Posts about

Threats (5)

The Top 6 Mobile API Protection Techniques - Are They Enough?

December 22, 2018

APIs are a necessary and central part of the strategy of any digital business that wants to stay competitive and monetize its assets. Additionally, end users’ form factor of choice when using digital services is now firmly mobile. The trend towards APIs and mobile devices has moved the attack surface in a significant way and digital businesses must adapt and evolve their security policies accordingly.

API Abuse in 2017 (Part 3)

February 19, 2018

Two particularly challenging forms of API abuse are Aggregation and Cheating as a Service. In both these cases your own users are enabling and sometimes funding the individuals and organizations abusing your APIs.

API Abuse in 2017 (Part 2)

February 13, 2018

Our first batch of business level attacks are Data Scrapers and Account Hijack. We also take a look at the lucrative business of Fake Account Factories.

API Abuse in 2017 (Part 1)

February 9, 2018

2017 has seen our customers tackling a wide range of abuse and misuse of their Mobile APIs. We are seeing multiple approaches where the business process transparency provided by APIs has resulted in exploitation. Time for a retrospective...

The Spectre of the Zygote

January 10, 2018

In part 1 of this blog I provided an overview of Meltdown and Spectre, and in this blog I look at the potential impact for mobile security.

You Just Need to Speculate to Exfiltrate

January 9, 2018

There is much to discuss in the wake of the security news flow last week. It was dominated by the Meltdown and Spectre CPU bug announcements — 2018 has certainly got off to an interesting start. In part one of this two-part blog I will look at these bugs from a high level. In part two I shine the spotlight on the implications for mobile security, and for Android in particular.

If You Can't Make It, Fake It

November 22, 2017

As many social media platforms continue to experience incredible growth in popularity, the supporting apps, and the APIs that service them, remain top targets for bad actors. The ability to communicate quickly and indirectly with the platforms’ vast user bases makes them ideal for spreading malware, phishing attacks, or fake news. Networks of automated accounts, gaining artificial levels of popularity and influence, are often used to instigate attacks, and the recent admission by Facebook that Kremlin-linked propaganda may have been seen by as many as 126 million users gives us some idea of the scale of the threat and the ambition of the attackers.

Capitalising on Uber's London Misadventure

October 17, 2017

Rival Cab Companies Are Quick to Move, But Cyber Criminals May be Quicker

Unintentional Unpinning with Firebase

August 28, 2017

Google's Firebase provides a comprehensive set of analytics services for developers to integrate with their apps. On Android the basic functionality is enabled simply by integrating the desired plugins. No code changes required.

Swipe Left to Scrape

May 2, 2017

Yesterday morning security forums reported news that an AI researcher had published a dataset of 40,000 photos that had been scraped from the dating app Tinder. The purpose was simply to extract a real-world data set that can be used for training Convolutional Neural Networks (CNN) to tell the difference between men and women. This seems innocent enough, although the author's choice of variable naming caused a bit of a stir. He quickly changed the variable name "hoe" to "subject" soon after the story broke. Apparently this original naming was inherited from the Tinder Auto-Liker code.