Upwardly Mobile - API & App Security News

Approov Limited

Dive into the high-stakes world of mobile app development and API security with Upwardly Mobile, your ultimate guide to defending apps in today’s volatile digital landscape. Hosted by Skye Macintyre and George McGregor, and proudly sponsored by Approov, the leaders in mobile app attestation and API security, this podcast unpacks the evolving threats and innovative solutions shaping mobile security. Explore why the built-in protections from tech giants like Apple, Google, and Huawei often fall short, leaving sensitive data vulnerable. Learn how advanced techniques—like runtime attestation and dynamic API security—thwart attackers and secure your app ecosystem. Each episode delivers insights into major data breaches, emerging trends, and actionable strategies to fortify your apps and APIs against ever-advancing cyber threats. From development best practices to navigating compliance and regulation, Upwardly Mobile equips mobile developers, security professionals, and tech enthusiasts with the knowledge to safeguard their creations. Stay informed, stay secure, and stay ahead with expert guidance on the future of mobile cybersecurity. Subscribe now on Spotify and Apple Podcasts, and elevate your security game!

  1. 20 HR AGO

    Google Play Store Crypto Scam | Protecting Your Wallets from Malicious Apps!

    Protecting Your Crypto Wallets from Deceptive Apps

    This episode of Upwardly Mobile covers a critical cybersecurity threat to cryptocurrency users on the Google Play Store: the alarming findings by Cyble Research and Intelligence Labs (CRIL), who identified over 20 malicious applications actively targeting crypto wallet users [1-4].

    Key Discoveries and Threat Tactics:
    • These deceptive apps impersonate legitimate and popular crypto wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium [2-4]. They even use the icons of the legitimate wallets to trick victims into trusting them [5].
    • Once installed, the apps prompt users to enter their 12-word mnemonic phrases into fraudulent wallet interfaces [2, 3, 6]. Threat actors then use this highly sensitive information to access the real wallets and drain cryptocurrency funds, leading to irreversible financial losses, since cryptocurrency transactions are not easily reversed [3, 7-9].
    • The malicious apps are distributed through the Play Store under compromised or repurposed developer accounts [2-4]. Some of these accounts previously hosted legitimate apps with over 100,000 downloads, suggesting they were compromised to distribute the new malicious applications [8, 10].
    • The threat actors follow consistent patterns, such as embedding phishing URLs in their privacy policies and using similar package names and descriptions [2, 5, 8]. The investigation also revealed that the apps use development frameworks like Median to rapidly convert phishing websites into Android apps [6, 11].
    • A look at the infrastructure showed that the phishing URLs are hosted on IP addresses associated with over 50 other phishing domains, indicating a centralized and well-coordinated operation [7, 12-14]. This large-scale phishing infrastructure, combined with seemingly legitimate applications, makes detection challenging and extends the campaign's reach [7, 14].

    The Reality of App Store Security & Why Vigilance is Key: This campaign underscores a critical mobile app security myth: app stores do not guarantee the security of every app available for download [15, 16]. Despite stringent security measures, malicious apps can and do make their way onto platforms like the Google Play Store [16-21]. Cybersecurity experts such as Jake Moore of ESET emphasize that users must be extremely cautious and perform due diligence even when downloading from legitimate platforms, especially for apps connected to finances [17].

    **Your Defense Strategy:** To safeguard your digital assets and personal information, follow these essential cybersecurity best practices:
    • Download apps ONLY from verified developers, and carefully check app reviews, publisher details, and download statistics before installing [17, 22].
    • NEVER enter sensitive information like mnemonic phrases into an app unless you are absolutely certain it is the legitimate application, ideally reached via a direct link from the crypto wallet's official website [9, 22].
    • Enable biometric security features, such as fingerprint or facial recognition, on your mobile devices [22].
    • Be extremely cautious about opening any links received via SMS or email, as these are common phishing vectors [22].
    • Ensure that Google Play Protect is enabled on your Android devices [8, 22].

    For developers, it is crucial to prioritize security throughout the mobile app development lifecycle, recognizing that static defenses like code obfuscation are often insufficient [19, 23-27]. Dynamic, runtime security measures such as Runtime Application Self-Protection (RASP), Runtime Secrets Protection, and Dynamic Certificate Pinning are non-negotiable for protecting sensitive data and functionality [27]. Additionally, App Attestation and token-based API access are vital for verifying the integrity of the mobile app itself before granting API access, blocking bots, scripts, and tampered apps [27-29].

    Sponsor Spotlight: This episode of "Upwardly Mobile" is proudly sponsored by Approov, the gold standard in mobile app attestation and API security. Approov helps protect mobile apps and APIs by enforcing trust boundaries between mobile clients and backend services, significantly raising the bar against malicious or unauthorized data harvesting and sophisticated attacks. Learn more about securing your mobile apps and APIs at approov.io.

    Relevant Links:
    • Excerpts from "Crypto Phishing Applications On The Play Store" [1-3, 5-7, 10-13, 22, 30-42]
    • Excerpts from "Delete Every App On Your Smartphone That’s On This List" [4, 8, 9, 14, 17, 43-49]
    • Excerpts from "Mobile App Security Myths" [15, 16, 18-21, 23-26, 50-69]
    • Learn more about protecting your APIs and mobile applications: https://approov.io/

    (Please note: Information about Approov.io is external to the provided sources within the "Crypto Phishing Applications On The Play Store", "Delete Every App On Your Smartphone That’s On This List", and "Mobile App Security Myths" documents, and you may want to independently verify that information.)

    Keywords: Crypto phishing, Play Store, mobile app security, mnemonic phrase, cryptocurrency, scam apps, cyber threat intelligence, cybercrime, phishing attack, digital wallets, Android security, app store security, API security, social engineering, app attestation, runtime security, RASP, brand impersonation, fraudulent domains, threat detection, dark web monitoring, vulnerability management.

    15 min
  2. 5 DAYS AGO

    App Store Fees Exposed: Maximize Your Revenue & Bypass the 30% Cut

    Strategies for App Revenue Success

    Welcome to "Upwardly Mobile," the podcast that empowers founders to scale their ventures! In this essential episode, we look into the often-challenging world of app store fees, exploring how Apple and Google claim a significant cut of your hard-earned revenue and, more importantly, how you can navigate these charges to maximise your profit.

    The Reality of App Store Fees: Discover why Apple and Google typically claim up to 30% of revenue from in-app purchases. While a reduced 15% rate exists for smaller businesses earning under $1 million annually, founders serious about scaling need to understand the broader implications. We discuss how increasing regulatory pressure, particularly from the EU, is forcing these tech giants to loosen their grip, but often only where legally compelled.

    Key Regulatory Changes & Exceptions: Learn about Apple's compliance with the EU’s Digital Markets Act (2024), which now permits app distribution outside the App Store and the integration of external payment systems within the EU, albeit with a reduced commission of 10% to 17%. Crucially, this flexibility does not extend beyond EU borders. We also examine Google’s User Choice Billing program, which allows developers to offer their own payment methods alongside Google’s, with fees still applying at 11% or 26%. We explore other exceptions born from legal battles and regulatory requirements, such as reader apps like Netflix and Spotify being able to link to external sign-up pages due to pressure from Japan's Fair Trade Commission. Additionally, legislation in the Netherlands and South Korea has forced Apple to allow external payments for dating apps, though Apple still collects a slightly reduced cut (27% and 26%, respectively).

    Mastering the Hybrid Model for Revenue Optimisation: One of the most effective strategies to reduce Apple and Google fees is implementing a hybrid monetisation model. This approach combines in-app purchases with a web-based payment system, allowing you to bypass the hefty 30% cut for your most loyal users, who are willing to take an extra step to pay outside the app. We illustrate the potential savings: for a health app with a dedicated user base paying $15 a month for premium features, converting just 5% of 100,000 users via your website could save you an incredible $25,000 in monthly fees compared to being locked into Apple’s in-app purchase system. However, we also highlight the critical importance of careful strategy and clear messaging to avoid losing users who might bounce if they encounter a paywall with no clear way to pay. This approach requires balancing fee reduction against the potential sacrifice of some of the organic traction provided by App Store visibility.

    Alternative Distribution & The Debate on Fair Fees: While alternative distribution methods like sideloading apps or distributing outside official app stores can help you bypass fees, they come with their own challenges, often sacrificing mainstream adoption and App Store visibility. For example, Google’s sideloading flexibility doesn't mean most users will jump through hoops, and Apple’s EU compliance with the Digital Markets Act is limited geographically. We delve into the compelling argument that app store fees should be low or even zero, as proposed by experts like Damien Geradin. This perspective suggests that fees should reflect only the intrinsic value the app store brings to developers, rather than the 'lock-in' or 'gatekeeper' value created by restrictions on competition and the resulting network effects. Furthermore, it acknowledges the significant value that app developers bring to Apple and Google’s mobile ecosystems by drawing users to their platforms. This synergetic relationship has become conflictual due to imposed restrictions and fees.

    Ultimately, success comes down to knowing your audience and understanding their willingness to follow your preferred payment process. By staying informed, agile, and strategically implementing hybrid models, you can take greater control of your revenue stream and transform your app’s profitability.

    Relevant Links:
    • The Real Cost Of App Store Fees: A Founder’s Guide To Understanding The Landscape by Lubo Smid, Forbes Technology Council: https://www.forbes.com/sites/forbestechcouncil/2025/05/06/the-real-cost-of-app-store-fees-a-founders-guide-to-understanding-the-landscape/
    • Why the Apple App Store and the Google Play Store fees should be low or even zero by Damien Geradin, SSRN: https://ssrn.com/abstract=5272037

    Sponsor: This episode of "Upwardly Mobile" is brought to you by Approov.io, experts in API threat protection. Learn more about securing your mobile apps at approov.io. (Please note: Information about Approov.io is external to the provided sources and may need independent verification.)

    Keywords: App store fees, Apple App Store, Google Play Store, app monetisation, in-app purchases, hybrid model, external payments, Digital Markets Act, EU regulation, sideloading, app developers, mobile ecosystems, gatekeepers, revenue optimisation, profit maximisation, app strategy, scaling apps, startup, founder, technology, competition law.

    21 min
  3. 9 JUN

    Caught Red-Handed: Meta & Yandex's Covert Android Surveillance!

    Episode Notes: Dive deep into the shocking revelations about covert web-to-app tracking affecting billions of Android users! This episode uncovers a novel tracking method employed by tech giants Meta (Facebook Pixel) and Yandex (Yandex Metrica), which silently links your mobile browsing sessions to your long-lived native app identities.

    Key Discoveries:
    • The Localhost Loophole: Learn how Meta and Yandex exploit unrestricted access to localhost sockets on the Android platform. Native apps like Facebook, Instagram, Yandex Maps, Navigator, Browser, and Search listen on fixed local ports (e.g., Meta uses UDP ports 12580-12585; Yandex uses TCP ports 29009, 29010, 30102, 30103) to receive browser metadata, cookies, and commands from scripts embedded on thousands of websites.
    • Bypassing Privacy Protections: This method bypasses typical privacy controls such as clearing cookies, using Incognito Mode, and Android's permission controls. It effectively de-anonymises users by linking ephemeral web identifiers (like the _fbp cookie or the Android Advertising ID (AAID)) to persistent mobile app IDs, even when users are not logged in within the browser.
    • Meta's Evolution: Discover how Meta Pixel has evolved its techniques, initially using HTTP, then WebSocket, and more recently WebRTC STUN with SDP Munging to transmit the _fbp cookie. Following disclosure, Meta shifted to WebRTC TURN, and as of early June 2025 the script was no longer sending packets to localhost, with the code responsible for the _fbp cookie almost completely removed.
    • Yandex's Persistent Method: Yandex Metrica has been using localhost communications since February 2017 via HTTP and HTTPS requests, where its native apps act as a proxy to collect Android-specific identifiers like the AAID and Google's advertising ID, transferring them to the browser context.
    • Scale of Impact: These trackers are embedded on millions of websites globally. Meta Pixel is present on over 5.8 million websites (2.4 million according to HTTP Archive) and Yandex Metrica on close to 3 million sites (575,448 according to HTTP Archive). Our research found that in a crawl of the top 100k sites, a significant number of sites (over 75% for Meta Pixel, 83-84% for Yandex Metrica) were attempting localhost communications, potentially without user consent.
    • Browsing History Leakage: Yandex's use of HTTP requests for web-to-native ID sharing can expose users' browsing history to malicious third-party apps also listening on the same ports. Browsers like Chrome, Firefox, and Edge were found to be susceptible to this leakage, even in private browsing modes.
    • Industry Response: While some browsers like Brave and DuckDuckGo were already blocking these practices due to blocklists and existing consent requirements, others like Chrome and Firefox have implemented countermeasures or are actively investigating. Google has stated this behaviour violates Play marketplace terms of service and user privacy expectations, and Meta has paused the feature while discussing with Google.
    • Lack of Awareness: Neither Meta nor Yandex publicly documented this specific localhost-based communication technique, and website owners and end-users were largely unaware of this covert tracking.

    Why This Matters: This research highlights a critical vulnerability in Android's design: unvetted access to localhost sockets breaks the fundamental sandboxing principle between the mobile and web contexts. Current "fixes" are often specific blocklists, which are temporary solutions in an ongoing "arms race" with trackers. A more comprehensive, long-term solution requires stricter platform policies and user-facing controls on Android to limit this type of access at a fundamental level.

    --------------------------------------------------------------------------------
    Special Thanks to our Sponsor: This episode is brought to you by Approov. Approov helps protect your mobile apps and APIs by enforcing trust boundaries between mobile clients and backend services. While it cannot control intentionally collected data, Approov significantly raises the bar for malicious or unauthorized data harvesting by others, mitigating ecosystem-level risks associated with identifier misuse. Learn more about securing your mobile ecosystem at approov.io.
    --------------------------------------------------------------------------------
    Relevant Links:
    • Read the full research paper: Link to the research paper "Covert Web-to-App Tracking via Localhost on Android"
    • Explore the Ars Technica article: Link to the Ars Technica article "Meta and Yandex are de-anonymizing Android users’ web browsing identifiers"
    • Learn more about mobile security: Link to the "Approov: Mobile Security and Data Protection" source.
    --------------------------------------------------------------------------------
    Keywords: Android tracking, mobile privacy, web-to-app tracking, localhost abuse, Meta Pixel, Yandex Metrica, data de-anonymization, user identity, mobile security, browser privacy, Android security, covert tracking, digital privacy, online tracking, bypass privacy, _fbp cookie, AAID, WebRTC, SDP Munging, STUN, TURN, data protection.
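Added example (not code from the podcast, the research paper, or Approov): a small Python checker, written from the defender's side, that takes a socket table in the classic netstat column layout (proto, receive/send queues, local address, foreign address, state, pid/program) and flags every listener a browser on the same device could reach, labelling the ports the notes above attribute to Meta (UDP 12580-12585) and Yandex (TCP 29009, 29010, 30102, 30103). The column layout is an assumption, the sample rows and their program names are constructed for this example, and any other loopback or wildcard listener is reported as "unknown" so it gets reviewed rather than silently ignored.

```python
"""Flag loopback-reachable listeners on an Android device from a netstat-style socket table.

Added example, not code from the research or Approov. The tracker ports below are the
ones named in the episode notes; the socket-table column layout is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ports the research attributes to each tracker (taken from the notes above).
KNOWN_TRACKER_PORTS: Dict[Tuple[str, int], str] = {}
KNOWN_TRACKER_PORTS.update({("udp", p): "meta-pixel" for p in range(12580, 12586)})
KNOWN_TRACKER_PORTS.update({("tcp", p): "yandex-metrica" for p in (29009, 29010, 30102, 30103)})

# A browser on the same device can reach sockets bound to loopback or to a wildcard address.
LOCAL_REACHABLE = {"127.0.0.1", "::1", "::ffff:127.0.0.1", "0.0.0.0", "::"}

# Constructed sample in the classic netstat column layout. The program names are invented.
SAMPLE_SOCKET_TABLE = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State       PID/Program name
tcp        0      0 127.0.0.1:29009        0.0.0.0:*              LISTEN      2201/example.maps.app
tcp        0      0 127.0.0.1:5555         0.0.0.0:*              LISTEN      1320/example.debug.daemon
tcp        0      0 10.0.2.15:51644        151.101.1.69:443       ESTABLISHED 2987/example.browser
tcp6       0      0 :::30102               :::*                   LISTEN      2201/example.maps.app
udp        0      0 127.0.0.1:12582        0.0.0.0:*                          2450/example.social.app
udp        0      0 0.0.0.0:5353           0.0.0.0:*                          1015/example.mdns
"""


@dataclass(frozen=True)
class Finding:
    proto: str   # "tcp" or "udp"
    addr: str    # local bind address
    port: int
    owner: str   # tracker label from KNOWN_TRACKER_PORTS, or "unknown"


def parse_socket_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for a tcp/udp row, or None for headers and junk."""
    parts = line.split()
    if len(parts) < 4 or parts[0][:3] not in ("tcp", "udp"):
        return None
    proto = parts[0][:3]                          # "tcp6" / "udp6" collapse to "tcp" / "udp"
    addr, sep, port = parts[3].rpartition(":")    # rpartition keeps IPv6 colons inside addr
    if not sep or not port.isdigit():
        return None
    return proto, addr, int(port)


def is_listener(proto: str, line: str) -> bool:
    """UDP has no LISTEN state (any bound UDP socket can receive); TCP must be in LISTEN."""
    return proto == "udp" or "LISTEN" in line.split()


def find_localhost_listeners(table: str) -> List[Finding]:
    """Walk the table and keep every locally reachable listener, labelled by known tracker port."""
    findings: List[Finding] = []
    for line in table.splitlines():
        parsed = parse_socket_line(line)
        if parsed is None:
            continue
        proto, addr, port = parsed
        if addr not in LOCAL_REACHABLE or not is_listener(proto, line):
            continue
        owner = KNOWN_TRACKER_PORTS.get((proto, port), "unknown")
        findings.append(Finding(proto, addr, port, owner))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[int]]:
    """Group listener ports by owner label (ports sorted) for a quick triage view."""
    summary: Dict[str, List[int]] = {}
    for f in findings:
        summary.setdefault(f.owner, []).append(f.port)
    return {owner: sorted(ports) for owner, ports in summary.items()}


if __name__ == "__main__":
    for owner, ports in summarize(find_localhost_listeners(SAMPLE_SOCKET_TABLE)).items():
        print(f"{owner:15s} {ports}")
```

Run it over a socket listing captured from a test device and treat an "unknown" entry as a question to answer rather than a finding on its own: legitimate services (a debug daemon, mDNS) bind to loopback or wildcard addresses too, which is why the output separates the known tracker ports from everything else.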

    24 min
  4. 6 JUN

    Coinbase Strikes Back: $20M Bounty on Cyber Extortionists

    Coinbase Under Attack: The $20 Million Ransom & The Fight Against Social Engineering

    Join us on Upwardly Mobile as we unravel the recent cybersecurity incident that rocked Coinbase, one of the world's leading cryptocurrency exchanges. Discover how a sophisticated social engineering scheme led to a significant data breach, an audacious $20 million ransom demand, and Coinbase's bold refusal to pay the extortionists. Learn about the sensitive customer data that was compromised, the financial impact on the company, and crucial advice for users to stay safe in the ever-evolving digital landscape.

    Episode Highlights:
    • The Social Engineering Deception: Uncover how cybercriminals managed to persuade a small group of overseas customer support agents to copy sensitive customer data from Coinbase's internal tools in exchange for cash [1-4]. These actions were part of a single, larger campaign to exfiltrate data, despite early detection and termination of the personnel involved [3, 5, 6].
    • The Criminals' True Aim: Understand that the stolen information was intended to be used by criminals to contact customers and impersonate Coinbase support agents, attempting to trick them into giving up their crypto funds [1, 4, 7, 8]. This highlights the persistent threat of social engineering, which often exploits the "human element" as the weakest link in security [4, 8].
    • What Data Was Compromised (and What Wasn't): While less than 1 percent of Coinbase's total customer data was stolen, the compromised information was highly sensitive. This included users' names, email and postal addresses, phone numbers, government ID images, account data and balance snapshots, the last four digits of social security numbers, masked bank account numbers, some bank account identifiers, transaction history, and limited corporate data [2, 7, 9]. Crucially, attackers did not gain access to users' login credentials, private keys, or the ability to move or access customer funds [2, 7, 9].
    • Coinbase's Bold Rejection of the Ransom: Hear about the $20 million ransom payment demanded in Bitcoin by the attackers in exchange for not publicly releasing the stolen data [1, 5, 10-12]. Coinbase rejected this demand.
    • The $20 Million Bounty: Instead of paying the extortionists, Coinbase CEO Brian Armstrong announced a $20 million award for any information leading to the arrest and conviction of these attackers. Armstrong publicly stated the company's commitment to prosecute and bring the criminals to justice. Coinbase is also cooperating with law enforcement in the investigation [6, 10].
    • Impact and Remediation Costs: The data breach affected approximately 69,461 customers [15, 16]. Coinbase anticipates significant financial outlays, estimating it will spend between $180 million and $400 million on remediation costs and voluntary customer reimbursements related to this incident [6, 16-18].
    • Customer Reimbursement and Enhanced Security: Coinbase has pledged to voluntarily reimburse retail customers who mistakenly sent funds to scammers as a direct result of this incident, following a review to confirm the facts. Flagged accounts will also undergo additional ID checks for large withdrawals. The company has also implemented heightened fraud-monitoring protections and warned affected customers.
    • Essential Customer Advice: Remember, Coinbase will never ask for sensitive information like passwords or 2FA codes, nor will it call or text users to transfer funds to a specific or new address or "safe" wallet. Staying vigilant is key, as scammers may continue to impersonate Coinbase employees.

    **Learn More & Stay Secure:** For robust mobile app security against sophisticated attacks, visit our sponsor: approov.io

    15 min
  5. 4 JUN

    Hacking Volkswagen's Mobile App | A Car Security Breach

    Hacking Your Ride: Unpacking Volkswagen's App Flaws & Fortifying Mobility Security

    In this episode of Upwardly Mobile, we delve into the alarming discovery of significant security flaws in the My Volkswagen mobile app and explore how robust mobile app protection is crucial for the evolving mobility sector. Join us as we dissect the vulnerabilities found and discuss solutions to safeguard connected vehicles and sensitive user data.

    What We Discussed:
    • The Volkswagen App Hack Explained: We explore how a security researcher, frustrated by not receiving an OTP for a pre-owned car's My Volkswagen app, discovered critical vulnerabilities. By brute-forcing a four-digit OTP (One-Time Password), the researcher gained access to the app, which then revealed deeper security issues.
    • Serious Vulnerabilities Uncovered:
      ◦ Internal Credentials Leaked: An API endpoint exposed passwords, tokens, and usernames for various internal services, including payment processing details and CRM tools like Salesforce, in cleartext.
      ◦ Owner's Personal Details Exposed via VIN: Simply using a car's VIN (Vehicle Identification Number), an API endpoint revealed extensive customer information from service and maintenance packages. This included names, phone numbers, postal addresses, email addresses, car details (model, colour, registration number, chassis number, engine number), active service contracts, purchase dates, and payment amounts.
      ◦ Vehicle Service History Accessible via VIN: The VIN also allowed access to a car's full service history, including details of work performed, customer personal information, and even customer survey results for each workshop visit.
      ◦ Additional Data Exposure: Further API endpoints revealed vehicle telematics data, and in some cases even education qualifications and driving licence numbers, demonstrating a serious scope of customer data exposure.
    • The Alarming Impact of These Flaws: These vulnerabilities meant that anyone with just a car's VIN (which is often visible through the windshield) could access real-time vehicle location, engine health, fuel stats, tyre pressure, geo-fencing controls, and all personal details associated with the owner, including home address, phone number, email, and driving licence. This poses severe risks from stalkers, criminals, scammers, and hackers who could exploit this data for nefarious purposes, including selling it on the deep web or potentially accessing car systems in the future.
    • Volkswagen's Response: The vulnerability was reported to Volkswagen's security team on 23 November 2024, leading to a responsive dialogue and eventual patching of the vulnerabilities by 6 May 2025.
    • Protecting Mobility Apps with Approov: The incident highlights the critical need for robust mobile app security in the rapidly growing pay-per-use mobility market. Approov provides solutions that authenticate mobile apps and secure APIs without impacting customer experience.
    • How Approov Secures Mobility Services:
      ◦ Blocks Data Scraping: Ensures data is accessible only by legitimate mobile apps, blocking tampered apps and scraper bots.
      ◦ Prevents Unauthorized Aggregation: Helps retain control of the customer journey by forcing all-in-one services to refer customers to the official app.
      ◦ Stops Digital Key Extraction: Blocks malicious attempts to intercept key authorisation during vehicle unlock and start processes, even allowing access without internet connectivity for authentic apps.
      ◦ Mitigates Denial or Delay of Service Attacks: Authenticates apps to ensure legitimate API requests come only from the mobile app, dropping malicious traffic before it reaches backend services.
      ◦ Secures API Endpoints: Blocks API probing and improper usage by securing communications and locking down mobility APIs to authorized apps only.
    • BMW Group's Adoption of Approov: We discuss how the BMW Group has successfully integrated Approov into their car sharing platform to balance top-class security with excellent customer experience. This software-only solution provides a patented 'DNA test' to attest that API requests are coming from a genuine mobile app instance running in a safe environment, and has even been enhanced to work over Bluetooth for intermittent internet connectivity. Approov's SDK is already deployed in several thousand BMW Group vehicles.

    Why This Matters: As the transportation market transforms with shared-use models and connected vehicles, API security becomes even more critical to protect both customer data and vehicle systems.

    Relevant Links:
    • Read the full write-up on the Volkswagen security flaws: [Excerpts from "Hacking My Car, and probably yours— Security Flaws in Volkswagen’s App | by LoopSec | May, 2025 | InfoSec Write-ups"]
    • Learn more about mobile app protection for mobility apps: [Excerpts from "Mobile App Protection for Mobility Apps | Approov"]
    • Explore the BMW Group's case study with Approov: [Excerpts from "https://approov.io/download/Approov-BMW-Story.pdf"]
    • Sponsor: Protect your mobile apps and APIs. Visit approov.io for more information and to request a demo or free trial!

    Keywords: mobile app security, car hacking, Volkswagen app, vehicle security, API security, cybersecurity, data privacy, mobility apps, car sharing, Approov, ethical hacking, digital key, automotive security, VIN number, information security, data breaches, connected cars, IoT security.
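Added example (not code from the podcast, the LoopSec write-up, or Approov) showing in Python why a four-digit code that can be tried without limit is a weak control, and what the server-side fix looks like: a longer code, a short lifetime, single use, a bounded number of attempts followed by a lockout, and a constant-time comparison. The class names, the limits (6 digits, 5 attempts, 5-minute lifetime, 15-minute lockout) and the in-memory store are assumptions chosen for illustration; a real service would persist this state and add per-IP and per-device limits on top.

```python
"""Weak vs hardened one-time-password verification (added example, not any vendor's real code)."""
import hmac
import secrets
import time
from typing import Callable, Dict


class OtpError(Exception):
    """Raised when the service refuses to evaluate a code at all (account locked out)."""


class WeakOtpService:
    """Illustrative weak pattern: 4 digits, no expiry, reusable, unlimited guesses."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10_000):04d}"   # only 10,000 possible values
        self._codes[user] = code
        return code

    def verify(self, user: str, guess: str) -> bool:
        return self._codes.get(user) == guess        # never locks, never expires, never consumed


class HardenedOtpService:
    """6-digit code, short TTL, single use, bounded attempts with lockout, constant-time compare."""

    def __init__(self, ttl_seconds: float = 300, max_attempts: int = 5,
                 lockout_seconds: float = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.lockout = lockout_seconds
        self._clock = clock                           # injectable so tests can move time forward
        self._pending: Dict[str, dict] = {}           # user -> {"code", "expires_at", "attempts"}
        self._locked_until: Dict[str, float] = {}     # user -> clock value at which the lockout ends

    def is_locked(self, user: str) -> bool:
        return self._locked_until.get(user, 0.0) > self._clock()

    def issue(self, user: str) -> str:
        if self.is_locked(user):
            raise OtpError("account temporarily locked after repeated OTP failures")
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[user] = {"code": code, "expires_at": self._clock() + self.ttl, "attempts": 0}
        return code

    def verify(self, user: str, guess: str) -> bool:
        if self.is_locked(user):
            raise OtpError("account temporarily locked after repeated OTP failures")
        state = self._pending.get(user)
        if state is None:
            return False                              # nothing outstanding: never issued or already used
        now = self._clock()
        if now > state["expires_at"]:
            del self._pending[user]                   # expired codes are discarded, not compared
            return False
        if hmac.compare_digest(state["code"], str(guess)):
            del self._pending[user]                   # single use
            return True
        state["attempts"] += 1
        if state["attempts"] >= self.max_attempts:    # exhaust the code and lock the account
            del self._pending[user]
            self._locked_until[user] = now + self.lockout
        return False


def attempts_until_rejected(service, user: str, cap: int = 50) -> int:
    """Count how many wrong guesses a service is willing to evaluate before it refuses (up to cap)."""
    code = service.issue(user)
    wrong = "1" * len(code) if code == "0" * len(code) else "0" * len(code)
    evaluated = 0
    for _ in range(cap):
        try:
            service.verify(user, wrong)
        except OtpError:
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("weak service evaluated guesses:", attempts_until_rejected(WeakOtpService(), "alice", cap=20))
    print("hardened service evaluated guesses:", attempts_until_rejected(HardenedOtpService(), "alice"))
```

The `attempts_until_rejected` helper submits wrong guesses only to show where each service stops checking: the weak service keeps answering for as long as it is asked, while the hardened one refuses after its fifth failure and rejects even a fresh code request until the lockout expires.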

    12 min
  6. 2 JUN

    Apple vs Samsung vs Xiaomi: Who is Dominating the Smartphone Battle?

    This episode delves into the recent dynamics of the global smartphone market based on the latest reports from IDC and Counterpoint Research. After two challenging years of decline, 2024 marked a significant recovery, showing the resilience of the market despite lingering macroeconomic pressures. We explore the factors driving this growth, the changing landscape among major players, the rise of new manufacturing hubs like India, and the exciting role of AI in shaping the future of mobile.

    Key Highlights:

    Market Recovery: Global smartphone shipments increased by 6.4% year-over-year in 2024, reaching 1.24 billion units. This follows a period of decline since the market peaked in 2016 at 1.47 billion units. The recovery saw smartphone sales grow 4% YoY in 2024, following the weakest year in a decade in 2023. The strong growth in 2024 occurred despite lingering macro challenges, forex concerns in emerging markets, ongoing inflation, and lukewarm demand, proving the market's resilience. Consumer sentiment fared better than in previous years following macroeconomic improvements. Almost all markets showed growth, led by Europe, China and Latin America.

    Top Players & Shifting Shares: Apple and Samsung remained the top two players globally in 2024. According to IDC, both leaders experienced a YoY decline in Q4 2024 due to the aggressive growth of Chinese vendors. Samsung continued to lead the market in 2024 overall, while Apple took the #2 spot with an 18% share according to Counterpoint Research. According to another source, Apple led global shipments in 2024 at 232.1 million units, followed by Samsung at 223.4 million units. Samsung saw strong demand for its S24 and A-series lines, with the S24 performing well as the first phone positioned as an AI device, particularly in Western Europe and the USA. Apple’s iPhone 16 series received a mixed response, partly due to the initial lack of Apple Intelligence availability, although Apple continued to grow strongly in non-core markets like Latin America, Africa and Asia-Pacific-Others.

    Rise of Chinese Vendors: Chinese vendors achieved a historic milestone in Q4 2024, shipping the highest combined volume ever in a single quarter, representing 56% of global smartphone shipments in Q4. Xiaomi secured the 3rd position for the year, with total shipments of 168.5 million units and the highest YoY growth rate (15.4%) among the top 5 players. Xiaomi's growth was helped by its portfolio realignment, premium push, and aggressive expansion activities. Transsion (including itel, Infinix, and Tecno) held the 4th position for the year with a 12.7% growth rate, and claimed the fourth spot globally for the first time. OPPO was 4th but saw a YoY decline, though it ended the year with stronger momentum. vivo rounded off the top five, driven by strong performance in India and China, ending the year as the top-ranked OEM in those markets. Challenger brands like HONOR and Motorola also contributed to the market recovery with aggressive global expansion. Huawei also made a resurgence in China, notably in the high-end segment. While their core markets remain China and Asia, Chinese brands are rapidly expanding their footprint throughout Europe and Africa.

    Growth Drivers: The growth is attributed to brands' strategic moves like promotions, launching devices across multiple price segments, interest-free financing, and aggressive trade-ins. These strategies fuelled premiumisation and boosted sales of low-end devices, especially in China and emerging markets. Device subsidies in developed markets and the easy availability of low-cost finance in emerging markets enabled the growth of ultra-premium smartphones.

    India as a Manufacturing Hub: India has emerged as a critical market and manufacturing hub. iPhone exports from India hit a record $12.8 billion in 2024, marking a 42% YoY increase. In FY 2024-25, iPhone exports contributed about ₹1.5 lakh crore to overall smartphone exports exceeding ₹2 lakh crore. Apple is targeting a potential 32% share of its global iPhone production from India by 2026-27, aiming to double its current capacity of 4-4.1 crore iPhones per annum to around 8-8.5 crore units annually. India is seen as a "China Plus One" source for Apple, driven not just by cost but also by capability, a trained workforce, and quality control. Key vendors like Foxconn, Pegatron, and Tata Electronics manufacture iPhones primarily in Tamil Nadu, with Wistron handling production in Karnataka. Tamil Nadu is considered the smartphone manufacturing capital of India, with the state government actively preparing land and infrastructure near Chennai and Tier 2 locations like Trichy, providing industrial housing and tertiary treated water, and developing a skilled workforce through schemes like Naan Mudhalvan and upgrading ITIs.

    Innovation and the Future: AI is a potentially revolutionary technology being integrated into smartphones to drive future growth. GenAI features, currently limited to premium segments, are expected to become common in mid-range devices by 2028. Major players like Apple ("Apple Intelligence") and Samsung are unveiling AI-driven features, with Google also expected to do so. Samsung's S24 series is positioned as an AI device. Premiumisation is also a key trend, with sales of ultra-premium phones (above $1000) growing fastest in 2024 as consumers showed a preference for spending more on their next smartphone. Continued growth is expected in 2025, with revenues potentially growing faster than volume (8% YoY revenue growth vs 4% volume growth expected in 2025).

    Sources Referenced: The episode draws on reports and analysis from various sources, including IDC (International Data Corporation), Counterpoint Research, Statista, Reuters, Business Wire, Visual Capitalist, WSJ (The Wall Street Journal), WIRED, The Times of India, Canalys, FoneArena, Unbox Diaries, Financial Times, and Business Insider. Please note that direct URLs to the specific source excerpts used were not provided in the source material. We remain optimistic about continued growth in the market.

    (Note: Information about the sponsor's website, approov.io, was not found in the provided source materials and thus cannot be included in these notes based on the sources.)

    Keywords: Smartphone market, global shipments, 2024 recovery, Chinese vendors, Apple, Samsung, Xiaomi, Transsion, India manufacturing, iPhone exports, AI in smartphones, GenAI, premiumisation, market trends, technology, electronics, mobile industry, IDC, Counterpoint Research

    11 min
  7. North Korea's Crypto Heists | Mobile App and API Threats

    23 MAY

    North Korea's Crypto Heists | Mobile App and API Threats

    North Korean Crypto Heists: Mobile and API Threats

    In this episode of Upwardly Mobile, we delve into the alarming tactics employed by North Korean state-sponsored hackers to siphon billions from the cryptocurrency world. Moving beyond targeting just large exchanges, these sophisticated actors, most notably the infamous Lazarus Group, are increasingly focusing on vulnerabilities in mobile devices and Application Programming Interfaces (APIs), the digital connectors powering our apps.

    We discuss how your phone, the device you carry everywhere, has become a prime target. Hackers are using sophisticated social engineering and phishing campaigns delivered via messaging apps and social media to trick users into compromising their devices. They develop or infect malicious cryptocurrency apps and fake wallets to steal private keys and transaction data. Furthermore, exploiting vulnerabilities in mobile operating systems and apps, or deploying Remote Access Trojans (RATs) through various mobile vectors, allows them persistent access to steal credentials and control crypto accounts. Reports indicate attackers have even leveraged remote collaboration tools to gain control.

    APIs, the unseen connectors that enable apps to communicate, are also major targets. North Korean hackers actively seek to steal API keys from developers and employees within crypto firms through phishing and malware. Campaigns like "Operation 99" specifically target developers for sensitive data, including API keys. Exploiting flaws in the design or implementation of exchange and wallet APIs allows them to bypass security or manipulate data. They also utilise supply chain attacks, compromising third-party vendors with API access to gain a foothold and exploit trusted connections. Attacks like the ByBit hack reportedly involved exploiting supplier vulnerabilities and altering wallet addresses, potentially involving API manipulations.

    These tactics have been linked to high-profile heists against major exchanges like KuCoin and WazirX, and DeFi protocols such as the Ronin Bridge. Stolen funds are then put through complex, multi-stage laundering processes involving mixers, DEXs, and cross-chain bridges to obscure their origin.

    We also cover essential defence strategies for both individuals and organisations in the crypto space. For individuals, this includes being hyper-vigilant against unsolicited messages, securing your mobile device with updates and trusted app sources, using hardware wallets for significant holdings, implementing strong, unique passwords and 2FA, and diligently verifying wallet addresses. For organisations, robust API security, regular security audits, employee training, supply chain risk management, and advanced threat detection are crucial.

    This battle is an ongoing arms race, but understanding these evolving threats is the first step to bolstering your defences.

    Sponsor: This episode is brought to you by Approov, a leader in API and mobile app security. Learn more about protecting your APIs and mobile applications from sophisticated threats by visiting approov.io.

    Keywords: North Korea, hackers, cryptocurrency, crypto, mobile security, API security, Lazarus Group, phishing, social engineering, malware, vulnerabilities, cybercrime, cyberattack, state-sponsored hacking, API key theft, supply chain attack, cold storage, hardware wallet, 2FA, MFA, security audit, threat detection, Ronin Bridge, KuCoin, WazirX, ByBit, Operation 99, fast flux, bulletproof hosting, OWASP API Security Top Ten, Approov.

    12 min
  8. Beyond Code Obfuscation | The Non-Negotiable Shift to Dynamic Mobile App Security

    18 MAY

    Beyond Code Obfuscation | The Non-Negotiable Shift to Dynamic Mobile App Security

    Podcast Title: Upwardly Mobile
    Episode Title: Beyond Obfuscation: Dynamic Defenses for Modern Mobile Security

    Episode Summary: In this episode, we dive deep into the evolving landscape of mobile application security. While traditional methods like code obfuscation once offered a basic layer of defense, they are proving increasingly inadequate against today's sophisticated threats. We explore the findings of recent security analyses highlighting widespread vulnerabilities, such as weak cryptography and exposed credentials, even in enterprise apps.

    We discuss why static defenses like obfuscation fall short, especially against the rise of AI-powered attacks and the relentless targeting of APIs. Attackers are leveraging AI for everything from hyper-personalized phishing to adaptive malware and automated vulnerability discovery, while APIs present a direct path to backend systems and sensitive data.

    The core of our discussion focuses on the critical need to shift towards dynamic, runtime security measures. We break down key technologies essential for modern mobile defense:

    • Runtime Application Self-Protection (RASP): How apps can monitor their own execution and environment in real-time to detect and block threats like tampering, debugging, and compromised devices.
    • Runtime Secrets Protection: Moving beyond hardcoded secrets by delivering API keys and credentials securely, just-in-time, only to validated, genuine app instances.
    • Dynamic Certificate Pinning: Securing communication channels against Man-in-the-Middle attacks with more flexibility and less operational risk than traditional static pinning.
    • App Attestation & Token-Based API Access: Verifying the integrity of the mobile app itself (the 'what') before granting API access, using short-lived tokens to block bots, scripts, and tampered apps.

    We compare static vs. dynamic approaches, emphasizing that while static analysis has its place early in development, dynamic defenses are non-negotiable for protecting sensitive data and functionality in today's threat environment. Learn why embracing these advanced, runtime-aware strategies is crucial for building truly resilient mobile applications.

    Keywords: Mobile Security, Application Security, API Security, Code Obfuscation, Dynamic Security, Runtime Application Self-Protection, RASP, App Attestation, Runtime Secrets, Dynamic Certificate Pinning, OWASP Mobile Top 10, API Attacks, AI Security, Cybersecurity, DevSecOps, Mobile App Development, Data Protection, Reverse Engineering, Tampering, Man-in-the-Middle Attack, Credential Stuffing, Secure Coding

    Source Material Links:

    Infosecurity Magazine Article:
    https://www.infosecurity-magazine.com/news/92-mobile-apps-insecure/

    OWASP Resources (API Security, Mobile Security, Cheatsheets, MASTG):
    https://owasp.org/www-project-api-security/
    https://owasp.org/www-project-mobile-top-10/
    https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning

    Approov Resources (Runtime Secrets, Dynamic Pinning, API Security, Attestation, Obfuscation Limitations):
    https://approov.io/
    https://securityboulevard.com/2022/07/hands-on-mobile-app-and-api-security-runtime-secrets-protection/
    https://approov.io/knowledge/owasp-top-10-mobile-risks-m5-insecure-communication
    https://approov.io/mobile-app-security/rasp/runtime-secrets/
    https://approov.io/mobile-app-security/rasp/api-security/
    https://approov.io/blog/mobile-api-security-best-practices
    https://approov.io/blog/is-code-obfuscation-worth-it
    https://approov.io/blog/why-the-owasp-mobile-application-security-project-is-critical

    Promon Resources (API Protection, Obfuscation, App Shielding):
    https://promon.io/products/api-protection
    https://promon.io/resources/downloads/guide-app-code-obfuscation

    AI Attack Techniques & Mobile Security:
    https://www.nowsecure.com/blog/2024/11/13/the-ai-expansion-of-the-mobile-app-attack-surface-2/
    https://symmetrium.io/how-hackers-use-ai-to-target-corporate-mobile-devices/
    https://www.akamai.com/blog/security/attacks-and-strategies-for-securing-ai-applications
    https://securityboulevard.com/2024/12/why-over-the-air-updates-are-key-for-mobile-app-security-in-the-ai-era/
    https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/ai-powered-cyberattacks/
    https://cyberpress.org/ai-driven-bad-bots-now-make-up/
    https://perception-point.io/guides/ai-security/ai-malware-types-real-life-examples-defensive-measures/

    General Security & Testing Resources:
    https://brilliancesecuritymagazine.com/cybersecurity/runtime-secrets-protection/
    https://www.cobalt.io/blog/owasp-mobile-top-10-2024-update
    https://www.devopsdigest.com/avoiding-the-top-mobile-api-security-weaknesses
    https://www.guardsquare.com/
    https://www.cyberdefensemagazine.com/rasp-runtime-application-self-protection-in-mobile-application-security-a-strategic-imperative-for-the-modern-threat-landscape/

    Sponsor Link: This episode is brought to you in part by Approov. Secure your mobile apps and APIs against modern threats. Learn more at https://approov.io/.

    8 min
