Posts about

Android (2)

Securing HTTPS with Certificate Pinning on Android

June 26, 2019

Editor's note: This post was originally published in June 2019 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in November 2021. In a previous article we saw how we could steal an API key by performing a man in the middle (MitM) attack to intercept the HTTPS traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning. Read Full Story

Apple DeviceCheck and CriticalBlue Approov

April 27, 2019

We are often asked by customers and prospects to compare our beloved Approov with Apple's DeviceCheck offering. Since DeviceCheck is intended to uniquely identify iOS phone instances then this is a reasonable question. However, DeviceCheck and Approov are designed to do quite different things and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here. Read Full Story

Google SafetyNet and CriticalBlue Approov

April 27, 2019

We are often asked by customers and prospects to compare our beloved Approov with Google's SafetyNet offering. Since SafetyNet is intended to identify genuine Android instances then this is a reasonable question. However, SafetyNet and Approov are designed to do quite different things and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here. Read Full Story

Preventing Mobile App and API Abuse

March 21, 2019

This post includes a video of SKip Hovsmith's talk on preventing mobile app and API abuse at the 2019 AppSec California Conference.   Read Full Story

How to Pin Mobile gRPC Channels

March 4, 2019

Last-mile Security for gRPC-connected mobile APIs Read Full Story

Consider gRPC for Mobile APIs

February 5, 2019

EVALUATING GRPC REQUEST-RESPONSE, AUTHENTICATION, AND STREAMING gRPC is an open source remote procedure call (RPC) framework that runs across many different client and server platforms. It commonly uses protocol buffers (protobufs) to efficiently serialize structured data for communication, and it is used extensively in distributed and microservice-based systems. Read Full Story

Strengthen TLS in React Native Through Certificate Pinning

August 14, 2018

Beginning in July 2018 with the 68 release, Chrome began marking all sites not running HTTPS (TLS over HTTP) as “not secure”. TLS uses site certificates to establish a chain of trust and encrypt communication at the transport layer. Read Full Story