<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <atom:link href="https://feeds.megaphone.fm/NPTNI7478936842" rel="self" type="application/rss+xml"/>
    <title>Upwardly Mobile - API &amp; App Security News</title>
    <link>https://cms.megaphone.fm/channel/NPTNI7478936842</link>
    <language>en</language>
    <copyright>Copyright 2026 Inception Point AI</copyright>
    <description>Think the App Store’s built-in security is enough? Think again.

Welcome to Upwardly Mobile, the podcast that exposes the gaps in iOS, Android, and HarmonyOS security. Hosts Skye and George take you into the high-stakes world of mobile defense, revealing why standard protections from Apple, Google, and Samsung often leave your sensitive data exposed. Sponsored by Approov—the gold standard in mobile app attestation—we move beyond the basics to tackle weaponized AI threats and dynamic API attacks. From runtime attestation to navigating complex compliance regulations, we equip developers and security pros with the actionable strategies needed to thwart attackers. Don’t leave your app vulnerable.

Subscribe now on Spotify and Apple Podcasts to elevate your security game.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
    <image>
      <url>https://megaphone.imgix.net/podcasts/cecde2b4-4d9f-11f1-8150-4377d209b0f3/image/4e2b72bee7929035a2324e0e3a613818.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress</url>
      <title>Upwardly Mobile - API &amp; App Security News</title>
      <link>https://cms.megaphone.fm/channel/NPTNI7478936842</link>
    </image>
    <itunes:explicit>yes</itunes:explicit>
    <itunes:type>episodic</itunes:type>
    <itunes:subtitle/>
    <itunes:author>Skye MacIntyre</itunes:author>
    <itunes:summary>Think the App Store’s built-in security is enough? Think again.

Welcome to Upwardly Mobile, the podcast that exposes the gaps in iOS, Android, and HarmonyOS security. Hosts Skye and George take you into the high-stakes world of mobile defense, revealing why standard protections from Apple, Google, and Samsung often leave your sensitive data exposed. Sponsored by Approov—the gold standard in mobile app attestation—we move beyond the basics to tackle weaponized AI threats and dynamic API attacks. From runtime attestation to navigating complex compliance regulations, we equip developers and security pros with the actionable strategies needed to thwart attackers. Don’t leave your app vulnerable.

Subscribe now on Spotify and Apple Podcasts to elevate your security game.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
    <content:encoded>
      <![CDATA[Think the App Store’s built-in security is enough? Think again.

Welcome to Upwardly Mobile, the podcast that exposes the gaps in iOS, Android, and HarmonyOS security. Hosts Skye and George take you into the high-stakes world of mobile defense, revealing why standard protections from Apple, Google, and Samsung often leave your sensitive data exposed. Sponsored by Approov—the gold standard in mobile app attestation—we move beyond the basics to tackle weaponized AI threats and dynamic API attacks. From runtime attestation to navigating complex compliance regulations, we equip developers and security pros with the actionable strategies needed to thwart attackers. Don’t leave your app vulnerable.

Subscribe now on Spotify and Apple Podcasts to elevate your security game.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
    </content:encoded>
    <itunes:owner>
      <itunes:name>Approov Mobile Security</itunes:name>
      <itunes:email>info@inceptionpoint.ai</itunes:email>
    </itunes:owner>
    <itunes:image href="https://megaphone.imgix.net/podcasts/cecde2b4-4d9f-11f1-8150-4377d209b0f3/image/4e2b72bee7929035a2324e0e3a613818.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress"/>
    <itunes:category text="Technology">
    </itunes:category>
    <itunes:category text="News">
      <itunes:category text="Tech News"/>
    </itunes:category>
    <itunes:category text="Business">
      <itunes:category text="Careers"/>
    </itunes:category>
    <item>
      <title>Leveling the Playing Field - Human vs. Betting Bots</title>
      <link>https://player.megaphone.fm/NPTNI4660735093</link>
      <description>Episode Summary: In this episode of Upwardly Mobile, we dive into the high-stakes world of sports betting and prediction markets like Polymarket, where millions of dollars move in mere seconds. Human bettors are increasingly finding themselves outmatched—not by sharper sports fans, but by high-frequency trading (HFT) bots and AI agents. We explore how "cheating" in mobile betting has rapidly evolved from simple "bonus bagging" and multi-accounting to complex API impersonation, where AI scrapes odds across 50 books simultaneously.
Discover why AI-driven solvers have rendered CAPTCHAs useless, and learn about the "Human Tax"—the invisible cost human bettors pay when bots clean out the best lines and force them to accept worse odds. Finally, we discuss how a "Positive Security Model" ensures that only genuine, official mobile apps can place a bet, protecting the integrity of the game.
Key Data Points Discussed

- The Arbitrage Gap: Arbitrage windows on prediction markets have collapsed from 12+ seconds to sub-100ms latencies.
- The $40M Loss: A study of Polymarket revealed that "botted" bettors secured over $40 million in risk-free profits by exploiting price lags humans couldn't see.
- Bot Dominance: In high-volume markets, automated trading accounts for over 70% of the volume, leaving humans at a severe disadvantage.
- Compliance Failures: Over 4,800 underage registration attempts were flagged by major sportsbooks in 2025, many of which were likely automated scripts attempting to scale multi-accounting operations.
Sponsor: This episode is brought to you by Approov. Ensure your platform operates on a Positive Security Model by cryptographically attesting that only your genuine mobile app is accessing your APIs. Learn how Approov addresses the security trust gap at https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com.
Source Materials &amp; Further Reading (Note: As specific URLs were not provided in the source notes, please search these titles to read the full reports):

- GamblingNews: Botted Bettors Earn $40M Exploiting Polymarket
- CleanSky: Why Copying Polymarket Whales Will Lose You Money
- Approov Whitepaper: https://approov.io/hubfs/WP-How%20Approov%20Adresses%20the%20Security%20Trust%20Gap%204.2.pdf
- QuantVPS: Sports Betting Bots on Polymarket
Keywords: Sports betting bots, Polymarket exploits, API impersonation, high-frequency trading (HFT) betting, prediction market bots, Positive Security Model, mobile API security, multi-accounting scripts, the Human Tax, arbitrage gaps, cryptographic attestation, mobile app security.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 01 May 2026 02:00:02 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Summary: In this episode of Upwardly Mobile, we dive into the high-stakes world of sports betting and prediction markets like Polymarket, where millions of dollars move in mere seconds. Human bettors are increasingly finding themselves outmatched—not by sharper sports fans, but by high-frequency trading (HFT) bots and AI agents. We explore how "cheating" in mobile betting has rapidly evolved from simple "bonus bagging" and multi-accounting to complex API impersonation, where AI scrapes odds across 50 books simultaneously.
Discover why AI-driven solvers have rendered CAPTCHAs useless, and learn about the "Human Tax"—the invisible cost human bettors pay when bots clean out the best lines and force them to accept worse odds. Finally, we discuss how a "Positive Security Model" ensures that only genuine, official mobile apps can place a bet, protecting the integrity of the game.
Key Data Points Discussed

- The Arbitrage Gap: Arbitrage windows on prediction markets have collapsed from 12+ seconds to sub-100ms latencies.
- The $40M Loss: A study of Polymarket revealed that "botted" bettors secured over $40 million in risk-free profits by exploiting price lags humans couldn't see.
- Bot Dominance: In high-volume markets, automated trading accounts for over 70% of the volume, leaving humans at a severe disadvantage.
- Compliance Failures: Over 4,800 underage registration attempts were flagged by major sportsbooks in 2025, many of which were likely automated scripts attempting to scale multi-accounting operations.
Sponsor: This episode is brought to you by Approov. Ensure your platform operates on a Positive Security Model by cryptographically attesting that only your genuine mobile app is accessing your APIs. Learn how Approov addresses the security trust gap at https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com.
Source Materials &amp; Further Reading (Note: As specific URLs were not provided in the source notes, please search these titles to read the full reports):

- GamblingNews: Botted Bettors Earn $40M Exploiting Polymarket
- CleanSky: Why Copying Polymarket Whales Will Lose You Money
- Approov Whitepaper: https://approov.io/hubfs/WP-How%20Approov%20Adresses%20the%20Security%20Trust%20Gap%204.2.pdf
- QuantVPS: Sports Betting Bots on Polymarket
Keywords: Sports betting bots, Polymarket exploits, API impersonation, high-frequency trading (HFT) betting, prediction market bots, Positive Security Model, mobile API security, multi-accounting scripts, the Human Tax, arbitrage gaps, cryptographic attestation, mobile app security.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Summary: In this episode of Upwardly Mobile, we dive into the high-stakes world of sports betting and prediction markets like Polymarket, where millions of dollars move in mere seconds. Human bettors are increasingly finding themselves outmatched—not by sharper sports fans, but by high-frequency trading (HFT) bots and AI agents. We explore how "cheating" in mobile betting has rapidly evolved from simple "bonus bagging" and multi-accounting to complex API impersonation, where AI scrapes odds across 50 books simultaneously.
Discover why AI-driven solvers have rendered CAPTCHAs useless, and learn about the "Human Tax"—the invisible cost human bettors pay when bots clean out the best lines and force them to accept worse odds. Finally, we discuss how a "Positive Security Model" ensures that only genuine, official mobile apps can place a bet, protecting the integrity of the game.
Key Data Points Discussed

- The Arbitrage Gap: Arbitrage windows on prediction markets have collapsed from 12+ seconds to sub-100ms latencies.
- The $40M Loss: A study of Polymarket revealed that "botted" bettors secured over $40 million in risk-free profits by exploiting price lags humans couldn't see.
- Bot Dominance: In high-volume markets, automated trading accounts for over 70% of the volume, leaving humans at a severe disadvantage.
- Compliance Failures: Over 4,800 underage registration attempts were flagged by major sportsbooks in 2025, many of which were likely automated scripts attempting to scale multi-accounting operations.
Sponsor: This episode is brought to you by Approov. Ensure your platform operates on a Positive Security Model by cryptographically attesting that only your genuine mobile app is accessing your APIs. Learn how Approov addresses the security trust gap at https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com.
Source Materials &amp; Further Reading (Note: As specific URLs were not provided in the source notes, please search these titles to read the full reports):

- GamblingNews: Botted Bettors Earn $40M Exploiting Polymarket
- CleanSky: Why Copying Polymarket Whales Will Lose You Money
- Approov Whitepaper: https://approov.io/hubfs/WP-How%20Approov%20Adresses%20the%20Security%20Trust%20Gap%204.2.pdf
- QuantVPS: Sports Betting Bots on Polymarket
Keywords: Sports betting bots, Polymarket exploits, API impersonation, high-frequency trading (HFT) betting, prediction market bots, Positive Security Model, mobile API security, multi-accounting scripts, the Human Tax, arbitrage gaps, cryptographic attestation, mobile app security.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1455</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/71796429]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4660735093.mp3?updated=1778723068" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Android 17 | Securing the Future: AI Agents, API Risks &amp; Advanced Protection</title>
      <link>https://player.megaphone.fm/NPTNI5731584352</link>
      <description>Welcome to another episode of Upwardly Mobile, your ultimate guide to defending mobile apps in today’s volatile digital landscape. In this episode, hosts Skye and George unpack the high-stakes security implications of Android 17. As smartphones evolve from passive tools to autonomous "agentic" devices powered by on-device AI and AppFunctions, the attack surface for mobile APIs is expanding dramatically.

We explore the critical security trade-offs of these new features, including the rising threats of prompt injection, cross-app data leakage, and the massive "blast radius" if AI agents are tricked into executing unintended actions using legitimate permissions. We also break down Google's latest platform hardening measures, specifically how the Advanced Protection Mode (AAPM) will now block non-accessibility apps from abusing the AccessibilityService API to prevent malware and credential theft. Whether you are an iOS, Android, or HarmonyOS developer, learn how to adapt to these secure-by-default changes and implement a "trust chain" by securing your exposed AI surface area with robust API attestation. Sponsor: This episode is proudly sponsored by Approov Mobile Security, the gold standard in zero-trust mobile app attestation and API security. Approov extends platform security by verifying real apps, preventing bot abuse, and eliminating hard-coded secrets to stop API abuse at the source. Visit https://approov.com/ to secure your APIs against ever-advancing cyber threats. Key Topics Discussed:

- The Rise of Agentic Phones: How Android 17 shifts intelligence directly to the device with Gemini-powered "Magic Actions" and cross-app workflows.
- AI Agent Risks: The dangers of direct and indirect prompt injection, malicious plugins, and lateral movement across systems.
- Locking Down the Accessibility API: How Android 17's Advanced Protection Mode enforces stronger least-privilege access by exempting only verified accessibility tools (using the isAccessibilityTool="true" flag) to prevent screen monitoring and automated malware.
- Platform Hardening for Developers: Essential updates you need to know, including tighter background activity launch (BAL) rules, safer dynamic code loading (DCL) for native libraries, and mandatory local network permission declarations.
- Defensive Strategies: Why developers must scope AI actions narrowly, separate "read" from "act" permissions, and require explicit user consent for high-risk workflows.
Resources &amp; Source Materials:

- https://www.linkedin.com/ – By Joyce Kuo, Approov Mobile Security
- https://thehackernews.com/ – The Hacker News / Cyberyami
- https://developer.android.com/ – Android Developers Official Documentation
SEO Keywords: Android 17 security, mobile app development, API security, AI agents, Gemini AI risks, prompt injection, Advanced Protection Mode, Accessibility API malware, mobile cybersecurity, AppFunctions, app attestation, zero-trust mobile.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 28 Apr 2026 18:55:42 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Welcome to another episode of Upwardly Mobile, your ultimate guide to defending mobile apps in today’s volatile digital landscape. In this episode, hosts Skye and George unpack the high-stakes security implications of Android 17. As smartphones evolve from passive tools to autonomous "agentic" devices powered by on-device AI and AppFunctions, the attack surface for mobile APIs is expanding dramatically.

We explore the critical security trade-offs of these new features, including the rising threats of prompt injection, cross-app data leakage, and the massive "blast radius" if AI agents are tricked into executing unintended actions using legitimate permissions. We also break down Google's latest platform hardening measures, specifically how the Advanced Protection Mode (AAPM) will now block non-accessibility apps from abusing the AccessibilityService API to prevent malware and credential theft. Whether you are an iOS, Android, or HarmonyOS developer, learn how to adapt to these secure-by-default changes and implement a "trust chain" by securing your exposed AI surface area with robust API attestation. Sponsor: This episode is proudly sponsored by Approov Mobile Security, the gold standard in zero-trust mobile app attestation and API security. Approov extends platform security by verifying real apps, preventing bot abuse, and eliminating hard-coded secrets to stop API abuse at the source. Visit https://approov.com/ to secure your APIs against ever-advancing cyber threats. Key Topics Discussed:

- The Rise of Agentic Phones: How Android 17 shifts intelligence directly to the device with Gemini-powered "Magic Actions" and cross-app workflows.
- AI Agent Risks: The dangers of direct and indirect prompt injection, malicious plugins, and lateral movement across systems.
- Locking Down the Accessibility API: How Android 17's Advanced Protection Mode enforces stronger least-privilege access by exempting only verified accessibility tools (using the isAccessibilityTool="true" flag) to prevent screen monitoring and automated malware.
- Platform Hardening for Developers: Essential updates you need to know, including tighter background activity launch (BAL) rules, safer dynamic code loading (DCL) for native libraries, and mandatory local network permission declarations.
- Defensive Strategies: Why developers must scope AI actions narrowly, separate "read" from "act" permissions, and require explicit user consent for high-risk workflows.
Resources &amp; Source Materials:

- https://www.linkedin.com/ – By Joyce Kuo, Approov Mobile Security
- https://thehackernews.com/ – The Hacker News / Cyberyami
- https://developer.android.com/ – Android Developers Official Documentation
SEO Keywords: Android 17 security, mobile app development, API security, AI agents, Gemini AI risks, prompt injection, Advanced Protection Mode, Accessibility API malware, mobile cybersecurity, AppFunctions, app attestation, zero-trust mobile.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Welcome to another episode of Upwardly Mobile, your ultimate guide to defending mobile apps in today’s volatile digital landscape. In this episode, hosts Skye and George unpack the high-stakes security implications of Android 17. As smartphones evolve from passive tools to autonomous "agentic" devices powered by on-device AI and AppFunctions, the attack surface for mobile APIs is expanding dramatically.

We explore the critical security trade-offs of these new features, including the rising threats of prompt injection, cross-app data leakage, and the massive "blast radius" if AI agents are tricked into executing unintended actions using legitimate permissions. We also break down Google's latest platform hardening measures, specifically how the Advanced Protection Mode (AAPM) will now block non-accessibility apps from abusing the AccessibilityService API to prevent malware and credential theft. Whether you are an iOS, Android, or HarmonyOS developer, learn how to adapt to these secure-by-default changes and implement a "trust chain" by securing your exposed AI surface area with robust API attestation. Sponsor: This episode is proudly sponsored by Approov Mobile Security, the gold standard in zero-trust mobile app attestation and API security. Approov extends platform security by verifying real apps, preventing bot abuse, and eliminating hard-coded secrets to stop API abuse at the source. Visit https://approov.com/ to secure your APIs against ever-advancing cyber threats. Key Topics Discussed:

- The Rise of Agentic Phones: How Android 17 shifts intelligence directly to the device with Gemini-powered "Magic Actions" and cross-app workflows.
- AI Agent Risks: The dangers of direct and indirect prompt injection, malicious plugins, and lateral movement across systems.
- Locking Down the Accessibility API: How Android 17's Advanced Protection Mode enforces stronger least-privilege access by exempting only verified accessibility tools (using the isAccessibilityTool="true" flag) to prevent screen monitoring and automated malware.
- Platform Hardening for Developers: Essential updates you need to know, including tighter background activity launch (BAL) rules, safer dynamic code loading (DCL) for native libraries, and mandatory local network permission declarations.
- Defensive Strategies: Why developers must scope AI actions narrowly, separate "read" from "act" permissions, and require explicit user consent for high-risk workflows.
Resources &amp; Source Materials:

- https://www.linkedin.com/ – By Joyce Kuo, Approov Mobile Security
- https://thehackernews.com/ – The Hacker News / Cyberyami
- https://developer.android.com/ – Android Developers Official Documentation
SEO Keywords: Android 17 security, mobile app development, API security, AI agents, Gemini AI risks, prompt injection, Advanced Protection Mode, Accessibility API malware, mobile cybersecurity, AppFunctions, app attestation, zero-trust mobile.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1292</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/71710425]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5731584352.mp3?updated=1778721491" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Age of Agentic AI: Securing Mobile APIs Against Bots with Brains</title>
      <link>https://player.megaphone.fm/NPTNI4740577442</link>
      <description>Episode Summary: Welcome back to "Upwardly Mobile"! In this episode, we dive deep into the rapidly evolving mobile threat landscape defined by the rise of "Agentic AI." With Android 17 set to transform our smartphones into active, on-device AI orchestrators by Summer 2026, the security stakes have never been higher. We unpack the alarming findings from the 2026 Cloudflare Threat Report, which highlights the total industrialization of cyber threats and how attackers are using AI as a massive force multiplier.

We also explore why legacy bot defenses—like rate limiting, CAPTCHAs, and behavioral biometrics—are completely failing against modern AI bots that can dynamically rewrite code and mimic human behavior with 99% accuracy. Finally, we discuss how the integration of Cloudflare's edge network with Approov's deterministic device attestation is providing the ultimate defense-in-depth architecture to stop mobile API abuse at the source.
If you are attending the RSA Conference (RSAC) in San Francisco this March 2026, be sure to catch up with our sponsors at Approov to learn how to future-proof your mobile architecture!

Key Takeaways:

- The Android 17 Revolution: Android 17 shifts the OS from a reactive tool to an active "agent phone" that orchestrates multi-step workflows across apps. While this brings massive benefits in speed and privacy, it also dramatically expands the attack surface for prompt injections and cross-app data leakage.
- The Industrialization of Cyber Threats: The 2026 Cloudflare Threat Report reveals that AI has lowered the barrier to entry for highly effective cyber operations, moving the industry toward automated, machine-speed exploits.
- The Death of Legacy Bot Defenses: Legacy probabilistic defenses like WAFs and CAPTCHAs are failing because multimodal LLM agents can now solve logic puzzles and mimic human "thumb jitter" perfectly.
- Cryptographic Proof of Life: To stop agentic AI, security must shift from asking "Is this a bot?" to demanding deterministic, cryptographic proof of the device and app's integrity.
- A New Defense-in-Depth: Combining Cloudflare's global edge network with Approov's deep runtime analysis and "Zero Secrets" architecture ensures that only untampered, legitimate app instances can access your APIs.
Sponsor Links:

- Secure your Mobile APIs today: Visit https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com to learn how to eliminate hardcoded secrets and implement deterministic device attestation.
Source Materials &amp; Further Reading:

- Android 17: Android Is Becoming an Agent - Are you ready?
- 2026 Cloudflare Threat Report: How adversaries are weaponizing the Internet
- When the Bot Has a Brain: Defending Mobile APIs in the Era of Agentic Attackers (Approov RSAC 2026 Presentation)
- See You at RSA 2026: Let's Talk Stopping Mobile API Abuse at the Source
Keywords for SEO: Agentic AI, Mobile API Security, Android 17, Cloudflare Threat Report 2026, Approov, Bot Mitigation, RSA Conference 202

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 30 Mar 2026 03:51:39 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Summary: Welcome back to "Upwardly Mobile"! In this episode, we dive deep into the rapidly evolving mobile threat landscape defined by the rise of "Agentic AI." With Android 17 set to transform our smartphones into active, on-device AI orchestrators by Summer 2026, the security stakes have never been higher. We unpack the alarming findings from the 2026 Cloudflare Threat Report, which highlights the total industrialization of cyber threats and how attackers are using AI as a massive force multiplier.

We also explore why legacy bot defenses—like rate limiting, CAPTCHAs, and behavioral biometrics—are completely failing against modern AI bots that can dynamically rewrite code and mimic human behavior with 99% accuracy. Finally, we discuss how the integration of Cloudflare's edge network with Approov's deterministic device attestation is providing the ultimate defense-in-depth architecture to stop mobile API abuse at the source.
If you are attending the RSA Conference (RSAC) in San Francisco this March 2026, be sure to catch up with our sponsors at Approov to learn how to future-proof your mobile architecture!

Key Takeaways:

- The Android 17 Revolution: Android 17 shifts the OS from a reactive tool to an active "agent phone" that orchestrates multi-step workflows across apps. While this brings massive benefits in speed and privacy, it also dramatically expands the attack surface for prompt injections and cross-app data leakage.
- The Industrialization of Cyber Threats: The 2026 Cloudflare Threat Report reveals that AI has lowered the barrier to entry for highly effective cyber operations, moving the industry toward automated, machine-speed exploits.
- The Death of Legacy Bot Defenses: Legacy probabilistic defenses like WAFs and CAPTCHAs are failing because multimodal LLM agents can now solve logic puzzles and mimic human "thumb jitter" perfectly.
- Cryptographic Proof of Life: To stop agentic AI, security must shift from asking "Is this a bot?" to demanding deterministic, cryptographic proof of the device and app's integrity.
- A New Defense-in-Depth: Combining Cloudflare's global edge network with Approov's deep runtime analysis and "Zero Secrets" architecture ensures that only untampered, legitimate app instances can access your APIs.
Sponsor Links:

- Secure your Mobile APIs today: Visit https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com to learn how to eliminate hardcoded secrets and implement deterministic device attestation.
Source Materials &amp; Further Reading:

- Android 17: Android Is Becoming an Agent - Are you ready?
- 2026 Cloudflare Threat Report: How adversaries are weaponizing the Internet
- When the Bot Has a Brain: Defending Mobile APIs in the Era of Agentic Attackers (Approov RSAC 2026 Presentation)
- See You at RSA 2026: Let's Talk Stopping Mobile API Abuse at the Source
Keywords for SEO: Agentic AI, Mobile API Security, Android 17, Cloudflare Threat Report 2026, Approov, Bot Mitigation, RSA Conference 202

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Summary: Welcome back to "Upwardly Mobile"! In this episode, we dive deep into the rapidly evolving mobile threat landscape defined by the rise of "Agentic AI." With Android 17 set to transform our smartphones into active, on-device AI orchestrators by Summer 2026, the security stakes have never been higher. We unpack the alarming findings from the 2026 Cloudflare Threat Report, which highlights the total industrialization of cyber threats and how attackers are using AI as a massive force multiplier.

We also explore why legacy bot defenses—like rate limiting, CAPTCHAs, and behavioral biometrics—are completely failing against modern AI bots that can dynamically rewrite code and mimic human behavior with 99% accuracy. Finally, we discuss how the integration of Cloudflare's edge network with Approov's deterministic device attestation is providing the ultimate defense-in-depth architecture to stop mobile API abuse at the source.
If you are attending the RSA Conference (RSAC) in San Francisco this March 2026, be sure to catch up with our sponsors at Approov to learn how to future-proof your mobile architecture!

Key Takeaways:

- The Android 17 Revolution: Android 17 shifts the OS from a reactive tool to an active "agent phone" that orchestrates multi-step workflows across apps. While this brings massive benefits in speed and privacy, it also dramatically expands the attack surface for prompt injections and cross-app data leakage.
- The Industrialization of Cyber Threats: The 2026 Cloudflare Threat Report reveals that AI has lowered the barrier to entry for highly effective cyber operations, moving the industry toward automated, machine-speed exploits.
- The Death of Legacy Bot Defenses: Legacy probabilistic defenses like WAFs and CAPTCHAs are failing because multimodal LLM agents can now solve logic puzzles and mimic human "thumb jitter" perfectly.
- Cryptographic Proof of Life: To stop agentic AI, security must shift from asking "Is this a bot?" to demanding deterministic, cryptographic proof of the device and app's integrity.
- A New Defense-in-Depth: Combining Cloudflare's global edge network with Approov's deep runtime analysis and "Zero Secrets" architecture ensures that only untampered, legitimate app instances can access your APIs.
Sponsor Links:

- Secure your Mobile APIs today: Visit https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com to learn how to eliminate hardcoded secrets and implement deterministic device attestation.
Source Materials &amp; Further Reading:

- Android 17: Android Is Becoming an Agent - Are you ready?
- 2026 Cloudflare Threat Report: How adversaries are weaponizing the Internet
- When the Bot Has a Brain: Defending Mobile APIs in the Era of Agentic Attackers (Approov RSAC 2026 Presentation)
- See You at RSA 2026: Let's Talk Stopping Mobile API Abuse at the Source
Keywords for SEO: Agentic AI, Mobile API Security, Android 17, Cloudflare Threat Report 2026, Approov, Bot Mitigation, RSA Conference 202

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1322</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/70789367]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4740577442.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Epic Victory: Google Play's Walled Garden Opens Up &amp; What It Means for Developers</title>
      <link>https://player.megaphone.fm/NPTNI9412573669</link>
      <description>Epic Victory: Google Play's Walled Garden Opens Up &amp; What It Means for Developers

Episode Summary: In this episode of Upwardly Mobile, we dive deep into the landmark antitrust settlement between Epic Games and Google that is set to fundamentally reshape the Android app ecosystem globally. After years of legal battles sparked by Epic's "Project Liberty" and the removal of Fortnite from the Play Store, a jury found Google guilty of maintaining an illegal monopoly. We break down the newly announced March 2026 settlement, which significantly drops Play Store commission fees and introduces a game-changing "Registered App Stores" program. What does this mean for mobile developers, app revenue, and Android security? Tune in to find out!

Brought to you by Approov: As Android opens its doors to third-party "Registered App Stores" and frictionless sideloading, ensuring your mobile app and APIs are protected from malicious clones and tampering is more critical than ever. Secure your mobile business and authenticate your apps natively with https://approov.com/.

Key Topics Discussed:

- The Origins of the Lawsuit: How Epic Games' Tim Sweeney bypassed Google's standard 30% fee by allowing direct purchases in Fortnite, leading to the game's removal and a massive antitrust lawsuit.
- The Courtroom Battle: The revealing internal practices uncovered during the trial, including Google's "Project Hug" and millions of dollars spent to prevent developers from abandoning the Play Store.
- The 2026 Settlement Details: How Google is dropping its standard Play Store commission to 20% for in-app purchases and 10% for recurring subscriptions.
- Registered App Stores Program: A deep dive into Google's new framework that allows alternative Android app stores (like the Epic Games Store) to become "first-class citizens" on Android devices, removing the scary, "doom-laden" security pop-ups previously associated with sideloading.
- Global Rollout Timeline: When these major fee changes and developer programs will go live, starting in the US, UK, and European Economic Area in June 2026, and expanding globally by September 2027.
Source Materials &amp; Further Reading:

- TechCrunch: https://techcrunch.com/
- Wikipedia: https://en.wikipedia.org/w/index.php?title=Epic_Games_v._Google&amp;oldid=1338953412
Targeted SEO Keywords: Epic Games vs Google, Google Play Store settlement, Android app ecosystem, Registered App Stores program, mobile app development, third-party app stores, sideloading Android apps, app store commission fees, Tim Sweeney, Fortnite Android return, mobile app security, API protection.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 12 Mar 2026 23:35:02 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Epic Victory: Google Play's Walled Garden Opens Up &amp; What It Means for Developers

Episode Summary: In this episode of Upwardly Mobile, we dive deep into the landmark antitrust settlement between Epic Games and Google that is set to fundamentally reshape the Android app ecosystem globally. After years of legal battles sparked by Epic's "Project Liberty" and the removal of Fortnite from the Play Store, a jury found Google guilty of maintaining an illegal monopoly. We break down the newly announced March 2026 settlement, which significantly drops Play Store commission fees and introduces a game-changing "Registered App Stores" program. What does this mean for mobile developers, app revenue, and Android security? Tune in to find out!

Brought to you by Approov: As Android opens its doors to third-party "Registered App Stores" and frictionless sideloading, ensuring your mobile app and APIs are protected from malicious clones and tampering is more critical than ever. Secure your mobile business and authenticate your apps natively with https://approov.com/.

Key Topics Discussed:

- The Origins of the Lawsuit: How Epic Games' Tim Sweeney bypassed Google's standard 30% fee by allowing direct purchases in Fortnite, leading to the game's removal and a massive antitrust lawsuit.
- The Courtroom Battle: The revealing internal practices uncovered during the trial, including Google's "Project Hug" and millions of dollars spent to prevent developers from abandoning the Play Store.
- The 2026 Settlement Details: How Google is dropping its standard Play Store commission to 20% for in-app purchases and 10% for recurring subscriptions.
- Registered App Stores Program: A deep dive into Google's new framework that allows alternative Android app stores (like the Epic Games Store) to become "first-class citizens" on Android devices, removing the scary, "doom-laden" security pop-ups previously associated with sideloading.
- Global Rollout Timeline: When these major fee changes and developer programs will go live, starting in the US, UK, and European Economic Area in June 2026, and expanding globally by September 2027.
Source Materials &amp; Further Reading:

- TechCrunch: https://techcrunch.com/
- Wikipedia: https://en.wikipedia.org/w/index.php?title=Epic_Games_v._Google&amp;oldid=1338953412
Targeted SEO Keywords: Epic Games vs Google, Google Play Store settlement, Android app ecosystem, Registered App Stores program, mobile app development, third-party app stores, sideloading Android apps, app store commission fees, Tim Sweeney, Fortnite Android return, mobile app security, API protection.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Epic Victory: Google Play's Walled Garden Opens Up &amp; What It Means for Developers

Episode Summary: In this episode of Upwardly Mobile, we dive deep into the landmark antitrust settlement between Epic Games and Google that is set to fundamentally reshape the Android app ecosystem globally. After years of legal battles sparked by Epic's "Project Liberty" and the removal of Fortnite from the Play Store, a jury found Google guilty of maintaining an illegal monopoly. We break down the newly announced March 2026 settlement, which significantly drops Play Store commission fees and introduces a game-changing "Registered App Stores" program. What does this mean for mobile developers, app revenue, and Android security? Tune in to find out!

Brought to you by Approov: As Android opens its doors to third-party "Registered App Stores" and frictionless sideloading, ensuring your mobile app and APIs are protected from malicious clones and tampering is more critical than ever. Secure your mobile business and authenticate your apps natively with https://approov.com/.

