Posts about

Mobile App Development (3)

Let's Fight COVID-19 With Apps - Privately

April 3, 2020

Photo by CDC on Unsplash In recent weeks we have been following the race to build contact tracing smartphone apps in the worldwide fight against COVID-19. Such apps are a powerful weapon in controlling the growth of infection by automating the scaling of the contact tracing process. By tracking interactions between people, the apps allow instant user notification if they have recently been in close proximity with anyone later diagnosed with COVID-19. This allows immediate social distancing or self isolation measures to be instituted for that potential infected user, slowing the spread of the virus. It would have been better if these apps were widely available during the initial phase of the pandemic, but they may still have a crucial role to play as we eventually emerge from full lockdown We have some specific suggestions about how this can be achieved while maintaining citizen anonymity. Read Full Story

Bypassing Certificate Pinning

August 18, 2019

Editor's note: This post was originally published in August 2019 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in November 2021. In a previous article we saw how to protect the HTTPS communication channel between a mobile app and an API server with certificate pinning, and in this article we will now see how to bypass that certificate pinning. Read Full Story

Improve the Security of API Keys

July 24, 2019

Securely identify your API Caller Read Full Story

Securing HTTPS with Certificate Pinning on Android

June 26, 2019

Editor's note: This post was originally published in June 2019 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in November 2021. In a previous article we saw how we could steal an API key by performing a man in the middle (MitM) attack to intercept the HTTPS traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning. Read Full Story

Steal That API Key with a Man in the Middle Attack

April 4, 2019

Editor's note: This post was originally published in April 2019 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in November 2021. As I promised in my previous article, here is the follow up article about performing a man-in-the-middle (MitM) attack to steal an API key, and to follow this article you will need to become the man sitting in the middle of the actual channel, using mitmproxy to help you with the task of stealing the API key. Now it should be clear why MitM stands for man in the middle! Read Full Story

Preventing Mobile App and API Abuse

March 21, 2019

This post includes a video of SKip Hovsmith's talk on preventing mobile app and API abuse at the 2019 AppSec California Conference.   Read Full Story

How to Pin Mobile gRPC Channels

March 4, 2019

Last-mile Security for gRPC-connected mobile APIs Read Full Story

Why Does Your Mobile App Need an API Key?

March 1, 2019

Mobile apps are becoming increasingly important in the strategy of any company. As a result, companies need to release new application versions at a fast pace, and this puts developers under pressure with tight deadlines to complete and release new features very quickly. Read Full Story

Consider gRPC for Mobile APIs

February 5, 2019

EVALUATING GRPC REQUEST-RESPONSE, AUTHENTICATION, AND STREAMING gRPC is an open source remote procedure call (RPC) framework that runs across many different client and server platforms. It commonly uses protocol buffers (protobufs) to efficiently serialize structured data for communication, and it is used extensively in distributed and microservice-based systems. Read Full Story

Approov Cordova QuickStart

June 15, 2018

Editor's note: This post was originally published in June 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in July 2020. Our aim is to make the process of integrating Approov into your mobile app easy. Our Cordova Advanced-HTTP Quickstart  allows you to get up and running with Approov easily, whether you are building a new Cordova app that uses Cordova Advanced HTTP or are adapting an existing one to have an improved security posture. Read Full Story