Upwardly Mobile - API & App Security News

Skye Macintyre

Think the App Store’s built-in security is enough? Think again. Welcome to Upwardly Mobile, the podcast that exposes the gaps in iOS, Android, and HarmonyOS security. Hosts Skye and George take you into the high-stakes world of mobile defense, revealing why standard protections from Apple, Google, and Samsung often leave your sensitive data exposed. Sponsored by Approov—the gold standard in mobile app attestation—we move beyond the basics to tackle weaponized AI threats and dynamic API attacks. From runtime attestation to navigating complex compliance regulations, we equip developers and security pros with the actionable strategies needed to thwart attackers. Don’t leave your app vulnerable. Subscribe now on Spotify and Apple Podcasts to elevate your security game.

  1. 2D AGO

    Unpacking the Spotify Exploits: Credential Stuffing, Fake Streams, and Mobile App Security

    Episode Summary: In this episode of Upwardly Mobile, we dive deep into the digital exploitation landscape of one of the world's largest audio streaming platforms. We break down the massive credential stuffing attack that compromised 350,000 Spotify users, exposing the dangers of poor password hygiene and unsecured databases. We also explore the ongoing controversies surrounding Spotify, including lawsuits over artificial streaming, bot farms, and the platform's "Discovery Mode". Additionally, we highlight a growing trend where malicious actors are weaponizing Spotify's search features to promote pirated software, phishing schemes, and malware. Finally, we pivot to actionable solutions for developers, exploring how Zero Trust Runtime Protection and App Attestation can prevent automated mobile attacks.

    Brought to you by Approov: Don't let bots, scripts, or fake apps compromise your platform. Learn how to stop credential stuffing and secure your APIs at approov.com.

    Sponsor Spotlight: Approov Mobile Security
    Are your mobile apps and APIs safe from automated credential stuffing, emulators, and Man-in-the-Middle (MitM) attacks? Approov ensures that only genuine mobile app instances running in safe environments can access your APIs, blocking scripts, modified apps, and bots in real time. 👉 Secure your mobile platforms today at approov.com.

    Source Materials & Further Reading:
    • 350,000 Spotify users hacked in credential stuffing attack | IT Pro
    • Spotify Finds Itself At The Centre Of Payola And Fake Stream Storm | Noise11.com
    • Spotify misused for scams and malware | Digital Watch Observatory
    • Strategies to Stop Credential Stuffing Attacks on Mobile Apps | Approov

    Keywords: Credential stuffing, mobile app security, Spotify hack, artificial streaming, bot farms, zero trust runtime protection, API security, mobile malware, phishing schemes, app attestation, Approov.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast. This episode includes AI-generated content.

    22 min
  2. FEB 28

    Securing Mobile Healthcare | The Hidden Dangers in Mental Health Apps

    Episode Summary: In this episode of Upwardly Mobile, we dive deep into a shocking new cybersecurity report revealing that millions of users' highly sensitive medical data may be at risk. We discuss the recent discovery of 1,500 vulnerabilities across 10 incredibly popular mental health apps—which have been downloaded over 14 million times. From leaked therapy transcripts and mood logs to the high black-market value of these stolen health records, we unpack the unique risks threatening the digital healthcare space today. Finally, we explore actionable solutions for healthcare providers and developers to lock down their platforms, featuring insights on Runtime Application Self-Protection (RASP), dynamic certificate pinning, and end-to-end API security.

    Key Topics Discussed in This Episode:
    • The Mental Health App Crisis: How researchers at Oversecured uncovered 54 high-severity flaws in leading mental health applications, leaving sensitive data like Cognitive Behavioral Therapy (CBT) session notes and medication schedules exposed.
    • The Black Market for Health Data: Why cybercriminals are targeting therapy records, which can sell for upwards of $1,000 each—far more than stolen credit card numbers.
    • Common Developer Pitfalls: The dangers of outdated apps, plaintext configuration data, hardcoded Firebase URLs, and insecure encryption keys.
    • Securing Mobile Health: How technologies like Runtime Application Self-Protection (RASP) and dynamic certificate pinning can prevent Man-in-the-Middle (MitM) attacks, block bots, and ensure HIPAA and GDPR compliance.

    Sponsor: This episode is brought to you by Approov. Approov provides complete, end-to-end protection for mobile health apps and APIs. Their lightweight SDK and RASP technology can be deployed in just a single sprint to block bot attacks, prevent credential stuffing, and stop API abuse. Ensure your patients' health data is safe, even on jailbroken devices or insecure Wi-Fi networks. Learn how to protect your revenue and patient trust at approov.com.

