Mobile App Security

Introduction Data breaches have become a persistent threat for organizations across the globe, with cybercriminals relentlessly targeting valuable data, sensitive customer information, and proprietary business data. The data below is alarming, but the key takeaway is through prevention, monitoring, and rapid remediation, costs can be eliminated or highly mitigated. Read Full Story

Mobile apps and APIs are increasingly being targeted by cybercriminals using sophisticated techniques to exploit vulnerabilities and gain access to sensitive data. To stay ahead of these threats, real-time analytics on the security state of mobile apps and devices is critical. Read Full Story

In a previous article, we saw how to use code obfuscation to make it more difficult for an attacker to extract a secret through static binary analysis of the ChatGPT demo mobile app. However, it's important to note that code obfuscation is not always as effective in protecting secrets as we might hope. It can give a false sense of security, similar to the Maginot Line that the French built during World War II to deter the German invasion of France. As many know, the German military simply went around the Maginot Line and quickly invaded France, rendering it useless. This event is now often used as an analogy for situations where something provides a false sense of security rather than actual security. Read Full Story

"Bank-grade security" is a term often used to describe a high level of security measures implemented in mobile applications to protect sensitive data, transactions, and user privacy. It implies that the app's security measures are at par with or comparable to the security standards employed by financial institutions, such as banks, which are known for their rigorous security practices. In this post, we will examine what is meant by this term and whether or not you should be comforted by it. Read Full Story

E-scooters are becoming an increasingly popular mode of transportation in cities around the world, offering a convenient and eco-friendly alternative to traditional forms of transport. However, as their popularity grows, so does the risk of vandalism and fraud, which can lead to significant financial losses for companies that operate e-scooter sharing programs. Read Full Story

In today's digital landscape, securing mobile apps and APIs is of paramount importance. Among the various security solutions available, Approov stands out as truly unique. What sets Approov apart is its combination of Mobile App Security and Mobile API Security, within a single product. With this innovative approach, Approov enables the lockdown of the Mobile API solely to clean mobile devices running authentic instances of the mobile app that have passed the Approov remote mobile app attestation process. This continuous verification process ensures the device and mobile app integrity, without any impact on user experience. Read Full Story

Mobile app usage has grown significantly in recent years, and with this growth comes an increased need for mobile app security. Unfortunately, many mobile app developers hold misconceptions and myths about mobile app security, which can lead to a false sense of security that can result in security breaches and compromises of sensitive information. We will cover a range of myths including the belief that mobile app stores guarantee secure apps, that Android mobile apps are more insecure, that iOS is more secure, and that using HTTPS to call the API backend is enough to ensure security. Additionally, we will explore the myth that only popular and public-facing apps require security measures and the belief that only root or jail-broken devices are a concern in terms of mobile app security. Read Full Story

One of the most well-known checklists for mobile app security is found in the OWASP Mobile Application Security Verification Standard (MASVS). If you implement the OWASP Mobile App Security Checklist thoroughly and meet all the requirements, your mobile app will have a good security foundation. However, there are still some potential security gaps to consider. First, the app itself is responsible for conducting security checks and making decisions about its own security, which could allow an attacker to use an instrumentation framework to bypass or modify these checks and decisions. Second, the API backend is not necessarily restricted to serving requests solely from genuine, unmodified instances of the mobile app that are not under attack or running on a compromised device and environment. Read Full Story