Key Topics Discussed:

- The Origins of the Lawsuit: How Epic Games' Tim Sweeney bypassed Google's standard 30% fee by allowing direct purchases in Fortnite, leading to the game's removal and a massive antitrust lawsuit.
- The Courtroom Battle: The revealing internal practices uncovered during the trial, including Google's "Project Hug" and millions of dollars spent to prevent developers from abandoning the Play Store.
- The 2026 Settlement Details: How Google is dropping its standard Play Store commission to 20% for in-app purchases and 10% for recurring subscriptions.
- Registered App Stores Program: A deep dive into Google's new framework that allows alternative Android app stores (like the Epic Games Store) to become "first-class citizens" on Android devices, removing the scary, "doom-laden" security pop-ups previously associated with sideloading.
- Global Rollout Timeline: When these major fee changes and developer programs will go live, starting in the US, UK, and European Economic Area in June 2026, and expanding globally by September 2027.
Source Materials &amp; Further Reading:

- TechCrunch: https://techcrunch.com/
- Wikipedia: https://en.wikipedia.org/w/index.php?title=Epic_Games_v._Google&amp;oldid=1338953412
Targeted SEO Keywords: Epic Games vs Google, Google Play Store settlement, Android app ecosystem, Registered App Stores program, mobile app development, third-party app stores, sideloading Android apps, app store commission fees, Tim Sweeney, Fortnite Android return, mobile app security, API protection.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>928</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/70541285]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9412573669.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Unpacking the Spotify Exploits: Credential Stuffing, Fake Streams, and Mobile App Security</title>
      <link>https://player.megaphone.fm/NPTNI4277463235</link>
      <description>Unpacking the Spotify Exploits: Credential Stuffing, Fake Streams, and Mobile App Security

Episode Summary: In this episode of Upwardly Mobile, we dive deep into the digital exploitation landscape of one of the world's largest audio streaming platforms. We break down the massive credential stuffing attack that compromised 350,000 Spotify users, exposing the dangers of poor password hygiene and unsecured databases. We also explore the ongoing controversies surrounding Spotify, including lawsuits over artificial streaming, bot farms, and the platform's "Discovery Mode". Additionally, we highlight a growing trend where malicious actors are weaponizing Spotify's search features to promote pirated software, phishing schemes, and malware. Finally, we pivot to actionable solutions for developers, exploring how Zero Trust Runtime Protection and App Attestation can prevent automated mobile attacks. Brought to you by Approov: Don't let bots, scripts, or fake apps compromise your platform. Learn how to stop credential stuffing and secure your APIs at https://approov.com/.

Sponsor Spotlight: Approov Mobile Security

Are your mobile apps and APIs safe from automated credential stuffing, emulators, and Man-in-the-Middle (MitM) attacks? Approov ensures that only genuine mobile app instances running in safe environments can access your APIs, blocking scripts, modified apps, and bots in real-time. 👉 Secure your mobile platforms today at https://approov.com/.

Source Materials &amp; Further Reading:

- https://www.itpro.com/
- https://www.noise11.com/
- https://dig.watch/
- https://approov.com/
Keywords: Credential stuffing, mobile app security, Spotify hack, artificial streaming, bot farms, zero trust runtime protection, API security, mobile malware, phishing schemes, app attestation, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 08 Mar 2026 23:00:02 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Unpacking the Spotify Exploits: Credential Stuffing, Fake Streams, and Mobile App Security

Episode Summary: In this episode of Upwardly Mobile, we dive deep into the digital exploitation landscape of one of the world's largest audio streaming platforms. We break down the massive credential stuffing attack that compromised 350,000 Spotify users, exposing the dangers of poor password hygiene and unsecured databases. We also explore the ongoing controversies surrounding Spotify, including lawsuits over artificial streaming, bot farms, and the platform's "Discovery Mode". Additionally, we highlight a growing trend where malicious actors are weaponizing Spotify's search features to promote pirated software, phishing schemes, and malware. Finally, we pivot to actionable solutions for developers, exploring how Zero Trust Runtime Protection and App Attestation can prevent automated mobile attacks. Brought to you by Approov: Don't let bots, scripts, or fake apps compromise your platform. Learn how to stop credential stuffing and secure your APIs at https://approov.com/.

Sponsor Spotlight: Approov Mobile Security

Are your mobile apps and APIs safe from automated credential stuffing, emulators, and Man-in-the-Middle (MitM) attacks? Approov ensures that only genuine mobile app instances running in safe environments can access your APIs, blocking scripts, modified apps, and bots in real-time. 👉 Secure your mobile platforms today at https://approov.com/.

Source Materials &amp; Further Reading:

- https://www.itpro.com/
- https://www.noise11.com/
- https://dig.watch/
- https://approov.com/
Keywords: Credential stuffing, mobile app security, Spotify hack, artificial streaming, bot farms, zero trust runtime protection, API security, mobile malware, phishing schemes, app attestation, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Unpacking the Spotify Exploits: Credential Stuffing, Fake Streams, and Mobile App Security

Episode Summary: In this episode of Upwardly Mobile, we dive deep into the digital exploitation landscape of one of the world's largest audio streaming platforms. We break down the massive credential stuffing attack that compromised 350,000 Spotify users, exposing the dangers of poor password hygiene and unsecured databases. We also explore the ongoing controversies surrounding Spotify, including lawsuits over artificial streaming, bot farms, and the platform's "Discovery Mode". Additionally, we highlight a growing trend where malicious actors are weaponizing Spotify's search features to promote pirated software, phishing schemes, and malware. Finally, we pivot to actionable solutions for developers, exploring how Zero Trust Runtime Protection and App Attestation can prevent automated mobile attacks. Brought to you by Approov: Don't let bots, scripts, or fake apps compromise your platform. Learn how to stop credential stuffing and secure your APIs at https://approov.com/.

Sponsor Spotlight: Approov Mobile Security

Are your mobile apps and APIs safe from automated credential stuffing, emulators, and Man-in-the-Middle (MitM) attacks? Approov ensures that only genuine mobile app instances running in safe environments can access your APIs, blocking scripts, modified apps, and bots in real-time. 👉 Secure your mobile platforms today at https://approov.com/.

Source Materials &amp; Further Reading:

- https://www.itpro.com/
- https://www.noise11.com/
- https://dig.watch/
- https://approov.com/
Keywords: Credential stuffing, mobile app security, Spotify hack, artificial streaming, bot farms, zero trust runtime protection, API security, mobile malware, phishing schemes, app attestation, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1445</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/70396258]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4277463235.mp3?updated=1778692817" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Securing Mobile Healthcare | The Hidden Dangers in Mental Health Apps</title>
      <link>https://player.megaphone.fm/NPTNI8525355640</link>
      <description>Episode Summary: In this episode of Upwardly Mobile, we dive deep into a shocking new cybersecurity report revealing that millions of users' highly sensitive medical data may be at risk. We discuss the recent discovery of 1,500 vulnerabilities across 10 incredibly popular mental health apps—which have been downloaded over 14 million times. From leaked therapy transcripts and mood logs to the high black-market value of these stolen health records, we unpack the unique risks threatening the digital healthcare space today.
Finally, we explore actionable solutions for healthcare providers and developers to lock down their platforms, featuring insights on Runtime Application Self-Protection (RASP), dynamic certificate pinning, and end-to-end API security.
Key Topics Discussed in This Episode:

- The Mental Health App Crisis: How researchers at Oversecured uncovered 54 high-severity flaws in leading mental health applications, leaving sensitive data like Cognitive Behavioral Therapy (CBT) session notes and medication schedules exposed.
- The Black Market for Health Data: Why cybercriminals are targeting therapy records, which can sell for upwards of $1,000 each—far more than stolen credit card numbers.
- Common Developer Pitfalls: The dangers of outdated apps, plaintext configuration data, hardcoded Firebase URLs, and insecure encryption keys.
- Securing Mobile Health: How technologies like Runtime Application Self-Protection (RASP) and dynamic certificate pinning can prevent Man-in-the-Middle (MitM) attacks, block bots, and ensure HIPAA and GDPR compliance.
Sponsor: This episode is brought to you by https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com. Approov provides complete, end-to-end protection for mobile health apps and APIs. Their lightweight SDK and RASP technology can be deployed in just a single sprint to block bot attacks, prevent credential stuffing, and stop API abuse. Ensure your patients' health data is safe, even on jailbroken devices or insecure Wi-Fi networks. Learn how to protect your revenue and patient trust at https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com.

Resources &amp; Source Materials:

- TechRadar Report: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.techradar.com
- Approov Mobile Health Security: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com
SEO Keywords: Mobile app security, mental health apps, healthcare data breach, API security, mobile health compliance, HIPAA compliance mobile apps, RASP technology, cybersecurity podcast, Oversecured vulnerabilities, patient data protection, Approov mobile security.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 28 Feb 2026 17:25:33 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Summary: In this episode of Upwardly Mobile, we dive deep into a shocking new cybersecurity report revealing that millions of users' highly sensitive medical data may be at risk. We discuss the recent discovery of 1,500 vulnerabilities across 10 incredibly popular mental health apps—which have been downloaded over 14 million times. From leaked therapy transcripts and mood logs to the high black-market value of these stolen health records, we unpack the unique risks threatening the digital healthcare space today.
Finally, we explore actionable solutions for healthcare providers and developers to lock down their platforms, featuring insights on Runtime Application Self-Protection (RASP), dynamic certificate pinning, and end-to-end API security.
Key Topics Discussed in This Episode:

- The Mental Health App Crisis: How researchers at Oversecured uncovered 54 high-severity flaws in leading mental health applications, leaving sensitive data like Cognitive Behavioral Therapy (CBT) session notes and medication schedules exposed.
- The Black Market for Health Data: Why cybercriminals are targeting therapy records, which can sell for upwards of $1,000 each—far more than stolen credit card numbers.
- Common Developer Pitfalls: The dangers of outdated apps, plaintext configuration data, hardcoded Firebase URLs, and insecure encryption keys.
- Securing Mobile Health: How technologies like Runtime Application Self-Protection (RASP) and dynamic certificate pinning can prevent Man-in-the-Middle (MitM) attacks, block bots, and ensure HIPAA and GDPR compliance.
Sponsor: This episode is brought to you by https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com. Approov provides complete, end-to-end protection for mobile health apps and APIs. Their lightweight SDK and RASP technology can be deployed in just a single sprint to block bot attacks, prevent credential stuffing, and stop API abuse. Ensure your patients' health data is safe, even on jailbroken devices or insecure Wi-Fi networks. Learn how to protect your revenue and patient trust at https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com.

Resources &amp; Source Materials:

- TechRadar Report: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.techradar.com
- Approov Mobile Health Security: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com
SEO Keywords: Mobile app security, mental health apps, healthcare data breach, API security, mobile health compliance, HIPAA compliance mobile apps, RASP technology, cybersecurity podcast, Oversecured vulnerabilities, patient data protection, Approov mobile security.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Summary: In this episode of Upwardly Mobile, we dive deep into a shocking new cybersecurity report revealing that millions of users' highly sensitive medical data may be at risk. We discuss the recent discovery of 1,500 vulnerabilities across 10 incredibly popular mental health apps—which have been downloaded over 14 million times. From leaked therapy transcripts and mood logs to the high black-market value of these stolen health records, we unpack the unique risks threatening the digital healthcare space today.
Finally, we explore actionable solutions for healthcare providers and developers to lock down their platforms, featuring insights on Runtime Application Self-Protection (RASP), dynamic certificate pinning, and end-to-end API security.
Key Topics Discussed in This Episode:

- The Mental Health App Crisis: How researchers at Oversecured uncovered 54 high-severity flaws in leading mental health applications, leaving sensitive data like Cognitive Behavioral Therapy (CBT) session notes and medication schedules exposed.
- The Black Market for Health Data: Why cybercriminals are targeting therapy records, which can sell for upwards of $1,000 each—far more than stolen credit card numbers.
- Common Developer Pitfalls: The dangers of outdated apps, plaintext configuration data, hardcoded Firebase URLs, and insecure encryption keys.
- Securing Mobile Health: How technologies like Runtime Application Self-Protection (RASP) and dynamic certificate pinning can prevent Man-in-the-Middle (MitM) attacks, block bots, and ensure HIPAA and GDPR compliance.
Sponsor: This episode is brought to you by https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com. Approov provides complete, end-to-end protection for mobile health apps and APIs. Their lightweight SDK and RASP technology can be deployed in just a single sprint to block bot attacks, prevent credential stuffing, and stop API abuse. Ensure your patients' health data is safe, even on jailbroken devices or insecure Wi-Fi networks. Learn how to protect your revenue and patient trust at https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com.

Resources &amp; Source Materials:

- TechRadar Report: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.techradar.com
- Approov Mobile Health Security: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.com
SEO Keywords: Mobile app security, mental health apps, healthcare data breach, API security, mobile health compliance, HIPAA compliance mobile apps, RASP technology, cybersecurity podcast, Oversecured vulnerabilities, patient data protection, Approov mobile security.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1432</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/70362441]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8525355640.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Triangle of Trust: Mastering Mobile App Attestation &amp; Zero Trust API Security</title>
      <link>https://player.megaphone.fm/NPTNI5900787952</link>
      <description>Welcome to another episode of Upwardly Mobile! In this episode, we take a deep dive into the evolution of runtime security for mobile API access. Traditional methods like API keys are easily stolen because they are static and stored directly inside the user's app. To combat this vulnerability, we explore the groundbreaking "Triangle of Trust" architecture developed by CriticalBlue, the company behind the Approov mobile security service. We unpack the technical details of US Patent 11,163,858 B2, titled "Client Software Attestation," which establishes a Zero Trust proof of software integrity for apps operating on the public internet. This episode breaks down how the patented system calculates a cryptographic hash fingerprint of an executing code image to detect tampering in real-time, ensuring that malicious actors cannot spoof access. We also discuss how Approov's platform-agnostic approach provides a significant competitive advantage over OS-native solutions like Google Play Integrity and Apple App Attest, especially in global markets featuring Huawei's HarmonyOS NEXT and non-GMS Android devices.

Key Takeaways from this Episode:

- The Triangle of Trust: A tripartite architecture separating the security check from the access itself, involving an Issuer (Approov Cloud Attestation Server), a Holder (the Mobile Client Device), and a Verifier (the Backend Server Device).
- Dynamic Code Fingerprinting: How client applications calculate a cryptographic hash of their own executing code image to prove integrity, ensuring no sensitive "master keys" are ever stored on the device where they could be extracted.
- Protection Against Advanced Threats: The system's ability to thwart "living-off-the-land" attacks (like memory hooking with Frida) and Man-in-the-Middle (MITM) attacks by verifying code dynamically in memory, rather than just checking the static OS state.
- Superiority Over OS-Native Tools: Why a unified, cross-platform attestation approach is critical for the global market, bypassing the latency, platform restrictions, and hardware dependencies of Google Play Integrity and Apple App Attest.
- A Defensible Security Moat: An analysis of why CriticalBlue's patent is highly defensible and has been cited over 60 times as prior art, acting as a major technical blocker for competitors in the cybersecurity industry.
Sponsor: This episode is brought to you by Approov. Stop relying on static API keys and secure your mobile business with deterministic, zero-trust software integrity. With global reach across iOS, GMS Android, non-GMS Android, and HarmonyOS, Approov ensures your backend APIs are shielded from malicious bots and tampered apps. Visit https://approov.com/ to learn more and secure your mobile ecosystem today.

Source Materials &amp; Relevant Links:

- US Patent 11,163,858 B2: Client Software Attestation by Richard Michael Taylor / Critical Blue Ltd. (Filed 2015, Granted Nov 2, 2021).
- Whitepaper Excerpt: Attestation: The Triangle of Trust.
- Approov

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 23 Feb 2026 13:07:49 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Welcome to another episode of Upwardly Mobile! In this episode, we take a deep dive into the evolution of runtime security for mobile API access. Traditional methods like API keys are easily stolen because they are static and stored directly inside the user's app. To combat this vulnerability, we explore the groundbreaking "Triangle of Trust" architecture developed by CriticalBlue, the company behind the Approov mobile security service. We unpack the technical details of US Patent 11,163,858 B2, titled "Client Software Attestation," which establishes a Zero Trust proof of software integrity for apps operating on the public internet. This episode breaks down how the patented system calculates a cryptographic hash fingerprint of an executing code image to detect tampering in real-time, ensuring that malicious actors cannot spoof access. We also discuss how Approov's platform-agnostic approach provides a significant competitive advantage over OS-native solutions like Google Play Integrity and Apple App Attest, especially in global markets featuring Huawei's HarmonyOS NEXT and non-GMS Android devices.

Key Takeaways from this Episode:

- The Triangle of Trust: A tripartite architecture separating the security check from the access itself, involving an Issuer (Approov Cloud Attestation Server), a Holder (the Mobile Client Device), and a Verifier (the Backend Server Device).
- Dynamic Code Fingerprinting: How client applications calculate a cryptographic hash of their own executing code image to prove integrity, ensuring no sensitive "master keys" are ever stored on the device where they could be extracted.
- Protection Against Advanced Threats: The system's ability to thwart "living-off-the-land" attacks (like memory hooking with Frida) and Man-in-the-Middle (MITM) attacks by verifying code dynamically in memory, rather than just checking the static OS state.
- Superiority Over OS-Native Tools: Why a unified, cross-platform attestation approach is critical for the global market, bypassing the latency, platform restrictions, and hardware dependencies of Google Play Integrity and Apple App Attest.
- A Defensible Security Moat: An analysis of why CriticalBlue's patent is highly defensible and has been cited over 60 times as prior art, acting as a major technical blocker for competitors in the cybersecurity industry.
Sponsor: This episode is brought to you by Approov. Stop relying on static API keys and secure your mobile business with deterministic, zero-trust software integrity. With global reach across iOS, GMS Android, non-GMS Android, and HarmonyOS, Approov ensures your backend APIs are shielded from malicious bots and tampered apps. Visit https://approov.com/ to learn more and secure your mobile ecosystem today.

Source Materials &amp; Relevant Links:

- US Patent 11,163,858 B2: Client Software Attestation by Richard Michael Taylor / Critical Blue Ltd. (Filed 2015, Granted Nov 2, 2021).
- Whitepaper Excerpt: Attestation: The Triangle of Trust.
- Approov

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Welcome to another episode of Upwardly Mobile! In this episode, we take a deep dive into the evolution of runtime security for mobile API access. Traditional methods like API keys are easily stolen because they are static and stored directly inside the user's app. To combat this vulnerability, we explore the groundbreaking "Triangle of Trust" architecture developed by CriticalBlue, the company behind the Approov mobile security service. We unpack the technical details of US Patent 11,163,858 B2, titled "Client Software Attestation," which establishes a Zero Trust proof of software integrity for apps operating on the public internet. This episode breaks down how the patented system calculates a cryptographic hash fingerprint of an executing code image to detect tampering in real-time, ensuring that malicious actors cannot spoof access. We also discuss how Approov's platform-agnostic approach provides a significant competitive advantage over OS-native solutions like Google Play Integrity and Apple App Attest, especially in global markets featuring Huawei's HarmonyOS NEXT and non-GMS Android devices.

Key Takeaways from this Episode:
- The Triangle of Trust: A tripartite architecture separating the security check from the access itself, involving an Issuer (Approov Cloud Attestation Server), a Holder (the Mobile Client Device), and a Verifier (the Backend Server Device).
- Dynamic Code Fingerprinting: How client applications calculate a cryptographic hash of their own executing code image to prove integrity, ensuring no sensitive "master keys" are ever stored on the device where they could be extracted.
- Protection Against Advanced Threats: The system's ability to thwart "living-off-the-land" attacks (like memory hooking with Frida) and Man-in-the-Middle (MITM) attacks by verifying code dynamically in memory, rather than just checking the static OS state.
- Superiority Over OS-Native Tools: Why a unified, cross-platform attestation approach is critical for the global market, bypassing the latency, platform restrictions, and hardware dependencies of Google Play Integrity and Apple App Attest.
- A Defensible Security Moat: An analysis of why CriticalBlue's patent is highly defensible and has been cited over 60 times as prior art, acting as a major technical blocker for competitors in the cybersecurity industry.
Sponsor: This episode is brought to you by Approov. Stop relying on static API keys and secure your mobile business with deterministic, zero-trust software integrity. With global reach across iOS, GMS Android, non-GMS Android, and HarmonyOS, Approov ensures your backend APIs are shielded from malicious bots and tampered apps. Visit https://approov.com/ to learn more and secure your mobile ecosystem today.

Source Materials &amp; Relevant Links:
- US Patent 11,163,858 B2: Client Software Attestation by Richard Michael Taylor / Critical Blue Ltd. (Filed 2015, Granted Nov 2, 2021).
- Whitepaper Excerpt: Attestation: The Triangle of Trust.
- Approov

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1275</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/70225382]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5900787952.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The "Rootless" Revolution: Inside the Dopamine Jailbreak &amp; The EBT Security Crisis</title>
      <link>https://player.megaphone.fm/NPTNI1746353380</link>
      <description>The "Rootless" Revolution: Inside the Dopamine Jailbreak &amp; The EBT Security Crisis
🎧 Episode Summary

In this episode of Upwardly Mobile, we dive into two critical stories reshaping the mobile security landscape. First, we unpack the architecture of Dopamine, the modern "rootless" jailbreak that has cracked iOS 15 and iOS 16 without touching the system partition. We explore how it bypasses Apple’s Signed System Volume (SSV) and what this means for app developers trying to detect compromised devices. Then, we shift gears to a systemic failure in government fintech: why the "Lock Card" feature in EBT mobile apps is failing to stop fraud. We break down how attackers are bypassing mobile controls using legacy magstripe rails and bot attacks.

🚀 Key Topics Discussed

- The Dopamine Architecture: Understanding the shift from "rootful" to "rootless" jailbreaking.
- How it Works: The exploit chain, including PAC and PPL bypasses, and the creation of the fake root environment in /var/jb.
- Detection Challenges: Why traditional jailbreak detection methods struggle against rootless environments and the reliance on finding tweak injection libraries like ElleKit.
- The EBT Mobile Failure: Why locking your EBT card in the mobile app doesn't actually stop thieves at the register.
- API Abuse: How botnets are hammering IVR and app APIs to time their theft perfectly.
🔗 Resources &amp; Links

Dopamine Jailbreak:

- Official Project: https://github.com/opa334/Dopamine
- Installation Guide: https://ios.cfw.guide/installing-dopamine/
- Technical Insight: https://ellekit.space/dopamine/
EBT &amp; Mobile Fraud Analysis:

- The Mechanics of Theft: https://www.propel.app/ebt-theft/how-are-ebt-benefits-being-stolen/
- Systemic Vulnerabilities: https://www.pa.gov/agencies/osig/what-we-do/bureau-of-fraud-prevention-and-prosecution/snap-skimming
🛡️ Sponsor

This episode is brought to you by Approov. Is your mobile app running on a jailbroken device? Are bots scraping your API endpoints? Approov provides a comprehensive mobile security solution that ensures only genuine mobile app instances, running on safe mobile environments, can access your backend APIs. 👉 Learn more at: https://approov.com/

🔍 SEO Keywords

Dopamine Jailbreak, Rootless Jailbreak, iOS 15 Jailbreak, iOS 16 Security, Mobile App Security, EBT Fraud, Skimming, API Security, Sideloading, TrollStore, Magstripe Vulnerabilities, App Attestation.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 06 Feb 2026 02:30:02 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The "Rootless" Revolution: Inside the Dopamine Jailbreak &amp; The EBT Security Crisis
🎧 Episode Summary

In this episode of Upwardly Mobile, we dive into two critical stories reshaping the mobile security landscape. First, we unpack the architecture of Dopamine, the modern "rootless" jailbreak that has cracked iOS 15 and iOS 16 without touching the system partition. We explore how it bypasses Apple’s Signed System Volume (SSV) and what this means for app developers trying to detect compromised devices. Then, we shift gears to a systemic failure in government fintech: why the "Lock Card" feature in EBT mobile apps is failing to stop fraud. We break down how attackers are bypassing mobile controls using legacy magstripe rails and bot attacks.

🚀 Key Topics Discussed

- The Dopamine Architecture: Understanding the shift from "rootful" to "rootless" jailbreaking.
- How it Works: The exploit chain, including PAC and PPL bypasses, and the creation of the fake root environment in /var/jb.
- Detection Challenges: Why traditional jailbreak detection methods struggle against rootless environments and the reliance on finding tweak injection libraries like ElleKit.
- The EBT Mobile Failure: Why locking your EBT card in the mobile app doesn't actually stop thieves at the register.
- API Abuse: How botnets are hammering IVR and app APIs to time their theft perfectly.
🔗 Resources &amp; Links

Dopamine Jailbreak:

- Official Project: https://github.com/opa334/Dopamine
- Installation Guide: https://ios.cfw.guide/installing-dopamine/
- Technical Insight: https://ellekit.space/dopamine/
EBT &amp; Mobile Fraud Analysis:

- The Mechanics of Theft: https://www.propel.app/ebt-theft/how-are-ebt-benefits-being-stolen/
- Systemic Vulnerabilities: https://www.pa.gov/agencies/osig/what-we-do/bureau-of-fraud-prevention-and-prosecution/snap-skimming
🛡️ Sponsor

This episode is brought to you by Approov. Is your mobile app running on a jailbroken device? Are bots scraping your API endpoints? Approov provides a comprehensive mobile security solution that ensures only genuine mobile app instances, running on safe mobile environments, can access your backend APIs. 👉 Learn more at: https://approov.com/

🔍 SEO Keywords

Dopamine Jailbreak, Rootless Jailbreak, iOS 15 Jailbreak, iOS 16 Security, Mobile App Security, EBT Fraud, Skimming, API Security, Sideloading, TrollStore, Magstripe Vulnerabilities, App Attestation.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The "Rootless" Revolution: Inside the Dopamine Jailbreak &amp; The EBT Security Crisis
🎧 Episode Summary

In this episode of Upwardly Mobile, we dive into two critical stories reshaping the mobile security landscape. First, we unpack the architecture of Dopamine, the modern "rootless" jailbreak that has cracked iOS 15 and iOS 16 without touching the system partition. We explore how it bypasses Apple’s Signed System Volume (SSV) and what this means for app developers trying to detect compromised devices. Then, we shift gears to a systemic failure in government fintech: why the "Lock Card" feature in EBT mobile apps is failing to stop fraud. We break down how attackers are bypassing mobile controls using legacy magstripe rails and bot attacks.

🚀 Key Topics Discussed

- The Dopamine Architecture: Understanding the shift from "rootful" to "rootless" jailbreaking.
- How it Works: The exploit chain, including PAC and PPL bypasses, and the creation of the fake root environment in /var/jb.
- Detection Challenges: Why traditional jailbreak detection methods struggle against rootless environments and the reliance on finding tweak injection libraries like ElleKit.
- The EBT Mobile Failure: Why locking your EBT card in the mobile app doesn't actually stop thieves at the register.
- API Abuse: How botnets are hammering IVR and app APIs to time their theft perfectly.
🔗 Resources &amp; Links

Dopamine Jailbreak:

- Official Project: https://github.com/opa334/Dopamine
- Installation Guide: https://ios.cfw.guide/installing-dopamine/
- Technical Insight: https://ellekit.space/dopamine/
EBT &amp; Mobile Fraud Analysis:

- The Mechanics of Theft: https://www.propel.app/ebt-theft/how-are-ebt-benefits-being-stolen/
- Systemic Vulnerabilities: https://www.pa.gov/agencies/osig/what-we-do/bureau-of-fraud-prevention-and-prosecution/snap-skimming
🛡️ Sponsor

This episode is brought to you by Approov. Is your mobile app running on a jailbroken device? Are bots scraping your API endpoints? Approov provides a comprehensive mobile security solution that ensures only genuine mobile app instances, running on safe mobile environments, can access your backend APIs. 👉 Learn more at: https://approov.com/

🔍 SEO Keywords

Dopamine Jailbreak, Rootless Jailbreak, iOS 15 Jailbreak, iOS 16 Security, Mobile App Security, EBT Fraud, Skimming, API Security, Sideloading, TrollStore, Magstripe Vulnerabilities, App Attestation.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>946</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/69774231]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1746353380.mp3?updated=1778691258" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Beyond the Hardware: Why Key Attestation Is Just a Receipt, Not a Security Strategy</title>
      <link>https://player.megaphone.fm/NPTNI2217264637</link>
      <description>Beyond the Hardware: Why Key Attestation Is Just a Receipt, Not a Security Strategy

In this episode of Upwardly Mobile, we dive deep into the often-misunderstood world of mobile app security to debunk the myth that hardware-backed key attestation is a "silver bullet." Drawing from expert analysis by Approov, Oasis, and community discussions, we explore why relying solely on Apple’s App Attest or Google’s Play Integrity can leave your APIs vulnerable to sophisticated attacks like device farming and runtime instrumentation. We explain why attestation is merely a "snapshot" in time and how to implement a true defense-in-depth strategy.

Key Takeaways:

- The Hardware Myth: Companies like Google and Apple promote hardware-backed key attestation (using TEEs or Secure Elements) as a primary security measure, but this approach has critical limitations when used in isolation. While it proves a cryptographic key is stored in secure hardware, it does not guarantee the integrity of the app calling that key or the user operating it.
- The "Receipt" Analogy: Remote attestation is effectively just a receipt proving that a specific binary ran on specific hardware at a specific moment. It fails to prove that the state hasn't been rolled back, that the operator isn't malicious, or that the inputs haven't been manipulated since that snapshot was taken.
- The Threat of Device Farms: Attackers can physically amass legitimate iPhones in "Device Farms" to generate valid App Attest tokens. These tokens are then sold via APIs to bots, allowing scripts to impersonate genuine devices and bypass standard hardware checks.
- Runtime Manipulation: Tools like Frida and Magisk allow hackers to hook into API calls and forge attestation results or manipulate the application's behavior after the boot process. Without Runtime Application Self Protection (RASP), a validly attested device can still run a compromised app.
- The Solution is Multi-Layered: Effective security requires moving verification off the device to the cloud and implementing dynamic checks. A robust strategy includes RASP, dynamic certificate pinning, and cloud-based mobile attestation that verifies the app's integrity continuously, not just at boot.
Featured Resources &amp; Source Material:

- Article: https://approov.io/blog/limitations-of-hardware-backed-key-attestation-in-mobile-security – An analysis of why verification must always occur off-device.
- Article: https://approov.io/blog/how-to-defeat-apple-devicecheck-and-appattest – A technical look at how hackers bypass iOS security using instrumentation and device farms.
- Community Insight: https://dev.to/adityasingh_32/tee-attestation-isnt-trust-its-just-a-receipt-2m3k – A breakdown of why attestation does not equal trust.
- Deep Dive: https://oasis.net/blog/tee-attestation-is-not-enough – Exploring the nuances of remote attestation within trust systems.
- Definition: https://en.wikipedia.org/wiki/Trusted_execution_environment – Understanding the history an

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 30 Jan 2026 02:33:20 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Beyond the Hardware: Why Key Attestation Is Just a Receipt, Not a Security Strategy

In this episode of Upwardly Mobile, we dive deep into the often-misunderstood world of mobile app security to debunk the myth that hardware-backed key attestation is a "silver bullet." Drawing from expert analysis by Approov, Oasis, and community discussions, we explore why relying solely on Apple’s App Attest or Google’s Play Integrity can leave your APIs vulnerable to sophisticated attacks like device farming and runtime instrumentation. We explain why attestation is merely a "snapshot" in time and how to implement a true defense-in-depth strategy.

Key Takeaways:

- The Hardware Myth: Companies like Google and Apple promote hardware-backed key attestation (using TEEs or Secure Elements) as a primary security measure, but this approach has critical limitations when used in isolation. While it proves a cryptographic key is stored in secure hardware, it does not guarantee the integrity of the app calling that key or the user operating it.
- The "Receipt" Analogy: Remote attestation is effectively just a receipt proving that a specific binary ran on specific hardware at a specific moment. It fails to prove that the state hasn't been rolled back, that the operator isn't malicious, or that the inputs haven't been manipulated since that snapshot was taken.
- The Threat of Device Farms: Attackers can physically amass legitimate iPhones in "Device Farms" to generate valid App Attest tokens. These tokens are then sold via APIs to bots, allowing scripts to impersonate genuine devices and bypass standard hardware checks.
- Runtime Manipulation: Tools like Frida and Magisk allow hackers to hook into API calls and forge attestation results or manipulate the application's behavior after the boot process. Without Runtime Application Self Protection (RASP), a validly attested device can still run a compromised app.
- The Solution is Multi-Layered: Effective security requires moving verification off the device to the cloud and implementing dynamic checks. A robust strategy includes RASP, dynamic certificate pinning, and cloud-based mobile attestation that verifies the app's integrity continuously, not just at boot.
Featured Resources &amp; Source Material:

- Article: https://approov.io/blog/limitations-of-hardware-backed-key-attestation-in-mobile-security – An analysis of why verification must always occur off-device.
- Article: https://approov.io/blog/how-to-defeat-apple-devicecheck-and-appattest – A technical look at how hackers bypass iOS security using instrumentation and device farms.
- Community Insight: https://dev.to/adityasingh_32/tee-attestation-isnt-trust-its-just-a-receipt-2m3k – A breakdown of why attestation does not equal trust.
- Deep Dive: https://oasis.net/blog/tee-attestation-is-not-enough – Exploring the nuances of remote attestation within trust systems.
- Definition: https://en.wikipedia.org/wiki/Trusted_execution_environment – Understanding the history an

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Beyond the Hardware: Why Key Attestation Is Just a Receipt, Not a Security Strategy

In this episode of Upwardly Mobile, we dive deep into the often-misunderstood world of mobile app security to debunk the myth that hardware-backed key attestation is a "silver bullet." Drawing from expert analysis by Approov, Oasis, and community discussions, we explore why relying solely on Apple’s App Attest or Google’s Play Integrity can leave your APIs vulnerable to sophisticated attacks like device farming and runtime instrumentation. We explain why attestation is merely a "snapshot" in time and how to implement a true defense-in-depth strategy.