    Resources & Source Materials:
    • TechRadar Report: Multiple mental health apps riddled with high severity security flaws — data of millions put at risk, so be on your guard
    • Approov Mobile Health Security: Ensure Security and Trust for Healthcare Apps

    SEO Keywords: Mobile app security, mental health apps, healthcare data breach, API security, mobile health compliance, HIPAA compliance mobile apps, RASP technology, cybersecurity podcast, Oversecured vulnerabilities, patient data protection, Approov mobile security.

    24 min
  3. FEB 23

    The Triangle of Trust: Mastering Mobile App Attestation & Zero Trust API Security

    Welcome to another episode of Upwardly Mobile! In this episode, we take a deep dive into the evolution of runtime security for mobile API access. Traditional methods like API keys are easily stolen because they are static and stored directly inside the user's app. To combat this vulnerability, we explore the groundbreaking "Triangle of Trust" architecture developed by CriticalBlue, the company behind the Approov mobile security service. We unpack the technical details of US Patent 11,163,858 B2, titled "Client Software Attestation," which establishes a Zero Trust proof of software integrity for apps operating on the public internet. This episode breaks down how the patented system calculates a cryptographic hash fingerprint of an executing code image to detect tampering in real time, ensuring that malicious actors cannot spoof access. We also discuss how Approov's platform-agnostic approach provides a significant competitive advantage over OS-native solutions like Google Play Integrity and Apple App Attest, especially in global markets featuring Huawei's HarmonyOS NEXT and non-GMS Android devices.

    Key Takeaways from this Episode:
    • The Triangle of Trust: A tripartite architecture separating the security check from the access itself, involving an Issuer (Approov Cloud Attestation Server), a Holder (the Mobile Client Device), and a Verifier (the Backend Server Device).
    • Dynamic Code Fingerprinting: How client applications calculate a cryptographic hash of their own executing code image to prove integrity, ensuring no sensitive "master keys" are ever stored on the device where they could be extracted.
    • Protection Against Advanced Threats: The system's ability to thwart "living-off-the-land" attacks (like memory hooking with Frida) and Man-in-the-Middle (MITM) attacks by verifying code dynamically in memory, rather than just checking the static OS state.
    • Superiority Over OS-Native Tools: Why a unified, cross-platform attestation approach is critical for the global market, bypassing the latency, platform restrictions, and hardware dependencies of Google Play Integrity and Apple App Attest.
    • A Defensible Security Moat: An analysis of why CriticalBlue's patent is highly defensible and has been cited over 60 times as prior art, acting as a major technical blocker for competitors in the cybersecurity industry.

    Sponsor: This episode is brought to you by Approov. Stop relying on static API keys and secure your mobile business with deterministic, zero-trust software integrity. With global reach across iOS, GMS Android, non-GMS Android, and HarmonyOS, Approov ensures your backend APIs are shielded from malicious bots and tampered apps. Visit approov.com to learn more and secure your mobile ecosystem today.

    Source Materials & Relevant Links:
    • US Patent 11,163,858 B2: Client Software Attestation by Richard Michael Taylor / Critical Blue Ltd. (Filed 2015, Granted Nov 2, 2021).
    • Whitepaper Excerpt: Attestation: The Triangle of Trust.
    • Approov Official Website: approov.com

    SEO Keywords: Mobile API security, Zero Trust architecture, App attestation, Approov, CriticalBlue, Cryptographic hash fingerprint, Google Play Integrity alternative, Apple App Attest alternative, Man-in-the-Middle protection, US Patent 11163858, Mobile app tampering, Cybersecurity podcast.

    21 min
  4. FEB 6

    The "Rootless" Revolution: Inside the Dopamine Jailbreak & The EBT Security Crisis

    🎧 Episode Summary: In this episode of Upwardly Mobile, we dive into two critical stories reshaping the mobile security landscape. First, we unpack the architecture of Dopamine, the modern "rootless" jailbreak that has cracked iOS 15 and iOS 16 without touching the system partition. We explore how it bypasses Apple's Signed System Volume (SSV) and what this means for app developers trying to detect compromised devices. Then, we shift gears to a systemic failure in government fintech: why the "Lock Card" feature in EBT mobile apps is failing to stop fraud. We break down how attackers are bypassing mobile controls using legacy magstripe rails and bot attacks.

