We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight who will be writing on the topic of healthcare API security. In the first article, Alissa provided a plain English explanation of FHIR from the perspective of a hacker. In this blog, Alissa covers mobile API authentication and authorization. Read Full Story

The Azure API Management Platform aims to be the front door to APIs hosted in Azure, on premises, or even in other clouds. The managed platform allows developers to secure, monitor, transform and maintain APIs published through it, using the Azure portal or the Azure CLI. Read Full Story

Photo credit: iStock.com/Evkaz We are all very aware of the issues around phishing of user credentials. But it is not only users that can be phished, apps can be too. In previous blogs we’ve shown you how you can make a MITM attack against an app. In this blog we’ll demonstrate that a MITM attack against an app is analogous to a phishing attack against a human. Moreover, there are some similar characteristics to the protections required. Read Full Story

In a previous article we learned how to perform a MitM attack on a mobile app that doesn’t employ certificate pinning as a mechanism of preventing such attacks. Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning. Read Full Story

Performing a MitM attack against an HTTPS channel requires the capability for the attacker to be able to add the proxy server Certificate Authority (CA) into the Trust Store of the device running the mobile app and a popular approach is to manually upload the CA to the device, but this comes with some challenges, that may require to root the device and/or repackage the mobile app. An easier way exists, and in this article I will show how to use an Android Emulator with a writable file system that will allow us to install the proxy certificate directly into the system trusted store, without the need to root the emulator or make changes in the mobile app. This is a hands on how to tutorial, that you can easily follow, even if you have not done a MitM attack before or you are just starting your developer Android journey. Read Full Story

We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight who will be writing on the topic of healthcare API security. In this blog, Alissa provides a plain English explanation of FHIR from the perspective of a hacker. Enjoy! Read Full Story

The new React Native Approov Quickstart provides automated integration of Approov API threat protection for most React Native apps. Read Full Story

In this article we will look at the challenges of making sure that bots and other automated traffic can’t gain access to your backend systems, no matter how they try. Most enterprises offer services through their website and their mobile app and both attack surfaces must be considered. Ensuring that both channels are properly defended will prevent DDoS, credential stuffing, data scraping and other fraudulent exploits from occurring. Read Full Story

Python FastAPI framework’s first commit dates from 5th December 2018, followed by the first release on 25th December 2018. It was created by Sebastián Ramírez as a direct reflection of his several years of experience in creating APIs with complex requirements. Read Full Story

Even if you only have a vague interest in app security I’m sure the recent furore around Clubhouse hasn’t escaped your attention. There is significant buzz around this invite-only iOS app. Enabling live audio chat rooms between participants, it sets the expectation that these interactions are somewhat private and certainly not recorded.  With big celebrity names such as Elon Musk, Kanye West and Oprah Winfrey as users there is a significant demand for a coveted invite. Read Full Story