Approov Blog

How North Korean Hackers Exploit Mobile Devices & APIs to Steal Crypto

May 23, 2025

Listen up. That digital gold in your crypto wallet? North Korean hackers want it, and they're getting scarily good at snatching it right from under our noses. We're not just talking about hitting the big exchanges anymore; they're coming after your crypto through the phone in your hand and the invisible digital plumbing – APIs – that makes your apps work.

Retail Cyberattacks Highlight Need for Mobile App and API Security

May 22, 2025

The recent cyberattack on UK retailer, Marks & Spencer (M&S), along with similar threats to Harrods and the Co-Op, is a stark reminder that no retail channel is immune from compromise. While the M&S breach initially appeared to stem from a social engineering attack on IT help desk staff, new details reveal that hackers gained access through a third-party supplier with system access.

The Good The Bad and The Ugly in Mobile Encryption

April 26, 2025

Okay, mobile developers, let's talk about something crucial but often complex: encryption. In the mobile world, protecting user data – both on the device and over the network – isn't just good practice; it's essential for user trust, compliance, and avoiding disastrous breaches. But the world of encryption algorithms can be a minefield. Some are strong and efficient, others are outdated liabilities, and some have led to epic failures.

Limitations of Hardware-Backed Key Attestation in Mobile Security

April 7, 2025

Companies such as Google and Apple promote hardware-backed key attestation as a security measure for protecting mobile apps and APIs. This approach ensures that cryptographic keys are stored and used within secure hardware components, such as Trusted Execution Environments (TEEs), Secure Elements (SEs), or hardware security modules (HSMs). We will look at the limitations, why this must never be used alone, and explain why, if it is used, verification must always be off the device.

Public Comments Analysis on HIPAA Security Rule Amendment for Cybersecurity

March 31, 2025

Major cybersecurity breaches continue to plague the US healthcare industry, and on December 27, 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule, titled "The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information". Comments were requested and over 4000 were received before the comment period ended on March 7, 2025. This blog summarizes what the comments covered - and what comes next.

The UK NHS API Flaw: A Wake-Up Call for Mobile Security

March 17, 2025

A recent vulnerability discovered in a UK National Health Service (NHS) API has once again highlighted the risks associated with insecure mobile application programming interfaces (APIs). The flaw reportedly allowed unauthorized access to sensitive patient data, raising serious concerns about the security of healthcare applications.

Injecting Mobile App Security into The HIPAA Healthcare Security Rule

February 21, 2025

A proposed update to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information was issued in June 2024. Comments were requested and Approov has proposed some changes. This blog outlines the Approov recommendations to strengthen The Rule, specifically around mobile apps on personal mobile devices accessing ePHI.

DeepSeek App’s Security Failures: How Approov Could Have Prevented the Damage

February 19, 2025

With a global AI race underway, mobile app security is not optional - it’s a necessity. A recent security audit of the DeepSeek iOS application revealed significant vulnerabilities that put user data at risk. These weaknesses, including unencrypted data transmission, insecure cryptographic practices, and disabled security mechanisms, have exposed users to potential data breaches and cyberattacks.

Three Actions You Should Take Right Now to Stop Mobile MitM Attacks

February 3, 2025

Man-in-the-middle (MitM) attacks occur when an attacker intercepts or manipulates mobile device communications to gain access to sensitive information. Attackers can extract login information, API keys and useful credentials from messages and can modify messages and intercept sensitive commercial or personal data, or even easily launch a denial of service attack against the service being accessed via a mobile app.