    🚀 Key Topics Discussed:
    • The Dopamine Architecture: Understanding the shift from "rootful" to "rootless" jailbreaking.
    • How it Works: The exploit chain, including PAC and PPL bypasses, and the creation of the fake root environment in /var/jb.
    • Detection Challenges: Why traditional jailbreak detection methods struggle against rootless environments and the reliance on finding tweak injection libraries like ElleKit.
    • The EBT Mobile Failure: Why locking your EBT card in the mobile app doesn't actually stop thieves at the register.
    • API Abuse: How botnets are hammering IVR and app APIs to time their theft perfectly.

    🔗 Resources & Links:
    Dopamine Jailbreak:
    • Official Project: Dopamine GitHub (opa334)
    • Installation Guide: iOS CFW Guide
    • Technical Insight: ElleKit - Tweak Injection
    EBT & Mobile Fraud Analysis:
    • The Mechanics of Theft: Propel: How EBT Benefits are Stolen
    • Systemic Vulnerabilities: Pennsylvania Office of State Inspector General

    🛡️ Sponsor: This episode is brought to you by Approov. Is your mobile app running on a jailbroken device? Are bots scraping your API endpoints? Approov provides a comprehensive mobile security solution that ensures only genuine mobile app instances, running on safe mobile environments, can access your backend APIs. 👉 Learn more at: approov.com

    🔍 SEO Keywords: Dopamine Jailbreak, Rootless Jailbreak, iOS 15 Jailbreak, iOS 16 Security, Mobile App Security, EBT Fraud, Skimming, API Security, Sideloading, TrollStore, Magstripe Vulnerabilities, App Attestation.

    14 min
  5. JAN 30

    Beyond the Hardware: Why Key Attestation Is Just a Receipt, Not a Security Strategy

    In this episode of Upwardly Mobile, we dive deep into the often-misunderstood world of mobile app security to debunk the myth that hardware-backed key attestation is a "silver bullet." Drawing from expert analysis by Approov, Oasis, and community discussions, we explore why relying solely on Apple's App Attest or Google's Play Integrity can leave your APIs vulnerable to sophisticated attacks like device farming and runtime instrumentation. We explain why attestation is merely a "snapshot" in time and how to implement a true defense-in-depth strategy.

    Key Takeaways:
    • The Hardware Myth: Companies like Google and Apple promote hardware-backed key attestation (using TEEs or Secure Elements) as a primary security measure, but this approach has critical limitations when used in isolation. While it proves a cryptographic key is stored in secure hardware, it does not guarantee the integrity of the app calling that key or the user operating it.
    • The "Receipt" Analogy: Remote attestation is effectively just a receipt proving that a specific binary ran on specific hardware at a specific moment. It fails to prove that the state hasn't been rolled back, that the operator isn't malicious, or that the inputs haven't been manipulated since that snapshot was taken.
    • The Threat of Device Farms: Attackers can physically amass legitimate iPhones in "Device Farms" to generate valid App Attest tokens. These tokens are then sold via APIs to bots, allowing scripts to impersonate genuine devices and bypass standard hardware checks.
    • Runtime Manipulation: Tools like Frida and Magisk allow hackers to hook into API calls and forge attestation results or manipulate the application's behavior after the boot process. Without Runtime Application Self-Protection (RASP), a validly attested device can still run a compromised app.
    • The Solution is Multi-Layered: Effective security requires moving verification off the device to the cloud and implementing dynamic checks. A robust strategy includes RASP, dynamic certificate pinning, and cloud-based mobile attestation that verifies the app's integrity continuously, not just at boot.

    Featured Resources & Source Material:
    • Article: Limitations of Hardware-Backed Key Attestation in Mobile Security – An analysis of why verification must always occur off-device.
    • Article: How to Defeat Apple DeviceCheck and AppAttest – A technical look at how hackers bypass iOS security using instrumentation and device farms.
    • Community Insight: TEE Attestation Isn't Trust, It's Just a Receipt – A breakdown of why attestation does not equal trust.
    • Deep Dive: Attestation Is Not Enough – Exploring the nuances of remote attestation within trust systems.
    • Definition: Trusted Execution Environment (Wikipedia) – Understanding the history and hardware behind TEEs.