Key Takeaways:

- The Hardware Myth: Companies like Google and Apple promote hardware-backed key attestation (using TEEs or Secure Elements) as a primary security measure, but this approach has critical limitations when used in isolation. While it proves a cryptographic key is stored in secure hardware, it does not guarantee the integrity of the app calling that key or the user operating it.
- The "Receipt" Analogy: Remote attestation is effectively just a receipt proving that a specific binary ran on specific hardware at a specific moment. It fails to prove that the state hasn't been rolled back, that the operator isn't malicious, or that the inputs haven't been manipulated since that snapshot was taken.
- The Threat of Device Farms: Attackers can physically amass legitimate iPhones in "Device Farms" to generate valid App Attest tokens. These tokens are then sold via APIs to bots, allowing scripts to impersonate genuine devices and bypass standard hardware checks.
- Runtime Manipulation: Tools like Frida and Magisk allow hackers to hook into API calls and forge attestation results or manipulate the application's behavior after the boot process. Without Runtime Application Self Protection (RASP), a validly attested device can still run a compromised app.
- The Solution is Multi-Layered: Effective security requires moving verification off the device to the cloud and implementing dynamic checks. A robust strategy includes RASP, dynamic certificate pinning, and cloud-based mobile attestation that verifies the app's integrity continuously, not just at boot.
Featured Resources &amp; Source Material:

- Article: https://approov.io/blog/limitations-of-hardware-backed-key-attestation-in-mobile-security – An analysis of why verification must always occur off-device.
- Article: https://approov.io/blog/how-to-defeat-apple-devicecheck-and-appattest – A technical look at how hackers bypass iOS security using instrumentation and device farms.
- Community Insight: https://dev.to/adityasingh_32/tee-attestation-isnt-trust-its-just-a-receipt-2m3k – A breakdown of why attestation does not equal trust.
- Deep Dive: https://oasis.net/blog/tee-attestation-is-not-enough – Exploring the nuances of remote attestation within trust systems.
- Definition: https://en.wikipedia.org/wiki/Trusted_execution_environment – Understanding the history an

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>953</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/69676683]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2217264637.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>SNAP | Why Mobile Apps Are Failing to Stop Food Stamp Fraud?</title>
      <link>https://player.megaphone.fm/NPTNI6412547661</link>
      <description>Episode Summary
In this episode of Upwardly Mobile, we investigate a growing financial crisis affecting the nation’s most vulnerable families. The USDA now estimates that up to $12 billion is stolen annually from the Supplemental Nutrition Assistance Program (SNAP). We explore how transnational criminal rings are using sophisticated technology—from physical skimmers to brute-force cyberattacks—to drain EBT cards in seconds.
We also break down why the government’s latest solution—mobile apps that allow users to "lock" their cards—is failing to stop the theft. We analyze the technical vulnerabilities of the legacy magstripe system and explain why app-based controls are often bypassed by backend fraud and race conditions.
This episode is sponsored by https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2F. Mobile apps are now the front door to critical services, but as we discuss in this episode, they are only as strong as the security frameworks behind them. Approov provides comprehensive mobile app protection, ensuring that the requests hitting your API are from genuine apps running on untampered devices.
Key Topics &amp; Takeaways:
• The Scale of the Problem: Federal investigators estimate that SNAP fraud has hit all-time highs, potentially reaching $12 billion annually. Georgia alone reported nearly $23 million stolen in just the first quarter of 2025.
• How the Fraud Works: Criminals are utilizing advanced skimming technology and "brute force" software that can guess a four-digit PIN in less than a second. The Secret Service notes that these are often transnational organized crime groups capable of working easily across borders.
• The "Lock" Feature Failure: Many states, including Georgia, encouraged users to download apps like ConnectEBT to "lock" their cards. However, users like Sheria Robertson report having funds stolen mere minutes after unlocking the app to make a purchase.
• The Technical Vulnerability: The core issue is that EBT cards still rely on legacy magnetic stripe technology rather than secure chips (EMV). Because the backend system relies on static track data and a PIN, the mobile app’s "lock" feature is often bypassed by race conditions or bot attacks on IVR systems.
• Bot Attacks: Cybercriminals are using bots to hammer IVR systems to check balances and time their withdrawals the moment funds are deposited.
Featured Stories &amp; Data:
• Victim Spotlight: Sheria Robertson, a single mother who lost her Thanksgiving food budget to thieves in Brooklyn, NY, despite being in Georgia and using the app's security features.
• Investigator Insight: Mark Haskins from the USDA Food and Nutrition Service explains that criminals are "taking it to the next level" with cyber and brute force attacks.
• State Data: Top states for reported fraud include Georgia, New York, and California.
Relevant Links &amp; Resources:
• USDA SNAP Replacement of Stolen Benefits Dashboard
• Report Fraud: USDA Office of Inspector General Hotline [(800)

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 17 Jan 2026 07:46:35 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Summary
In this episode of Upwardly Mobile, we investigate a growing financial crisis affecting the nation’s most vulnerable families. The USDA now estimates that up to $12 billion is stolen annually from the Supplemental Nutrition Assistance Program (SNAP). We explore how transnational criminal rings are using sophisticated technology—from physical skimmers to brute-force cyberattacks—to drain EBT cards in seconds.
We also break down why the government’s latest solution—mobile apps that allow users to "lock" their cards—is failing to stop the theft. We analyze the technical vulnerabilities of the legacy magstripe system and explain why app-based controls are often bypassed by backend fraud and race conditions.
This episode is sponsored by https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2F. Mobile apps are now the front door to critical services, but as we discuss in this episode, they are only as strong as the security frameworks behind them. Approov provides comprehensive mobile app protection, ensuring that the requests hitting your API are from genuine apps running on untampered devices.
Key Topics &amp; Takeaways:
• The Scale of the Problem: Federal investigators estimate that SNAP fraud has hit all-time highs, potentially reaching $12 billion annually. Georgia alone reported nearly $23 million stolen in just the first quarter of 2025.
• How the Fraud Works: Criminals are utilizing advanced skimming technology and "brute force" software that can guess a four-digit PIN in less than a second. The Secret Service notes that these are often transnational organized crime groups capable of working easily across borders.
• The "Lock" Feature Failure: Many states, including Georgia, encouraged users to download apps like ConnectEBT to "lock" their cards. However, users like Sheria Robertson report having funds stolen mere minutes after unlocking the app to make a purchase.
• The Technical Vulnerability: The core issue is that EBT cards still rely on legacy magnetic stripe technology rather than secure chips (EMV). Because the backend system relies on static track data and a PIN, the mobile app’s "lock" feature is often bypassed by race conditions or bot attacks on IVR systems.
• Bot Attacks: Cybercriminals are using bots to hammer IVR systems to check balances and time their withdrawals the moment funds are deposited.
Featured Stories &amp; Data:
• Victim Spotlight: Sheria Robertson, a single mother who lost her Thanksgiving food budget to thieves in Brooklyn, NY, despite being in Georgia and using the app's security features.
• Investigator Insight: Mark Haskins from the USDA Food and Nutrition Service explains that criminals are "taking it to the next level" with cyber and brute force attacks.
• State Data: Top states for reported fraud include Georgia, New York, and California.
Relevant Links &amp; Resources:
• USDA SNAP Replacement of Stolen Benefits Dashboard
• Report Fraud: USDA Office of Inspector General Hotline [(800)

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Summary
In this episode of Upwardly Mobile, we investigate a growing financial crisis affecting the nation’s most vulnerable families. The USDA now estimates that up to $12 billion is stolen annually from the Supplemental Nutrition Assistance Program (SNAP). We explore how transnational criminal rings are using sophisticated technology—from physical skimmers to brute-force cyberattacks—to drain EBT cards in seconds.
We also break down why the government’s latest solution—mobile apps that allow users to "lock" their cards—is failing to stop the theft. We analyze the technical vulnerabilities of the legacy magstripe system and explain why app-based controls are often bypassed by backend fraud and race conditions.
This episode is sponsored by https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2F. Mobile apps are now the front door to critical services, but as we discuss in this episode, they are only as strong as the security frameworks behind them. Approov provides comprehensive mobile app protection, ensuring that the requests hitting your API are from genuine apps running on untampered devices.
Key Topics &amp; Takeaways:
• The Scale of the Problem: Federal investigators estimate that SNAP fraud has hit all-time highs, potentially reaching $12 billion annually. Georgia alone reported nearly $23 million stolen in just the first quarter of 2025.
• How the Fraud Works: Criminals are utilizing advanced skimming technology and "brute force" software that can guess a four-digit PIN in less than a second. The Secret Service notes that these are often transnational organized crime groups capable of working easily across borders.
• The "Lock" Feature Failure: Many states, including Georgia, encouraged users to download apps like ConnectEBT to "lock" their cards. However, users like Sheria Robertson report having funds stolen mere minutes after unlocking the app to make a purchase.
• The Technical Vulnerability: The core issue is that EBT cards still rely on legacy magnetic stripe technology rather than secure chips (EMV). Because the backend system relies on static track data and a PIN, the mobile app’s "lock" feature is often bypassed by race conditions or bot attacks on IVR systems.
• Bot Attacks: Cybercriminals are using bots to hammer IVR systems to check balances and time their withdrawals the moment funds are deposited.
Featured Stories &amp; Data:
• Victim Spotlight: Sheria Robertson, a single mother who lost her Thanksgiving food budget to thieves in Brooklyn, NY, despite being in Georgia and using the app's security features.
• Investigator Insight: Mark Haskins from the USDA Food and Nutrition Service explains that criminals are "taking it to the next level" with cyber and brute force attacks.
• State Data: Top states for reported fraud include Georgia, New York, and California.
Relevant Links &amp; Resources:
• USDA SNAP Replacement of Stolen Benefits Dashboard
• Report Fraud: USDA Office of Inspector General Hotline [(800)

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>934</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/69480464]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6412547661.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Punkt MC03: Can You De-Google Without the Headache?</title>
      <link>https://player.megaphone.fm/NPTNI2142670294</link>
      <description>In this episode, we explore the landscape of "privacy-first" smartphones, focusing on the newly unveiled Punkt MC03. We break down whether this Swiss-designed, German-made device can finally offer a viable alternative to the data-harvesting giants of the mobile world. We discuss the trade-offs of leaving the Google ecosystem, the unique "subscription-based" operating system model, and whether the return of the removable battery signals a shift in hardware trends.

Key Topics &amp; Timestamps:
- The "De-Googled" Promise: The Punkt MC03 runs AphyOS, a custom version of Android that strips out Google Mobile Services to minimize background tracking and profiling.
- AphyOS &amp; The Subscription Model: Unlike standard Android phones, the MC03 relies on a subscription model (approx. $10/month after the first year) to fund security updates and infrastructure rather than selling user data to ad networks.
- Security Architecture: The device splits the user experience into a secure "Vault" for vetted apps (like Proton and Signal) and a "Wild Web" environment for general Android apps, allowing users to isolate risky applications.
- Hardware Highlights: The phone features a 6.67" OLED screen, IP68 rating, and a 5,200 mAh removable battery—a design choice driven by upcoming EU regulations regarding repairability.
- Overcoming Past Failures: We discuss how the MC03 improves upon the "difficult-to-recommend" MC02 with a smoother onboarding process, an improved 64MP camera, and the option to install the Play Store for users who can't go fully cold-turkey.
- The Competition: How the MC03 stacks up against other privacy-focused devices like the Murena Fairphone and other non-GMS ROMs like GrapheneOS.
Sponsor: This episode is brought to you by Approov. Protect your mobile APIs from scripts, bots, and modified apps. Ensure that the requests you receive are from the genuine mobile app you released.
- Visit https://approov.com/ to learn more about comprehensive mobile app security.
Relevant Links &amp; Source Materials:
- ZDNET Review: https://www.zdnet.com/article/punkt-mc03-phone-ces-2026/ – Coverage of the US launch, pricing, and removable battery features.
- Android Police Coverage: https://www.androidauthority.com/punkt-mc03-hands-on-ces-2026-3630101/ – An in-depth look at the onboarding improvements and specs.
- Punkt Official Site: https://www.punkt.ch/products/mc03-premium-secure-smartphone – Direct specs and philosophy from the manufacturer.
- Murena / /e/OS: https://thisgetthoughts.bearblog.dev/fairphone-5-murena-eos-review-part-2-the-os/ – Context on the competitor mentioned in the episode.
Keywords: Punkt MC03, AphyOS, Non-GMS, De-Google, Mobile Privacy, Data Sovereignty, Removable Battery, Android Security, Fairphone, Murena, Apostrophy OS, Mobile Security. 

Disclaimer: Information regarding pricing ($699 device / $10 monthly sub) and release dates (Spring 2026 for US) is based on reports from ZDNET and Android Police coverage of CES 2026.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 13 Jan 2026 09:55:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
<itunes:summary>In this episode, we explore the landscape of "privacy-first" smartphones, focusing on the newly unveiled Punkt MC03. We break down whether this Swiss-designed, German-made device can finally offer a viable alternative to the data-harvesting giants of the mobile world. We discuss the trade-offs of leaving the Google ecosystem, the unique "subscription-based" operating system model, and whether the return of the removable battery signals a shift in hardware trends.
Key Topics &amp; Timestamps:
- The "De-Googled" Promise: The Punkt MC03 runs AphyOS, a custom version of Android that strips out Google Mobile Services to minimize background tracking and profiling.
- AphyOS &amp; The Subscription Model: Unlike standard Android phones, the MC03 relies on a subscription model (approx. $10/month after the first year) to fund security updates and infrastructure rather than selling user data to ad networks.
- Security Architecture: The device splits the user experience into a secure "Vault" for vetted apps (like Proton and Signal) and a "Wild Web" environment for general Android apps, allowing users to isolate risky applications.
- Hardware Highlights: The phone features a 6.67" OLED screen, IP68 rating, and a 5,200 mAh removable battery—a design choice driven by upcoming EU regulations regarding repairability.
- Overcoming Past Failures: We discuss how the MC03 improves upon the "difficult-to-recommend" MC02 with a smoother onboarding process, an improved 64MP camera, and the option to install the Play Store for users who can't go fully cold-turkey.
- The Competition: How the MC03 stacks up against other privacy-focused devices like the Murena Fairphone and other non-GMS ROMs like GrapheneOS.
Sponsor: This episode is brought to you by Approov. Protect your mobile APIs from scripts, bots, and modified apps. Ensure that the requests you receive are from the genuine mobile app you released.
- Visit https://approov.com/ to learn more about comprehensive mobile app security.
Relevant Links &amp; Source Materials:
- ZDNET Review: https://www.zdnet.com/article/punkt-mc03-phone-ces-2026/ – Coverage of the US launch, pricing, and removable battery features.
- Android Police Coverage: https://www.androidauthority.com/punkt-mc03-hands-on-ces-2026-3630101/ – An in-depth look at the onboarding improvements and specs.
- Punkt Official Site: https://www.punkt.ch/products/mc03-premium-secure-smartphone – Direct specs and philosophy from the manufacturer.
- Murena / /e/OS: https://thisgetthoughts.bearblog.dev/fairphone-5-murena-eos-review-part-2-the-os/ – Context on the competitor mentioned in the episode.
Keywords: Punkt MC03, AphyOS, Non-GMS, De-Google, Mobile Privacy, Data Sovereignty, Removable Battery, Android Security, Fairphone, Murena, Apostrophy OS, Mobile Security. 

Disclaimer: Information regarding pricing ($699 device / $10 monthly sub) and release dates (Spring 2026 for US) is based on reports from ZDNET and Android Police coverage of CES 2026.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode, we explore the landscape of "privacy-first" smartphones, focusing on the newly unveiled Punkt MC03. We break down whether this Swiss-designed, German-made device can finally offer a viable alternative to the data-harvesting giants of the mobile world. We discuss the trade-offs of leaving the Google ecosystem, the unique "subscription-based" operating system model, and whether the return of the removable battery signals a shift in hardware trends.
Key Topics &amp; Timestamps:
- The "De-Googled" Promise: The Punkt MC03 runs AphyOS, a custom version of Android that strips out Google Mobile Services to minimize background tracking and profiling.
- AphyOS &amp; The Subscription Model: Unlike standard Android phones, the MC03 relies on a subscription model (approx. $10/month after the first year) to fund security updates and infrastructure rather than selling user data to ad networks.
- Security Architecture: The device splits the user experience into a secure "Vault" for vetted apps (like Proton and Signal) and a "Wild Web" environment for general Android apps, allowing users to isolate risky applications.
- Hardware Highlights: The phone features a 6.67" OLED screen, IP68 rating, and a 5,200 mAh removable battery—a design choice driven by upcoming EU regulations regarding repairability.
- Overcoming Past Failures: We discuss how the MC03 improves upon the "difficult-to-recommend" MC02 with a smoother onboarding process, an improved 64MP camera, and the option to install the Play Store for users who can't go fully cold-turkey.
- The Competition: How the MC03 stacks up against other privacy-focused devices like the Murena Fairphone and other non-GMS ROMs like GrapheneOS.
Sponsor: This episode is brought to you by Approov. Protect your mobile APIs from scripts, bots, and modified apps. Ensure that the requests you receive are from the genuine mobile app you released.
- Visit https://approov.com/ to learn more about comprehensive mobile app security.
Relevant Links &amp; Source Materials:
- ZDNET Review: https://www.zdnet.com/article/punkt-mc03-phone-ces-2026/ – Coverage of the US launch, pricing, and removable battery features.
- Android Police Coverage: https://www.androidauthority.com/punkt-mc03-hands-on-ces-2026-3630101/ – An in-depth look at the onboarding improvements and specs.
- Punkt Official Site: https://www.punkt.ch/products/mc03-premium-secure-smartphone – Direct specs and philosophy from the manufacturer.
- Murena / /e/OS: https://thisgetthoughts.bearblog.dev/fairphone-5-murena-eos-review-part-2-the-os/ – Context on the competitor mentioned in the episode.
Keywords: Punkt MC03, AphyOS, Non-GMS, De-Google, Mobile Privacy, Data Sovereignty, Removable Battery, Android Security, Fairphone, Murena, Apostrophy OS, Mobile Security. 

Disclaimer: Information regarding pricing ($699 device / $10 monthly sub) and release dates (Spring 2026 for US) is based on reports from ZDNET and Android Police coverage of CES 2026.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>747</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/69377189]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2142670294.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Unmasking "Wonderland" – The New Wave of Android Droppers &amp; SMS Stealers</title>
      <link>https://player.megaphone.fm/NPTNI7561949104</link>
<description>In this episode of Upwardly Mobile, we dive deep into the evolving landscape of Android malware. We break down the emergence of Wonderland (formerly WretchedCat), a sophisticated SMS stealer targeting users in Uzbekistan through legitimate-looking "dropper" applications. We explore how threat actors, specifically the "TrickyWonders" group, are leveraging Telegram and malicious ad campaigns to bypass security checks and hijack devices. We also discuss the broader trend of Malware-as-a-Service (MaaS), including new threats like Cellik, Frogblight, and NexusRoute that are lowering the barrier to entry for cybercriminals globally. From real-time screen streaming to bypassing Google Play protections, we analyze the tactics defining modern mobile security threats.
Key Topics Discussed:
- The Rise of Droppers: How malware operators are shifting from "pure" Trojans to "droppers" (like MidnightDat and RoundRift) that appear harmless to evade detection before deploying payloads.
- Wonderland's Capabilities: How this malware establishes bidirectional communication to intercept OTPs, steal contacts, and execute USSD requests.
- The MaaS Economy: A look at the "Cellik" RAT, which offers one-click APK building to bundle malware inside legitimate apps, and "Frogblight," which targets users via fake court documents.
- Government Impersonation: How "NexusRoute" is targeting users in India by mimicking government service portals to steal financial data and UPI PINs.
- Defense Strategies: The importance of blocking unknown source installations and monitoring for suspicious SMS/USSD patterns.
Sponsored By: This episode is brought to you by Approov. Stop mobile app abuse and API misuse. Ensure that the requests your API handles are from the genuine mobile app running on a safe mobile device.
👉 Visit our sponsor: https://approov.io/
Relevant Links &amp; Source Materials:
- The Hacker News: https://thehackernews.com/2025/12/android-malware-operations-merge.html
- SC Media: https://www.scworld.com/brief/android-malware-wonderland-evolves-with-dropper-apps-targeting-uzbekistan
- Cypro: https://www.cypro.se/2025/12/22/android-malware-operations-merge-droppers-sms-theft-and-rat-capabilities-at-scale/
Keywords: Android Malware, Wonderland, SMS Stealer, Dropper Apps, Mobile Security, Remote Access Trojan (RAT), TrickyWonders, Cybersecurity, One-Time Password (OTP) Theft, Malware-as-a-Service, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 06 Jan 2026 18:48:11 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
<itunes:summary>In this episode of Upwardly Mobile, we dive deep into the evolving landscape of Android malware. We break down the emergence of Wonderland (formerly WretchedCat), a sophisticated SMS stealer targeting users in Uzbekistan through legitimate-looking "dropper" applications. We explore how threat actors, specifically the "TrickyWonders" group, are leveraging Telegram and malicious ad campaigns to bypass security checks and hijack devices. We also discuss the broader trend of Malware-as-a-Service (MaaS), including new threats like Cellik, Frogblight, and NexusRoute that are lowering the barrier to entry for cybercriminals globally. From real-time screen streaming to bypassing Google Play protections, we analyze the tactics defining modern mobile security threats.
Key Topics Discussed:
- The Rise of Droppers: How malware operators are shifting from "pure" Trojans to "droppers" (like MidnightDat and RoundRift) that appear harmless to evade detection before deploying payloads.
- Wonderland's Capabilities: How this malware establishes bidirectional communication to intercept OTPs, steal contacts, and execute USSD requests.
- The MaaS Economy: A look at the "Cellik" RAT, which offers one-click APK building to bundle malware inside legitimate apps, and "Frogblight," which targets users via fake court documents.
- Government Impersonation: How "NexusRoute" is targeting users in India by mimicking government service portals to steal financial data and UPI PINs.
- Defense Strategies: The importance of blocking unknown source installations and monitoring for suspicious SMS/USSD patterns.
Sponsored By: This episode is brought to you by Approov. Stop mobile app abuse and API misuse. Ensure that the requests your API handles are from the genuine mobile app running on a safe mobile device.
👉 Visit our sponsor: https://approov.io/
Relevant Links &amp; Source Materials:
- The Hacker News: https://thehackernews.com/2025/12/android-malware-operations-merge.html
- SC Media: https://www.scworld.com/brief/android-malware-wonderland-evolves-with-dropper-apps-targeting-uzbekistan
- Cypro: https://www.cypro.se/2025/12/22/android-malware-operations-merge-droppers-sms-theft-and-rat-capabilities-at-scale/
Keywords: Android Malware, Wonderland, SMS Stealer, Dropper Apps, Mobile Security, Remote Access Trojan (RAT), TrickyWonders, Cybersecurity, One-Time Password (OTP) Theft, Malware-as-a-Service, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode of Upwardly Mobile, we dive deep into the evolving landscape of Android malware. We break down the emergence of Wonderland (formerly WretchedCat), a sophisticated SMS stealer targeting users in Uzbekistan through legitimate-looking "dropper" applications. We explore how threat actors, specifically the "TrickyWonders" group, are leveraging Telegram and malicious ad campaigns to bypass security checks and hijack devices. We also discuss the broader trend of Malware-as-a-Service (MaaS), including new threats like Cellik, Frogblight, and NexusRoute that are lowering the barrier to entry for cybercriminals globally. From real-time screen streaming to bypassing Google Play protections, we analyze the tactics defining modern mobile security threats.
Key Topics Discussed:
- The Rise of Droppers: How malware operators are shifting from "pure" Trojans to "droppers" (like MidnightDat and RoundRift) that appear harmless to evade detection before deploying payloads.
- Wonderland's Capabilities: How this malware establishes bidirectional communication to intercept OTPs, steal contacts, and execute USSD requests.
- The MaaS Economy: A look at the "Cellik" RAT, which offers one-click APK building to bundle malware inside legitimate apps, and "Frogblight," which targets users via fake court documents.
- Government Impersonation: How "NexusRoute" is targeting users in India by mimicking government service portals to steal financial data and UPI PINs.
- Defense Strategies: The importance of blocking unknown source installations and monitoring for suspicious SMS/USSD patterns.
Sponsored By: This episode is brought to you by Approov. Stop mobile app abuse and API misuse. Ensure that the requests your API handles are from the genuine mobile app running on a safe mobile device.
👉 Visit our sponsor: https://approov.io/
Relevant Links &amp; Source Materials:
- The Hacker News: https://thehackernews.com/2025/12/android-malware-operations-merge.html
- SC Media: https://www.scworld.com/brief/android-malware-wonderland-evolves-with-dropper-apps-targeting-uzbekistan
- Cypro: https://www.cypro.se/2025/12/22/android-malware-operations-merge-droppers-sms-theft-and-rat-capabilities-at-scale/
Keywords: Android Malware, Wonderland, SMS Stealer, Dropper Apps, Mobile Security, Remote Access Trojan (RAT), TrickyWonders, Cybersecurity, One-Time Password (OTP) Theft, Malware-as-a-Service, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>687</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/69327187]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7561949104.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>2026 Mobile API and AI Security Predictions</title>
      <link>https://player.megaphone.fm/NPTNI1961863534</link>
      <description>2026 Mobile API and AI Security Predictions

Episode Summary: In this episode of Upwardly Mobile, we audit the accuracy of Approov’s 2025 cybersecurity forecast. Of the seven trends predicted, four proved to be "absolutely correct." We break down these key hits: the dual-use of AI by attackers and defenders, the undeniable dominance of cross-platform development, the crackdown on open-source supply chain risks, and the heavy impact of new global breach reporting mandates.

The 4 Mobile Security Trends That Defined the Year

Key Topics — The 4 Correct Predictions:
• 1. AI’s Double-Edged Sword: We discuss how 2025 wasn't just about AI hype—it was about operational impact. Attackers utilized LLMs to lower the bar for API abuse and generate scripts to bypass WAFs, while defenders leaned on AI for anomaly detection and scan interpretation to speed up code reviews.
• 2. Cross-Platform is King: The prediction that cross-platform development would be "the way forward" held true. We analyze how Flutter and React Native maintained dominance in 2025, becoming the norm for enterprise and fintech apps, though Huawei’s HarmonyOS remained a regional outlier.
• 3. The Open Source Crackdown: Scrutiny on open-source software (OSS) intensified as predicted. With attackers targeting ecosystems like npm and PyPI, and regulations like the EU CRA enforcing SBOMs, organizations were forced to verify their supply chains and adopt runtime protection to catch tampering.
• 4. The Breach Reporting Crunch: Approov correctly forecasted that breach reporting would demand massive investment. With the EU NIS2 Directive and PCI DSS 4.0 coming into full effect, the focus shifted from simple disclosure to operational resilience—requiring companies to report incidents in hours, not days.

Featured Resources &amp; Links:
• Approov Report: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fblog%2Fapproov-predicted-7-mobile-cybersecurity-trends-for-2025-did-they-happen – The full retrospective on which predictions hit the mark and which were too optimistic (like the adoption of certificate pinning).
• Expert Insights: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.lastwatchdog.com%2Flw-roundtable-part-2-mandates-surge-guardrails-lag-intel-from-the-messy-middle%2F – Further reading on the friction between compliance mandates and security realities.

Sponsor: This episode is brought to you by Approov. Don’t let your mobile app be the weak link. Approov provides comprehensive runtime security, ensuring that only your genuine app communicates with your API.
• Visit: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io
• Solutions: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fproduct%2Fruntime-secrets-protection and https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fproduct%2Fapi-security.

Keywords: Mobile Security, Cybersecurity Predictions, AI Threats, Flutter, ReactNative, Open Source Security, SBOM, NIS2 Compliance, Supp

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 29 Dec 2025 01:55:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>2026 Mobile API and AI Security Predictions

Episode Summary: In this episode of Upwardly Mobile, we audit the accuracy of Approov’s 2025 cybersecurity forecast. Of the seven trends predicted, four proved to be "absolutely correct." We break down these key hits: the dual-use of AI by attackers and defenders, the undeniable dominance of cross-platform development, the crackdown on open-source supply chain risks, and the heavy impact of new global breach reporting mandates.

The 4 Mobile Security Trends That Defined the Year

Key Topics — The 4 Correct Predictions:
• 1. AI’s Double-Edged Sword: We discuss how 2025 wasn't just about AI hype—it was about operational impact. Attackers utilized LLMs to lower the bar for API abuse and generate scripts to bypass WAFs, while defenders leaned on AI for anomaly detection and scan interpretation to speed up code reviews.
• 2. Cross-Platform is King: The prediction that cross-platform development would be "the way forward" held true. We analyze how Flutter and React Native maintained dominance in 2025, becoming the norm for enterprise and fintech apps, though Huawei’s HarmonyOS remained a regional outlier.
• 3. The Open Source Crackdown: Scrutiny on open-source software (OSS) intensified as predicted. With attackers targeting ecosystems like npm and PyPI, and regulations like the EU CRA enforcing SBOMs, organizations were forced to verify their supply chains and adopt runtime protection to catch tampering.
• 4. The Breach Reporting Crunch: Approov correctly forecasted that breach reporting would demand massive investment. With the EU NIS2 Directive and PCI DSS 4.0 coming into full effect, the focus shifted from simple disclosure to operational resilience—requiring companies to report incidents in hours, not days.

Featured Resources &amp; Links:
• Approov Report: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fblog%2Fapproov-predicted-7-mobile-cybersecurity-trends-for-2025-did-they-happen – The full retrospective on which predictions hit the mark and which were too optimistic (like the adoption of certificate pinning).
• Expert Insights: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.lastwatchdog.com%2Flw-roundtable-part-2-mandates-surge-guardrails-lag-intel-from-the-messy-middle%2F – Further reading on the friction between compliance mandates and security realities.

Sponsor: This episode is brought to you by Approov. Don’t let your mobile app be the weak link. Approov provides comprehensive runtime security, ensuring that only your genuine app communicates with your API.
• Visit: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io
• Solutions: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fproduct%2Fruntime-secrets-protection and https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fproduct%2Fapi-security.

Keywords: Mobile Security, Cybersecurity Predictions, AI Threats, Flutter, ReactNative, Open Source Security, SBOM, NIS2 Compliance, Supp

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[2026 Mobile API and AI Security Predictions

Episode Summary: In this episode of Upwardly Mobile, we audit the accuracy of Approov’s 2025 cybersecurity forecast. Of the seven trends predicted, four proved to be "absolutely correct." We break down these key hits: the dual-use of AI by attackers and defenders, the undeniable dominance of cross-platform development, the crackdown on open-source supply chain risks, and the heavy impact of new global breach reporting mandates.

The 4 Mobile Security Trends That Defined the Year

Key Topics — The 4 Correct Predictions:
• 1. AI’s Double-Edged Sword: We discuss how 2025 wasn't just about AI hype—it was about operational impact. Attackers utilized LLMs to lower the bar for API abuse and generate scripts to bypass WAFs, while defenders leaned on AI for anomaly detection and scan interpretation to speed up code reviews.
• 2. Cross-Platform is King: The prediction that cross-platform development would be "the way forward" held true. We analyze how Flutter and React Native maintained dominance in 2025, becoming the norm for enterprise and fintech apps, though Huawei’s HarmonyOS remained a regional outlier.
• 3. The Open Source Crackdown: Scrutiny on open-source software (OSS) intensified as predicted. With attackers targeting ecosystems like npm and PyPI, and regulations like the EU CRA enforcing SBOMs, organizations were forced to verify their supply chains and adopt runtime protection to catch tampering.
• 4. The Breach Reporting Crunch: Approov correctly forecasted that breach reporting would demand massive investment. With the EU NIS2 Directive and PCI DSS 4.0 coming into full effect, the focus shifted from simple disclosure to operational resilience—requiring companies to report incidents in hours, not days.

Featured Resources &amp; Links:
• Approov Report: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fblog%2Fapproov-predicted-7-mobile-cybersecurity-trends-for-2025-did-they-happen – The full retrospective on which predictions hit the mark and which were too optimistic (like the adoption of certificate pinning).
• Expert Insights: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.lastwatchdog.com%2Flw-roundtable-part-2-mandates-surge-guardrails-lag-intel-from-the-messy-middle%2F – Further reading on the friction between compliance mandates and security realities.

Sponsor: This episode is brought to you by Approov. Don’t let your mobile app be the weak link. Approov provides comprehensive runtime security, ensuring that only your genuine app communicates with your API.
• Visit: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io
• Solutions: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fproduct%2Fruntime-secrets-protection and https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fapproov.io%2Fproduct%2Fapi-security.

Keywords: Mobile Security, Cybersecurity Predictions, AI Threats, Flutter, ReactNative, Open Source Security, SBOM, NIS2 Compliance, Supp

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>734</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/69101420]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1961863534.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?</title>
      <link>https://player.megaphone.fm/NPTNI5212694520</link>
      <description>The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

Episode Summary: In this episode, we break down a massive vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data from roughly 3.5 billion WhatsApp accounts globally. We explore how a lack of rate limiting on the specific GetDeviceList API endpoint turned a benign contact discovery feature into a massive "enumeration oracle," allowing a single university server to query over 100 million numbers per hour. We discuss the types of data exposed—including active status, device types, public encryption keys, and millions of profile photos—and the implications for user privacy, particularly in regions where WhatsApp is banned like China and Iran. Finally, we cover Meta’s response to the disclosure and why industry experts are calling this a "masterclass in negligence" regarding API security.
Key Topics Discussed:

- The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
- The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
- The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
- The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.
Sponsor: This episode is supported by Approov. When mobile app security is an afterthought, user privacy becomes collateral damage. Approov ensures that only genuine mobile app instances, running on safe mobile devices, can access your backend APIs.

