Approov Blog

Okay, mobile developers, let's talk about something crucial but often complex: encryption. In the mobile world, protecting user data – both on the device and over the network – isn't just good practice; it's essential for user trust, compliance, and avoiding disastrous breaches. But the world of encryption algorithms can be a minefield. Some are strong and efficient, others are outdated liabilities, and some have led to epic failures. Read Full Story

Companies such as Google and Apple promote hardware-backed key attestation as a security measure for protecting mobile apps and APIs. This approach ensures that cryptographic keys are stored and used within secure hardware components, such as Trusted Execution Environments (TEEs), Secure Elements (SEs), or hardware security modules (HSMs). We will look at the limitations, why this must never be used alone, and explain why if it is used, verification must always be off the device. Read Full Story

Major cybersecurity breaches continue to plague the US healthcare industry, and on December 27, 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule, titled "The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information". Comments were requested and over 4000 were received before the comment period ended on March 7 2025. This blog summarizes what the comments covered - and what comes next. Read Full Story

A recent vulnerability discovered in an UK National Health Service HS API has once again highlighted the risks associated with insecure mobile application programming interfaces (APIs). The flaw reportedly allowed unauthorized access to sensitive patient data, raising serious concerns about the security of healthcare applications. Read Full Story

A proposed update to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information was issued in June 2024. Comments were requested and Approov has proposed some changes. This blog outlines the Approov recommendations to strengthen The Rule, specifically around mobile apps on personal mobile devices accessing ePHI. Read Full Story

With a global AI race underway, mobile app security is not optional - it’s a necessity. A recent security audit of the DeepSeek iOS application revealed significant vulnerabilities that put user data at risk. These weaknesses, including unencrypted data transmission, insecure cryptographic practices, and disabled security mechanisms, have exposed users to potential data breaches and cyberattacks. Read Full Story

Man-in-the-middle (MitM) attacks occur when an attacker intercepts or manipulates mobile device communications to gain access to sensitive information. Attackers can extract login information, API keys and useful credentials from messages and can modify messages and intercept sensitive commercial or personal data, or even easily launch a denial of service attack against the service being accessed via a mobile app. Read Full Story

All the key players in cyber-security make predictions at the end of every year and 2025 is no exception, there was a flurry of predictions which are nicely summarized here. Read Full Story

In 2024, a lot has happened to curtail the Apple and Google mobile app monopolies and mobile app developers are exploring exciting opportunities beyond the Google and Apple ecosystems. This blog presents a roundup of some of the key initiatives and how they may evolve in 2025. Read Full Story

The rapid pace of technological advancements, particularly in artificial intelligence (AI), has transformed both the opportunities and threats in the mobile app ecosystem. This blog describes why over-the-air (OTA) updates to security solutions are essential to maintain an effective security posture for apps and APIs in this rapidly evolving threat landscape. Read Full Story