    Sponsored By: This episode is brought to you by Approov. Approov Mobile Security provides a comprehensive solution that goes beyond simple attestation. By combining RASP, dynamic certificate pinning, and cloud-based verification, Approov ensures that only genuine, untampered instances of your app can access your APIs.
    • Website: approov.com
    • Talk to an Expert: Schedule a Call
    • Check Your Security: Approov Mobile App Assessment

    Keywords: Mobile Security, API Security, App Attestation, RASP, Device Farms, Man-in-the-Middle Attacks, Jailbreak Detection, Apple App Attest, Google Play Integrity, Approov, Cybersecurity, Trusted Execution Environment (TEE).

    14 min
  6. JAN 17

    SNAP | Why Mobile Apps Are Failing to Stop Food Stamp Fraud?

    Episode Summary: In this episode of Upwardly Mobile, we investigate a growing financial crisis affecting the nation's most vulnerable families. The USDA now estimates that up to $12 billion is stolen annually from the Supplemental Nutrition Assistance Program (SNAP). We explore how transnational criminal rings are using sophisticated technology—from physical skimmers to brute-force cyberattacks—to drain EBT cards in seconds. We also break down why the government's latest solution—mobile apps that allow users to "lock" their cards—is failing to stop the theft. We analyze the technical vulnerabilities of the legacy magstripe system and explain why app-based controls are often bypassed by backend fraud and race conditions.

    This episode is sponsored by Approov. Mobile apps are now the front door to critical services, but as we discuss in this episode, they are only as strong as the security frameworks behind them. Approov provides comprehensive mobile app protection, ensuring that the requests hitting your API are from genuine apps running on untampered devices.

    Key Topics & Takeaways:
    • The Scale of the Problem: Federal investigators estimate that SNAP fraud has hit all-time highs, potentially reaching $12 billion annually. Georgia alone reported nearly $23 million stolen in just the first quarter of 2025.
    • How the Fraud Works: Criminals are utilizing advanced skimming technology and "brute force" software that can guess a four-digit PIN in less than a second. The Secret Service notes that these are often transnational organized crime groups capable of working easily across borders.
    • The "Lock" Feature Failure: Many states, including Georgia, encouraged users to download apps like ConnectEBT to "lock" their cards. However, users like Sheria Robertson report having funds stolen mere minutes after unlocking the app to make a purchase.
    • The Technical Vulnerability: The core issue is that EBT cards still rely on legacy magnetic stripe technology rather than secure chips (EMV). Because the backend system relies on static track data and a PIN, the mobile app's "lock" feature is often bypassed by race conditions or bot attacks on IVR systems.
    • Bot Attacks: Cybercriminals are using bots to hammer IVR systems to check balances and time their withdrawals the moment funds are deposited.

    Featured Stories & Data:
    • Victim Spotlight: Sheria Robertson, a single mother who lost her Thanksgiving food budget to thieves in Brooklyn, NY, despite being in Georgia and using the app's security features.
    • Investigator Insight: Mark Haskins from the USDA Food and Nutrition Service explains that criminals are "taking it to the next level" with cyber and brute force attacks.
    • State Data: Top states for reported fraud include Georgia, New York, and California.

    Relevant Links & Resources:
    • USDA SNAP Replacement of Stolen Benefits Dashboard
    • Report Fraud: USDA Office of Inspector General Hotline [(800) 424-9121]
    • Technical Deep Dive: Security Vulnerabilities and Fraud Mechanics in EBT Systems
    • News Coverage: WSB-TV: Georgia officials say state SNAP system subject to cyberattack
    • Propel App Resource: How are EBT benefits being stolen?

    Keywords: SNAP fraud, EBT skimming, food stamp theft, mobile app security, Approov, ConnectEBT, cybercrime, magnetic stripe vulnerability, USDA, social safety net, financial fraud, IVR bot attacks.

    14 min
  7. JAN 13

    The Punkt MC03: Can You De-Google Without the Headache?

    In this episode, we explore the landscape of "privacy-first" smartphones, focusing on the newly unveiled Punkt MC03. We break down whether this Swiss-designed, German-made device can finally offer a viable alternative to the data-harvesting giants of the mobile world. We discuss the trade-offs of leaving the Google ecosystem, the unique "subscription-based" operating system model, and whether the return of the removable battery signals a shift in hardware trends.