- Visit the Sponsor: https://approov.io/
Featured Sources &amp; Further Reading:

- BleepingComputer: https://www.bleepingcomputer.com/ – Detailing the mechanics of the GetDeviceList abuse and the global scope of the data scrape.
- Malwarebytes: https://www.malwarebytes.com/ – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
- Privacy Guides: https://www.privacyguides.org/ – Discussing the patch and how alternative messengers handle contact discovery.
Keywords: WhatsApp, API Security, Rate Limiting, Data Scraping, Mobile Security, Cybersecurity, Meta, Privacy, Enum, GetDeviceList, Infosec, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 22 Dec 2025 08:15:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

Episode Summary: In this episode, we break down a massive vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data from roughly 3.5 billion WhatsApp accounts globally. We explore how a lack of rate limiting on the specific GetDeviceList API endpoint turned a benign contact discovery feature into a massive "enumeration oracle," allowing a single university server to query over 100 million numbers per hour. We discuss the types of data exposed—including active status, device types, public encryption keys, and millions of profile photos—and the implications for user privacy, particularly in regions where WhatsApp is banned like China and Iran. Finally, we cover Meta’s response to the disclosure and why industry experts are calling this a "masterclass in negligence" regarding API security.
Key Topics Discussed:

- The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
- The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
- The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
- The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.

Sponsor: This episode is supported by Approov. When mobile app security is an afterthought, user privacy becomes collateral damage. Approov ensures that only genuine mobile app instances, running on safe mobile devices, can access your backend APIs.

- Visit the Sponsor: https://approov.io/

Featured Sources &amp; Further Reading:

- BleepingComputer: https://www.bleepingcomputer.com/ – Detailing the mechanics of the GetDeviceList abuse and the global scope of the data scrape.
- Malwarebytes: https://www.malwarebytes.com/ – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
- Privacy Guides: https://www.privacyguides.org/ – Discussing the patch and how alternative messengers handle contact discovery.

Keywords: WhatsApp, API Security, Rate Limiting, Data Scraping, Mobile Security, Cybersecurity, Meta, Privacy, Enum, GetDeviceList, Infosec, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

Episode Summary: In this episode, we break down a massive vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data from roughly 3.5 billion WhatsApp accounts globally. We explore how a lack of rate limiting on the specific GetDeviceList API endpoint turned a benign contact discovery feature into a massive "enumeration oracle," allowing a single university server to query over 100 million numbers per hour. We discuss the types of data exposed—including active status, device types, public encryption keys, and millions of profile photos—and the implications for user privacy, particularly in regions where WhatsApp is banned like China and Iran. Finally, we cover Meta’s response to the disclosure and why industry experts are calling this a "masterclass in negligence" regarding API security.

Key Topics Discussed:

- The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
- The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
- The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
- The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.

Sponsor: This episode is supported by Approov. When mobile app security is an afterthought, user privacy becomes collateral damage. Approov ensures that only genuine mobile app instances, running on safe mobile devices, can access your backend APIs.

- Visit the Sponsor: https://approov.io/

Featured Sources &amp; Further Reading:

- BleepingComputer: https://www.bleepingcomputer.com/ – Detailing the mechanics of the GetDeviceList abuse and the global scope of the data scrape.
- Malwarebytes: https://www.malwarebytes.com/ – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
- Privacy Guides: https://www.privacyguides.org/ – Discussing the patch and how alternative messengers handle contact discovery.

Keywords: WhatsApp, API Security, Rate Limiting, Data Scraping, Mobile Security, Cybersecurity, Meta, Privacy, Enum, GetDeviceList, Infosec, Approov.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>799</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/69101357]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5212694520.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple's DMA Non-Compliance: An Open Letter</title>
      <link>https://player.megaphone.fm/NPTNI6609619725</link>
      <description>Apple's DMA Non-Compliance: An Open Letter

In this episode of *Upwardly Mobile*, we break down the seismic shift in the mobile app landscape following the European Commission’s decision to formally fine Apple €500 million for breaching the Digital Markets Act (DMA). We explore why regulators view Apple’s recent changes not as genuine adherence to the law, but as "malicious compliance"—a deliberate attempt to technically meet requirements while maintaining control and fees.

We also discuss the December 2025 Open Letter sent by app developers to EU President Ursula von der Leyen, which argues that Apple’s new 20% commission on external transactions continues to violate the law and stifle fair competition. Finally, we contrast the situation in Europe with recent US court rulings involving Epic Games, where judges have ordered Apple to stop charging for services it doesn't provide, raising the question: Why are European developers getting a worse deal?

Key Topics Discussed:
*   **The €500M Fine:** The European Commission found Apple in breach of "anti-steering" obligations, restricting developers from directing users to cheaper offers outside the App Store.
*   **"Malicious Compliance":** An analysis of how Apple’s fee structures and "scare screens" are viewed by critics and regulators as structural impediments to the DMA’s goals.
*   **The Meta Connection:** A look at the parallel €200M fine imposed on Meta regarding their "pay or consent" model.
*   **The Developer Pushback:** Insights from the "CleanV2" Open Letter, where developers demand the removal of new commission fees that range up to 20%.
*   **Transatlantic Tensions:** How the US Ninth Circuit Court of Appeals ruling regarding Epic Games highlights disparities in global enforcement.

**Sponsor:**
This episode is brought to you by **Approov**.
Securing mobile apps is hard; Approov makes it easy. Ensure your APIs are only accessed by genuine instances of your mobile app and block scripts, bots, and modified apps.
**Visit: [https://approov.io](https://approov.io)**

**Resources &amp; Source Materials:**
*   **European Commission Press Release:** Details on the April 2025 fine regarding Apple’s anti-steering practices.
*   **Kluwer Competition Law Blog:** "The DMA's Teeth: Meta and Apple Fined by the European Commission" by Alba Ribera Martínez.
*   **Clean App Foundation Open Letter:** The December 2025 appeal to the European Commission regarding Apple's persistent non-compliance.
*   **Analysis of US Rulings:** Context on the Epic Games vs. Apple court case and fee limitations.

Digital Markets Act, DMA, Apple Fine, App Store Fees, Anti-Steering, Malicious Compliance, European Commission, Margrethe Vestager, Sideloading, Epic Games, Mobile App Security, Tech Policy, Antitrust.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 15 Dec 2025 16:23:38 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Apple's DMA Non-Compliance: An Open Letter

In this episode of *Upwardly Mobile*, we break down the seismic shift in the mobile app landscape following the European Commission’s decision to formally fine Apple €500 million for breaching the Digital Markets Act (DMA). We explore why regulators view Apple’s recent changes not as genuine adherence to the law, but as "malicious compliance"—a deliberate attempt to technically meet requirements while maintaining control and fees.

We also discuss the December 2025 Open Letter sent by app developers to EU President Ursula von der Leyen, which argues that Apple’s new 20% commission on external transactions continues to violate the law and stifle fair competition. Finally, we contrast the situation in Europe with recent US court rulings involving Epic Games, where judges have ordered Apple to stop charging for services it doesn't provide, raising the question: Why are European developers getting a worse deal?

Key Topics Discussed:
*   **The €500M Fine:** The European Commission found Apple in breach of "anti-steering" obligations, restricting developers from directing users to cheaper offers outside the App Store.
*   **"Malicious Compliance":** An analysis of how Apple’s fee structures and "scare screens" are viewed by critics and regulators as structural impediments to the DMA’s goals.
*   **The Meta Connection:** A look at the parallel €200M fine imposed on Meta regarding their "pay or consent" model.
*   **The Developer Pushback:** Insights from the "CleanV2" Open Letter, where developers demand the removal of new commission fees that range up to 20%.
*   **Transatlantic Tensions:** How the US Ninth Circuit Court of Appeals ruling regarding Epic Games highlights disparities in global enforcement.

**Sponsor:**
This episode is brought to you by **Approov**.
Securing mobile apps is hard; Approov makes it easy. Ensure your APIs are only accessed by genuine instances of your mobile app and block scripts, bots, and modified apps.
**Visit: [https://approov.io](https://approov.io)**

**Resources &amp; Source Materials:**
*   **European Commission Press Release:** Details on the April 2025 fine regarding Apple’s anti-steering practices.
*   **Kluwer Competition Law Blog:** "The DMA's Teeth: Meta and Apple Fined by the European Commission" by Alba Ribera Martínez.
*   **Clean App Foundation Open Letter:** The December 2025 appeal to the European Commission regarding Apple's persistent non-compliance.
*   **Analysis of US Rulings:** Context on the Epic Games vs. Apple court case and fee limitations.

Digital Markets Act, DMA, Apple Fine, App Store Fees, Anti-Steering, Malicious Compliance, European Commission, Margrethe Vestager, Sideloading, Epic Games, Mobile App Security, Tech Policy, Antitrust.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Apple's DMA Non-Compliance: An Open Letter

In this episode of *Upwardly Mobile*, we break down the seismic shift in the mobile app landscape following the European Commission’s decision to formally fine Apple €500 million for breaching the Digital Markets Act (DMA). We explore why regulators view Apple’s recent changes not as genuine adherence to the law, but as "malicious compliance"—a deliberate attempt to technically meet requirements while maintaining control and fees.

We also discuss the December 2025 Open Letter sent by app developers to EU President Ursula von der Leyen, which argues that Apple’s new 20% commission on external transactions continues to violate the law and stifle fair competition. Finally, we contrast the situation in Europe with recent US court rulings involving Epic Games, where judges have ordered Apple to stop charging for services it doesn't provide, raising the question: Why are European developers getting a worse deal?

Key Topics Discussed:
*   **The €500M Fine:** The European Commission found Apple in breach of "anti-steering" obligations, restricting developers from directing users to cheaper offers outside the App Store.
*   **"Malicious Compliance":** An analysis of how Apple’s fee structures and "scare screens" are viewed by critics and regulators as structural impediments to the DMA’s goals.
*   **The Meta Connection:** A look at the parallel €200M fine imposed on Meta regarding their "pay or consent" model.
*   **The Developer Pushback:** Insights from the "CleanV2" Open Letter, where developers demand the removal of new commission fees that range up to 20%.
*   **Transatlantic Tensions:** How the US Ninth Circuit Court of Appeals ruling regarding Epic Games highlights disparities in global enforcement.

**Sponsor:**
This episode is brought to you by **Approov**.
Securing mobile apps is hard; Approov makes it easy. Ensure your APIs are only accessed by genuine instances of your mobile app and block scripts, bots, and modified apps.
**Visit: [https://approov.io](https://approov.io)**

**Resources &amp; Source Materials:**
*   **European Commission Press Release:** Details on the April 2025 fine regarding Apple’s anti-steering practices.
*   **Kluwer Competition Law Blog:** "The DMA's Teeth: Meta and Apple Fined by the European Commission" by Alba Ribera Martínez.
*   **Clean App Foundation Open Letter:** The December 2025 appeal to the European Commission regarding Apple's persistent non-compliance.
*   **Analysis of US Rulings:** Context on the Epic Games vs. Apple court case and fee limitations.

Digital Markets Act, DMA, Apple Fine, App Store Fees, Anti-Steering, Malicious Compliance, European Commission, Margrethe Vestager, Sideloading, Epic Games, Mobile App Security, Tech Policy, Antitrust.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>493</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/69058908]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6609619725.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Chinese Hackers &amp; the React2Shell Crisis</title>
      <link>https://player.megaphone.fm/NPTNI3857328356</link>
      <description>Chinese Hackers &amp; the React2Shell Crisis

This week, we dive deep into the critical, maximum-severity security flaw known as React2Shell (tracked as CVE-2025-55182). This vulnerability, which impacts React, the widely used open-source JavaScript library, allows for unauthenticated remote code execution (RCE) through specially crafted HTTP requests on affected servers.

The episode explores the immediate aftermath of the disclosure. Exploitation attempts began quickly, with Amazon Web Services (AWS) reporting that multiple China-linked threat groups, specifically Earth Lamia and Jackpot Panda, were exploiting the flaw within hours of its public availability. These actors are using both automated tools and individual exploits, and some are even actively debugging and refining their techniques against live targets. Earth Lamia has been active since at least 2023, targeting various industries in Latin America, the Middle East, and Southeast Asia, while Jackpot Panda focuses on cyberespionage operations in Asia.

We also discuss the significant collateral damage caused by the urgent need to patch this flaw. Internet infrastructure giant Cloudflare experienced a widespread global outage, returning "500 Internal Server Error" messages worldwide, and attributed the incident to an emergency patch deployed to mitigate the industry-wide React2Shell vulnerability. This change was related to how Cloudflare’s Web Application Firewall parsed requests.

Finally, we clarify the scope of the vulnerability: React2Shell primarily impacts server-side components. Specifically, it affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, particularly instances using a relatively new server feature. Standard React Native mobile apps are generally safe, but any backend built using Next.js (App Router) or React 19 Server Components that communicates with the mobile app is at critical risk. Furthermore, developers need to be aware of a separate, but timely, vulnerability (CVE-2025-11953) affecting the local React Native CLI development server.

Key Concepts and Takeaways:

- Vulnerability: React2Shell, CVE-2025-55182, is a critical vulnerability allowing unauthenticated remote code execution on affected servers.
- Scope: Impacts the React open-source JavaScript library, particularly React version 19 and dependent React frameworks such as Next.js (App Router). Cloud security giant Wiz reported that 39% of cloud environments contain vulnerable React instances.
- Threat Actors: Exploitation is linked to China-linked threat groups, including Earth Lamia and Jackpot Panda.
- Major Impact: An emergency mitigation patch designed to address React2Shell caused a widespread global outage at Cloudflare.
- Fix: Patches were available shortly after disclosure, reported to Meta on November 29 and patched on December 3. Users must upgrade affected dependencies like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to version 19.0.1 or higher.
Resources and L

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 08 Dec 2025 22:40:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Chinese Hackers &amp; the React2Shell Crisis

This week, we dive deep into the critical, maximum-severity security flaw known as React2Shell (tracked as CVE-2025-55182). This vulnerability, which impacts React, the widely used open-source JavaScript library, allows for unauthenticated remote code execution (RCE) through specially crafted HTTP requests on affected servers.

The episode explores the immediate aftermath of the disclosure. Exploitation attempts began quickly, with Amazon Web Services (AWS) reporting that multiple China-linked threat groups, specifically Earth Lamia and Jackpot Panda, were exploiting the flaw within hours of its public availability. These actors are using both automated tools and individual exploits, and some are even actively debugging and refining their techniques against live targets. Earth Lamia has been active since at least 2023, targeting various industries in Latin America, the Middle East, and Southeast Asia, while Jackpot Panda focuses on cyberespionage operations in Asia.

We also discuss the significant collateral damage caused by the urgent need to patch this flaw. Internet infrastructure giant Cloudflare experienced a widespread global outage, returning "500 Internal Server Error" messages worldwide, and attributed the incident to an emergency patch deployed to mitigate the industry-wide React2Shell vulnerability. This change was related to how Cloudflare’s Web Application Firewall parsed requests.

Finally, we clarify the scope of the vulnerability: React2Shell primarily impacts server-side components. Specifically, it affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, particularly instances using a relatively new server feature. Standard React Native mobile apps are generally safe, but any backend built using Next.js (App Router) or React 19 Server Components that communicates with the mobile app is at critical risk. Furthermore, developers need to be aware of a separate, but timely, vulnerability (CVE-2025-11953) affecting the local React Native CLI development server.

Key Concepts and Takeaways:

- Vulnerability: React2Shell, CVE-2025-55182, is a critical vulnerability allowing unauthenticated remote code execution on affected servers.
- Scope: Impacts the React open-source JavaScript library, particularly React version 19 and dependent React frameworks such as Next.js (App Router). Cloud security giant Wiz reported that 39% of cloud environments contain vulnerable React instances.
- Threat Actors: Exploitation is linked to China-linked threat groups, including Earth Lamia and Jackpot Panda.
- Major Impact: An emergency mitigation patch designed to address React2Shell caused a widespread global outage at Cloudflare.
- Fix: Patches were available shortly after disclosure, reported to Meta on November 29 and patched on December 3. Users must upgrade affected dependencies like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to version 19.0.1 or higher.
Resources and L

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Chinese Hackers &amp; the React2Shell Crisis

This week, we dive deep into the critical, maximum-severity security flaw known as React2Shell (tracked as CVE-2025-55182). This vulnerability, which impacts React, the widely used open-source JavaScript library, allows for unauthenticated remote code execution (RCE) through specially crafted HTTP requests on affected servers.

The episode explores the immediate aftermath of the disclosure. Exploitation attempts began quickly, with Amazon Web Services (AWS) reporting that multiple China-linked threat groups, specifically Earth Lamia and Jackpot Panda, were exploiting the flaw within hours of its public availability. These actors are using both automated tools and individual exploits, and some are even actively debugging and refining their techniques against live targets. Earth Lamia has been active since at least 2023, targeting various industries in Latin America, the Middle East, and Southeast Asia, while Jackpot Panda focuses on cyberespionage operations in Asia.

We also discuss the significant collateral damage caused by the urgent need to patch this flaw. Internet infrastructure giant Cloudflare experienced a widespread global outage, returning "500 Internal Server Error" messages worldwide, and attributed the incident to an emergency patch deployed to mitigate the industry-wide React2Shell vulnerability. This change was related to how Cloudflare’s Web Application Firewall parsed requests.

Finally, we clarify the scope of the vulnerability: React2Shell primarily impacts server-side components. Specifically, it affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, particularly instances using a relatively new server feature. Standard React Native mobile apps are generally safe, but any backend built using Next.js (App Router) or React 19 Server Components that communicates with the mobile app is at critical risk. Furthermore, developers need to be aware of a separate, but timely, vulnerability (CVE-2025-11953) affecting the local React Native CLI development server.

Key Concepts and Takeaways:

- Vulnerability: React2Shell, CVE-2025-55182, is a critical vulnerability allowing unauthenticated remote code execution on affected servers.
- Scope: Impacts the React open-source JavaScript library, particularly React version 19 and dependent React frameworks such as Next.js (App Router). Cloud security giant Wiz reported that 39% of cloud environments contain vulnerable React instances.
- Threat Actors: Exploitation is linked to China-linked threat groups, including Earth Lamia and Jackpot Panda.
- Major Impact: An emergency mitigation patch designed to address React2Shell caused a widespread global outage at Cloudflare.
- Fix: Patches were available shortly after disclosure, reported to Meta on November 29 and patched on December 3. Users must upgrade affected dependencies like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to version 19.0.1 or higher.
Resources and L

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>883</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68905755]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3857328356.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Sanchar Saathi |The Mobile App Triggering India's Surveillance Firestorm</title>
      <link>https://player.megaphone.fm/NPTNI9107353104</link>
      <description>Sanchar Saathi: The Mandatory Cyber Safety App Triggering India's Surveillance Firestorm

In this critical episode of "Upwardly Mobile," we dive into the escalating controversy surrounding India's Sanchar Saathi app, a government-mandated digital tool that is fueling a nationwide debate over state surveillance and digital privacy. Designed as a citizen-centric safety tool to combat telecom fraud and track lost or stolen devices using their unique IMEI, the app has been lauded by the government for its success in blocking millions of fraudulent connections and stolen phones. However, a recent directive mandating its pre-installation on all new smartphones sold in India has drawn fierce criticism from privacy advocates, opposition politicians, and major tech firms.

What You Will Learn in This Episode:

The Core Conflict: Safety vs. Snooping

- The Mandate: The Indian telecom ministry privately ordered all smartphone manufacturers to preload Sanchar Saathi on new devices within 90 days, requiring the app to be "visible, functional, and enabled" upon first setup. This directive could eventually roll out the app to more than 735 million existing phone users via software updates.
- Government Defense: Officials state the app is strictly for cyber security and curbing the "serious endangerment" caused by IMEI tampering, promising adequate security for personal information. They also claim the app is optional and does not read private messages.
- Surveillance Fears: Privacy experts and the political opposition argue the mandate is unconstitutional and creates a massive surveillance surface area. Opposition leaders have even compared the move to 'Pegasus'.
Technical Deep Dive into Privacy Risks

- The Sanchar Saathi app requests a range of "dangerous" or "high-risk" permissions.
- The app has the capability to read call logs and all incoming SMS, technically allowing it to parse bank transaction alerts, 2FA codes, and map a user's social graph.
- It accesses device identifiers, binding a user's identity to the hardware IMEI, which breaks standard rules for resettable identifiers and aids tracking.
- If pre-installed as a system-level application (the proposed state), experts warn that permissions could be auto-granted without user consent, the app could run continuous background services, and it would be virtually impossible for 99% of users to uninstall.
- The privacy policy is weak, lacking explicit mechanisms for data deletion, correction, or a clear opt-out feature.
Industry Resistance

- Tech giants were given 90 days to comply with the pre-installation mandate.
- Apple has specifically resisted the mandate, citing concerns over privacy and system security, as iPhones require explicit user confirmation for permissions and prevent automatic background registration.
- The mandate is technically easier to implement on Android devices, which make up over 95% of the Indian smartphone market.

Keywords: Sanchar Saathi, India digital privacy, state surveillanc

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 02 Dec 2025 20:14:56 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Sanchar Saathi: The Mandatory Cyber Safety App Triggering India's Surveillance Firestorm

In this critical episode of "Upwardly Mobile," we dive into the escalating controversy surrounding India's Sanchar Saathi app, a government-mandated digital tool that is fueling a nationwide debate over state surveillance and digital privacy. Designed as a citizen-centric safety tool to combat telecom fraud and track lost or stolen devices using their unique IMEI, the app has been lauded by the government for its success in blocking millions of fraudulent connections and stolen phones. However, a recent directive mandating its pre-installation on all new smartphones sold in India has drawn fierce criticism from privacy advocates, opposition politicians, and major tech firms.

What You Will Learn in This Episode:

The Core Conflict: Safety vs. Snooping

- The Mandate: The Indian telecom ministry privately ordered all smartphone manufacturers to preload Sanchar Saathi on new devices within 90 days, requiring the app to be "visible, functional, and enabled" upon first setup. This directive could eventually roll out the app to more than 735 million existing phone users via software updates.
- Government Defense: Officials state the app is strictly for cyber security and curbing the "serious endangerment" caused by IMEI tampering, promising adequate security for personal information. They also claim the app is optional and does not read private messages.
- Surveillance Fears: Privacy experts and the political opposition argue the mandate is unconstitutional and creates a massive surveillance surface area. Opposition leaders have even compared the move to 'Pegasus'.
Technical Deep Dive into Privacy Risks

- The Sanchar Saathi app requests a range of "dangerous" or "high-risk" permissions.
- The app has the capability to read call logs and all incoming SMS, technically allowing it to parse bank transaction alerts, 2FA codes, and map a user's social graph.
- It accesses device identifiers, binding a user's identity to the hardware IMEI, which breaks standard rules for resettable identifiers and aids tracking.
- If pre-installed as a system-level application (the proposed state), experts warn that permissions could be auto-granted without user consent, the app could run continuous background services, and it would be virtually impossible for 99% of users to uninstall.
- The privacy policy is weak, lacking explicit mechanisms for data deletion, correction, or a clear opt-out feature.
Industry Resistance

- Tech giants were given 90 days to comply with the pre-installation mandate.
- Apple has specifically resisted the mandate, citing concerns over privacy and system security, as iPhones require explicit user confirmation for permissions and prevent automatic background registration.
- The mandate is technically easier to implement on Android devices, which make up over 95% of the Indian smartphone market.

Keywords: Sanchar Saathi, India digital privacy, state surveillanc

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Sanchar Saathi: The Mandatory Cyber Safety App Triggering India's Surveillance Firestorm

In this critical episode of "Upwardly Mobile," we dive into the escalating controversy surrounding India's Sanchar Saathi app, a government-mandated digital tool that is fueling a nationwide debate over state surveillance and digital privacy. Designed as a citizen-centric safety tool to combat telecom fraud and track lost or stolen devices using their unique IMEI, the app has been lauded by the government for its success in blocking millions of fraudulent connections and stolen phones. However, a recent directive mandating its pre-installation on all new smartphones sold in India has drawn fierce criticism from privacy advocates, opposition politicians, and major tech firms.

What You Will Learn in This Episode:

The Core Conflict: Safety vs. Snooping

- The Mandate: The Indian telecom ministry privately ordered all smartphone manufacturers to preload Sanchar Saathi on new devices within 90 days, requiring the app to be "visible, functional, and enabled" upon first setup. This directive could eventually roll out the app to more than 735 million existing phone users via software updates.
- Government Defense: Officials state the app is strictly for cyber security and curbing the "serious endangerment" caused by IMEI tampering, promising adequate security for personal information. They also claim the app is optional and does not read private messages.
- Surveillance Fears: Privacy experts and the political opposition argue the mandate is unconstitutional and creates a massive surveillance surface area. Opposition leaders have even compared the move to 'Pegasus'.
Technical Deep Dive into Privacy Risks

- The Sanchar Saathi app requests a range of "dangerous" or "high-risk" permissions.
- The app has the capability to read call logs and all incoming SMS, technically allowing it to parse bank transaction alerts, 2FA codes, and map a user's social graph.
- It accesses device identifiers, binding a user's identity to the hardware IMEI, which breaks standard rules for resettable identifiers and aids tracking.
- If pre-installed as a system-level application (the proposed state), experts warn that permissions could be auto-granted without user consent, the app could run continuous background services, and it would be virtually impossible for 99% of users to uninstall.
- The privacy policy is weak, lacking explicit mechanisms for data deletion, correction, or a clear opt-out feature.
Industry Resistance

- Tech giants were given 90 days to comply with the pre-installation mandate.
- Apple has specifically resisted the mandate, citing concerns over privacy and system security, as iPhones require explicit user confirmation for permissions and prevent automatic background registration.
- The mandate is technically easier to implement on Android devices, which make up over 95% of the Indian smartphone market.
Keywords Sanchar Saathi, India digital privacy, state surveillanc

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>659</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68836834]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9107353104.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Supply Chain Security Unpacked: Combating Dependency Confusion &amp; Poisoned Pipelines</title>
      <link>https://player.megaphone.fm/NPTNI2237770526</link>
      <description>Supply Chain Security Unpacked: Combating Dependency Confusion, Poisoned Pipelines

Episode Notes: The software supply chain, the "backbone of modern software development," is under unprecedented assault, with attacks aimed at libraries and development tools soaring by an astounding 633% year-over-year. This episode explores the evolution of supply chain threats, examining everything from software vulnerabilities and malicious maintainers to hidden risks lurking in hardware and commercial binaries, and details the cutting-edge defenses developers are deploying to fight back.

The Evolving Threat Landscape: Implicit Trust Exploited

Modern attacks exploit the implicit trust developers place in package managers and public repositories. Key threats discussed include:

- Dependency Confusion: First identified by Alex Birsan, this attack exploits package managers that prioritize packages found in public repositories (especially those with a higher version number) over identically named private packages. Attackers use reconnaissance to pinpoint internal package names (often by examining manifest files like package.json), publish a malicious package with the same name and a higher version to a public repository, and wait for the target application's build process to pull and execute the malicious code. Vectors for this attack include exploiting namespaces, DNS Spoofing, and manipulating CI/CD security settings.
- Widespread Malware and Stolen Secrets: The npm ecosystem was recently hit by the self-replicating "Shai-Hulud" worm, which compromised over 500 packages and harvested sensitive credentials, including GitHub Personal Access Tokens (PATs) and API keys for cloud services like AWS, GCP, and Microsoft Azure. Stolen credentials remain a reliable attack vector, leading to incidents where attackers published malicious code on behalf of trusted entities (e.g., Nx, rspack).
- Poisoned Pipelines and Malicious Maintainers: Highly sophisticated attackers are compromising build and distribution systems directly, bypassing code reviews. This includes notorious attacks like SolarWinds and compromises targeting GitHub Actions pipelines (e.g., Ultralytics and reviewdog/actions-setup). Furthermore, the XZ Utils backdoor highlighted the risk of malicious maintainers who build trust over years before inserting sophisticated backdoors into critical open-source projects.
- Code Rot and Vulnerable Open Source: A survey of popular open-source packages found them rife with vulnerabilities, with an average of 68 vulnerabilities across 30 packages scanned, including many critical and high-severity flaws. Even actively maintained, high-traffic packages like Torchvision contained dozens of vulnerabilities, despite frequent updates.
Defense and Verification: Making Trust Explicit

To counter these escalating threats, the industry is focusing on making trust assumptions explicit and verifiable:

- Supply-chain Levels for Software Artifacts (SLSA): SLSA is a security standard tha

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 27 Nov 2025 17:15:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Supply Chain Security Unpacked: Combating Dependency Confusion, Poisoned Pipelines

Episode Notes: The software supply chain, the "backbone of modern software development," is under unprecedented assault, with attacks aimed at libraries and development tools soaring by an astounding 633% year-over-year. This episode explores the evolution of supply chain threats, examining everything from software vulnerabilities and malicious maintainers to hidden risks lurking in hardware and commercial binaries, and details the cutting-edge defenses developers are deploying to fight back.

The Evolving Threat Landscape: Implicit Trust Exploited

Modern attacks exploit the implicit trust developers place in package managers and public repositories. Key threats discussed include:

- Dependency Confusion: First identified by Alex Birsan, this attack exploits package managers that prioritize packages found in public repositories (especially those with a higher version number) over identically named private packages. Attackers use reconnaissance to pinpoint internal package names (often by examining manifest files like package.json), publish a malicious package with the same name and a higher version to a public repository, and wait for the target application's build process to pull and execute the malicious code. Vectors for this attack include exploiting namespaces, DNS Spoofing, and manipulating CI/CD security settings.
- Widespread Malware and Stolen Secrets: The npm ecosystem was recently hit by the self-replicating "Shai-Hulud" worm, which compromised over 500 packages and harvested sensitive credentials, including GitHub Personal Access Tokens (PATs) and API keys for cloud services like AWS, GCP, and Microsoft Azure. Stolen credentials remain a reliable attack vector, leading to incidents where attackers published malicious code on behalf of trusted entities (e.g., Nx, rspack).
- Poisoned Pipelines and Malicious Maintainers: Highly sophisticated attackers are compromising build and distribution systems directly, bypassing code reviews. This includes notorious attacks like SolarWinds and compromises targeting GitHub Actions pipelines (e.g., Ultralytics and reviewdog/actions-setup). Furthermore, the XZ Utils backdoor highlighted the risk of malicious maintainers who build trust over years before inserting sophisticated backdoors into critical open-source projects.
- Code Rot and Vulnerable Open Source: A survey of popular open-source packages found them rife with vulnerabilities, with an average of 68 vulnerabilities across 30 packages scanned, including many critical and high-severity flaws. Even actively maintained, high-traffic packages like Torchvision contained dozens of vulnerabilities, despite frequent updates.
Defense and Verification: Making Trust Explicit

To counter these escalating threats, the industry is focusing on making trust assumptions explicit and verifiable:

- Supply-chain Levels for Software Artifacts (SLSA): SLSA is a security standard tha

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Supply Chain Security Unpacked: Combating Dependency Confusion, Poisoned Pipelines

Episode Notes: The software supply chain, the "backbone of modern software development," is under unprecedented assault, with attacks aimed at libraries and development tools soaring by an astounding 633% year-over-year. This episode explores the evolution of supply chain threats, examining everything from software vulnerabilities and malicious maintainers to hidden risks lurking in hardware and commercial binaries, and details the cutting-edge defenses developers are deploying to fight back.

