Posts about

Android

How to Bypass Certificate Pinning with Frida on an Android App

May 4, 2021

In a previous article we learned how to perform a MitM attack on a mobile app that doesn’t employ certificate pinning as a mechanism of preventing such attacks. Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning. Read Full Story

How to MitM Attack the API of an Android App

May 1, 2021

Performing a MitM attack against an HTTPS channel requires the capability for the attacker to be able to add the proxy server Certificate Authority (CA) into the Trust Store of the device running the mobile app and a popular approach is to manually upload the CA to the device, but this comes with some challenges, that may require to root the device and/or repackage the mobile app. An easier way exists, and in this article I will show how to use an Android Emulator with a writable file system that will allow us to install the proxy certificate directly into the system trusted store, without the need to root the emulator or make changes in the mobile app. This is a hands on how to tutorial, that you can easily follow, even if you have not done a MitM attack before or you are just starting your developer Android journey. Read Full Story

React Native Automated Quickstart

April 12, 2021

The new React Native Approov Quickstart provides automated integration of Approov API threat protection for most React Native apps. Read Full Story

Man-in-the-Middle: Myths and Legends

January 6, 2021

Man-in-the-Middle (MitM), or more correctly Person-in-the-Middle, is the technique of inserting yourself into API traffic to observe or manipulate requests and transactions as they pass by. In this article we’ll look at how it’s done and what you should do to prevent it, exploding a few misapprehensions on the way. Read Full Story

Root and Jailbreak - To Ban or Not to Ban?

November 4, 2020

Rooting Android phones and jailbreaking Apple phones are generally considered to be bad things to do and strong indicators of evil intent. In this article we will explore this position a little deeper and dig into the topic. We’ll discover that the truth is much more nuanced than that and one size does indeed not fit all. Finally we will propose the methodology you should consider when setting your security policies. Read Full Story

Securing APIs in React Native

May 14, 2020

ShipFast and ShipRaider made a fresh appearance at the RSA Conference in late February 2020 in San Francisco. This time the focus was on API security for React Native Apps:   Read Full Story

Approov Enhanced App Bundle Support

May 1, 2020

Photo by Digital Buggu from Pexels Google announced Android App Bundles a couple of years ago at I/O 2018. App Bundles are a new app publishing format providing new features that have rapidly driven their adoption. In particular App Bundle delivery enables automatic splitting of various assets within the overall app package, so they are only delivered to a device if they are actually needed. Read Full Story

Approov Android Native Integration QuickStarts

April 28, 2020

Photo by Pathum Danthanarayana on Unsplash Our aim is to make the process of integrating Approov into your mobile app as simple as possible. Our Quickstart guides show you how to Approov into your app, tailored to whatever framework or programming style you’ve already adopted. In this blog we are going to cover the comprehensive options we have for Android Native app development. Read Full Story

Cloner Apps: Playing in a Shared Sandbox

April 27, 2020

Image by Andrew Martin from Pixabay ay The Android app store contains numerous Cloner Apps. These are an increasingly popular category that allow you to have multiple accounts associated with an app, such as a social media or messaging app. Our analysis shows that such apps introduce some really concerning potential security isolation risks that you should be aware of so that you can decide if you want to enable features to block the use of such cloner apps with your own app. Read Full Story

Bypassing Certificate Pinning

August 18, 2019

Editor's note: This post was originally published in August 2019 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in November 2021. In a previous article we saw how to protect the HTTPS communication channel between a mobile app and an API server with certificate pinning, and in this article we will now see how to bypass that certificate pinning. Read Full Story