    Key Topics & Timestamps:
    • The "De-Googled" Promise: The Punkt MC03 runs AphyOS, a custom version of Android that strips out Google Mobile Services to minimize background tracking and profiling.
    • AphyOS & The Subscription Model: Unlike standard Android phones, the MC03 relies on a subscription model (approx. $10/month after the first year) to fund security updates and infrastructure rather than selling user data to ad networks.
    • Security Architecture: The device splits the user experience into a secure "Vault" for vetted apps (like Proton and Signal) and a "Wild Web" environment for general Android apps, allowing users to isolate risky applications.
    • Hardware Highlights: The phone features a 6.67" OLED screen, IP68 rating, and a 5,200 mAh removable battery—a design choice driven by upcoming EU regulations regarding repairability.
    • Overcoming Past Failures: We discuss how the MC03 improves upon the "difficult-to-recommend" MC02 with a smoother onboarding process, an improved 64MP camera, and the option to install the Play Store for users who can't go fully cold-turkey.
    • The Competition: How the MC03 stacks up against other privacy-focused devices like the Murena Fairphone and other non-GMS ROMs like GrapheneOS.

    Sponsor: This episode is brought to you by Approov. Protect your mobile APIs from scripts, bots, and modified apps. Ensure that the requests you receive are from the genuine mobile app you released. Visit approov.com to learn more about comprehensive mobile app security.

    Relevant Links & Source Materials:
    • ZDNET Review: Want real phone privacy? This $700 handset promises it – Coverage of the US launch, pricing, and removable battery features.
    • Android Police Coverage: Can you de-Google without the headache? – An in-depth look at the onboarding improvements and specs.
    • Punkt Official Site: The MC03 Product Page – Direct specs and philosophy from the manufacturer.
    • Murena / /e/OS: The Murena Fairphone Review – Context on the competitor mentioned in the episode.

    Keywords: Punkt MC03, AphyOS, Non-GMS, De-Google, Mobile Privacy, Data Sovereignty, Removable Battery, Android Security, Fairphone, Murena, Apostrophy OS, Mobile Security.

    Disclaimer: Information regarding pricing ($699 device / $10 monthly sub) and release dates (Spring 2026 for US) is based on reports from ZDNET and Android Police coverage of CES 2026.

    11 min
  8. JAN 6

    Unmasking "Wonderland" – The New Wave of Android Droppers & SMS Stealers

    In this episode of Upwardly Mobile, we dive deep into the evolving landscape of Android malware. We break down the emergence of Wonderland (formerly WretchedCat), a sophisticated SMS stealer targeting users in Uzbekistan through legitimate-looking "dropper" applications. We explore how threat actors, specifically the "TrickyWonders" group, are leveraging Telegram and malicious ad campaigns to bypass security checks and hijack devices. We also discuss the broader trend of Malware-as-a-Service (MaaS), including new threats like Cellik, Frogblight, and NexusRoute that are lowering the barrier to entry for cybercriminals globally. From real-time screen streaming to bypassing Google Play protections, we analyze the tactics defining modern mobile security threats.

    Key Topics Discussed:
    • The Rise of Droppers: How malware operators are shifting from "pure" Trojans to "droppers" (like MidnightDat and RoundRift) that appear harmless to evade detection before deploying payloads.
    • Wonderland's Capabilities: How this malware establishes bidirectional communication to intercept OTPs, steal contacts, and execute USSD requests.
    • The MaaS Economy: A look at the "Cellik" RAT, which offers one-click APK building to bundle malware inside legitimate apps, and "Frogblight," which targets users via fake court documents.
    • Government Impersonation: How "NexusRoute" is targeting users in India by mimicking government service portals to steal financial data and UPI PINs.
    • Defense Strategies: The importance of blocking unknown source installations and monitoring for suspicious SMS/USSD patterns.

    Sponsored By: This episode is brought to you by Approov. Stop mobile app abuse and API misuse. Ensure that the requests your API handles are from the genuine mobile app running on a safe mobile device. 👉 Visit our sponsor: https://approov.io

    Relevant Links & Source Materials:
    • The Hacker News: Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale
    • SC Media: Android malware Wonderland evolves with dropper apps targeting Uzbekistan
    • Cypro: Security Analysis of Android Malware Operations

    Keywords: Android Malware, Wonderland, SMS Stealer, Dropper Apps, Mobile Security, Remote Access Trojan (RAT), TrickyWonders, Cybersecurity, One-Time Password (OTP) Theft, Malware-as-a-Service, Approov.

    11 min