The Evolving Threat Landscape: Implicit Trust Exploited

Modern attacks exploit the implicit trust developers place in package managers and public repositories. Key threats discussed include:

- Dependency Confusion: First identified by Alex Birsan, this attack exploits package managers that prioritize packages found in public repositories (especially those with a higher version number) over identically named private packages. Attackers use reconnaissance to pinpoint internal package names (often by examining manifest files like package.json), publish a malicious package with the same name and a higher version to a public repository, and wait for the target application's build process to pull and execute the malicious code. Vectors for this attack include exploiting namespaces, DNS Spoofing, and manipulating CI/CD security settings.
- Widespread Malware and Stolen Secrets: The npm ecosystem was recently hit by the self-replicating "Shai-Hulud" worm, which compromised over 500 packages and harvested sensitive credentials, including GitHub Personal Access Tokens (PATs) and API keys for cloud services like AWS, GCP, and Microsoft Azure. Stolen credentials remain a reliable attack vector, leading to incidents where attackers published malicious code on behalf of trusted entities (e.g., Nx, rspack).
- Poisoned Pipelines and Malicious Maintainers: Highly sophisticated attackers are compromising build and distribution systems directly, bypassing code reviews. This includes notorious attacks like SolarWinds and compromises targeting GitHub Actions pipelines (e.g., Ultralytics and reviewdog/actions-setup). Furthermore, the XZ Utils backdoor highlighted the risk of malicious maintainers who build trust over years before inserting sophisticated backdoors into critical open-source projects.
- Code Rot and Vulnerable Open Source: A survey of popular open-source packages found them rife with vulnerabilities, with an average of 68 vulnerabilities across 30 packages scanned, including many critical and high-severity flaws. Even actively maintained, high-traffic packages like Torchvision contained dozens of vulnerabilities, despite frequent updates.
Defense and Verification: Making Trust Explicit

To counter these escalating threats, the industry is focusing on making trust assumptions explicit and verifiable:

- Supply-chain Levels for Software Artifacts (SLSA): SLSA is a security standard tha

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>755</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68581399]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2237770526.mp3?updated=1778685943" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>How Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare</title>
      <link>https://player.megaphone.fm/NPTNI9603408870</link>
      <description>The Multi-Terabit Battlefield: How Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare

On November 18, 2025, a massive Cloudflare service interruption took down major platforms worldwide, including X, ChatGPT, Shopify, and various critical transit services. Given the intense, ongoing cyber conflict, initial speculation immediately pointed toward a successful, hyper-volumetric Distributed Denial-of-Service (DDoS) attack. Cloudflare has recently been at the forefront of blocking unprecedented assaults from notorious botnets, including Mirai and the newer, "TurboMirai-class" Aisuru botnet. The company successfully mitigated record-breaking Mirai-variant attacks measured at 5.6 Tbps (October 2024) and 7.3 Tbps (May 2025). Furthermore, the Aisuru botnet, which is responsible for hitting Microsoft Azure with a 15.72 Tbps DDoS attack, was also linked to a 22.2 Tbps attack mitigated by Cloudflare in September 2025. Aisuru operators were even caught attempting to manipulate Cloudflare’s public domain rankings using malicious query traffic. This track record provided a clear motive for a potential reprisal. However, Cloudflare’s official investigation quickly dispelled fears of a successful cyberattack. Cloudflare CTO Dane Knecht confirmed that the incident was not an attack, but rather an internal issue. The cause was identified as a "latent bug" in a service underpinning Cloudflare’s bot mitigation capability that started to crash following a routine configuration change. This technical flaw cascaded into a broad degradation across the network. Cloudflare CEO Matthew Prince later noted that this was the worst outage the company had experienced since 2019. This incident highlights that while automated security platforms like Cloudflare can defend against 20+ Tbps DDoS attacks, they remain vulnerable to complex internal technical flaws and configuration management errors. 
Keywords Cloudflare outage, DDoS, Aisuru Botnet, Mirai, Configuration error, Latent bug, Dane Knecht, November 2025, IoT security, Incident Response, Cyberattack, Network Security, Cloud Security.

Hashtags: #ConfigurationManagement #IncidentResponse #CloudSecurity #IoT

Related Links &amp; Sources: To read more about the incident and the cyber threat landscape, please refer to the following:
- Cloudflare Outage Not Caused by Cyberattack (SecurityWeek):
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses:
- Cloudflare’s official report on the November 18, 2025 outage:
- Discussion on the configuration file bug:
- TurboMirai-Class ‘Aisuru’ Botnet Blamed for 20+ Tbps DDoS Attacks:
Sponsor Message: Today’s episode is brought to you by https://approov.com. In an era where botnets like Aisuru are exploiting every vulnerability, securing your APIs and endpoints is paramount. Approov provides essential mobile app and API protection, ensuring that only trusted, legitimate clients can connect to your back-end services, providing a crucial layer of defense against sophi

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 24 Nov 2025 16:10:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The Multi-Terabit Battlefield: How Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare

On November 18, 2025, a massive Cloudflare service interruption took down major platforms worldwide, including X, ChatGPT, Shopify, and various critical transit services. Given the intense, ongoing cyber conflict, initial speculation immediately pointed toward a successful, hyper-volumetric Distributed Denial-of-Service (DDoS) attack. Cloudflare has recently been at the forefront of blocking unprecedented assaults from notorious botnets, including Mirai and the newer, "TurboMirai-class" Aisuru botnet. The company successfully mitigated record-breaking Mirai-variant attacks measured at 5.6 Tbps (October 2024) and 7.3 Tbps (May 2025). Furthermore, the Aisuru botnet, which is responsible for hitting Microsoft Azure with a 15.72 Tbps DDoS attack, was also linked to a 22.2 Tbps attack mitigated by Cloudflare in September 2025. Aisuru operators were even caught attempting to manipulate Cloudflare’s public domain rankings using malicious query traffic. This track record provided a clear motive for a potential reprisal. However, Cloudflare’s official investigation quickly dispelled fears of a successful cyberattack. Cloudflare CTO Dane Knecht confirmed that the incident was not an attack, but rather an internal issue. The cause was identified as a "latent bug" in a service underpinning Cloudflare’s bot mitigation capability that started to crash following a routine configuration change. This technical flaw cascaded into a broad degradation across the network. Cloudflare CEO Matthew Prince later noted that this was the worst outage the company had experienced since 2019. This incident highlights that while automated security platforms like Cloudflare can defend against 20+ Tbps DDoS attacks, they remain vulnerable to complex internal technical flaws and configuration management errors. 
Keywords Cloudflare outage, DDoS, Aisuru Botnet, Mirai, Configuration error, Latent bug, Dane Knecht, November 2025, IoT security, Incident Response, Cyberattack, Network Security, Cloud Security.

Hashtags: #ConfigurationManagement #IncidentResponse #CloudSecurity #IoT

Related Links &amp; Sources: To read more about the incident and the cyber threat landscape, please refer to the following:
- Cloudflare Outage Not Caused by Cyberattack (SecurityWeek):
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses:
- Cloudflare’s official report on the November 18, 2025 outage:
- Discussion on the configuration file bug:
- TurboMirai-Class ‘Aisuru’ Botnet Blamed for 20+ Tbps DDoS Attacks:
Sponsor Message: Today’s episode is brought to you by https://approov.com. In an era where botnets like Aisuru are exploiting every vulnerability, securing your APIs and endpoints is paramount. Approov provides essential mobile app and API protection, ensuring that only trusted, legitimate clients can connect to your back-end services, providing a crucial layer of defense against sophi

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The Multi-Terabit Battlefield: How Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare

On November 18, 2025, a massive Cloudflare service interruption took down major platforms worldwide, including X, ChatGPT, Shopify, and various critical transit services. Given the intense, ongoing cyber conflict, initial speculation immediately pointed toward a successful, hyper-volumetric Distributed Denial-of-Service (DDoS) attack. Cloudflare has recently been at the forefront of blocking unprecedented assaults from notorious botnets, including Mirai and the newer, "TurboMirai-class" Aisuru botnet. The company successfully mitigated record-breaking Mirai-variant attacks measured at 5.6 Tbps (October 2024) and 7.3 Tbps (May 2025). Furthermore, the Aisuru botnet, which is responsible for hitting Microsoft Azure with a 15.72 Tbps DDoS attack, was also linked to a 22.2 Tbps attack mitigated by Cloudflare in September 2025. Aisuru operators were even caught attempting to manipulate Cloudflare’s public domain rankings using malicious query traffic. This track record provided a clear motive for a potential reprisal. However, Cloudflare’s official investigation quickly dispelled fears of a successful cyberattack. Cloudflare CTO Dane Knecht confirmed that the incident was not an attack, but rather an internal issue. The cause was identified as a "latent bug" in a service underpinning Cloudflare’s bot mitigation capability that started to crash following a routine configuration change. This technical flaw cascaded into a broad degradation across the network. Cloudflare CEO Matthew Prince later noted that this was the worst outage the company had experienced since 2019. This incident highlights that while automated security platforms like Cloudflare can defend against 20+ Tbps DDoS attacks, they remain vulnerable to complex internal technical flaws and configuration management errors. 
Keywords Cloudflare outage, DDoS, Aisuru Botnet, Mirai, Configuration error, Latent bug, Dane Knecht, November 2025, IoT security, Incident Response, Cyberattack, Network Security, Cloud Security.

Hashtags: #ConfigurationManagement #IncidentResponse #CloudSecurity #IoT

Related Links &amp; Sources: To read more about the incident and the cyber threat landscape, please refer to the following:
- Cloudflare Outage Not Caused by Cyberattack (SecurityWeek):
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses:
- Cloudflare’s official report on the November 18, 2025 outage:
- Discussion on the configuration file bug:
- TurboMirai-Class ‘Aisuru’ Botnet Blamed for 20+ Tbps DDoS Attacks:
Sponsor Message: Today’s episode is brought to you by https://approov.com. In an era where botnets like Aisuru are exploiting every vulnerability, securing your APIs and endpoints is paramount. Approov provides essential mobile app and API protection, ensuring that only trusted, legitimate clients can connect to your back-end services, providing a crucial layer of defense against sophi

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>603</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68643732]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9603408870.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits</title>
      <link>https://player.megaphone.fm/NPTNI5075196096</link>
      <description>Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits 

The biggest shopping days of the year—Black Friday and Cyber Monday—have also become the prime hunting grounds for cybercriminals, with global financial losses from attacks predicted to hit $10 billion in 2024. In this episode, we dive deep into the rising statistics shaping financial cybersecurity during the holiday shopping season, focusing on how sophisticated, AI-driven scams and mobile app vulnerabilities are creating a perfect storm for retailers and consumers alike.

Episode Highlights:

The State of Financial Cybercrime: Cybercriminal activity spikes by 70% during Black Friday compared to regular shopping days. Statistics show that cyberattacks during this period were projected to rise by 20% in 2024, following a 15% increase in 2023.

Key Threats and Data:
- The Rise of Fake Shops: Scammers are evolving at an unprecedented pace, using AI to generate persuasive copy and fully functional storefront templates that mimic legitimate communication flawlessly. A recent analysis found a 250% jump in fake Black Friday shops leading up to the sales weekend.
- Targeting E-commerce: E-commerce platforms experience a 65% surge in phishing attacks. Phishing scams remain the most common threat, accounting for 42% of attacks on financial transactions during the 2023 holiday shopping period.
- Prevalent Fraud Types: Financial institutions report detecting 30% more fraudulent transactions during Cyber Monday. Card-not-present fraud was the leading method used by cybercriminals in 2023, accounting for over 75% of online fraud cases. Credential stuffing incidents surged by 80% during Cyber Monday in 2023, affecting over 40 million accounts globally.
- The Cost: Financial fraud cases during holiday shopping periods account for nearly $8.5 billion annually. Small and medium-sized businesses (SMBs) are highly vulnerable, reporting an average loss of $120,000 per cyberattack.
The Mobile Frontline: While many focus on suspicious websites, the true cybersecurity frontline for e-commerce is increasingly within mobile apps. Attacks on mobile apps used for shopping increased by 50% in 2023, often involving malicious app clones. Attackers exploit vulnerabilities like Man-in-the-middle (MitM) attacks intercepting API traffic and extracting API keys reverse-engineered from app binaries. Standard defenses like TLS encryption and certificate pinning offer necessary but incomplete protection.

Industry Response: Financial institutions are bolstering security by integrating biometric authentication into 50% of mobile banking apps, adopting real-time transaction monitoring (reducing fraud by 40%), and using tokenization technology in 65% of online transactions. Furthermore, Zero Trust architecture is gaining traction, with 55% of organizations adopting it to secure financial systems.

Sponsor Spotlight: This episode is brought to you by Approov, the mobile security platform addressing vulnerabil

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 21 Nov 2025 19:20:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits 

The biggest shopping days of the year—Black Friday and Cyber Monday—have also become the prime hunting grounds for cybercriminals, with global financial losses from attacks predicted to hit $10 billion in 2024. In this episode, we dive deep into the rising statistics shaping financial cybersecurity during the holiday shopping season, focusing on how sophisticated, AI-driven scams and mobile app vulnerabilities are creating a perfect storm for retailers and consumers alike.

Episode Highlights:

The State of Financial Cybercrime: Cybercriminal activity spikes by 70% during Black Friday compared to regular shopping days. Statistics show that cyberattacks during this period were projected to rise by 20% in 2024, following a 15% increase in 2023.

Key Threats and Data:
- The Rise of Fake Shops: Scammers are evolving at an unprecedented pace, using AI to generate persuasive copy and fully functional storefront templates that mimic legitimate communication flawlessly. A recent analysis found a 250% jump in fake Black Friday shops leading up to the sales weekend.
- Targeting E-commerce: E-commerce platforms experience a 65% surge in phishing attacks. Phishing scams remain the most common threat, accounting for 42% of attacks on financial transactions during the 2023 holiday shopping period.
- Prevalent Fraud Types: Financial institutions report detecting 30% more fraudulent transactions during Cyber Monday. Card-not-present fraud was the leading method used by cybercriminals in 2023, accounting for over 75% of online fraud cases. Credential stuffing incidents surged by 80% during Cyber Monday in 2023, affecting over 40 million accounts globally.
- The Cost: Financial fraud cases during holiday shopping periods account for nearly $8.5 billion annually. Small and medium-sized businesses (SMBs) are highly vulnerable, reporting an average loss of $120,000 per cyberattack.
The Mobile Frontline: While many focus on suspicious websites, the true cybersecurity frontline for e-commerce is increasingly within mobile apps. Attacks on mobile apps used for shopping increased by 50% in 2023, often involving malicious app clones. Attackers exploit vulnerabilities like Man-in-the-middle (MitM) attacks intercepting API traffic and extracting API keys reverse-engineered from app binaries. Standard defenses like TLS encryption and certificate pinning offer necessary but incomplete protection.

Industry Response: Financial institutions are bolstering security by integrating biometric authentication into 50% of mobile banking apps, adopting real-time transaction monitoring (reducing fraud by 40%), and using tokenization technology in 65% of online transactions. Furthermore, Zero Trust architecture is gaining traction, with 55% of organizations adopting it to secure financial systems.

Sponsor Spotlight: This episode is brought to you by Approov, the mobile security platform addressing vulnerabil

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits 

The biggest shopping days of the year—Black Friday and Cyber Monday—have also become the prime hunting grounds for cybercriminals, with global financial losses from attacks predicted to hit $10 billion in 2024. In this episode, we dive deep into the rising statistics shaping financial cybersecurity during the holiday shopping season, focusing on how sophisticated, AI-driven scams and mobile app vulnerabilities are creating a perfect storm for retailers and consumers alike.

Episode Highlights:

The State of Financial Cybercrime: Cybercriminal activity spikes by 70% during Black Friday compared to regular shopping days. Statistics show that cyberattacks during this period were projected to rise by 20% in 2024, following a 15% increase in 2023.

Key Threats and Data:
- The Rise of Fake Shops: Scammers are evolving at an unprecedented pace, using AI to generate persuasive copy and fully functional storefront templates that mimic legitimate communication flawlessly. A recent analysis found a 250% jump in fake Black Friday shops leading up to the sales weekend.
- Targeting E-commerce: E-commerce platforms experience a 65% surge in phishing attacks. Phishing scams remain the most common threat, accounting for 42% of attacks on financial transactions during the 2023 holiday shopping period.
- Prevalent Fraud Types: Financial institutions report detecting 30% more fraudulent transactions during Cyber Monday. Card-not-present fraud was the leading method used by cybercriminals in 2023, accounting for over 75% of online fraud cases. Credential stuffing incidents surged by 80% during Cyber Monday in 2023, affecting over 40 million accounts globally.
- The Cost: Financial fraud cases during holiday shopping periods account for nearly $8.5 billion annually. Small and medium-sized businesses (SMBs) are highly vulnerable, reporting an average loss of $120,000 per cyberattack.
The Mobile Frontline: While many focus on suspicious websites, the true cybersecurity frontline for e-commerce is increasingly within mobile apps. Attacks on mobile apps used for shopping increased by 50% in 2023, often involving malicious app clones. Attackers exploit vulnerabilities like Man-in-the-middle (MitM) attacks intercepting API traffic and extracting API keys reverse-engineered from app binaries. Standard defenses like TLS encryption and certificate pinning offer necessary but incomplete protection.

Industry Response: Financial institutions are bolstering security by integrating biometric authentication into 50% of mobile banking apps, adopting real-time transaction monitoring (reducing fraud by 40%), and using tokenization technology in 65% of online transactions. Furthermore, Zero Trust architecture is gaining traction, with 55% of organizations adopting it to secure financial systems.

Sponsor Spotlight: This episode is brought to you by Approov, the mobile security platform addressing vulnerabil

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>871</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68643276]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5075196096.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>X Joins App Fairness Coalition to Combat Monopolies</title>
      <link>https://player.megaphone.fm/NPTNI1365320647</link>
      <description>In this pivotal episode of https://approov.io/podcast, we dive into the significance of https://x.com (formerly known as Twitter) joining the Coalition for App Fairness (CAF, https://appfairness.org/). This move signals growing momentum in the global effort to reform the mobile app ecosystem, currently dominated by Apple and Google, whose practices are alleged to harm consumers and developers alike. We examine X's commitment to dismantling monopolistic practices and fostering a digital future where competition thrives and innovation is rewarded. Furthermore, we discuss the context of this fight, including the recent U.S. Department of Justice (DOJ) antitrust complaint filed against Apple. CAF asserts that Apple’s alleged illegal conduct—including abusing App Store guidelines to increase prices and choke off competition—must be addressed, urging Congress to pass legislation like the Open App Markets Act. Tune in to understand how companies are pushing back against the "shackles on developers" to create a level playing field for the more than 80 members of this independent nonprofit organization.

Discussion Points
- Dismantling Monopolies: X’s Head of Global Government Affairs stated that joining CAF is a testament to their commitment to dismantling monopolistic practices and building a mobile ecosystem that truly serves its users and fosters growth.
- The Problem with Gatekeepers: The current mobile app ecosystem is dominated by Apple and Google, who use their power to harm developers and users through excessive costs and restrictions on innovation. Global Policy Counsel for CAF noted that businesses on platforms like X are harmed by these anticompetitive app store practices.
- The Antitrust Fight: The DOJ, along with 16 attorneys general, filed an antitrust complaint against Apple, accusing the company of illegally monopolizing smartphone markets. CAF supports this strong stand against Apple’s "stranglehold over the mobile app ecosystem".
- The Path Forward: CAF advocates for legislation, like the Open App Markets Act, to create a free and open mobile app marketplace and put an end to the anticompetitive practices of all mobile app gatekeepers.
- About CAF: The Coalition for App Fairness is an independent nonprofit organization focused on protecting consumer choice, fostering competition, and creating a level playing field for app and game developers globally.
Sponsored Segment (https://approov.com): The increasing regulatory and commercial pressures are weakening app store monopolies. As the mobile ecosystem decentralizes, the need for robust, independent security is crucial. Our sponsor, Approov, provides strong, app-centric security solutions that operate independently of basic app store protections. Approov helps mobile app developers reduce security dependencies on app stores by delivering runtime protection and attestation for mobile apps and their APIs, shielding against tampering and unauthorized access. Approov’s approach decentralizes security, ensuring developers ar

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 17 Nov 2025 12:20:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this episode of Upwardly Mobile (https://approov.io/podcast), we dive into the significance of X (https://x.com, formerly known as Twitter) joining the Coalition for App Fairness (CAF, https://appfairness.org/). This move signals growing momentum in the global effort to reform the mobile app ecosystem, currently dominated by Apple and Google, whose practices are alleged to harm consumers and developers alike. We examine X’s commitment to dismantling monopolistic practices and fostering a digital future where competition thrives and innovation is rewarded. We also discuss the context of this fight, including the recent U.S. Department of Justice (DOJ) antitrust complaint filed against Apple. CAF asserts that Apple’s alleged illegal conduct, including abusing App Store guidelines to increase prices and choke off competition, must be addressed, and urges Congress to pass legislation like the Open App Markets Act. Tune in to understand how companies are pushing back against the "shackles on developers" to create a level playing field for the more than 80 members of this independent nonprofit organization.

Discussion Points
- Dismantling Monopolies: X’s Head of Global Government Affairs stated that joining CAF is a testament to their commitment to dismantling monopolistic practices and building a mobile ecosystem that truly serves its users and fosters growth.
- The Problem with Gatekeepers: The current mobile app ecosystem is dominated by Apple and Google, who use their power to harm developers and users through excessive costs and restrictions on innovation. Global Policy Counsel for CAF noted that businesses on platforms like X are harmed by these anticompetitive app store practices.
- The Antitrust Fight: The DOJ, along with 16 attorneys general, filed an antitrust complaint against Apple, accusing the company of illegally monopolizing smartphone markets. CAF supports this strong stand against Apple’s "stranglehold over the mobile app ecosystem".
- The Path Forward: CAF advocates for legislation, like the Open App Markets Act, to create a free and open mobile app marketplace and put an end to the anticompetitive practices of all mobile app gatekeepers.
- About CAF: The Coalition for App Fairness is an independent nonprofit organization focused on protecting consumer choice, fostering competition, and creating a level playing field for app and game developers globally.
Sponsored Segment (https://approov.com): The increasing regulatory and commercial pressures are weakening app store monopolies. As the mobile ecosystem decentralizes, the need for robust, independent security is crucial. Our sponsor, Approov, provides strong, app-centric security solutions that operate independently of basic app store protections. Approov helps mobile app developers reduce security dependencies on app stores by delivering runtime protection and attestation for mobile apps and their APIs, shielding against tampering and unauthorized access. Approov’s approach decentralizes security, ensuring developers ar

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode of Upwardly Mobile (https://approov.io/podcast), we dive into the significance of X (https://x.com, formerly known as Twitter) joining the Coalition for App Fairness (CAF, https://appfairness.org/). This move signals growing momentum in the global effort to reform the mobile app ecosystem, currently dominated by Apple and Google, whose practices are alleged to harm consumers and developers alike. We examine X’s commitment to dismantling monopolistic practices and fostering a digital future where competition thrives and innovation is rewarded. We also discuss the context of this fight, including the recent U.S. Department of Justice (DOJ) antitrust complaint filed against Apple. CAF asserts that Apple’s alleged illegal conduct, including abusing App Store guidelines to increase prices and choke off competition, must be addressed, and urges Congress to pass legislation like the Open App Markets Act. Tune in to understand how companies are pushing back against the "shackles on developers" to create a level playing field for the more than 80 members of this independent nonprofit organization.

Discussion Points
- Dismantling Monopolies: X’s Head of Global Government Affairs stated that joining CAF is a testament to their commitment to dismantling monopolistic practices and building a mobile ecosystem that truly serves its users and fosters growth.
- The Problem with Gatekeepers: The current mobile app ecosystem is dominated by Apple and Google, who use their power to harm developers and users through excessive costs and restrictions on innovation. Global Policy Counsel for CAF noted that businesses on platforms like X are harmed by these anticompetitive app store practices.
- The Antitrust Fight: The DOJ, along with 16 attorneys general, filed an antitrust complaint against Apple, accusing the company of illegally monopolizing smartphone markets. CAF supports this strong stand against Apple’s "stranglehold over the mobile app ecosystem".
- The Path Forward: CAF advocates for legislation, like the Open App Markets Act, to create a free and open mobile app marketplace and put an end to the anticompetitive practices of all mobile app gatekeepers.
- About CAF: The Coalition for App Fairness is an independent nonprofit organization focused on protecting consumer choice, fostering competition, and creating a level playing field for app and game developers globally.
Sponsored Segment (https://approov.com): The increasing regulatory and commercial pressures are weakening app store monopolies. As the mobile ecosystem decentralizes, the need for robust, independent security is crucial. Our sponsor, Approov, provides strong, app-centric security solutions that operate independently of basic app store protections. Approov helps mobile app developers reduce security dependencies on app stores by delivering runtime protection and attestation for mobile apps and their APIs, shielding against tampering and unauthorized access. Approov’s approach decentralizes security, ensuring developers ar

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>634</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68575532]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1365320647.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Standing Up to Extortion: Lessons from the Checkout.com Breach</title>
      <link>https://player.megaphone.fm/NPTNI2955473563</link>
      <description>Standing Up to Extortion: Lessons from the Checkout.com Breach and the Rise of Vishing Attacks

This week on Upwardly Mobile, we dive deep into the tactics of the prolific criminal group ShinyHunters and explore how global enterprises are responding to sophisticated cyber extortion attempts in 2025. We analyze two major security incidents that highlight critical weaknesses in legacy systems and modern OAuth ecosystems.

The Extortion Dilemma: Checkout.com Stands Firm

We detail the incident in which Checkout.com (https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion) was contacted by ShinyHunters, who demanded a ransom after gaining unauthorized access to a legacy, third-party cloud file storage system. This system was used in 2020 and prior years for internal operational documents and merchant onboarding materials, and the exposed data affects less than 25% of their current merchant base. Critically, the threat actors did not access merchant funds or card numbers, and the live payment processing platform was not impacted. Checkout.com publicly stated they would not be extorted and refused to pay the ransom. Instead, they are turning this attack into an investment for the entire security industry by donating the ransom amount to Carnegie Mellon University (https://www.cmu.edu/) and the University of Oxford's Global Cyber Security Capacity Centre (https://gcscc.ox.ac.uk/home-page) to fund cybercrime research. The company accepted full responsibility for the legacy system not being properly decommissioned.

The 2025 OAuth and Vishing Wave

The episode also examines ShinyHunters' 2025 campaign targeting mobile and web-based enterprise applications, particularly those connected to Salesforce and integrated platforms like Salesloft and Drift. These attacks were characterized by social engineering and voice phishing ("vishing"), in which attackers impersonated IT staff (sometimes using AI-generated voices) to persuade employees to authorize malicious versions of Salesforce tools via mobile or web apps. With the OAuth tokens those authorizations granted, ShinyHunters reached sensitive internal APIs and data at high-profile victims, including Google, Cloudflare, Qantas, Allianz Life, and Adidas. Analysts noted that these techniques bypassed technical controls by abusing human trust, enabling the theft of over 1.5 billion Salesforce records from approximately 760 organizations. These incidents underscore that modern mobile application security is deeply dependent on robust cloud and OAuth ecosystem safeguards.

Sponsor: This episode of Upwardly Mobile is brought to you by approov.io, helping protect your mobile API access and application endpoints from attacks like those that use stolen OAuth tokens.

Sponsor Link: https://notebooklm.google.com/notebook/approov.io

Keywords: ShinyHunters, Cyber Extortion, Ransomware, Legacy System Vulnerability, OAuth Exploitation, Vishing, Voice Phishing, Salesforce Security, Checkout.com, Cybercrime Research, Cloud Security, Supply Chain Attack, Mobile Application Security, Digital Economy Security, D

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 15 Nov 2025 00:55:47 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Standing Up to Extortion: Lessons from the Checkout.com Breach and the Rise of Vishing Attacks

This week on Upwardly Mobile, we dive deep into the tactics of the prolific criminal group ShinyHunters and explore how global enterprises are responding to sophisticated cyber extortion attempts in 2025. We analyze two major security incidents that highlight critical weaknesses in legacy systems and modern OAuth ecosystems.

The Extortion Dilemma: Checkout.com Stands Firm

We detail the incident in which Checkout.com (https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion) was contacted by ShinyHunters, who demanded a ransom after gaining unauthorized access to a legacy, third-party cloud file storage system. This system was used in 2020 and prior years for internal operational documents and merchant onboarding materials, and the exposed data affects less than 25% of their current merchant base. Critically, the threat actors did not access merchant funds or card numbers, and the live payment processing platform was not impacted. Checkout.com publicly stated they would not be extorted and refused to pay the ransom. Instead, they are turning this attack into an investment for the entire security industry by donating the ransom amount to Carnegie Mellon University (https://www.cmu.edu/) and the University of Oxford's Global Cyber Security Capacity Centre (https://gcscc.ox.ac.uk/home-page) to fund cybercrime research. The company accepted full responsibility for the legacy system not being properly decommissioned.

The 2025 OAuth and Vishing Wave

The episode also examines ShinyHunters' 2025 campaign targeting mobile and web-based enterprise applications, particularly those connected to Salesforce and integrated platforms like Salesloft and Drift. These attacks were characterized by social engineering and voice phishing ("vishing"), in which attackers impersonated IT staff (sometimes using AI-generated voices) to persuade employees to authorize malicious versions of Salesforce tools via mobile or web apps. With the OAuth tokens those authorizations granted, ShinyHunters reached sensitive internal APIs and data at high-profile victims, including Google, Cloudflare, Qantas, Allianz Life, and Adidas. Analysts noted that these techniques bypassed technical controls by abusing human trust, enabling the theft of over 1.5 billion Salesforce records from approximately 760 organizations. These incidents underscore that modern mobile application security is deeply dependent on robust cloud and OAuth ecosystem safeguards.

Sponsor: This episode of Upwardly Mobile is brought to you by approov.io, helping protect your mobile API access and application endpoints from attacks like those that use stolen OAuth tokens.

Sponsor Link: https://notebooklm.google.com/notebook/approov.io

Keywords: ShinyHunters, Cyber Extortion, Ransomware, Legacy System Vulnerability, OAuth Exploitation, Vishing, Voice Phishing, Salesforce Security, Checkout.com, Cybercrime Research, Cloud Security, Supply Chain Attack, Mobile Application Security, Digital Economy Security, D

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Standing Up to Extortion: Lessons from the Checkout.com Breach and the Rise of Vishing Attacks

This week on Upwardly Mobile, we dive deep into the tactics of the prolific criminal group ShinyHunters and explore how global enterprises are responding to sophisticated cyber extortion attempts in 2025. We analyze two major security incidents that highlight critical weaknesses in legacy systems and modern OAuth ecosystems.

The Extortion Dilemma: Checkout.com Stands Firm

We detail the incident in which Checkout.com (https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion) was contacted by ShinyHunters, who demanded a ransom after gaining unauthorized access to a legacy, third-party cloud file storage system. This system was used in 2020 and prior years for internal operational documents and merchant onboarding materials, and the exposed data affects less than 25% of their current merchant base. Critically, the threat actors did not access merchant funds or card numbers, and the live payment processing platform was not impacted. Checkout.com publicly stated they would not be extorted and refused to pay the ransom. Instead, they are turning this attack into an investment for the entire security industry by donating the ransom amount to Carnegie Mellon University (https://www.cmu.edu/) and the University of Oxford's Global Cyber Security Capacity Centre (https://gcscc.ox.ac.uk/home-page) to fund cybercrime research. The company accepted full responsibility for the legacy system not being properly decommissioned.

The 2025 OAuth and Vishing Wave

The episode also examines ShinyHunters' 2025 campaign targeting mobile and web-based enterprise applications, particularly those connected to Salesforce and integrated platforms like Salesloft and Drift. These attacks were characterized by social engineering and voice phishing ("vishing"), in which attackers impersonated IT staff (sometimes using AI-generated voices) to persuade employees to authorize malicious versions of Salesforce tools via mobile or web apps. With the OAuth tokens those authorizations granted, ShinyHunters reached sensitive internal APIs and data at high-profile victims, including Google, Cloudflare, Qantas, Allianz Life, and Adidas. Analysts noted that these techniques bypassed technical controls by abusing human trust, enabling the theft of over 1.5 billion Salesforce records from approximately 760 organizations. These incidents underscore that modern mobile application security is deeply dependent on robust cloud and OAuth ecosystem safeguards.

Sponsor: This episode of Upwardly Mobile is brought to you by approov.io, helping protect your mobile API access and application endpoints from attacks like those that use stolen OAuth tokens.

Sponsor Link: https://notebooklm.google.com/notebook/approov.io

Keywords: ShinyHunters, Cyber Extortion, Ransomware, Legacy System Vulnerability, OAuth Exploitation, Vishing, Voice Phishing, Salesforce Security, Checkout.com, Cybercrime Research, Cloud Security, Supply Chain Attack, Mobile Application Security, Digital Economy Security, D

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>545</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68575422]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2955473563.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Edge Advantage: Why Cloudflare and Approov Outpace Zscaler in API Security?</title>
      <link>https://player.megaphone.fm/NPTNI2262947153</link>
      <description>Remote Attestation vs. RASP: Securing Mobile APIs at the Edge (Zscaler vs. Approov/Cloudflare)

On this episode of Upwardly Mobile, we dive deep into the most critical architectural debate in mobile API security today: does security enforcement belong on the client device (RASP) or off-device at the network edge (remote attestation)? We break down the philosophical and technical differences between the integrated Zscaler ZSDK approach, which bundles Runtime Application Self-Protection (RASP), and the specialized, edge-native partnership between Approov and Cloudflare. Discover why security experts argue that, because the attacker ultimately controls the client environment, remote attestation is superior for defense against sophisticated, targeted attacks.

Episode Highlights &amp; Key Concepts

The Philosophical Divide: RASP vs. Remote Attestation

The core of the debate centers on where the security decision logic is insulated.

- RASP (Runtime Application Self-Protection): This approach implements security logic within the application code to detect threats locally during runtime, often used for real-time overlay fraud, app tampering, and emulator abuse detection.
    - The Risk: Any locally enforced logic provides a target for advanced adversaries. Attackers can potentially reverse-engineer RASP checks and bypass local controls to execute API requests from a tampered application instance.
- Remote Attestation (Approov/Cloudflare): This specialized approach verifies that only a genuine, untampered app can access APIs, protecting backend systems from unauthorized or rogue applications.
    - Superior Resilience: Approov’s architecture minimizes local enforcement, ensuring attestation decisions are made entirely in the cloud service. This insulates the enforcement logic on the backend, offering superior resilience against sophisticated, targeted attacks.
    - Zero Feedback Loop: A key security advantage is that the attacker, who controls the client, receives no explanation of why token validation failed at the edge, significantly raising the cost and complexity of a successful bypass.

Architectural and Operational Advantages

The comparison between the integrated Zscaler Zero Trust Exchange (ZTNA/SSE) model and the Approov/Cloudflare Edge-First (WAAP) model highlights major differences in deployment, performance, and operational cost.

