscribe now on Spotify and Apple Podcasts, and elevate your security game!

  1. 2D AGO

    Google Goes Private: The Future of Android Development

    Podcast Title: Upwardly Mobile
    Episode Title: Google Goes Private: The Future of Android Development

    Episode Description: In this episode of Upwardly Mobile, we delve into a significant shift in the world of Android development. Google has announced that it will now conduct all Android operating system development internally, moving away from the traditional model where much of the work was visible through the public Android Open Source Project (AOSP). We explore the reasons behind this move, its implications for manufacturers, developers, and the future of the Android ecosystem, especially for non-GMS (Google Mobile Services) devices popular in regions like India and China. Join us as we unpack what this change means for the upwardly mobile tech landscape.

    Key Discussion Points:
    • Google's Strategic Shift: We discuss Google's decision to move all Android OS development to its internal infrastructure. Previously, Android had two development locations: the public AOSP and Google's internal branch. This change aims to streamline the development workflow and simplify software releases.
    • The End of AOSP-First Development: For over sixteen years, AOSP has been the primary platform for Android development. This shift means that core development will now happen solely within Google. Components like the Bluetooth stack and the kernel will now be developed internally.
    • Commitment to Open Source: Despite this change, Google has stated its commitment to the open-source nature of Android. It will continue to publish the source code for new Android versions to AOSP after internal development is complete. Android 16's source code is planned for release in 2025.
    • Reasons for the Change: Maintaining synchronization between the internal and public branches has been challenging, leading to technical difficulties like merge conflicts. Google believes a single internal branch will let phone makers and developers work with one consistent version.
    • Impact on Non-GMS Android Forks: This move has significant implications for non-GMS Android operating systems and manufacturers, particularly those in India and China. They will have reduced access to real-time updates and development progress. Source code releases for individual components may also become less frequent.
    • Challenges for Developers: Developers of non-GMS forks will need to rely on finalized release tags, potentially hindering innovation and customization. Ensuring compatibility with future Android versions may also become more difficult.
    • Impact on App Developers: While app developers are largely unaffected, those who relied on AOSP for insights into upcoming changes may face reduced transparency and need to wait for final APIs. This could push developers in regions with many non-GMS devices towards alternative platforms like HarmonyOS.
    • Reactions from the Community: Some Android OS engineers are expressing sadness over this shift, as they believe in the philosophical importance of developing security- and privacy-relevant components in public. However, the practical impact for most users, and even for platform developers working off release branches, is expected to be minimal.

    Relevant Web Links:
    All Android Developments Circulate In-House (India Herald): https://www.indiaherald.com/Technology/Read/994807090/All-Android-Developments-Circulate-InHouse
    Android development moves internally at Google ahead of public releases (Neowin): https://www.neowin.net/news/android-development-moves-internally-at-google-ahead-of-public-releases/
    Exclusive: Google will...

    9 min
  2. 4D AGO

    Unlocked and Unsafe? The Truth About iOS Jailbreaking

    Upwardly Mobile - Episode Title: Jailbreaking iPhones: Risks, Detection, and Staying Secure

    Welcome to Upwardly Mobile, the podcast exploring the latest trends and security challenges in the mobile landscape. In this episode, we delve into the world of iOS jailbreaking, examining the latest developments, the ongoing battle between jailbreak detection and bypass methods, and the significant security implications for both individual users and organisations.

    Listen as we discuss:
    • What is Jailbreaking? We explain what it means to jailbreak an iPhone and the motivations behind it, from wanting more customisation and features to accessing third-party apps not available on the official App Store.
    • Dopamine 2.0 and the Detection Landscape: We look at the release of the Dopamine 2.0 jailbreak and how app developers are catching on, with more apps now detecting jailbroken devices.
    • The Cat and Mouse Game: Bypassing Jailbreak Detection: Discover the tools and techniques users employ to bypass jailbreak detection, including tweaks like Choicy and vnodebypass, downgrading apps to earlier versions using tools like AppStore++, and hiding the Filza URL scheme so that apps probing for the file manager with canOpenURL come up empty.
    • Apps on High Alert: We highlight the types of apps most commonly known to implement jailbreak detection, such as banking applications, social media platforms like Snapchat, and popular games.
    • The Hidden Dangers: Security Risks Amplified: We explore the significantly increased security risks of using jailbroken devices, which are far more susceptible to malware infection and total compromise.
    • For Developers: Fortifying Your Apps: We discuss solutions available to mobile app developers to protect their applications from jailbreak detection bypass tools. Learn about platforms like Appdome and their AI-powered features to actively block bypass attempts.
    • Advanced App Security with Approov: We touch upon the capabilities of Approov in providing runtime app shielding, integrity verification, and detection of tampering, emulators, debuggers, and rooting/jailbreaking.

    Relevant Links:
    Reddit Discussion - First app I found that detected jailbreak on Dopamine 2.0:
    HowStuffWorks - How to Jailbreak an iPhone:
    Appdome - How to Protect iOS Apps from Jailbreak Detection Bypass Tools Using AI:
    Approov - Mobile App Shielding | Device Attestation:
    Mobile Jailbreaks Exponentially Increase Corporate Risk:

    Keywords: iOS, jailbreak, Dopamine 2.0, jailbreak detection, bypass, Choicy, vnodebypass, AppStore++, security, malware, app protection, Appdome, Approov, mobile security, iPhone, banking apps, Snapchat, gaming.

    Learn more about protecting your mobile apps with our sponsor, Approov: https://approov.io

    Stay tuned for the next episode of Upwardly Mobile for more insights into the ever-evolving world of mobile technology.

    16 min
  3. MAR 20

    The Man-in-the-Middle Threat: Understanding and Preventing MitM

    Episode Title: Securing Your Connection: A Guide to Preventing MitM Attacks

    Episode Description: Man-in-the-Middle (MitM) attacks pose a significant threat to online security, allowing malicious actors to intercept and manipulate communications. This episode delves into what MitM attacks are, how they work, and crucial strategies for prevention, especially for mobile applications. We'll explore the evolving landscape of security measures, including the debate around certificate pinning.

    Episode Notes:
    What are Man-in-the-Middle (MitM) attacks? A MitM attack occurs when a bad actor secretly inserts themselves between two communicating parties to read, steal, manipulate, or forward the data they exchange. Because neither party sees anything unusual, these attacks are often described as eavesdropping. The potential payoff for attackers can be significant. Popular targets include insecure networks, unencrypted websites, smartphones, and other smart devices.

    How do MitM attacks work? Attackers can monitor digital activities, conversations, and emails to steal sensitive information like login credentials, credit card numbers, and bank details. Once an insecure access point is found, the attacker positions themselves between the two communicating parties, with all traffic passing through them in real time.
    Example 1: Man-in-the-Mobile (MitMo) attack: A fraudster secretly reroutes text messages between two individuals, seeing all the content shared.
    Example 2: Malicious Wi-Fi Hotspot: Attackers create unsecured public Wi-Fi hotspots, often named similarly to legitimate locations, to intercept data from connected users.

    Common Types of MitM Attacks:
    • Adversary-in-the-Middle (AitM): A malicious actor places a reverse proxy between the victim and the real login page to capture credentials and the resulting session tokens. Because the victim types their one-time code into the proxy, OTP-based multi-factor authentication is defeated as well. This is common in phishing campaigns.
    • Man-in-the-Browser (MitB): Attackers inject JavaScript into a user's browser (e.g., through malicious extensions or downloaded malware) to gain access to sensitive information and perform unauthorised actions.
    • Man-in-the-Mobile (MitMo): Attacks target mobile devices through infected apps and phishing scams, allowing interception of communications and sensitive data, and in severe cases, remote device control. Sophisticated malware can even be installed without user interaction.
    • DNS Spoofing: Attackers compromise a DNS server or poison a resolver's cache so that a site's name resolves to an address they control, redirecting users to the attacker's site.
    • Wi-Fi Eavesdropping: Creating fake public Wi-Fi networks to intercept user activity and data.
    • Email Hijacking: Cybercriminals intercept emails (e.g., between banks and customers) to spoof email addresses and send fraudulent instructions to the victim.
    • Session Hijacking: Attackers steal the session cookies or tokens held by the browser and replay them to take over an already authenticated session, without ever needing the password.
    • IP Spoofing: An attacker forges the source address in IP packet headers to impersonate a trusted host, which can be used to redirect users to a malicious site or to slip past address-based access controls.

    Detecting Man-in-the-Middle Attacks:
    • Be alert for any abnormal activity on your online accounts or devices (e.g., unfamiliar balances or activity).
    • Use antivirus software to scan for malware.
    • Inspect your Wi-Fi connection to ensure it is secure and not open.
    • Only visit HTTPS sites you trust and verify the URL for accuracy and no typos.
    • Be wary of suspicious certificates.
    • Look out for unfamiliar or misspelled URLs in your browser's address bar.
    • Be aware of network connections you don't recognise.

    Preventing Man-in-the-Middle Attacks:
    User Best Practices:
    • Avoid connecting to Wi-Fi networks without password protection.
    • Pay attention to browser warnings about unsecure websites and only trust encrypted...
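    The prevention notes above are cut off at certificate pinning, so the mechanism itself follows as an added example in Go; it is not code from the episode or from Approov. A pin is the SHA-256 of the server key's SubjectPublicKeyInfo, the same "sha256/..." form that Android's network_security_config <pin-set> and OkHttp's CertificatePinner take, and the client accepts a chain only if one of its certificates carries a pinned key. A hotspot or corporate proxy that mints a certificate for the same hostname under a root the device trusts still fails, because its key is different. The keys, the pin set and the hostname api.example.com are constructed for the demonstration; the check is wired into tls.Config.VerifyConnection, which Go runs after ordinary chain validation, so pinning is added on top of the usual checks rather than replacing them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
)

// SPKIPin computes the pin of a DER-encoded SubjectPublicKeyInfo in the
// "sha256/<base64>" form used by Android's <pin-set> and OkHttp's CertificatePinner.
func SPKIPin(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet is what the app ships: the pin of the live server key plus at least one
// backup pin for a key kept offline, so a key rotation does not lock out installed apps.
type PinSet map[string]bool

// MatchesAny reports whether any key in the presented chain is pinned. Pinning the
// key rather than the certificate lets the server renew its certificate without
// touching the pins, as long as it keeps the same key pair.
func (p PinSet) MatchesAny(spkis [][]byte) bool {
	for _, spki := range spkis {
		if p[SPKIPin(spki)] {
			return true
		}
	}
	return false
}

// VerifyConnection is the hook for tls.Config.VerifyConnection. Go calls it after the
// normal checks (expiry, hostname, trusted root) have already passed.
func (p PinSet) VerifyConnection(cs tls.ConnectionState) error {
	spkis := make([][]byte, 0, len(cs.PeerCertificates))
	for _, cert := range cs.PeerCertificates {
		spkis = append(spkis, cert.RawSubjectPublicKeyInfo)
	}
	if !p.MatchesAny(spkis) {
		return errors.New("tls: no certificate in the chain carries a pinned key (possible MitM)")
	}
	return nil
}

// ClientConfig wires the pin check into a TLS client configuration.
func ClientConfig(pins PinSet, serverName string) *tls.Config {
	return &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12, VerifyConnection: pins.VerifyConnection}
}

// NewKeySPKI generates a fresh P-256 key and returns its SPKI DER. It stands in for
// "the server's key", "the backup key" and "an interceptor's key" in the demonstration.
func NewKeySPKI() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	return spki
}

func main() {
	live, backup, interceptor := NewKeySPKI(), NewKeySPKI(), NewKeySPKI()
	pins := PinSet{SPKIPin(live): true, SPKIPin(backup): true}
	println("genuine server accepted:", pins.MatchesAny([][]byte{live}))           // true
	println("proxy-issued certificate accepted:", pins.MatchesAny([][]byte{interceptor})) // false
	_ = ClientConfig(pins, "api.example.com") // hostname is an assumption for the example
}
```

    The backup pin is not optional in practice: without it, rotating the server key means every installed copy of the app refuses to connect until users update, which is the rotation problem the "dynamic certificate pinning" in the secrets-sprawl episode below is designed to remove.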

    14 min
  4. MAR 18

    Beyond DexGuard: Exploring Advanced Layers of App Protection

    Episode Notes: In this episode, we delve into the crucial topic of mobile app security, focusing on hardware-backed key attestation and its role in verifying device integrity. Key attestation is a feature of Android's hardware-backed KeyStore: an app asks the keystore to generate a key pair with an attestation challenge, and the secure hardware returns a certificate chain whose leaf carries a signed description of the key and of the device, including whether the bootloader is locked and whether the boot image passed Verified Boot. A verifier checks that the chain terminates in Google's attestation root, that the challenge is the one it issued, and that the security level and root-of-trust fields meet its policy.

    We discuss the potential benefits of key attestation, particularly for applications handling sensitive data in industries like finance, point-of-sale (POS) systems, gaming and entertainment, retail and e-commerce, and healthcare. For instance, key attestation can help ensure that payment environments are uncompromised, aligning with security standards like PCI DSS. It can also be valuable for security-focused SDKs, such as those used for identity verification, by establishing a device's integrity before providing assurances. DexGuard's OS Integrity feature is mentioned as an example of a product building upon key attestation.

    However, the episode also critically examines the limitations and challenges of relying solely on hardware-backed key attestation. When the verdict is computed and acted on inside the app, a determined attacker with control of the device can hook the check or replay an earlier result so that a compromised device reports clean, rendering device-side attestation unreliable. The static nature of device-based attestation, which makes it a fixed target, is also highlighted. Additionally, device compatibility issues, particularly with older devices or those lacking trusted certificates, and the potential for false positives affecting legitimate users with custom ROMs or unlocked bootloaders are important considerations.

    The discussion contrasts device-based attestation with cloud-based attestation solutions, such as Approov, which make the attestation decision remotely, potentially offering more dynamic security policies and protection for both mobile apps and APIs. The importance of runtime protection against threats that bypass bootloader verification is also touched upon.

    Furthermore, the episode considers the role of Secure Elements (SE) and Secure Enclaves in protecting sensitive information. While these hardware-backed components offer strong protection for the keys they hold, the software layers above them can be subverted through hooking and emulation, especially on rooted Android devices and jailbroken iOS devices. Tools like Frida and the Xposed Framework, which can intercept the calls an app makes into those layers, are mentioned. The importance of a holistic approach to mobile security, combining hardware integrity with software hardening and runtime protections, is emphasised. Solutions like Cryptomathic’s Mobile Application Security Core (MASC), which aims to protect against hooking, emulation, and tampering, are noted.

    Links to Relevant Sites:
    Guardsquare: https://www.guardsquare.com/
    Guardsquare Blog: https://www.guardsquare.com/blog
    DexGuard: https://www.guardsquare.com/dexguard
    ProGuard Manual: Available via Guardsquare website
    Cryptomathic: https://www.cryptomathic.com/
    Cryptomathic Blog: https://www.cryptomathic.com/blog
    Approov: https://approov.io/
    Android Developers - Verify hardware-backed key pairs with key attestation: a...
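    As an added example, not code from the episode, Guardsquare, Cryptomathic or Approov, here is the server side of the flow described above in Go: the verifier pins the attestation root, validates the leaf's chain, parses the key attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) and applies its policy: the challenge must be the one this server issued, the security level must be TEE or StrongBox, and the root of trust must report a locked bootloader in the VERIFIED boot state. The struct definitions cover only the fields the check reads; the real AuthorizationList carries many other tagged members, which is why the [704] rootOfTrust is found by walking the list rather than by position. BuildDemoChain stands in for the device: its generated root replaces Google's published attestation root, which a real verifier pins instead, and the claims it writes into the extension are constructed inputs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// OID of the key attestation extension in the leaf certificate that KeyStore returns.
var attestationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 1, 17}

// The parts of the KeyDescription schema this verifier reads, in ASN.1 field order.
type rootOfTrust struct {
	VerifiedBootKey   []byte
	DeviceLocked      bool
	VerifiedBootState asn1.Enumerated // 0 Verified, 1 SelfSigned, 2 Unverified, 3 Failed
	VerifiedBootHash  []byte
}
type keyDescription struct {
	AttestationVersion       int
	AttestationSecurityLevel asn1.Enumerated // 0 Software, 1 TrustedEnvironment, 2 StrongBox
	KeymasterVersion         int
	KeymasterSecurityLevel   asn1.Enumerated
	AttestationChallenge     []byte
	UniqueID                 []byte
	SoftwareEnforced         asn1.RawValue // AuthorizationList: SEQUENCE of context-tagged members
	TeeEnforced              asn1.RawValue
}

// findRootOfTrust walks an AuthorizationList member by member and decodes its [704] rootOfTrust.
func findRootOfTrust(list asn1.RawValue) (rot rootOfTrust, ok bool) {
	var member asn1.RawValue
	for rest, err := list.Bytes, error(nil); len(rest) > 0 && err == nil; {
		if rest, err = asn1.Unmarshal(rest, &member); err == nil && member.Class == asn1.ClassContextSpecific && member.Tag == 704 {
			_, err = asn1.Unmarshal(member.Bytes, &rot)
			return rot, err == nil
		}
	}
	return rot, false
}

// VerifyAttestation is the server-side decision: chain to the pinned root, challenge issued by
// this server, hardware-backed key, locked bootloader in the VERIFIED boot state.
func VerifyAttestation(leafDER []byte, pinnedRoot *x509.Certificate, challenge []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return errors.New("chain does not end at the pinned attestation root: " + err.Error())
	}
	var kd keyDescription
	var extDER []byte
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(attestationOID) {
			extDER = ext.Value
		}
	}
	if rest, err := asn1.Unmarshal(extDER, &kd); err != nil || len(rest) != 0 {
		return errors.New("missing or malformed key attestation extension")
	}
	rot, ok := findRootOfTrust(kd.TeeEnforced)
	switch {
	case !bytes.Equal(kd.AttestationChallenge, challenge):
		return errors.New("challenge mismatch: stale or replayed attestation")
	case kd.AttestationSecurityLevel == 0:
		return errors.New("software-level attestation: key is not hardware backed")
	case !ok || !rot.DeviceLocked || rot.VerifiedBootState != 0:
		return errors.New("no hardware root of trust, bootloader unlocked, or boot image not verified")
	}
	return nil
}

// BuildDemoChain plays the device for this example: a generated root stands in for Google's
// attestation root, and the leaf carries the extension with the given (constructed) claims.
func BuildDemoChain(challenge []byte, level, bootState int, locked bool) ([]byte, *x509.Certificate, error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Attestation Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	rotMember, _ := asn1.MarshalWithParams(rootOfTrust{VerifiedBootKey: make([]byte, 32), DeviceLocked: locked,
		VerifiedBootState: asn1.Enumerated(bootState), VerifiedBootHash: make([]byte, 32)}, "tag:704,explicit")
	extDER, _ := asn1.Marshal(keyDescription{AttestationVersion: 4, KeymasterVersion: 41,
		AttestationSecurityLevel: asn1.Enumerated(level), KeymasterSecurityLevel: asn1.Enumerated(level),
		AttestationChallenge: challenge, SoftwareEnforced: asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true},
		TeeEnforced: asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: rotMember}})
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Android Keystore Key"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: attestationOID, Value: extDER}}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, rootKey)
	return leafDER, root, err
}
```

    Taking the decision on the server, against a challenge the server issued, is what removes the "manipulate the device to report clean" problem for this particular check: the chain is signed inside the TEE, an app-side hook cannot forge it, and a replay fails the challenge comparison. What the server still cannot see is whether the app process that sent the chain is the one the key was generated for, which is where the runtime protection the episode mentions comes in; and the compatibility and custom-ROM rejections the episode raises remain policy choices this verifier has to make explicitly.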

    12 min
  5. MAR 14

    Secrets Sprawl: The Mobile Security Threat

    Episode Notes: In this episode, we delve into the growing threat of secrets sprawl, particularly for mobile developers. The recent State of Secrets Sprawl 2025 report revealed a concerning 25% increase in hardcoded secrets exposed on GitHub in 2024, with 23.7 million new secrets leaked. We explore why mobile apps are particularly exposed: they often embed API keys, authentication tokens, and other sensitive values, and anything compiled into an app can be recovered by whoever downloads the package and decompiles it or searches its strings, leading to API abuse, data breaches, and supply chain attacks.

    We discuss how hardcoded secrets are a major attack vector, with 58% of all leaked credentials in 2024 being generic secrets like passwords and database connection strings. The BeyondTrust API key breach, used by Chinese state-sponsored hackers to infiltrate the U.S. Treasury Department, highlights the real-world consequences.

    We examine the limitations of existing security measures:
    • GitHub’s Push Protection is a good start but only blocks secrets whose format it recognises (provider-specific API key patterns), missing many secrets such as database credentials and encryption keys.
    • Private repositories are not inherently safe, being 8x more likely to contain secrets than public ones.
    • While helpful, secrets management tools alone are not a complete solution, with 5.1% of repositories using them still leaking secrets.
    • Threats extend beyond source code, with 38% of exposed credentials in collaboration tools like Slack and Jira being classified as highly critical.

    The episode then focuses on how mobile developers can protect their apps with runtime secrets protection:
    • Dynamic API Key Injection: Using a server-side mechanism to deliver keys at runtime instead of hardcoding them. Solutions like Approov use mobile app attestation to deliver keys only to trusted app instances.
    • Mobile App Attestation: Verifying that API requests come from genuine, untampered app instances, preventing abuse from repackaged apps and bots.
    • Dynamic Certificate Pinning: Ensuring apps automatically update to the latest certificate pins to block Man-in-the-Middle (MitM) attacks, without shipping a new app release for every key rotation.
    • Detecting and Blocking Rooted or Jailbroken Devices: Using RASP (Runtime Application Self-Protection) to detect and respond to unauthorised modifications.
    • Monitoring and Revoking Compromised Secrets: Automating secret rotation and revocation, as 70% of valid secrets detected in 2022 were still active in 2024.

    Key Takeaway: Your app's security is only as strong as its weakest secret. Protecting API keys at runtime is crucial.

    Links:
    The State of Secrets Sprawl 2025 Report (GitGuardian):
    Securing Mobile Apps Analyst Guide for Approov (Intellyx): https://intellyx.com/wp-content/uploads/2024/09/Securing-Mobile-Apps-Analyst-Guide-for-Approov-FINAL.pdf
    Approov Website: www.approov.io
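    As an added example, not code from the episode, GitGuardian or Approov, a minimal scanner in Go that makes the push-protection limitation above concrete: provider-specific patterns catch formats with a recognisable prefix, while a database URL and a random-looking encryption key are only caught by generic rules (credentials embedded in a URL, a secret-named variable assigned a high-entropy literal). The sample source lines are constructed for the demonstration; the AWS value is Amazon's documented placeholder key and none of the values is a real credential.

```go
package main

import (
	"math"
	"regexp"
	"strings"
)

// Finding is one flagged line: its 1-based line number and the rule that fired.
type Finding struct {
	Line int
	Rule string
}

// Provider-specific formats, the kind a push-protection gate recognises. The formats are
// public: AWS access key IDs are AKIA plus 16 upper-case alphanumerics, classic GitHub PATs
// are ghp_ plus 36 alphanumerics, Google API keys are AIza plus 35 URL-safe characters.
var specificPatterns = map[string]*regexp.Regexp{
	"aws_access_key_id": regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	"github_pat":        regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`),
	"google_api_key":    regexp.MustCompile(`\bAIza[0-9A-Za-z_-]{35}\b`),
}

// Generic rules have no fixed prefix to anchor on, which is why pattern-only tools miss them.
var (
	// credentials embedded in a connection URL: scheme://user:password@host
	urlCredentials = regexp.MustCompile(`\b[a-z][a-z0-9+.-]*://[^\s:@/"']+:[^\s@"']+@`)
	// a secret-looking name assigned a quoted literal of at least 8 characters
	keywordAssign = regexp.MustCompile(`(?i)(password|passwd|secret|token|api[_-]?key|encryption[_-]?key)\w*\s*[:=]\s*["']([^"']{8,})["']`)
)

// shannonEntropy in bits per character: random-looking credentials score high,
// placeholders such as "changeme" score low (2.75).
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanSource flags lines that look like hardcoded secrets. With specificOnly it behaves like a
// pattern-only gate; otherwise it also applies the generic rules with an entropy threshold.
func ScanSource(src string, specificOnly bool) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		matched := false
		for rule, re := range specificPatterns {
			if re.MatchString(line) {
				out = append(out, Finding{i + 1, rule})
				matched = true
				break
			}
		}
		if matched || specificOnly {
			continue
		}
		if urlCredentials.MatchString(line) {
			out = append(out, Finding{i + 1, "url_credentials"})
		} else if m := keywordAssign.FindStringSubmatch(line); m != nil && shannonEntropy(m[2]) >= 3.0 {
			out = append(out, Finding{i + 1, "keyword_high_entropy"})
		}
	}
	return out
}

// SampleSource is constructed for this example: a few lines in the style of an Android
// code base. Only lines 1 and 4 have a recognisable provider prefix; 2 and 3 do not.
const SampleSource = `const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
val dbUrl = "postgres://app:Sup3rS3cret!@db.internal:5432/prod"
String ENCRYPTION_KEY = "q7Hh2kP9sL3mZ8vB1nX4cW6rT0yU5eA2";
private static final String GOOGLE_API_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q";
val apiToken = System.getenv("API_TOKEN")
String password = "changeme";
val retries = 3`
```

    ScanSource(SampleSource, true) returns two findings (lines 1 and 4); ScanSource(SampleSource, false) returns four, adding the connection string on line 2 and the encryption key on line 3. Line 5 is not flagged because the value comes from the environment rather than a literal, which is the shape the runtime-injection approach above produces. Line 6 is not flagged either: "changeme" falls under the entropy threshold, the trade-off every entropy heuristic makes, which is why scanners usually report keyword-only matches at a lower severity instead of dropping them. The same regexes run over the output of strings on an unpacked APK or IPA are the attacker's side of the episode's point: whatever a scanner finds in the package, so does anyone who downloads the app.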

    32 min
  6. MAR 2

    Samsung Galaxy S25 | A Quantum Leap in Mobile Security?

    This episode explores the security features of the Samsung Galaxy S25, focusing on its implementation of post-quantum cryptography (PQC). Learn how the Galaxy S25 aims to set a new standard for mobile security by integrating PQC to protect against future quantum-based cyber attacks.

    Key Discussion Points:
    • Samsung describes the Galaxy S25 as the first smartphone to feature post-quantum cryptography, using the ML-KEM algorithm to protect sensitive data.
    • Post-quantum cryptography (PQC) consists of cryptographic algorithms designed to remain secure against cryptanalytic attacks performed by a quantum computer, while still running on ordinary hardware.
    • Knox Vault on the Galaxy S25 employs post-quantum cryptography to secure personalized AI data.
    • The Personal Data Engine analyzes data on-device for personalized experiences, with that data locked behind Knox Vault.
    • The Galaxy S25 includes a new Knox Matrix dashboard, additional Maximum Restriction settings, and enhanced Theft Protection.
    • App developers need to prepare for the transition to PQC to ensure their applications remain secure against future quantum threats; the concern that matters today is "harvest now, decrypt later", where traffic recorded now is decrypted once a capable quantum computer exists.
    • NIST standardised CRYSTALS-Kyber as ML-KEM (FIPS 203, August 2024), a key encapsulation mechanism intended to replace, or be combined with, the widely used (Elliptic Curve) Diffie-Hellman key exchange, whose security a large quantum computer would break.

    Relevant Links:
    • Galaxy S25 News: Stay updated on the Galaxy S25.
    • Post-Quantum Cryptography (PQC) & Mobile App Security: Learn more about PQC and its implications for mobile app security.
    • NowSecure Platform: Explore mobile application security testing solutions.
    • NIST’s PQC Algorithms: Find information on NIST-approved quantum-resistant cryptographic algorithms.
    • CRYSTALS-Kyber: Reference implementations for CRYSTALS-Kyber are available for evaluation.
    • App Developer's Guide: Key considerations for app developers to transition to post-quantum cryptography (PQC)
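    As an added example of what "preparing for the transition" looks like in app code, not code from the episode, Samsung or NowSecure, here is a hybrid X25519 + ML-KEM-768 key agreement in Go using the standard library's crypto/mlkem (Go 1.24 or later): the client sends an X25519 public key and an ML-KEM encapsulation key, the server encapsulates and replies with the ciphertext and its own X25519 key, and both sides derive one session key from both shared secrets and the transcript. The message structs, the label string and the single-SHA-256 derivation are constructed for this example; TLS's hybrid groups do the same with HKDF. Hybrid rather than pure ML-KEM means the session is no weaker than X25519 if ML-KEM turns out to have a flaw, and no weaker than ML-KEM once a quantum computer breaks X25519.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Messages of the exchange. Both keys in ClientHello are generated fresh per session.
type (
	ClientHello struct{ X25519Pub, MLKEMEnc []byte } // X25519 public key, ML-KEM-768 encapsulation key
	ServerHello struct{ X25519Pub, MLKEMCt []byte }  // X25519 public key, ML-KEM ciphertext
	ClientState struct {                              // client's private halves, kept between the two messages
		ecdhKey *ecdh.PrivateKey
		kemKey  *mlkem.DecapsulationKey768
	}
)

// deriveKey binds both shared secrets and the whole transcript into one session key, so an
// attacker must break X25519 and ML-KEM. TLS uses HKDF here; one labelled SHA-256 keeps it short.
func deriveKey(ecdhSecret, kemSecret []byte, transcript ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte("hybrid-x25519-mlkem768-v1")) // constructed label, not a standard one
	h.Write(ecdhSecret)
	h.Write(kemSecret)
	for _, part := range transcript {
		h.Write(part)
	}
	return h.Sum(nil)
}

// ClientStart generates the client's ephemeral keys and the first message.
func ClientStart() (*ClientState, ClientHello, error) {
	ecdhKey, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	kemKey, err2 := mlkem.GenerateKey768()
	if err := errors.Join(err1, err2); err != nil {
		return nil, ClientHello{}, err
	}
	hello := ClientHello{X25519Pub: ecdhKey.PublicKey().Bytes(), MLKEMEnc: kemKey.EncapsulationKey().Bytes()}
	return &ClientState{ecdhKey, kemKey}, hello, nil
}

// ServerRespond answers a ClientHello and returns the server's copy of the session key.
func ServerRespond(ch ClientHello) (ServerHello, []byte, error) {
	clientPub, err1 := ecdh.X25519().NewPublicKey(ch.X25519Pub)
	encKey, err2 := mlkem.NewEncapsulationKey768(ch.MLKEMEnc)
	ecdhKey, err3 := ecdh.X25519().GenerateKey(rand.Reader)
	if err := errors.Join(err1, err2, err3); err != nil {
		return ServerHello{}, nil, err
	}
	ecdhSecret, err := ecdhKey.ECDH(clientPub)
	if err != nil {
		return ServerHello{}, nil, err
	}
	kemSecret, ct := encKey.Encapsulate() // fresh secret plus the ciphertext only the client can open
	sh := ServerHello{X25519Pub: ecdhKey.PublicKey().Bytes(), MLKEMCt: ct}
	key := deriveKey(ecdhSecret, kemSecret, ch.X25519Pub, ch.MLKEMEnc, sh.X25519Pub, sh.MLKEMCt)
	return sh, key, nil
}

// Finish consumes the ServerHello and returns the client's copy of the session key.
func (c *ClientState) Finish(ch ClientHello, sh ServerHello) ([]byte, error) {
	serverPub, err := ecdh.X25519().NewPublicKey(sh.X25519Pub)
	if err != nil {
		return nil, err
	}
	ecdhSecret, err1 := c.ecdhKey.ECDH(serverPub)
	kemSecret, err2 := c.kemKey.Decapsulate(sh.MLKEMCt)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	return deriveKey(ecdhSecret, kemSecret, ch.X25519Pub, ch.MLKEMEnc, sh.X25519Pub, sh.MLKEMCt), nil
}

// Handshake runs both sides in-process and reports whether they agree on the key. With tamper
// set, an on-path attacker flips a ciphertext byte; ML-KEM rejects implicitly, so keys diverge.
func Handshake(tamper bool) (bool, error) {
	client, hello, err := ClientStart()
	if err != nil {
		return false, err
	}
	reply, serverKey, err := ServerRespond(hello)
	if err != nil {
		return false, err
	}
	if tamper {
		reply.MLKEMCt[0] ^= 0x01
	}
	clientKey, err := client.Finish(hello, reply)
	if err != nil {
		return false, err
	}
	return bytes.Equal(clientKey, serverKey), nil
}
```

    Handshake(false) returns true; Handshake(true) returns false, because ML-KEM's implicit rejection hands the client a pseudorandom secret rather than an error and the first authenticated record then fails. Sizes to budget for in a mobile API: the encapsulation key is 1184 bytes and the ciphertext 1088 bytes, against 32 bytes each for X25519, so the first round trip grows by roughly 2 KB.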

    21 min
  7. FEB 26

    TgToxic Android Trojan: A Masterclass in Banking Malware

    Episode Notes: In this episode of Upwardly Mobile, we dive deep into the world of Android banking trojans, focusing on the rising threats of ToxicPanda and TgToxic. These sophisticated pieces of malware are targeting mobile users across the globe, aiming to steal credentials, cryptocurrency, and funds from banking and finance apps [1, 2]. We explore how these trojans operate, their evolution, and most importantly, how you can protect yourself [3, 4].

    Key Discussion Points:
    • The Threat Landscape: Understanding the basics of mobile banking trojans and their increasing prevalence [2, 5].
    • ToxicPanda: Discover the tactics used by this relatively new trojan, including social engineering and on-device fraud, where transactions are initiated from the victim's own phone so that two-factor authentication and device checks are sidestepped [6].
    • TgToxic: Uncover the advanced anti-analysis techniques used by TgToxic, including code obfuscation, payload encryption, and dynamic command-and-control (C2) strategies [7-9].
    • Geographical Targets: Identifying the regions most affected by these threats, including Europe, Latin America, and Southeast Asia [10-12].
    • Technical Analysis: Examining how TgToxic abuses legitimate automation frameworks like Easyclick to hijack user interfaces and automate malicious activities [13, 14].
    • Defence Strategy: Practical steps you can take to protect your Android devices from these banking trojans, including keeping "Allow from Unknown Sources" disabled, being wary of suspicious emails and links, and monitoring app permissions [3, 4].
    • The Role of Social Engineering: Recognising how social engineering remains a primary method for distributing malware and how to avoid falling victim to these attacks [10].
    • Real-World Impact: Understanding the potential financial losses and the importance of staying informed about emerging cyber threats [10].
    • C2 (Command and Control) Strategies: Understanding the dynamic C2 strategies used by TgToxic, including domain generation algorithms (DGA) and dead-drop locations, where the current C2 address is hidden in content posted to legitimate services [7, 15].

    Sponsor: This episode is brought to you by Approov (https://www.approov.io/). Approov helps protect your mobile apps from abuse and fraud. Learn more about their runtime application self-protection (RASP) and device attestation solutions [7].

    Relevant Links:
    Avoiding Social Engineering and Phishing Attacks: https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks [16]
    Android Banking Trojan ToxicPanda Targets Europe: https://www.securityweek.com/android-banking-trojan-toxicpanda-targets-europe/ [16]
    ToxicPanda: a new banking trojan from Asia hits Europe and LATAM: https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam [16]
    TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users: https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html [16]
    Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users: https://thehackernews.com/2023/02/enigma-vector-and-tgtoxic-new-threats.html [17]

    Keywords: Android...

    15 min