- Enforcement Location and TCO: The Approov/Cloudflare model focuses enforcement entirely at the Cloudflare edge, using Cloudflare Workers or API Shield. This is described as a zero-operations deployment model that removes the need for customer-managed infrastructure components such as Zscaler’s required App Connectors. The serverless model accelerates time-to-value and minimizes maintenance overhead.
- API Key Protection: Approov provides a critical security layer by leveraging attestation guarantees to securely deliver secrets, such as API keys, just-in-time to the application only when the environment is verified a

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 07 Nov 2025 02:50:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Remote Attestation vs. RASP: Securing Mobile APIs at the Edge (Zscaler vs. Approov/Cloudflare)

On this episode of Upwardly Mobile, we dive deep into the most critical architectural debate in mobile API security today: does security enforcement belong on the client device (RASP) or off-device at the network edge (remote attestation)? We break down the philosophical and technical differences between the integrated Zscaler ZSDK approach, which bundles Runtime Application Self-Protection (RASP), and the specialized, edge-native partnership between Approov and Cloudflare. Discover why security experts argue that, because the attacker ultimately controls the client environment, remote attestation is superior for defense against sophisticated, targeted attacks.

Episode Highlights &amp; Key Concepts

The Philosophical Divide: RASP vs. Remote Attestation

The core of the debate centers on where the security decision logic is insulated.

- RASP (Runtime Application Self-Protection): This approach implements security logic within the application code to detect threats locally during runtime, often used for real-time overlay fraud, app tampering, and emulator abuse detection.
    - The Risk: Any locally enforced logic provides a target for advanced adversaries. Attackers can potentially reverse-engineer RASP checks and bypass local controls to execute API requests from a tampered application instance.
- Remote Attestation (Approov/Cloudflare): This specialized approach verifies that only a genuine, untampered app can access APIs, protecting backend systems from unauthorized or rogue applications.
    - Superior Resilience: Approov’s architecture minimizes local enforcement, ensuring attestation decisions are made entirely in the cloud service. This insulates the enforcement logic on the backend, offering superior resilience against sophisticated, targeted attacks.
    - Zero Feedback Loop: A key security advantage is that the attacker, who controls the client, receives no explanation of why token validation failed at the edge, significantly raising the cost and complexity of a successful bypass.

Architectural and Operational Advantages

The comparison between the integrated Zscaler Zero Trust Exchange (ZTNA/SSE) model and the Approov/Cloudflare Edge-First (WAAP) model highlights major differences in deployment, performance, and operational cost.

- Enforcement Location and TCO: The Approov/Cloudflare model focuses enforcement entirely at the Cloudflare edge, using Cloudflare Workers or API Shield. This is described as a zero-operations deployment model that removes the need for customer-managed infrastructure components such as Zscaler’s required App Connectors. The serverless model accelerates time-to-value and minimizes maintenance overhead.
- API Key Protection: Approov provides a critical security layer by leveraging attestation guarantees to securely deliver secrets, such as API keys, just-in-time to the application only when the environment is verified a

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Remote Attestation vs. RASP: Securing Mobile APIs at the Edge (Zscaler vs. Approov/Cloudflare)

On this episode of Upwardly Mobile, we dive deep into the most critical architectural debate in mobile API security today: does security enforcement belong on the client device (RASP) or off-device at the network edge (remote attestation)? We break down the philosophical and technical differences between the integrated Zscaler ZSDK approach, which bundles Runtime Application Self-Protection (RASP), and the specialized, edge-native partnership between Approov and Cloudflare. Discover why security experts argue that, because the attacker ultimately controls the client environment, remote attestation is superior for defense against sophisticated, targeted attacks.

Episode Highlights &amp; Key Concepts

The Philosophical Divide: RASP vs. Remote Attestation

The core of the debate centers on where the security decision logic is insulated.

- RASP (Runtime Application Self-Protection): This approach implements security logic within the application code to detect threats locally during runtime, often used for real-time overlay fraud, app tampering, and emulator abuse detection.
    - The Risk: Any locally enforced logic provides a target for advanced adversaries. Attackers can potentially reverse-engineer RASP checks and bypass local controls to execute API requests from a tampered application instance.
- Remote Attestation (Approov/Cloudflare): This specialized approach verifies that only a genuine, untampered app can access APIs, protecting backend systems from unauthorized or rogue applications.
    - Superior Resilience: Approov’s architecture minimizes local enforcement, ensuring attestation decisions are made entirely in the cloud service. This insulates the enforcement logic on the backend, offering superior resilience against sophisticated, targeted attacks.
    - Zero Feedback Loop: A key security advantage is that the attacker, who controls the client, receives no explanation of why token validation failed at the edge, significantly raising the cost and complexity of a successful bypass.

Architectural and Operational Advantages

The comparison between the integrated Zscaler Zero Trust Exchange (ZTNA/SSE) model and the Approov/Cloudflare Edge-First (WAAP) model highlights major differences in deployment, performance, and operational cost.

- Enforcement Location and TCO: The Approov/Cloudflare model focuses enforcement entirely at the Cloudflare edge, using Cloudflare Workers or API Shield. This is described as a zero-operations deployment model that removes the need for customer-managed infrastructure components such as Zscaler’s required App Connectors. The serverless model accelerates time-to-value and minimizes maintenance overhead.
- API Key Protection: Approov provides a critical security layer by leveraging attestation guarantees to securely deliver secrets, such as API keys, just-in-time to the application only when the environment is verified a

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>716</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68437091]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2262947153.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath)</title>
      <link>https://player.megaphone.fm/NPTNI6304679632</link>
      <description>Upwardly Mobile: Episode Notes

Episode Title: App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath)

Summary: In this episode of Upwardly Mobile, we break down the monumental shift in the Android ecosystem following the Supreme Court’s refusal to hear Google's final appeal. Google has finally opened its Google Play app store to third-party payment options for U.S. developers, settling a multi-year legal battle initiated by Epic Games. We discuss what this means for developers seeking to maximize revenue, the new freedom to direct users to cheaper external payment options, and the resulting challenges in maintaining app integrity and security now that developers are operating outside Google Play Billing exclusivity. Plus, we explore crucial security solutions, like Approov, that can help developers protect their apps when relying less on Google Mobile Services (GMS) for integrity checks.

Key Takeaways
- Policy Shift: Following years of legal challenges, Google is now required to allow U.S. app developers to use alternative payment methods and link users directly to external payment sources. This means developers can process payments outside of Google’s ecosystem and inform users about alternative pricing.
- End of Exclusivity: Previously, Google generally mandated the use of Google Play Billing and collected a commission on nearly every in-app purchase. Now, developers can provide direct links to external checkout pages and offer options like PayPal or their own payment systems.
- Timeline and Scope: This change became effective immediately as of October 29, 2025. However, the new rules currently apply only in the U.S. and the District Court order is set to expire on November 1, 2027.
- Security Challenges: While developers gain freedom and potential revenue maximization by avoiding Play Store commissions, distributing and processing payments externally requires implementing their own robust security, update, and analytics systems, as Play services like integrity verification may not be available.
- App Attestation Alternative: For developers building non-GMS Android apps or those seeking customizable security outside of Google’s structure, Approov provides a solution. Approov is a runtime application self-protection (RASP) tool that offers app attestation, verifying the integrity and authenticity of an app and the device it runs on, without relying on Google Play Integrity or SafetyNet.

Sponsored by Approov: Protect your app and APIs regardless of your payment processing choices. Approov offers comprehensive runtime application self-protection (RASP) and serves as a reliable, GMS-independent alternative to Google Play Integrity for robust app attestation and real-time threat detection. Learn more or start a free trial today: https://notebooklm.google.com/notebook/approov.io

Relevant Links &amp; Resources
- Google Opens App Store to Third-Party Payment Systems (PaymentsJournal): https://www.paymentsjournal.com/google

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 03 Nov 2025 10:40:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile: Episode Notes Episode Title: App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath) Summary: In this episode of Upwardly Mobile, we break down the monumental shift in the Android ecosystem following the Supreme Court’s refusal to hear Google's final appeal. Google has finally opened its Google Play app store to third-party payment options for U.S. developers, settling a multi-year legal battle initiated by Epic Games. We discuss what this means for developers seeking to maximize revenue, the new freedom to direct users to cheaper external payment options, and the resulting challenges in maintaining app integrity and security now that developers are operating outside Google Play Billing exclusivity. Plus, we explore crucial security solutions, like Approov, that can help developers protect their apps when relying less on Google Mobile Services (GMS) for integrity checks. Key Takeaways
- Policy Shift: Following years of legal challenges, Google is now required to allow U.S. app developers to use alternative payment methods and link users directly to external payment sources. This means developers can process payments outside of Google’s ecosystem and inform users about alternative pricing.
- End of Exclusivity: Previously, Google generally mandated the use of Google Play Billing and collected a commission on nearly every in-app purchase. Now, developers can provide direct links to external checkout pages and offer options like PayPal or their own payment systems.
- Timeline and Scope: This change became effective immediately as of October 29, 2025. However, the new rules currently apply only in the U.S. and the District Court order is set to expire on November 1, 2027.
- Security Challenges: While developers gain freedom and potential revenue maximization by avoiding Play Store commissions, distributing and processing payments externally requires implementing their own robust security, update, and analytics systems, as Play services like integrity verification may not be available.
- App Attestation Alternative: For developers building non-GMS Android apps or those seeking customizable security outside of Google’s structure, Approov provides a solution. Approov is a runtime application self-protection (RASP) tool that offers app attestation—verifying the integrity and authenticity of an app and the device it runs on—without relying on Google Play Integrity or SafetyNet.
Sponsored by Approov Protect your app and APIs regardless of your payment processing choices. Approov offers comprehensive runtime application self-protection (RASP) and serves as a reliable, GMS-independent alternative to Google Play Integrity for robust app attestation and real-time threat detection. Learn more or start a free trial today: https://notebooklm.google.com/notebook/approov.io Relevant Links &amp; Resources
- Google Opens App Store to Third-Party Payment Systems (PaymentsJournal): https://www.paymentsjournal.com/google

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile: Episode Notes Episode Title: App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath) Summary: In this episode of Upwardly Mobile, we break down the monumental shift in the Android ecosystem following the Supreme Court’s refusal to hear Google's final appeal. Google has finally opened its Google Play app store to third-party payment options for U.S. developers, settling a multi-year legal battle initiated by Epic Games. We discuss what this means for developers seeking to maximize revenue, the new freedom to direct users to cheaper external payment options, and the resulting challenges in maintaining app integrity and security now that developers are operating outside Google Play Billing exclusivity. Plus, we explore crucial security solutions, like Approov, that can help developers protect their apps when relying less on Google Mobile Services (GMS) for integrity checks. Key Takeaways
- Policy Shift: Following years of legal challenges, Google is now required to allow U.S. app developers to use alternative payment methods and link users directly to external payment sources. This means developers can process payments outside of Google’s ecosystem and inform users about alternative pricing.
- End of Exclusivity: Previously, Google generally mandated the use of Google Play Billing and collected a commission on nearly every in-app purchase. Now, developers can provide direct links to external checkout pages and offer options like PayPal or their own payment systems.
- Timeline and Scope: This change became effective immediately as of October 29, 2025. However, the new rules currently apply only in the U.S. and the District Court order is set to expire on November 1, 2027.
- Security Challenges: While developers gain freedom and potential revenue maximization by avoiding Play Store commissions, distributing and processing payments externally requires implementing their own robust security, update, and analytics systems, as Play services like integrity verification may not be available.
- App Attestation Alternative: For developers building non-GMS Android apps or those seeking customizable security outside of Google’s structure, Approov provides a solution. Approov is a runtime application self-protection (RASP) tool that offers app attestation—verifying the integrity and authenticity of an app and the device it runs on—without relying on Google Play Integrity or SafetyNet.
Sponsored by Approov Protect your app and APIs regardless of your payment processing choices. Approov offers comprehensive runtime application self-protection (RASP) and serves as a reliable, GMS-independent alternative to Google Play Integrity for robust app attestation and real-time threat detection. Learn more or start a free trial today: https://notebooklm.google.com/notebook/approov.io Relevant Links &amp; Resources
- Google Opens App Store to Third-Party Payment Systems (PaymentsJournal): https://www.paymentsjournal.com/google

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>612</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68372130]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6304679632.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>NPM Nightmare: &amp; Cloudflare AI That Secured End Users From 2 Billion Weekly Malicious Downloads</title>
      <link>https://player.megaphone.fm/NPTNI3910451808</link>
      <description>The Billion-Download Backdoor: Defending Client-Side Supply Chains Against Crypto-Draining NPM Attacks
--------------------------------------------------------------------------------

Episode Notes
In early September 2025, the open-source software ecosystem faced a massive supply chain attack when attackers compromised trusted maintainer accounts on npm using targeted phishing emails. This security breach led to the injection of malicious code into 18 widely used npm packages—such as chalk, debug, and ansi-styles—which together account for more than 2 billion downloads per week.
This episode dives into the mechanics of the attack, the threat posed by the complex malware deployed, and the role of advanced AI-powered defenses in preventing client-side disaster.

Key Takeaways
The Threat Landscape The attackers' primary goal was crypto-stealing or wallet draining. The compromised packages contained obfuscated JavaScript, which, when included in end-user applications (including web projects and mobile apps built with frameworks like React Native or Ionic), was activated at the browser level. This malware would intercept network traffic and API requests, ultimately swapping legitimate cryptocurrency addresses (including Bitcoin, Ethereum, and Solana) with the attackers' wallets. The attack leveraged the human factor, as maintainers were tricked by phishing emails urging them to update two-factor authentication credentials via a fake domain, npmjs[.]help.
The Evolution of Malware: Shai-Hulud Beyond crypto-hijacking, researchers detected a complex self-replicating worm dubbed Shai-Hulud. This advanced payload targets development and CI/CD environments:
• Autonomous Propagation: Shai-Hulud uses existing trust relationships to automatically infect additional NPM packages and projects.
• Credential Theft: Using stolen GitHub access tokens, the worm lists and clones private repositories to attacker-controlled accounts.
• Secret Harvesting: It downloads and utilizes the secret-scanning tool TruffleHog to harvest secrets, keys, and high-entropy strings from the compromised environment.
• Malicious Workflows: Shai-Hulud establishes persistence by injecting malicious GitHub Actions workflows into repositories, enabling automated secret exfiltration.
Automated Defense with AI Security Cloudflare’s client-side security offering, Page Shield, proved critical in mitigating this threat. Page Shield assesses 3.5 billion scripts per day (40,000 scripts per second) using machine learning (ML) based malicious script detection.
• Page Shield utilizes a message-passing graph convolutional network (MPGCN). This graph-based model learns hacker patterns purely from the structure (e.g., function calling) and syntax of the code, making it resilient against advanced techniques like code obfuscation used in the npm compromise.
• Cloudflare verified that Page Shield would have successfully detected all 18 compromised npm packages as malicious, despite the attack being novel and

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 31 Oct 2025 07:00:08 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The Billion-Download Backdoor: Defending Client-Side Supply Chains Against Crypto-Draining NPM Attacks
--------------------------------------------------------------------------------

Episode Notes
In early September 2025, the open-source software ecosystem faced a massive supply chain attack when attackers compromised trusted maintainer accounts on npm using targeted phishing emails. This security breach led to the injection of malicious code into 18 widely used npm packages—such as chalk, debug, and ansi-styles—which together account for more than 2 billion downloads per week.
This episode dives into the mechanics of the attack, the threat posed by the complex malware deployed, and the role of advanced AI-powered defenses in preventing client-side disaster.

Key Takeaways
The Threat Landscape The attackers' primary goal was crypto-stealing or wallet draining. The compromised packages contained obfuscated JavaScript, which, when included in end-user applications (including web projects and mobile apps built with frameworks like React Native or Ionic), was activated at the browser level. This malware would intercept network traffic and API requests, ultimately swapping legitimate cryptocurrency addresses (including Bitcoin, Ethereum, and Solana) with the attackers' wallets. The attack leveraged the human factor, as maintainers were tricked by phishing emails urging them to update two-factor authentication credentials via a fake domain, npmjs[.]help.
The Evolution of Malware: Shai-Hulud Beyond crypto-hijacking, researchers detected a complex self-replicating worm dubbed Shai-Hulud. This advanced payload targets development and CI/CD environments:
• Autonomous Propagation: Shai-Hulud uses existing trust relationships to automatically infect additional NPM packages and projects.
• Credential Theft: Using stolen GitHub access tokens, the worm lists and clones private repositories to attacker-controlled accounts.
• Secret Harvesting: It downloads and utilizes the secret-scanning tool TruffleHog to harvest secrets, keys, and high-entropy strings from the compromised environment.
• Malicious Workflows: Shai-Hulud establishes persistence by injecting malicious GitHub Actions workflows into repositories, enabling automated secret exfiltration.
Automated Defense with AI Security Cloudflare’s client-side security offering, Page Shield, proved critical in mitigating this threat. Page Shield assesses 3.5 billion scripts per day (40,000 scripts per second) using machine learning (ML) based malicious script detection.
• Page Shield utilizes a message-passing graph convolutional network (MPGCN). This graph-based model learns hacker patterns purely from the structure (e.g., function calling) and syntax of the code, making it resilient against advanced techniques like code obfuscation used in the npm compromise.
• Cloudflare verified that Page Shield would have successfully detected all 18 compromised npm packages as malicious, despite the attack being novel and

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The Billion-Download Backdoor: Defending Client-Side Supply Chains Against Crypto-Draining NPM Attacks
--------------------------------------------------------------------------------

Episode Notes
In early September 2025, the open-source software ecosystem faced a massive supply chain attack when attackers compromised trusted maintainer accounts on npm using targeted phishing emails. This security breach led to the injection of malicious code into 18 widely used npm packages—such as chalk, debug, and ansi-styles—which together account for more than 2 billion downloads per week.
This episode dives into the mechanics of the attack, the threat posed by the complex malware deployed, and the role of advanced AI-powered defenses in preventing client-side disaster.

Key Takeaways
The Threat Landscape The attackers' primary goal was crypto-stealing or wallet draining. The compromised packages contained obfuscated JavaScript, which, when included in end-user applications (including web projects and mobile apps built with frameworks like React Native or Ionic), was activated at the browser level. This malware would intercept network traffic and API requests, ultimately swapping legitimate cryptocurrency addresses (including Bitcoin, Ethereum, and Solana) with the attackers' wallets. The attack leveraged the human factor, as maintainers were tricked by phishing emails urging them to update two-factor authentication credentials via a fake domain, npmjs[.]help.
The Evolution of Malware: Shai-Hulud Beyond crypto-hijacking, researchers detected a complex self-replicating worm dubbed Shai-Hulud. This advanced payload targets development and CI/CD environments:
• Autonomous Propagation: Shai-Hulud uses existing trust relationships to automatically infect additional NPM packages and projects.
• Credential Theft: Using stolen GitHub access tokens, the worm lists and clones private repositories to attacker-controlled accounts.
• Secret Harvesting: It downloads and utilizes the secret-scanning tool TruffleHog to harvest secrets, keys, and high-entropy strings from the compromised environment.
• Malicious Workflows: Shai-Hulud establishes persistence by injecting malicious GitHub Actions workflows into repositories, enabling automated secret exfiltration.
Automated Defense with AI Security Cloudflare’s client-side security offering, Page Shield, proved critical in mitigating this threat. Page Shield assesses 3.5 billion scripts per day (40,000 scripts per second) using machine learning (ML) based malicious script detection.
• Page Shield utilizes a message-passing graph convolutional network (MPGCN). This graph-based model learns hacker patterns purely from the structure (e.g., function calling) and syntax of the code, making it resilient against advanced techniques like code obfuscation used in the npm compromise.
• Cloudflare verified that Page Shield would have successfully detected all 18 compromised npm packages as malicious, despite the attack being novel and

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>899</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68291195]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3910451808.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Unseen Storm: Securing APIs and Protecting Against Key Exposure</title>
      <link>https://player.megaphone.fm/NPTNI3205003167</link>
      <description>The Unseen Storm: Securing APIs and Protecting Against Key Exposure

This week on Upwardly Mobile, we delve into the hidden dangers lurking within seemingly simple applications and the advanced solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes—like exposing sensitive API keys and neglecting input validation—create catastrophic security vulnerabilities, potentially leading to data breaches, financial loss, and system compromise. The Problem: Client-Side Secrets and Architectural Flaws The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, leading to critical architectural failures. We discuss how exposed API keys embedded in client-side JavaScript are considered "low-hanging fruit" for attackers.

Key Takeaways from the Security Analysis:

- Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, potentially exceeding quotas and incurring costs.
- Interception: Tools like Burp Suite enable attackers to intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters.
- Injection Attacks: Poor input sanitization on server-side search functionalities is a primary attack vector. We examine verified command snippets used to test for command injection (e.g., appending cat /etc/passwd) and NoSQL Injection (e.g., using MongoDB operator syntax).
- Lateral Movement: An exposed API key is often just the beginning. If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, check for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover.
Defensive Fundamentals for Developers: To combat these threats, security must be shifted left—integrated into the earliest stages of development. We review critical defensive measures:

- Environment Variable Security: API keys must never be exposed to the client; they should reside in secure server-side environment variables. The client should request data from your secure server endpoint, which then internally fetches the data from the third-party API using the hidden key.
- Rate Limiting: To protect backend APIs from abuse and "Denial-of-Wage" attacks (attacks that incur cost), rate limiting middleware (like express-rate-limit) is essential. This blocks automated scripts by limiting each IP to a set number of requests within a time window.
- Cloud Hardening: Security extends to infrastructure. Developers must audit cloud resources, checking S3 bucket policies for leaks and ensuring EC2 security groups only allow necessary web traffic (ports 80 and 443).
Closing the Mobile API Security Trust Gap with Positive Authe

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 27 Oct 2025 07:30:10 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The Unseen Storm: Securing APIs and Protecting Against Key Exposure

This week on Upwardly Mobile, we delve into the hidden dangers lurking within seemingly simple applications and the advanced solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes—like exposing sensitive API keys and neglecting input validation—create catastrophic security vulnerabilities, potentially leading to data breaches, financial loss, and system compromise. The Problem: Client-Side Secrets and Architectural Flaws The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, leading to critical architectural failures. We discuss how exposed API keys embedded in client-side JavaScript are considered "low-hanging fruit" for attackers.

Key Takeaways from the Security Analysis:

- Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, potentially exceeding quotas and incurring costs.
- Interception: Tools like Burp Suite enable attackers to intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters.
- Injection Attacks: Poor input sanitization on server-side search functionalities is a primary attack vector. We examine verified command snippets used to test for command injection (e.g., appending cat /etc/passwd) and NoSQL Injection (e.g., using MongoDB operator syntax).
- Lateral Movement: An exposed API key is often just the beginning. If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, check for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover.
Defensive Fundamentals for Developers: To combat these threats, security must be shifted left—integrated into the earliest stages of development. We review critical defensive measures:

- Environment Variable Security: API keys must never be exposed to the client; they should reside in secure server-side environment variables. The client should request data from your secure server endpoint, which then internally fetches the data from the third-party API using the hidden key.
- Rate Limiting: To protect backend APIs from abuse and "Denial-of-Wage" attacks (attacks that incur cost), rate limiting middleware (like express-rate-limit) is essential. This blocks automated scripts by limiting each IP to a set number of requests within a time window.
- Cloud Hardening: Security extends to infrastructure. Developers must audit cloud resources, checking S3 bucket policies for leaks and ensuring EC2 security groups only allow necessary web traffic (ports 80 and 443).
Closing the Mobile API Security Trust Gap with Positive Authe

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The Unseen Storm: Securing APIs and Protecting Against Key Exposure

This week on Upwardly Mobile, we delve into the hidden dangers lurking within seemingly simple applications and the advanced solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes—like exposing sensitive API keys and neglecting input validation—create catastrophic security vulnerabilities, potentially leading to data breaches, financial loss, and system compromise. The Problem: Client-Side Secrets and Architectural Flaws The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, leading to critical architectural failures. We discuss how exposed API keys embedded in client-side JavaScript are considered "low-hanging fruit" for attackers.

Key Takeaways from the Security Analysis:

- Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, potentially exceeding quotas and incurring costs.
- Interception: Tools like Burp Suite enable attackers to intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters.
- Injection Attacks: Poor input sanitization on server-side search functionalities is a primary attack vector. We examine verified command snippets used to test for command injection (e.g., appending cat /etc/passwd) and NoSQL Injection (e.g., using MongoDB operator syntax).
- Lateral Movement: An exposed API key is often just the beginning. If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, check for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover.
Defensive Fundamentals for Developers: To combat these threats, security must be shifted left—integrated into the earliest stages of development. We review critical defensive measures:

- Environment Variable Security: API keys must never be exposed to the client; they should reside in secure server-side environment variables. The client should request data from your secure server endpoint, which then internally fetches the data from the third-party API using the hidden key.
- Rate Limiting: To protect backend APIs from abuse and "Denial-of-Wage" attacks (attacks that incur cost), rate limiting middleware (like express-rate-limit) is essential. This blocks automated scripts by limiting each IP to a set number of requests within a time window.
- Cloud Hardening: Security extends to infrastructure. Developers must audit cloud resources, checking S3 bucket policies for leaks and ensuring EC2 security groups only allow necessary web traffic (ports 80 and 443).
Closing the Mobile API Security Trust Gap with Positive Authe

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>841</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68246308]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3205003167.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>UK Competition and Markets Authority (CMA) designate Apple and Google with Strategic Market Status</title>
      <link>https://player.megaphone.fm/NPTNI8613819811</link>
      <description>UK CMA Declares Apple &amp; Google Have Strategic Market Status (SMS): The Future of Mobile Competition and Security 

In this pivotal episode of "Upwardly Mobile," we break down the monumental decision by the UK Competition and Markets Authority (CMA) to officially designate Apple and Google with Strategic Market Status (SMS) in their respective mobile platforms. This move is set to reshape digital markets across the UK and has massive implications for app developers, businesses, and mobile security worldwide. Key Takeaways from the CMA's Decision (Published 22 October 2025): The CMA launched its investigations in January 2025 under the Digital Markets, Competition and Consumers Act 2024 (DMCCA), aiming to address the "unprecedented market power" held by a few large digital firms.
- SMS Designation Confirmed: Following consultation with over 150 stakeholders, the CMA confirmed that both Apple and Google meet the legal tests for having Substantial and Entrenched Market Power (SEMP) and a Position of Strategic Significance (POSS) in their mobile platforms.
- Scope of Mobile Platforms: The designation applies to the holistic Mobile Platform provided by each company, grouping together highly interconnected digital activities:
    - Apple: Smartphone Operating System (iOS), Tablet Operating System (iPadOS), Native App Distribution (App Store), and Mobile Browser and Browser Engine (Safari and WebKit).
    - Google: Mobile Operating System (Android), Native App Distribution (Play Store), and Mobile Browser and Browser Engine (Chrome and Blink).
- Market Dominance: CMA findings confirmed that almost all UK mobile device holders use either Apple or Google's platform. Users are unlikely to switch between them, reinforcing their dominance. Furthermore, to reach both user bases, businesses must distribute their content through both platforms, effectively making them "must-have" channels.
- Market Entrenchment: The CMA concluded that competitive constraints are currently limited. Despite the rapid deployment of technologies like Artificial Intelligence (AI), these developments are deemed unlikely to eliminate Apple or Google’s market power over the five-year designation period.
- Economic Impact: The designation acknowledges the crucial role of these platforms, noting that the UK app economy generates an estimated 1.5% of the UK’s GDP and supports about 400,000 jobs, encompassing sectors like FinTech and mobile gaming.
What Happens Next? The SMS designation itself is not a finding of wrongdoing and does not introduce immediate new requirements. However, it acts as the gateway for the CMA to introduce targeted and proportionate interventions, such as Conduct Requirements or Pro-Competition Interventions, designed to ensure open choices, fair dealing, and trust and transparency within these vital digital activities. This action mirrors regulatory efforts globally, including the EU’s Digital Markets Act (DMA) and legal actions in the US and Japan. 🎧 Sponsored

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 22 Oct 2025 17:20:49 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>UK CMA Declares Apple &amp; Google Have Strategic Market Status (SMS): The Future of Mobile Competition and Security 

In this pivotal episode of "Upwardly Mobile," we break down the monumental decision by the UK Competition and Markets Authority (CMA) to officially designate Apple and Google with Strategic Market Status (SMS) in their respective mobile platforms. This move is set to reshape digital markets across the UK and has massive implications for app developers, businesses, and mobile security worldwide. Key Takeaways from the CMA's Decision (Published 22 October 2025): The CMA launched its investigations in January 2025 under the Digital Markets, Competition and Consumers Act 2024 (DMCCA), aiming to address the "unprecedented market power" held by a few large digital firms.
- SMS Designation Confirmed: Following consultation with over 150 stakeholders, the CMA confirmed that both Apple and Google meet the legal tests for having Substantial and Entrenched Market Power (SEMP) and a Position of Strategic Significance (POSS) in their mobile platforms.
- Scope of Mobile Platforms: The designation applies to the holistic Mobile Platform provided by each company, grouping together highly interconnected digital activities:
    - Apple: Smartphone Operating System (iOS), Tablet Operating System (iPadOS), Native App Distribution (App Store), and Mobile Browser and Browser Engine (Safari and WebKit).
    - Google: Mobile Operating System (Android), Native App Distribution (Play Store), and Mobile Browser and Browser Engine (Chrome and Blink).
- Market Dominance: CMA findings confirmed that almost all UK mobile device holders use either Apple or Google's platform. Users are unlikely to switch between them, reinforcing their dominance. Furthermore, to reach both user bases, businesses must distribute their content through both platforms, effectively making them "must-have" channels.
- Market Entrenchment: The CMA concluded that competitive constraints are currently limited. Despite the rapid deployment of technologies like Artificial Intelligence (AI), these developments are deemed unlikely to eliminate Apple or Google’s market power over the five-year designation period.
- Economic Impact: The designation acknowledges the crucial role of these platforms, noting that the UK app economy generates an estimated 1.5% of the UK’s GDP and supports about 400,000 jobs, encompassing sectors like FinTech and mobile gaming.
What Happens Next?
The SMS designation itself is not a finding of wrongdoing and does not introduce immediate new requirements. However, it acts as the gateway for the CMA to introduce targeted and proportionate interventions, such as Conduct Requirements or Pro-Competition Interventions, designed to ensure open choices, fair dealing, and trust and transparency within these vital digital activities. This action mirrors regulatory efforts globally, including the EU’s Digital Markets Act (DMA) and legal actions in the US and Japan. 🎧 Sponsored

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[UK CMA Declares Apple &amp; Google Have Strategic Market Status (SMS): The Future of Mobile Competition and Security 

In this pivotal episode of "Upwardly Mobile," we break down the monumental decision by the UK Competition and Markets Authority (CMA) to officially designate Apple and Google with Strategic Market Status (SMS) in their respective mobile platforms. This move is set to reshape digital markets across the UK and has massive implications for app developers, businesses, and mobile security worldwide.
Key Takeaways from the CMA's Decision (Published 22 October 2025):
The CMA launched its investigations in January 2025 under the Digital Markets, Competition and Consumers Act 2024 (DMCCA), aiming to address the "unprecedented market power" held by a few large digital firms.
- SMS Designation Confirmed: Following consultation with over 150 stakeholders, the CMA confirmed that both Apple and Google meet the legal tests for having Substantial and Entrenched Market Power (SEMP) and a Position of Strategic Significance (POSS) in their mobile platforms.
- Scope of Mobile Platforms: The designation applies to the holistic Mobile Platform provided by each company, grouping together highly interconnected digital activities:
    - Apple: Smartphone Operating System (iOS), Tablet Operating System (iPadOS), Native App Distribution (App Store), and Mobile Browser and Browser Engine (Safari and WebKit).
    - Google: Mobile Operating System (Android), Native App Distribution (Play Store), and Mobile Browser and Browser Engine (Chrome and Blink).
- Market Dominance: CMA findings confirmed that almost all UK mobile device holders use either Apple or Google's platform. Users are unlikely to switch between them, reinforcing their dominance. Furthermore, to reach both user bases, businesses must distribute their content through both platforms, effectively making them "must-have" channels.
- Market Entrenchment: The CMA concluded that competitive constraints are currently limited. Despite the rapid deployment of technologies like Artificial Intelligence (AI), these developments are deemed unlikely to eliminate Apple or Google’s market power over the five-year designation period.
- Economic Impact: The designation acknowledges the crucial role of these platforms, noting that the UK app economy generates an estimated 1.5% of the UK’s GDP and supports about 400,000 jobs, encompassing sectors like FinTech and mobile gaming.
What Happens Next?
The SMS designation itself is not a finding of wrongdoing and does not introduce immediate new requirements. However, it acts as the gateway for the CMA to introduce targeted and proportionate interventions, such as Conduct Requirements or Pro-Competition Interventions, designed to ensure open choices, fair dealing, and trust and transparency within these vital digital activities. This action mirrors regulatory efforts globally, including the EU’s Digital Markets Act (DMA) and legal actions in the US and Japan. 🎧 Sponsored

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>758</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68242964]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8613819811.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps &amp; APIs</title>
      <link>https://player.megaphone.fm/NPTNI5540300209</link>
      <description>API Security Under Fire: F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps

The F5 BIG-IP Breach and What It Means for Developers
This week on Upwardly Mobile, we dive into the fallout from the catastrophic security breach at F5 Networks, where a sophisticated nation-state adversary compromised the integrity of the critical BIG-IP product line. We discuss why this incident poses an imminent and unacceptable risk to organizations—especially mobile app developers who rely on F5 devices for critical API security infrastructure like load balancing and firewalling.
The Compromise: Source Code, Credentials, and Zero-Day Roadmaps
The threat actor maintained long-term, persistent access to F5’s internal systems, specifically the BIG-IP product development environment and engineering knowledge platforms. This sophisticated attack led to the theft of crucial materials:

- Proprietary Source Code: Portions of the proprietary source code for the flagship BIG-IP product line were exfiltrated. While F5 confirmed the actor did not inject malicious code, possessing the source code allows adversaries to analyze it for vulnerabilities or backdoor opportunities.
- Vulnerability Roadmap: Attackers gained access to internal documentation detailing undisclosed (zero-day) vulnerabilities that F5 engineers were investigating or fixing. This provides the adversaries with a virtual roadmap, enabling them to rapidly develop exploits for unpatched flaws.
- Customer Configuration Data: A small portion of customer-specific data was stolen, including network topologies, device configurations, or deployment details. For developers managing mobile APIs, this stolen information increases the risk that sensitive credentials can be abused and attackers can target specific deployment setups.
Urgent Action Required: The CISA Emergency Directive
The severity of the incident prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive for federal agencies, underscoring the potential for widespread exploitation. Developers and organizations using F5 devices must take immediate action:

- Patch Immediately: Install the latest security updates, particularly the Quarterly Security Notification F5 released simultaneously, which addressed 44 new vulnerabilities.
- Isolate Management Interfaces: Identify all F5 resources and, critically, isolate management interfaces from the internet to prevent initial access; investigate any existing exposure.
- Adopt Zero Trust: Implement a zero trust architecture to reduce the attack surface and block lateral movement. Prioritize connecting users directly to applications, not the underlying network.
- Change Credentials: Change all default credentials immediately.
Sponsor Segment
Securing mobile APIs from threats that target application logic and device integrity is paramount. To fortify your defenses against sophisticated adversaries like the one in the F5 breach, explore https://approov.io/mobile-app-securit

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 20 Oct 2025 03:10:52 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>API Security Under Fire: F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps

The F5 BIG-IP Breach and What It Means for Developers
This week on Upwardly Mobile, we dive into the fallout from the catastrophic security breach at F5 Networks, where a sophisticated nation-state adversary compromised the integrity of the critical BIG-IP product line. We discuss why this incident poses an imminent and unacceptable risk to organizations—especially mobile app developers who rely on F5 devices for critical API security infrastructure like load balancing and firewalling.
The Compromise: Source Code, Credentials, and Zero-Day Roadmaps
The threat actor maintained long-term, persistent access to F5’s internal systems, specifically the BIG-IP product development environment and engineering knowledge platforms. This sophisticated attack led to the theft of crucial materials:

- Proprietary Source Code: Portions of the proprietary source code for the flagship BIG-IP product line were exfiltrated. While F5 confirmed the actor did not inject malicious code, possessing the source code allows adversaries to analyze it for vulnerabilities or backdoor opportunities.
- Vulnerability Roadmap: Attackers gained access to internal documentation detailing undisclosed (zero-day) vulnerabilities that F5 engineers were investigating or fixing. This provides the adversaries with a virtual roadmap, enabling them to rapidly develop exploits for unpatched flaws.
- Customer Configuration Data: A small portion of customer-specific data was stolen, including network topologies, device configurations, or deployment details. For developers managing mobile APIs, this stolen information increases the risk that sensitive credentials can be abused and attackers can target specific deployment setups.
Urgent Action Required: The CISA Emergency Directive
The severity of the incident prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive for federal agencies, underscoring the potential for widespread exploitation. Developers and organizations using F5 devices must take immediate action:

- Patch Immediately: Install the latest security updates, particularly the Quarterly Security Notification F5 released simultaneously, which addressed 44 new vulnerabilities.
- Isolate Management Interfaces: Identify all F5 resources and, critically, isolate management interfaces from the internet to prevent initial access; investigate any existing exposure.
- Adopt Zero Trust: Implement a zero trust architecture to reduce the attack surface and block lateral movement. Prioritize connecting users directly to applications, not the underlying network.
- Change Credentials: Change all default credentials immediately.
Sponsor Segment
Securing mobile APIs from threats that target application logic and device integrity is paramount. To fortify your defenses against sophisticated adversaries like the one in the F5 breach, explore https://approov.io/mobile-app-securit

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[API Security Under Fire: F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps

The F5 BIG-IP Breach and What It Means for Developers
This week on Upwardly Mobile, we dive into the fallout from the catastrophic security breach at F5 Networks, where a sophisticated nation-state adversary compromised the integrity of the critical BIG-IP product line. We discuss why this incident poses an imminent and unacceptable risk to organizations—especially mobile app developers who rely on F5 devices for critical API security infrastructure like load balancing and firewalling.
The Compromise: Source Code, Credentials, and Zero-Day Roadmaps
The threat actor maintained long-term, persistent access to F5’s internal systems, specifically the BIG-IP product development environment and engineering knowledge platforms. This sophisticated attack led to the theft of crucial materials:

- Proprietary Source Code: Portions of the proprietary source code for the flagship BIG-IP product line were exfiltrated. While F5 confirmed the actor did not inject malicious code, possessing the source code allows adversaries to analyze it for vulnerabilities or backdoor opportunities.
- Vulnerability Roadmap: Attackers gained access to internal documentation detailing undisclosed (zero-day) vulnerabilities that F5 engineers were investigating or fixing. This provides the adversaries with a virtual roadmap, enabling them to rapidly develop exploits for unpatched flaws.
- Customer Configuration Data: A small portion of customer-specific data was stolen, including network topologies, device configurations, or deployment details. For developers managing mobile APIs, this stolen information increases the risk that sensitive credentials can be abused and attackers can target specific deployment setups.
Urgent Action Required: The CISA Emergency Directive
The severity of the incident prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive for federal agencies, underscoring the potential for widespread exploitation. Developers and organizations using F5 devices must take immediate action:

- Patch Immediately: Install the latest security updates, particularly the Quarterly Security Notification F5 released simultaneously, which addressed 44 new vulnerabilities.
- Isolate Management Interfaces: Identify all F5 resources and, critically, isolate management interfaces from the internet to prevent initial access; investigate any existing exposure.
- Adopt Zero Trust: Implement a zero trust architecture to reduce the attack surface and block lateral movement. Prioritize connecting users directly to applications, not the underlying network.
- Change Credentials: Change all default credentials immediately.
Sponsor Segment
Securing mobile APIs from threats that target application logic and device integrity is paramount. To fortify your defenses against sophisticated adversaries like the one in the F5 breach, explore https://approov.io/mobile-app-securit

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>719</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68208178]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5540300209.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters</title>
      <link>https://player.megaphone.fm/NPTNI3420933692</link>
      <description>Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters

In this episode of "Upwardly Mobile," we dive into the world of high-stakes corporate extortion, focusing on the sophisticated cybercriminal group ShinyHunters (also tracked as UNC6040) and the subsequent takedown of their infamous platform, BreachForums. The sources detail how the FBI, in collaboration with French law enforcement authorities, seized the Breachforums.hn domain, which the Scattered Lapsus$ Hunters (a gang linked to ShinyHunters, Scattered Spider, and Lapsus$) were using as a data leak and extortion site. This action involved switching the domain’s nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. ShinyHunters confirmed the seizure, noting that law enforcement gained access to BreachForums database backups dating back to 2023 and escrow databases since the latest reboot, effectively declaring that "the era of forums is over". Despite the clearnet site takedown, the threat actors maintained that their Tor dark web site was still accessible and that the seizure would not affect their campaign.
The Massive Salesforce Extortion Campaign
The core focus of the Scattered Lapsus$ Hunters’ recent activity was an extensive Salesforce extortion campaign. This campaign originated in May 2025 when ShinyHunters launched a social engineering campaign using voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The hackers claimed to have stolen more than one billion records containing customer information. The long list of affected companies included major corporations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, and Chanel. Salesforce has publicly stated that they will not engage, negotiate with, or pay any extortion demand.
Beyond Salesforce: Discord and Red Hat
The criminal group also claimed responsibility for other significant intrusions:

- https://www.bleepingcomputer.com/news/security/red-hat-confirms-security-incident-after-hackers-breach-gitlab-instance/: The Scattered Lapsus$ Hunters took credit for compromising a Red Hat GitLab server, stealing more than 28,000 Git code repositories and sensitive internal documents, including customer secrets and infrastructure details.
- https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service: ShinyHunters claimed responsibility for an incident affecting Discord users. Discord confirmed that an unauthorized party compromised a third-party customer service provider (5CA), impacting a limited number of users who had contacted Customer Support or Trust &amp; Safety teams. Critically, the unauthorized party gained access to a small number of government-ID images submitted for age verification appeals, as well as usernames, emails, limited billing info, and IP addresses.
Tactics and Targets
The group employs sophisticated tactics, including exploiting zero-day vulnerabilitie

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 14 Oct 2025 07:45:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters

In this episode of "Upwardly Mobile," we dive into the world of high-stakes corporate extortion, focusing on the sophisticated cybercriminal group ShinyHunters (also tracked as UNC6040) and the subsequent takedown of their infamous platform, BreachForums. The sources detail how the FBI, in collaboration with French law enforcement authorities, seized the Breachforums.hn domain, which the Scattered Lapsus$ Hunters (a gang linked to ShinyHunters, Scattered Spider, and Lapsus$) were using as a data leak and extortion site. This action involved switching the domain’s nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. ShinyHunters confirmed the seizure, noting that law enforcement gained access to BreachForums database backups dating back to 2023 and escrow databases since the latest reboot, effectively declaring that "the era of forums is over". Despite the clearnet site takedown, the threat actors maintained that their Tor dark web site was still accessible and that the seizure would not affect their campaign.
The Massive Salesforce Extortion Campaign
The core focus of the Scattered Lapsus$ Hunters’ recent activity was an extensive Salesforce extortion campaign. This campaign originated in May 2025 when ShinyHunters launched a social engineering campaign using voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The hackers claimed to have stolen more than one billion records containing customer information. The long list of affected companies included major corporations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, and Chanel. Salesforce has publicly stated that they will not engage, negotiate with, or pay any extortion demand.
Beyond Salesforce: Discord and Red Hat
The criminal group also claimed responsibility for other significant intrusions:

- https://www.bleepingcomputer.com/news/security/red-hat-confirms-security-incident-after-hackers-breach-gitlab-instance/: The Scattered Lapsus$ Hunters took credit for compromising a Red Hat GitLab server, stealing more than 28,000 Git code repositories and sensitive internal documents, including customer secrets and infrastructure details.
- https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service: ShinyHunters claimed responsibility for an incident affecting Discord users. Discord confirmed that an unauthorized party compromised a third-party customer service provider (5CA), impacting a limited number of users who had contacted Customer Support or Trust &amp; Safety teams. Critically, the unauthorized party gained access to a small number of government-ID images submitted for age verification appeals, as well as usernames, emails, limited billing info, and IP addresses.
Tactics and Targets
The group employs sophisticated tactics, including exploiting zero-day vulnerabilitie

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters

In this episode of "Upwardly Mobile," we dive into the world of high-stakes corporate extortion, focusing on the sophisticated cybercriminal group ShinyHunters (also tracked as UNC6040) and the subsequent takedown of their infamous platform, BreachForums. The sources detail how the FBI, in collaboration with French law enforcement authorities, seized the Breachforums.hn domain, which the Scattered Lapsus$ Hunters (a gang linked to ShinyHunters, Scattered Spider, and Lapsus$) were using as a data leak and extortion site. This action involved switching the domain’s nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. ShinyHunters confirmed the seizure, noting that law enforcement gained access to BreachForums database backups dating back to 2023 and escrow databases since the latest reboot, effectively declaring that "the era of forums is over". Despite the clearnet site takedown, the threat actors maintained that their Tor dark web site was still accessible and that the seizure would not affect their campaign.
The Massive Salesforce Extortion Campaign
The core focus of the Scattered Lapsus$ Hunters’ recent activity was an extensive Salesforce extortion campaign. This campaign originated in May 2025 when ShinyHunters launched a social engineering campaign using voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The hackers claimed to have stolen more than one billion records containing customer information. The long list of affected companies included major corporations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, and Chanel. Salesforce has publicly stated that they will not engage, negotiate with, or pay any extortion demand.
Beyond Salesforce: Discord and Red Hat
The criminal group also claimed responsibility for other significant intrusions:

- https://www.bleepingcomputer.com/news/security/red-hat-confirms-security-incident-after-hackers-breach-gitlab-instance/: The Scattered Lapsus$ Hunters took credit for compromising a Red Hat GitLab server, stealing more than 28,000 Git code repositories and sensitive internal documents, including customer secrets and infrastructure details.
- https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service: ShinyHunters claimed responsibility for an incident affecting Discord users. Discord confirmed that an unauthorized party compromised a third-party customer service provider (5CA), impacting a limited number of users who had contacted Customer Support or Trust &amp; Safety teams. Critically, the unauthorized party gained access to a small number of government-ID images submitted for age verification appeals, as well as usernames, emails, limited billing info, and IP addresses.
Tactics and Targets
The group employs sophisticated tactics, including exploiting zero-day vulnerabilitie

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>724</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68096297]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3420933692.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Next Generation Attestation to Secure Mobile Apps Against Threats from AI</title>
      <link>https://player.megaphone.fm/NPTNI8912961719</link>
      <description>Mobile is officially the digital default. In this episode of Upwardly Mobile, we explore the staggering statistics showing mobile devices dominating global internet usage and discuss the critical security challenges that arise from this mobile-first environment. We then delve into the cutting-edge solution offered by our sponsor, Approov, and their latest platform update, https://www.businesswire.com/news/home/20251007833296/en/Approov-Launches-Next-Generation-Attestation-to-Secure-Mobile-Apps-Against-Threats-from-AI-and-Meet-New-EU-Regulations, including AI-driven attacks and new regulatory pressures.
The Mobile Tipping Point: 64% and Rising
The mobile landscape is at an inflection point. As of 2025, over 64% of all website traffic comes from mobile devices. This dominance is driven by the fact that nearly 96.3% of internet users access the internet using a mobile phone.
• This shift is not just a trend; it is the new normal.
• Mobile traffic reached 64.1% in Q2 2025, marking eight consecutive quarters of growth.
• Developing regions are leading the surge, with Africa having the highest proportion of mobile internet traffic at 69.13%, and Asia seeing 72.3% of all web traffic coming from smartphones.
• The most common activities performed on smartphones include playing a game (68%), listening to music (67%), and using social media (63%).
The Security Gap in a Mobile-First World
The widespread adoption of mobile creates significant security vulnerabilities. Automated threats make it easier for bad actors to clone legitimate apps, steal data, and commit fraud, which can cause irreparable damage to a brand's reputation and financially devastate users. Furthermore, new security gaps are emerging due to regulations like the EU’s Digital Markets Act (DMA), which mandates support for third-party app stores, increasing the risk of fraudulent apps.
Approov 3.5: Protecting the Critical Connection
Approov, the leader in mobile API security, addresses these threats by acting as a digital gatekeeper. Approov protects the critical connection between a mobile app and a company's backend servers (APIs). It ensures that only genuine, untampered apps running in a secure environment can access sensitive services, blocking automated bots, modified apps, and cloned apps before they can compromise data.
The latest platform update, Approov 3.5, delivers next-generation attestation:
• Ready for the DMA and Open App Stores: Approov’s cloud-based verification ensures only genuine app instances—regardless of their distribution source—can access a company’s APIs.
• Hardware-Backed Security (Android): Cryptographic keys are stored in a secure, isolated “vault” on the device’s hardware, making cloning an app’s identity virtually impossible.
• Defense Against AI-Powered Attacks: The platform provides real-time threat analytics, allowing security teams to dynamically issue over-the-air (OTA) updates to block emerging AI threats without requiring an app update.
• Immutable App S

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 11 Oct 2025 00:20:15 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Mobile is officially the digital default. In this episode of Upwardly Mobile, we explore the staggering statistics showing mobile devices dominating global internet usage and discuss the critical security challenges that arise from this mobile-first environment. We then delve into the cutting-edge solution offered by our sponsor, Approov, and their latest platform update, https://www.businesswire.com/news/home/20251007833296/en/Approov-Launches-Next-Generation-Attestation-to-Secure-Mobile-Apps-Against-Threats-from-AI-and-Meet-New-EU-Regulations, including AI-driven attacks and new regulatory pressures.
The Mobile Tipping Point: 64% and Rising
The mobile landscape is at an inflection point. As of 2025, over 64% of all website traffic comes from mobile devices. This dominance is driven by the fact that nearly 96.3% of internet users access the internet using a mobile phone.
• This shift is not just a trend; it is the new normal.
• Mobile traffic reached 64.1% in Q2 2025, marking eight consecutive quarters of growth.
• Developing regions are leading the surge, with Africa having the highest proportion of mobile internet traffic at 69.13%, and Asia seeing 72.3% of all web traffic coming from smartphones.
• The most common activities performed on smartphones include playing a game (68%), listening to music (67%), and using social media (63%).
The Security Gap in a Mobile-First World
The widespread adoption of mobile creates significant security vulnerabilities. Automated threats make it easier for bad actors to clone legitimate apps, steal data, and commit fraud, which can cause irreparable damage to a brand's reputation and financially devastate users. Furthermore, new security gaps are emerging due to regulations like the EU’s Digital Markets Act (DMA), which mandates support for third-party app stores, increasing the risk of fraudulent apps.
Approov 3.5: Protecting the Critical Connection
Approov, the leader in mobile API security, addresses these threats by acting as a digital gatekeeper. Approov protects the critical connection between a mobile app and a company's backend servers (APIs). It ensures that only genuine, untampered apps running in a secure environment can access sensitive services, blocking automated bots, modified apps, and cloned apps before they can compromise data.
The latest platform update, Approov 3.5, delivers next-generation attestation:
• Ready for the DMA and Open App Stores: Approov’s cloud-based verification ensures only genuine app instances—regardless of their distribution source—can access a company’s APIs.
• Hardware-Backed Security (Android): Cryptographic keys are stored in a secure, isolated “vault” on the device’s hardware, making cloning an app’s identity virtually impossible.
• Defense Against AI-Powered Attacks: The platform provides real-time threat analytics, allowing security teams to dynamically issue over-the-air (OTA) updates to block emerging AI threats without requiring an app update.
• Immutable App S

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Mobile is officially the digital default. In this episode of Upwardly Mobile, we explore the staggering statistics showing mobile devices dominating global internet usage and discuss the critical security challenges that arise from this mobile-first environment. We then delve into the cutting-edge solution offered by our sponsor, Approov, and their latest platform update, https://www.businesswire.com/news/home/20251007833296/en/Approov-Launches-Next-Generation-Attestation-to-Secure-Mobile-Apps-Against-Threats-from-AI-and-Meet-New-EU-Regulations, including AI-driven attacks and new regulatory pressures.
The Mobile Tipping Point: 64% and Rising
The mobile landscape is at an inflection point. As of 2025, over 64% of all website traffic comes from mobile devices. This dominance is driven by the fact that nearly 96.3% of internet users access the internet using a mobile phone.
• This shift is not just a trend; it is the new normal.
• Mobile traffic reached 64.1% in Q2 2025, marking eight consecutive quarters of growth.
• Developing regions are leading the surge, with Africa having the highest proportion of mobile internet traffic at 69.13%, and Asia seeing 72.3% of all web traffic coming from smartphones.
• The most common activities performed on smartphones include playing a game (68%), listening to music (67%), and using social media (63%).
The Security Gap in a Mobile-First World
The widespread adoption of mobile creates significant security vulnerabilities. Automated threats make it easier for bad actors to clone legitimate apps, steal data, and commit fraud, which can cause irreparable damage to a brand's reputation and financially devastate users. Furthermore, new security gaps are emerging due to regulations like the EU’s Digital Markets Act (DMA), which mandates support for third-party app stores, increasing the risk of fraudulent apps.
Approov 3.5: Protecting the Critical Connection
Approov, the leader in mobile API security, addresses these threats by acting as a digital gatekeeper. Approov protects the critical connection between a mobile app and a company's backend servers (APIs). It ensures that only genuine, untampered apps running in a secure environment can access sensitive services, blocking automated bots, modified apps, and cloned apps before they can compromise data.
The latest platform update, Approov 3.5, delivers next-generation attestation:
• Ready for the DMA and Open App Stores: Approov’s cloud-based verification ensures only genuine app instances—regardless of their distribution source—can access a company’s APIs.
• Hardware-Backed Security (Android): Cryptographic keys are stored in a secure, isolated “vault” on the device’s hardware, making cloning an app’s identity virtually impossible.
• Defense Against AI-Powered Attacks: The platform provides real-time threat analytics, allowing security teams to dynamically issue over-the-air (OTA) updates to block emerging AI threats without requiring an app update.
• Immutable App S

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>692</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/68096138]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8912961719.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Big Tech's Gamble: Lawsuits Challenge Apple, Google, and Meta Over Social Casino Apps</title>
      <link>https://player.megaphone.fm/NPTNI3267942227</link>
<description>In this episode of Upwardly Mobile, we dive into the significant legal challenges facing major technology companies—Apple, Google (Alphabet), and Meta Platforms—as they are forced to defend themselves against class action lawsuits alleging that they promoted and profited from illegal social casino gambling apps. A recent ruling by U.S. District Judge Edward Davila in San Jose, California, denied the companies' requests to dismiss the lawsuits. The plaintiffs, numbering in the dozens, contend that the companies' platforms—Apple’s App Store, Google’s Play Store, and Meta’s Facebook—promoted an “authentic Vegas-style experience of slot machine gambling” through an allegedly illegal racketeering conspiracy.
Key Takeaways from the Litigation:

- The Liability Claim: The core claim is that the defendants "willingly assist, promote and profit from" allegedly illegal gambling. This is achieved by:
    - Offering users access to the apps through their stores.
    - Taking a substantial percentage of consumer purchases (estimated at 30% commission, totaling over $2 billion) on in-app transactions for items like Game Coins and Sweeps Coins.
    - Processing these allegedly illicit transactions using proprietary payment systems.
    - Using targeted advertising to "shepherd the most vulnerable customers" to the casino apps.
- The Section 230 Defense Rejected: Apple, Google, and Meta argued that Section 230 of the federal Communications Decency Act protected them from liability because this law shields online platforms from lawsuits over third-party content. Judge Davila rejected this argument, finding that the companies did not act as "publishers" when processing payments. The judge emphasized that the "crux of plaintiffs’ theory is that defendants improperly processed payments for social casino apps".
- "Neutral Tools" Argument Undercut: The court called it irrelevant that the companies provided "neutral tools" (like payment processing) to support the apps.
- Damages Sought: The lawsuits seek unspecified compensatory and triple damages, among other remedies.
- Appeals and Case History: Judge Davila allowed the defendants to immediately appeal his decision to the 9th U.S. Circuit Court of Appeals, acknowledging the importance of the Section 230 issues. The litigation against the Silicon Valley-based companies began in 2021.
- Additional Suits: Separately, a new lawsuit was filed against Apple and Google by lead Plaintiff Bargo (not naming the social casino operators), alleging the distribution of "patently illegal gambling software" in New Jersey and New York. This complaint includes legal claims under NJ and NY gambling loss recovery statutes, consumer protection laws, and RICO laws.
Sponsor Message: This episode of Upwardly Mobile is brought to you by our sponsor. Learn how to secure your mobile app business today. Visit https://approov.io/.
Relevant Source Materials &amp; Case Information:

- Article Reference (Legal Analysis): Excerpts from "Apple and Go

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 05 Oct 2025 17:00:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
<itunes:summary>In this episode of Upwardly Mobile, we dive into the significant legal challenges facing major technology companies—Apple, Google (Alphabet), and Meta Platforms—as they are forced to defend themselves against class action lawsuits alleging that they promoted and profited from illegal social casino gambling apps. A recent ruling by U.S. District Judge Edward Davila in San Jose, California, denied the companies' requests to dismiss the lawsuits. The plaintiffs, numbering in the dozens, contend that the companies' platforms—Apple’s App Store, Google’s Play Store, and Meta’s Facebook—promoted an “authentic Vegas-style experience of slot machine gambling” through an allegedly illegal racketeering conspiracy.
Key Takeaways from the Litigation:

- The Liability Claim: The core claim is that the defendants "willingly assist, promote and profit from" allegedly illegal gambling. This is achieved by:
    - Offering users access to the apps through their stores.
    - Taking a substantial percentage of consumer purchases (estimated at 30% commission, totaling over $2 billion) on in-app transactions for items like Game Coins and Sweeps Coins.
    - Processing these allegedly illicit transactions using proprietary payment systems.
    - Using targeted advertising to "shepherd the most vulnerable customers" to the casino apps.
- The Section 230 Defense Rejected: Apple, Google, and Meta argued that Section 230 of the federal Communications Decency Act protected them from liability because this law shields online platforms from lawsuits over third-party content. Judge Davila rejected this argument, finding that the companies did not act as "publishers" when processing payments. The judge emphasized that the "crux of plaintiffs’ theory is that defendants improperly processed payments for social casino apps".
- "Neutral Tools" Argument Undercut: The court called it irrelevant that the companies provided "neutral tools" (like payment processing) to support the apps.
- Damages Sought: The lawsuits seek unspecified compensatory and triple damages, among other remedies.
- Appeals and Case History: Judge Davila allowed the defendants to immediately appeal his decision to the 9th U.S. Circuit Court of Appeals, acknowledging the importance of the Section 230 issues. The litigation against the Silicon Valley-based companies began in 2021.
- Additional Suits: Separately, a new lawsuit was filed against Apple and Google by lead Plaintiff Bargo (not naming the social casino operators), alleging the distribution of "patently illegal gambling software" in New Jersey and New York. This complaint includes legal claims under NJ and NY gambling loss recovery statutes, consumer protection laws, and RICO laws.
Sponsor Message: This episode of Upwardly Mobile is brought to you by our sponsor. Learn how to secure your mobile app business today. Visit https://approov.io/.
Relevant Source Materials &amp; Case Information:

- Article Reference (Legal Analysis): Excerpts from "Apple and Go

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
<![CDATA[In this episode of Upwardly Mobile, we dive into the significant legal challenges facing major technology companies—Apple, Google (Alphabet), and Meta Platforms—as they are forced to defend themselves against class action lawsuits alleging that they promoted and profited from illegal social casino gambling apps. A recent ruling by U.S. District Judge Edward Davila in San Jose, California, denied the companies' requests to dismiss the lawsuits. The plaintiffs, numbering in the dozens, contend that the companies' platforms—Apple’s App Store, Google’s Play Store, and Meta’s Facebook—promoted an “authentic Vegas-style experience of slot machine gambling” through an allegedly illegal racketeering conspiracy.
Key Takeaways from the Litigation:

- The Liability Claim: The core claim is that the defendants "willingly assist, promote and profit from" allegedly illegal gambling. This is achieved by:
    - Offering users access to the apps through their stores.
    - Taking a substantial percentage of consumer purchases (estimated at 30% commission, totaling over $2 billion) on in-app transactions for items like Game Coins and Sweeps Coins.
    - Processing these allegedly illicit transactions using proprietary payment systems.
    - Using targeted advertising to "shepherd the most vulnerable customers" to the casino apps.
- The Section 230 Defense Rejected: Apple, Google, and Meta argued that Section 230 of the federal Communications Decency Act protected them from liability because this law shields online platforms from lawsuits over third-party content. Judge Davila rejected this argument, finding that the companies did not act as "publishers" when processing payments. The judge emphasized that the "crux of plaintiffs’ theory is that defendants improperly processed payments for social casino apps".
- "Neutral Tools" Argument Undercut: The court called it irrelevant that the companies provided "neutral tools" (like payment processing) to support the apps.
- Damages Sought: The lawsuits seek unspecified compensatory and triple damages, among other remedies.
- Appeals and Case History: Judge Davila allowed the defendants to immediately appeal his decision to the 9th U.S. Circuit Court of Appeals, acknowledging the importance of the Section 230 issues. The litigation against the Silicon Valley-based companies began in 2021.
- Additional Suits: Separately, a new lawsuit was filed against Apple and Google by lead Plaintiff Bargo (not naming the social casino operators), alleging the distribution of "patently illegal gambling software" in New Jersey and New York. This complaint includes legal claims under NJ and NY gambling loss recovery statutes, consumer protection laws, and RICO laws.
Sponsor Message: This episode of Upwardly Mobile is brought to you by our sponsor. Learn how to secure your mobile app business today. Visit https://approov.io/.
Relevant Source Materials &amp; Case Information:

- Article Reference (Legal Analysis): Excerpts from "Apple and Go

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>648</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67988338]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3267942227.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>How Misconfigured Firebase Servers Exposed User Credentials and Private Data?</title>
      <link>https://player.megaphone.fm/NPTNI8105741576</link>
      <description>In this critical episode of Upwardly Mobile, we delve into the alarming cybersecurity incident involving massive data exposure stemming from misconfigured Firebase servers. Cybersecurity researchers uncovered a breach that exposed the sensitive information and plaintext passwords of over 1.8 million users. This wasn't the result of sophisticated hacking, but rather "basic negligence" and developers failing to implement standard security settings.
We discuss why Firebase, Google's popular backend-as-a-service (BaaS) for mobile apps, has become a liability risk when developers neglect configuration best practices.
What was exposed and the devastating scope of the leak:
The scope of this data leak is massive, involving publicly accessible Firebase real-time databases used by more than 900 mobile applications, predominantly Android-based. These affected apps spanned categories including health, fitness, education, and finance.
The highly sensitive user data exposed included:
• Plaintext passwords (unencrypted)
• Usernames, email addresses, and phone numbers
• Billing information
• High-privilege API tokens, AWS root access tokens, and private chat logs
• Millions of user ID photos
The Failure of Security as an Afterthought:
Experts warn that storing plaintext passwords on open cloud databases in 2025 is "reckless". The breach occurred because developers failed to secure their Firebase instances, often by extending insecure "test-mode" configurations or inadvertently leaving production environments vulnerable. Responsibility for this preventable disaster lies with both the developers and Firebase itself, for allowing insecure default settings.
We also explore the technical mechanism behind these breaches: automated scanning tools (like OpenFirebase) are actively exploiting this vulnerability by parsing Android Package Kit (APK) files to extract Firebase project IDs and API keys, then probing service URLs for unauthenticated access.
This incident serves as a strong wake-up call for the tech industry, emphasizing the critical need for mandatory security training and treating security as a core function of software development—not an afterthought.
--------------------------------------------------------------------------------
🛡️ Sponsor: Approov
Protect your mobile APIs and prevent automated attacks that exploit hardcoded secrets and misconfigurations. Secure your apps from the client-side up.
Learn more and protect your platform at https://approov.io/podcast
--------------------------------------------------------------------------------
Source Materials &amp; Links
• Article 1: "Massive data leak exposes passwords of 1.8 million users through misconfigured Firebase servers," ZENDATA (May 25, 2025).
• Article 2: "Numerous Applications Using Google's Firebase Platform Leaking Highly Sensitive Data," Cyber Security News (September 25, 2025).
--------------------------------------------------------------------------------
Keywords: Data Leak,

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 03 Oct 2025 08:15:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this critical episode of Upwardly Mobile, we delve into the alarming cybersecurity incident involving massive data exposure stemming from misconfigured Firebase servers. Cybersecurity researchers uncovered a breach that exposed the sensitive information and plaintext passwords of over 1.8 million users. This wasn't the result of sophisticated hacking, but rather "basic negligence" and developers failing to implement standard security settings.
We discuss why Firebase, Google's popular backend-as-a-service (BaaS) for mobile apps, has become a liability risk when developers neglect configuration best practices.
What was exposed and the devastating scope of the leak:
The scope of this data leak is massive, involving publicly accessible Firebase real-time databases used by more than 900 mobile applications, predominantly Android-based. These affected apps spanned categories including health, fitness, education, and finance.
The highly sensitive user data exposed included:
• Plaintext passwords (unencrypted)
• Usernames, email addresses, and phone numbers
• Billing information
• High-privilege API tokens, AWS root access tokens, and private chat logs
• Millions of user ID photos
The Failure of Security as an Afterthought:
Experts warn that storing plaintext passwords on open cloud databases in 2025 is "reckless". The breach occurred because developers failed to secure their Firebase instances, often by extending insecure "test-mode" configurations or inadvertently leaving production environments vulnerable. Responsibility for this preventable disaster lies with both the developers and Firebase itself, for allowing insecure default settings.
We also explore the technical mechanism behind these breaches: automated scanning tools (like OpenFirebase) are actively exploiting this vulnerability by parsing Android Package Kit (APK) files to extract Firebase project IDs and API keys, then probing service URLs for unauthenticated access.
This incident serves as a strong wake-up call for the tech industry, emphasizing the critical need for mandatory security training and treating security as a core function of software development—not an afterthought.
--------------------------------------------------------------------------------
🛡️ Sponsor: Approov
Protect your mobile APIs and prevent automated attacks that exploit hardcoded secrets and misconfigurations. Secure your apps from the client-side up.
Learn more and protect your platform at https://approov.io/podcast
--------------------------------------------------------------------------------
Source Materials &amp; Links
• Article 1: "Massive data leak exposes passwords of 1.8 million users through misconfigured Firebase servers," ZENDATA (May 25, 2025).
• Article 2: "Numerous Applications Using Google's Firebase Platform Leaking Highly Sensitive Data," Cyber Security News (September 25, 2025).
--------------------------------------------------------------------------------
Keywords: Data Leak,

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this critical episode of Upwardly Mobile, we delve into the alarming cybersecurity incident involving massive data exposure stemming from misconfigured Firebase servers. Cybersecurity researchers uncovered a breach that exposed the sensitive information and plaintext passwords of over 1.8 million users. This wasn't the result of sophisticated hacking, but rather "basic negligence" and developers failing to implement standard security settings.
We discuss why Firebase, Google's popular backend-as-a-service (BaaS) for mobile apps, has become a liability risk when developers neglect configuration best practices.
What was exposed and the devastating scope of the leak:
The scope of this data leak is massive, involving publicly accessible Firebase real-time databases used by more than 900 mobile applications, predominantly Android-based. These affected apps spanned categories including health, fitness, education, and finance.
The highly sensitive user data exposed included:
• Plaintext passwords (unencrypted)
• Usernames, email addresses, and phone numbers
• Billing information
• High-privilege API tokens, AWS root access tokens, and private chat logs
• Millions of user ID photos
The Failure of Security as an Afterthought:
Experts warn that storing plaintext passwords on open cloud databases in 2025 is "reckless". The breach occurred because developers failed to secure their Firebase instances, often by extending insecure "test-mode" configurations or inadvertently leaving production environments vulnerable. Responsibility for this preventable disaster lies with both the developers and Firebase itself, for allowing insecure default settings.
We also explore the technical mechanism behind these breaches: automated scanning tools (like OpenFirebase) are actively exploiting this vulnerability by parsing Android Package Kit (APK) files to extract Firebase project IDs and API keys, then probing service URLs for unauthenticated access.
This incident serves as a strong wake-up call for the tech industry, emphasizing the critical need for mandatory security training and treating security as a core function of software development—not an afterthought.
--------------------------------------------------------------------------------
🛡️ Sponsor: Approov
Protect your mobile APIs and prevent automated attacks that exploit hardcoded secrets and misconfigurations. Secure your apps from the client-side up.
Learn more and protect your platform at https://approov.io/podcast
--------------------------------------------------------------------------------
Source Materials &amp; Links
• Article 1: "Massive data leak exposes passwords of 1.8 million users through misconfigured Firebase servers," ZENDATA (May 25, 2025).
• Article 2: "Numerous Applications Using Google's Firebase Platform Leaking Highly Sensitive Data," Cyber Security News (September 25, 2025).
--------------------------------------------------------------------------------
Keywords: Data Leak,

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>655</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67915866]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8105741576.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Neon's Data Disaster: How a Viral AI App Exposed 75,000 Users and Went Dark</title>
      <link>https://player.megaphone.fm/NPTNI3859038233</link>
      <description>Neon's Data Disaster: How a Viral AI App Exposed 75,000 Users and Went Dark
In this urgent episode of https://approov.io/podcast, we break down the spectacular rise and immediate fall of the highly controversial mobile application, Neon. The app, which recently topped the charts and went viral on platforms like TikTok, promised users payment in exchange for recording their phone calls. These recordings were then sold to AI companies for training. However, less than 24 hours after gaining widespread attention, a significant security flaw was discovered. According to reports from TechCrunch, this flaw allowed public access to extremely sensitive user data.
The Security Catastrophe
The call-recording app had rapidly climbed the App Store ranks, reporting 75,000 downloads in a single day. Despite its rapid growth, Neon was forced offline after the security issue was discovered by TechCrunch. The flaw was so severe that it allowed anyone utilizing a network analysis tool to access private information belonging to other users. Exposed data included:
- Users' phone numbers.
- Call recordings and accessible URLs to the raw audio files.
- Text transcripts of the recorded calls.
- Detailed metadata connected to the calls, including the phone number of the person called, the time and duration of the call, and the amount earned from the call.
The Company Response
Following the discovery, Neon founder Alex Kiam sent an email to customers notifying them of the app's temporary shutdown. Kiam stated that they were taking the app down to "add extra layers of security" because "Your data privacy is our number one priority". However, it is crucial to note that the email failed to warn users about the specific security issue or that their phone numbers, call recordings, and transcripts had been exposed. TechCrunch noted that although the app's servers were taken down, rendering the app useless, it remained available in the App Store. If Neon does make a comeback, it will certainly receive increased scrutiny regarding its security protocols.
Secure Your Mobile Infrastructure with Our Sponsor
In a world where mobile app security flaws can rapidly expose millions of data points, protecting your back-end servers and APIs is non-negotiable. Our episode today highlights the critical importance of mobile app protection from the get-go. Learn how to implement proactive mobile security measures. Visit: https://approov.io/
Relevant Source Materials &amp; Further Reading
- Excerpts from "Neon, the viral app that pays users to record calls, goes offline after exposing data | Mashable"
- Excerpts from "Viral call-recording app Neon goes dark after exposing users' phone numbers, call recordings, and transcripts | TechCrunch"
Keywords: Neon app security flaw, AI training data, call recording app, data privacy, cybersecurity, mobile app data exposure, Alex Kiam, App Store security, TechCrunch exclusive, data breach, viral app failure, mobile security.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 29 Sep 2025 07:05:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Neon's Data Disaster: How a Viral AI App Exposed 75,000 Users and Went Dark
In this urgent episode of https://approov.io/podcast, we break down the spectacular rise and immediate fall of the highly controversial mobile application, Neon. The app, which recently topped the charts and went viral on platforms like TikTok, promised users payment in exchange for recording their phone calls. These recordings were then sold to AI companies for training. However, less than 24 hours after gaining widespread attention, a significant security flaw was discovered. According to reports from TechCrunch, this flaw allowed public access to extremely sensitive user data.
The Security Catastrophe
The call-recording app had rapidly climbed the App Store ranks, reporting 75,000 downloads in a single day. Despite its rapid growth, Neon was forced offline after the security issue was discovered by TechCrunch. The flaw was so severe that it allowed anyone utilizing a network analysis tool to access private information belonging to other users. Exposed data included:
- Users' phone numbers.
- Call recordings and accessible URLs to the raw audio files.
- Text transcripts of the recorded calls.
- Detailed metadata connected to the calls, including the phone number of the person called, the time and duration of the call, and the amount earned from the call.
The Company Response
Following the discovery, Neon founder Alex Kiam sent an email to customers notifying them of the app's temporary shutdown. Kiam stated that they were taking the app down to "add extra layers of security" because "Your data privacy is our number one priority". However, it is crucial to note that the email failed to warn users about the specific security issue or that their phone numbers, call recordings, and transcripts had been exposed. TechCrunch noted that although the app's servers were taken down, rendering the app useless, it remained available in the App Store. If Neon does make a comeback, it will certainly receive increased scrutiny regarding its security protocols.
Secure Your Mobile Infrastructure with Our Sponsor
In a world where mobile app security flaws can rapidly expose millions of data points, protecting your back-end servers and APIs is non-negotiable. Our episode today highlights the critical importance of mobile app protection from the get-go. Learn how to implement proactive mobile security measures. Visit: https://approov.io/
Relevant Source Materials &amp; Further Reading
- Excerpts from "Neon, the viral app that pays users to record calls, goes offline after exposing data | Mashable"
- Excerpts from "Viral call-recording app Neon goes dark after exposing users' phone numbers, call recordings, and transcripts | TechCrunch"
Keywords: Neon app security flaw, AI training data, call recording app, data privacy, cybersecurity, mobile app data exposure, Alex Kiam, App Store security, TechCrunch exclusive, data breach, viral app failure, mobile security.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Neon's Data Disaster: How a Viral AI App Exposed 75,000 Users and Went Dark
In this urgent episode of https://approov.io/podcast, we break down the spectacular rise and immediate fall of the highly controversial mobile application, Neon. The app, which recently topped the charts and went viral on platforms like TikTok, promised users payment in exchange for recording their phone calls. These recordings were then sold to AI companies for training. However, less than 24 hours after gaining widespread attention, a significant security flaw was discovered. According to reports from TechCrunch, this flaw allowed public access to extremely sensitive user data.
The Security Catastrophe
The call-recording app had rapidly climbed the App Store ranks, reporting 75,000 downloads in a single day. Despite its rapid growth, Neon was forced offline after the security issue was discovered by TechCrunch. The flaw was so severe that it allowed anyone utilizing a network analysis tool to access private information belonging to other users. Exposed data included:
- Users' phone numbers.
- Call recordings and accessible URLs to the raw audio files.
- Text transcripts of the recorded calls.
- Detailed metadata connected to the calls, including the phone number of the person called, the time and duration of the call, and the amount earned from the call.
The Company Response
Following the discovery, Neon founder Alex Kiam sent an email to customers notifying them of the app's temporary shutdown. Kiam stated that they were taking the app down to "add extra layers of security" because "Your data privacy is our number one priority". However, it is crucial to note that the email failed to warn users about the specific security issue or that their phone numbers, call recordings, and transcripts had been exposed. TechCrunch noted that although the app's servers were taken down, rendering the app useless, it remained available in the App Store. If Neon does make a comeback, it will certainly receive increased scrutiny regarding its security protocols.
Secure Your Mobile Infrastructure with Our Sponsor
In a world where mobile app security flaws can rapidly expose millions of data points, protecting your back-end servers and APIs is non-negotiable. Our episode today highlights the critical importance of mobile app protection from the get-go. Learn how to implement proactive mobile security measures. Visit: https://approov.io/
Relevant Source Materials &amp; Further Reading
- Excerpts from "Neon, the viral app that pays users to record calls, goes offline after exposing data | Mashable"
- Excerpts from "Viral call-recording app Neon goes dark after exposing users' phone numbers, call recordings, and transcripts | TechCrunch"
Keywords: Neon app security flaw, AI training data, call recording app, data privacy, cybersecurity, mobile app data exposure, Alex Kiam, App Store security, TechCrunch exclusive, data breach, viral app failure, mobile security.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>723</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67915814]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3859038233.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Google's Legal Gauntlet: Antitrust Battles and the Future of the App Ecosystem</title>
      <link>https://player.megaphone.fm/NPTNI2597525234</link>
      <description>Google's Legal Gauntlet: Antitrust Battles and the Future of the App Ecosystem 

This week on Upwardly Mobile, we dissect the flurry of major legal decisions facing Google in September 2025, from its desperate plea to the Supreme Court to halt the Epic Games injunction to the final ruling in the federal search monopoly case. We explore the massive shifts coming to the Android app ecosystem and Google's mandated business practice changes.

Episode Notes
September 2025: A Critical Month for Google's Antitrust Defense
Google is challenging two massive antitrust rulings simultaneously, initiating what the sources describe as its "last hope" to maintain control over core business functions.

Part 1: The Epic Games Showdown at the Supreme Court
Google has asked the U.S. Supreme Court to intervene and pause the injunction it received following a major legal loss to Epic Games in October 2024. The company is seeking a decision on the stay by October 17, just days before the injunction is scheduled to take effect around October 20 or 22. The injunction, upheld by the Ninth Circuit Court of Appeals, requires Google to make several fundamental changes to the Google Play Store and the Android app ecosystem:
- Open the Play Store: Google must allow users to download and use third-party app stores for a period of three years.
- External Billing: Google is no longer allowed to force developers to use its billing system; developers must be allowed to include external links in apps, enabling users to bypass Google’s billing system.
- End Pre-Install Deals: Google can no longer make deals around pre-installing the Play Store on phones.
Google argues that this "unprecedented antitrust injunction" will "[create] enormous security and safety risks" by allowing the proliferation of stores that stock "malicious, deceptive or pirated content". Furthermore, Google claims the injunction burdens developers with constantly monitoring numerous stores and makes it substantially easier for developers to avoid compensating Google for services. Epic Games strongly disagrees, stating that Google continues to rely on "flawed security claims" rejected by the jury and the Ninth Circuit. Epic maintains that the injunction should go into effect so consumers and developers can benefit from competition, choices, and lower prices.

Part 2: The Search Monopoly Ruling
In a separate, long-running federal monopoly case, U.S. District Judge Amit Mehta ruled on remedies following his earlier decision that Google had acted illegally to maintain a monopoly in internet search. Key aspects of Judge Mehta's September 2025 ruling include:
- No Divestiture of Chrome/Android: The judge denied the Department of Justice's proposal to force Google to sell its Chrome browser or divest the Android operating system, ruling that the government had "overreached".
- End Exclusive Deals: Google is no longer permitted to strike exclusive deals around the distribution of search, Google Assistant, Gemini, or Chrome.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 26 Sep 2025 14:18:44 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Google's Legal Gauntlet: Antitrust Battles and the Future of the App Ecosystem 

This week on Upwardly Mobile, we dissect the flurry of major legal decisions facing Google in September 2025, from its desperate plea to the Supreme Court to halt the Epic Games injunction to the final ruling in the federal search monopoly case. We explore the massive shifts coming to the Android app ecosystem and Google's mandated business practice changes.

Episode Notes
September 2025: A Critical Month for Google's Antitrust Defense
Google is challenging two massive antitrust rulings simultaneously, initiating what the sources describe as its "last hope" to maintain control over core business functions.

Part 1: The Epic Games Showdown at the Supreme Court
Google has asked the U.S. Supreme Court to intervene and pause the injunction it received following a major legal loss to Epic Games in October 2024. The company is seeking a decision on the stay by October 17, just days before the injunction is scheduled to take effect around October 20 or 22. The injunction, upheld by the Ninth Circuit Court of Appeals, requires Google to make several fundamental changes to the Google Play Store and the Android app ecosystem:
- Open the Play Store: Google must allow users to download and use third-party app stores for a period of three years.
- External Billing: Google is no longer allowed to force developers to use its billing system; developers must be allowed to include external links in apps, enabling users to bypass Google’s billing system.
- End Pre-Install Deals: Google can no longer make deals around pre-installing the Play Store on phones.
Google argues that this "unprecedented antitrust injunction" will "[create] enormous security and safety risks" by allowing the proliferation of stores that stock "malicious, deceptive or pirated content". Furthermore, Google claims the injunction burdens developers with constantly monitoring numerous stores and makes it substantially easier for developers to avoid compensating Google for services. Epic Games strongly disagrees, stating that Google continues to rely on "flawed security claims" rejected by the jury and the Ninth Circuit. Epic maintains that the injunction should go into effect so consumers and developers can benefit from competition, choices, and lower prices.

Part 2: The Search Monopoly Ruling
In a separate, long-running federal monopoly case, U.S. District Judge Amit Mehta ruled on remedies following his earlier decision that Google had acted illegally to maintain a monopoly in internet search. Key aspects of Judge Mehta's September 2025 ruling include:
- No Divestiture of Chrome/Android: The judge denied the Department of Justice's proposal to force Google to sell its Chrome browser or divest the Android operating system, ruling that the government had "overreached".
- End Exclusive Deals: Google is no longer permitted to strike exclusive deals around the distribution of search, Google Assistant, Gemini, or Chrome.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Google's Legal Gauntlet: Antitrust Battles and the Future of the App Ecosystem 

This week on Upwardly Mobile, we dissect the flurry of major legal decisions facing Google in September 2025, from its desperate plea to the Supreme Court to halt the Epic Games injunction to the final ruling in the federal search monopoly case. We explore the massive shifts coming to the Android app ecosystem and Google's mandated business practice changes.

Episode Notes
September 2025: A Critical Month for Google's Antitrust Defense
Google is challenging two massive antitrust rulings simultaneously, initiating what the sources describe as its "last hope" to maintain control over core business functions.

Part 1: The Epic Games Showdown at the Supreme Court
Google has asked the U.S. Supreme Court to intervene and pause the injunction it received following a major legal loss to Epic Games in October 2024. The company is seeking a decision on the stay by October 17, just days before the injunction is scheduled to take effect around October 20 or 22. The injunction, upheld by the Ninth Circuit Court of Appeals, requires Google to make several fundamental changes to the Google Play Store and the Android app ecosystem:
- Open the Play Store: Google must allow users to download and use third-party app stores for a period of three years.
- External Billing: Google is no longer allowed to force developers to use its billing system; developers must be allowed to include external links in apps, enabling users to bypass Google’s billing system.
- End Pre-Install Deals: Google can no longer make deals around pre-installing the Play Store on phones.
Google argues that this "unprecedented antitrust injunction" will "[create] enormous security and safety risks" by allowing the proliferation of stores that stock "malicious, deceptive or pirated content". Furthermore, Google claims the injunction burdens developers with constantly monitoring numerous stores and makes it substantially easier for developers to avoid compensating Google for services. Epic Games strongly disagrees, stating that Google continues to rely on "flawed security claims" rejected by the jury and the Ninth Circuit. Epic maintains that the injunction should go into effect so consumers and developers can benefit from competition, choices, and lower prices.

Part 2: The Search Monopoly Ruling
In a separate, long-running federal monopoly case, U.S. District Judge Amit Mehta ruled on remedies following his earlier decision that Google had acted illegally to maintain a monopoly in internet search. Key aspects of Judge Mehta's September 2025 ruling include:
- No Divestiture of Chrome/Android: The judge denied the Department of Justice's proposal to force Google to sell its Chrome browser or divest the Android operating system, ruling that the government had "overreached".
- End Exclusive Deals: Google is no longer permitted to strike exclusive deals around the distribution of search, Google Assistant, Gemini, or Chrome.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>777</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67908905]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2597525234.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>How Secure Are eSIMs? Exploring Myths and the Reality of Digital SIM Cards</title>
      <link>https://player.megaphone.fm/NPTNI9646627417</link>
      <description>Episode Notes
Description:
In this episode of Upwardly Mobile, we dive into one of the most pressing cybersecurity threats facing mobile carriers and their subscribers: eSIM swap fraud. While digital SIMs offer superior security against physical theft, they remain vulnerable to sophisticated credential-based attacks and social engineering that target the carrier's systems. We explain how this critical fraud operates and reveal the advanced, cloud-based technologies—App Attestation and Device Binding—that mobile operators are now deploying to verify user identity and device integrity in real time, effectively blocking fraudsters before a swap can be completed.
The eSIM Swap Threat
eSIM swapping is a form of identity fraud where an attacker convinces a mobile carrier to transfer a victim's phone number to a new eSIM under the attacker's control, often by impersonating the legitimate user remotely.
• Attack Method: Attackers often gather personal details from public sources or breaches, then contact the carrier, claiming they need to transfer their number to a new device. Since no physical access is needed, the fraud relies entirely on weaknesses in the carrier’s authentication process.
• The Impact: Once a swap is successful, the criminal gains full control over the victim's phone number. They can intercept calls, texts, and, critically, one-time security codes (OTPs) sent via SMS, allowing them to bypass two-factor authentication (2FA) for online banking, cryptocurrency exchanges, and other sensitive accounts, leading to massive financial loss.
https://approov.io/blog/why-hackers-love-phones-keep-your-eye-on-the-device
To counter these remote, identity-based attacks, carriers are adopting a multi-layered verification approach focused on establishing the trustworthiness of the application and the hardware initiating the swap request.
1. App Attestation
This technology focuses on verifying the integrity and legitimacy of the carrier's mobile application.
• Verification: App Attestation confirms that the carrier's app being used is the genuine, untampered version downloaded directly from an official app store.
• Prevention: It detects if the app has been modified with malicious code or is running in a compromised environment, such as an emulator. If an attacker attempts to use a fake or compromised version of the carrier’s app to initiate a fraudulent eSIM swap request, https://approov.io/mobile-app-security/rasp/app-attestation/ detects and blocks that request.
2. Device Binding
Device Binding provides a cryptographic link between a user's account and the unique hardware characteristics of their trusted device.
• Secure Link: When a user first logs in, a secure link is created between the app and the device's hardware IDs.
• Suspicion Flagging: If a request for an eSIM swap is later initiated from a different, unverified device, the system flags the activity as suspicious, regardless of whether the attacker has stolen credentials. The system can the

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 22 Sep 2025 06:20:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Notes
Description:
In this episode of Upwardly Mobile, we dive into one of the most pressing cybersecurity threats facing mobile carriers and their subscribers: eSIM swap fraud. While digital SIMs offer superior security against physical theft, they remain vulnerable to sophisticated credential-based attacks and social engineering that target the carrier's systems. We explain how this critical fraud operates and reveal the advanced, cloud-based technologies—App Attestation and Device Binding—that mobile operators are now deploying to verify user identity and device integrity in real time, effectively blocking fraudsters before a swap can be completed.
The eSIM Swap Threat
eSIM swapping is a form of identity fraud where an attacker convinces a mobile carrier to transfer a victim's phone number to a new eSIM under the attacker's control, often by impersonating the legitimate user remotely.
• Attack Method: Attackers often gather personal details from public sources or breaches, then contact the carrier, claiming they need to transfer their number to a new device. Since no physical access is needed, the fraud relies entirely on weaknesses in the carrier’s authentication process.
• The Impact: Once a swap is successful, the criminal gains full control over the victim's phone number. They can intercept calls, texts, and, critically, one-time security codes (OTPs) sent via SMS, allowing them to bypass two-factor authentication (2FA) for online banking, cryptocurrency exchanges, and other sensitive accounts, leading to massive financial loss.
https://approov.io/blog/why-hackers-love-phones-keep-your-eye-on-the-device
To counter these remote, identity-based attacks, carriers are adopting a multi-layered verification approach focused on establishing the trustworthiness of the application and the hardware initiating the swap request.
1. App Attestation
This technology focuses on verifying the integrity and legitimacy of the carrier's mobile application.
• Verification: App Attestation confirms that the carrier's app being used is the genuine, untampered version downloaded directly from an official app store.
• Prevention: It detects if the app has been modified with malicious code or is running in a compromised environment, such as an emulator. If an attacker attempts to use a fake or compromised version of the carrier’s app to initiate a fraudulent eSIM swap request, https://approov.io/mobile-app-security/rasp/app-attestation/ detects and blocks that request.
2. Device Binding
Device Binding provides a cryptographic link between a user's account and the unique hardware characteristics of their trusted device.
• Secure Link: When a user first logs in, a secure link is created between the app and the device's hardware IDs.
• Suspicion Flagging: If a request for an eSIM swap is later initiated from a different, unverified device, the system flags the activity as suspicious, regardless of whether the attacker has stolen credentials. The system can the

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Notes
Description:
In this episode of Upwardly Mobile, we dive into one of the most pressing cybersecurity threats facing mobile carriers and their subscribers: eSIM swap fraud. While digital SIMs offer superior security against physical theft, they remain vulnerable to sophisticated credential-based attacks and social engineering that target the carrier's systems. We explain how this critical fraud operates and reveal the advanced, cloud-based technologies—App Attestation and Device Binding—that mobile operators are now deploying to verify user identity and device integrity in real time, effectively blocking fraudsters before a swap can be completed.
The eSIM Swap Threat
eSIM swapping is a form of identity fraud where an attacker convinces a mobile carrier to transfer a victim's phone number to a new eSIM under the attacker's control, often by impersonating the legitimate user remotely.
• Attack Method: Attackers often gather personal details from public sources or breaches, then contact the carrier, claiming they need to transfer their number to a new device. Since no physical access is needed, the fraud relies entirely on weaknesses in the carrier’s authentication process.
• The Impact: Once a swap is successful, the criminal gains full control over the victim's phone number. They can intercept calls, texts, and, critically, one-time security codes (OTPs) sent via SMS, allowing them to bypass two-factor authentication (2FA) for online banking, cryptocurrency exchanges, and other sensitive accounts, leading to massive financial loss.
https://approov.io/blog/why-hackers-love-phones-keep-your-eye-on-the-device
To counter these remote, identity-based attacks, carriers are adopting a multi-layered verification approach focused on establishing the trustworthiness of the application and the hardware initiating the swap request.
1. App Attestation
This technology focuses on verifying the integrity and legitimacy of the carrier's mobile application.
• Verification: App Attestation confirms that the carrier's app being used is the genuine, untampered version downloaded directly from an official app store.
• Prevention: It detects if the app has been modified with malicious code or is running in a compromised environment, such as an emulator. If an attacker attempts to use a fake or compromised version of the carrier’s app to initiate a fraudulent eSIM swap request, https://approov.io/mobile-app-security/rasp/app-attestation/ detects and blocks that request.
2. Device Binding
Device Binding provides a cryptographic link between a user's account and the unique hardware characteristics of their trusted device.
• Secure Link: When a user first logs in, a secure link is created between the app and the device's hardware IDs.
• Suspicion Flagging: If a request for an eSIM swap is later initiated from a different, unverified device, the system flags the activity as suspicious, regardless of whether the attacker has stolen credentials. The system can the

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>670</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67833118]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9646627417.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple's Leap in iOS Security: Unpacking Memory Integrity Enforcement (MIE)</title>
      <link>https://player.megaphone.fm/NPTNI5117243215</link>
      <description>In this episode, we're diving deep into Apple's groundbreaking Memory Integrity Enforcement (MIE), an unprecedented effort poised to redefine the landscape of mobile security, and we'll also explore the broader spectrum of threats targeting the iOS ecosystem.

Apple's Memory Integrity Enforcement (MIE) is the culmination of a half-decade of intensive design and engineering, combining the unique strengths of Apple silicon hardware with advanced operating system security. Apple believes MIE represents the most significant upgrade to memory safety in the history of consumer operating systems. This comprehensive, always-on protection is designed to provide industry-first memory safety across Apple devices, all without compromising device performance.

The Driving Force: Combating Mercenary Spyware
While the iPhone has never experienced a successful, widespread malware attack, Apple's focus for MIE is primarily on the mercenary spyware and surveillance industry. These highly sophisticated threats, often associated with state actors, utilize exploit chains that can cost millions of dollars to target a small number of specific individuals. A common denominator in these advanced attacks, whether targeting iOS, Windows, or Android, is their reliance on memory safety vulnerabilities. MIE aims to disrupt these highly effective exploitation techniques that have been prevalent for the last 25 years.

How MIE Works: A Three-Pronged Defense
MIE is built on a robust foundation of hardware and software innovations:
1. Secure Memory Allocators: Apple's efforts in memory safety include developing with safe languages like Swift and deploying mitigations at scale. Key to MIE are its secure memory allocators, such as kalloc_type (introduced in iOS 15 for the kernel) and xzone malloc (for user-level in iOS 17), alongside WebKit's libpas. These allocators use type information to organize memory, thwarting attackers' goals of creating overlapping interpretations of memory to exploit use-after-free and out-of-bounds bugs.
2. Enhanced Memory Tagging Extension (EMTE): Building on Arm's 2019 Memory Tagging Extension (MTE) specification, Apple conducted deep evaluations and collaborated with Arm to address weaknesses, leading to the Enhanced Memory Tagging Extension (EMTE) specification in 2022. MIE rigorously implements EMTE in strictly synchronous, always-on mode, a crucial factor for real-time defensive measures in adversarial contexts. EMTE prevents common memory corruption types:
    ◦ Buffer Overflows: The allocator tags neighboring allocations with different secrets. If memory access spills over into an adjacent allocation with a different tag, the hardware blocks it, and the operating system can terminate the process.
    ◦ Use-After-Free Vulnerabilities: Memory is retagged when reused. If a request uses an older, invalid tag for retagged memory, the hardware blocks it. EMTE also specifies that accessing non-tagged memory from a tagged region requires knowing that reg

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 14 Sep 2025 21:00:59 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this episode, we're diving deep into Apple's groundbreaking Memory Integrity Enforcement (MIE), an unprecedented effort poised to redefine the landscape of mobile security, and we'll also explore the broader spectrum of threats targeting the iOS ecosystem.

Apple's Memory Integrity Enforcement (MIE) is the culmination of a half-decade of intensive design and engineering, combining the unique strengths of Apple silicon hardware with advanced operating system security. Apple believes MIE represents the most significant upgrade to memory safety in the history of consumer operating systems. This comprehensive, always-on protection is designed to provide industry-first memory safety across Apple devices, all without compromising device performance.

The Driving Force: Combating Mercenary Spyware
While the iPhone has never experienced a successful, widespread malware attack, Apple's focus for MIE is primarily on the mercenary spyware and surveillance industry. These highly sophisticated threats, often associated with state actors, utilize exploit chains that can cost millions of dollars to target a small number of specific individuals. A common denominator in these advanced attacks, whether targeting iOS, Windows, or Android, is their reliance on memory safety vulnerabilities. MIE aims to disrupt these highly effective exploitation techniques that have been prevalent for the last 25 years.

How MIE Works: A Three-Pronged Defense
MIE is built on a robust foundation of hardware and software innovations:
1. Secure Memory Allocators: Apple's efforts in memory safety include developing with safe languages like Swift and deploying mitigations at scale. Key to MIE are its secure memory allocators, such as kalloc_type (introduced in iOS 15 for the kernel) and xzone malloc (for user-level in iOS 17), alongside WebKit's libpas. These allocators use type information to organize memory, thwarting attackers' goals of creating overlapping interpretations of memory to exploit use-after-free and out-of-bounds bugs.
2. Enhanced Memory Tagging Extension (EMTE): Building on Arm's 2019 Memory Tagging Extension (MTE) specification, Apple conducted deep evaluations and collaborated with Arm to address weaknesses, leading to the Enhanced Memory Tagging Extension (EMTE) specification in 2022. MIE rigorously implements EMTE in strictly synchronous, always-on mode, a crucial factor for real-time defensive measures in adversarial contexts. EMTE prevents common memory corruption types:
    ◦ Buffer Overflows: The allocator tags neighboring allocations with different secrets. If memory access spills over into an adjacent allocation with a different tag, the hardware blocks it, and the operating system can terminate the process.
    ◦ Use-After-Free Vulnerabilities: Memory is retagged when reused. If a request uses an older, invalid tag for retagged memory, the hardware blocks it. EMTE also specifies that accessing non-tagged memory from a tagged region requires knowing that reg

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode, we're diving deep into Apple's groundbreaking Memory Integrity Enforcement (MIE), an unprecedented effort poised to redefine the landscape of mobile security, and we'll also explore the broader spectrum of threats targeting the iOS ecosystem.

Apple's Memory Integrity Enforcement (MIE) is the culmination of a half-decade of intensive design and engineering, combining the unique strengths of Apple silicon hardware with advanced operating system security. Apple believes MIE represents the most significant upgrade to memory safety in the history of consumer operating systems. This comprehensive, always-on protection is designed to provide industry-first memory safety across Apple devices, all without compromising device performance.

The Driving Force: Combating Mercenary Spyware
While the iPhone has never experienced a successful, widespread malware attack, Apple's focus for MIE is primarily on the mercenary spyware and surveillance industry. These highly sophisticated threats, often associated with state actors, utilize exploit chains that can cost millions of dollars to target a small number of specific individuals. A common denominator in these advanced attacks, whether targeting iOS, Windows, or Android, is their reliance on memory safety vulnerabilities. MIE aims to disrupt these highly effective exploitation techniques that have been prevalent for the last 25 years.

How MIE Works: A Three-Pronged Defense
MIE is built on a robust foundation of hardware and software innovations:
1. Secure Memory Allocators: Apple's efforts in memory safety include developing with safe languages like Swift and deploying mitigations at scale. Key to MIE are its secure memory allocators, such as kalloc_type (introduced in iOS 15 for the kernel) and xzone malloc (for user-level in iOS 17), alongside WebKit's libpas. These allocators use type information to organize memory, thwarting attackers' goals of creating overlapping interpretations of memory to exploit use-after-free and out-of-bounds bugs.
2. Enhanced Memory Tagging Extension (EMTE): Building on Arm's 2019 Memory Tagging Extension (MTE) specification, Apple conducted deep evaluations and collaborated with Arm to address weaknesses, leading to the Enhanced Memory Tagging Extension (EMTE) specification in 2022. MIE rigorously implements EMTE in strictly synchronous, always-on mode, a crucial factor for real-time defensive measures in adversarial contexts. EMTE prevents common memory corruption types:
    ◦ Buffer Overflows: The allocator tags neighboring allocations with different secrets. If memory access spills over into an adjacent allocation with a different tag, the hardware blocks it, and the operating system can terminate the process.
    ◦ Use-After-Free Vulnerabilities: Memory is retagged when reused. If a request uses an older, invalid tag for retagged memory, the hardware blocks it. EMTE also specifies that accessing non-tagged memory from a tagged region requires knowing that reg

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1063</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67756789]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5117243215.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>What the App Store Freedom Act Means for Developers and Consumers?</title>
      <link>https://player.megaphone.fm/NPTNI1407601743</link>
      <description>The App Store Freedom Act

Episode Description: In this episode of Upwardly Mobile, we unpack the App Store Freedom Act, a landmark bipartisan bill aiming to reform the highly concentrated mobile app marketplace dominated by tech giants like Apple and Google. Introduced by Representative Kat Cammack (R-FL) and co-sponsored by Representative Lori Trahan (D-MA), this legislation addresses significant concerns about anti-competitive practices, consumer choice, and developer freedom.
The https://appfairness.org/, an independent nonprofit advocating for consumer choice and a level playing field for app developers, applauds the bill's bipartisan support, seeing it as a crucial step to dismantle "mobile walled gardens". We explore the bill's key provisions, which include allowing users to choose third-party app stores, install apps outside of official stores, and delete pre-installed applications. The Act also seeks to remove limitations on communication between developers and users, cap commissions on payments outside default systems, and mandate data sharing for app developers.
However, the App Store Freedom Act isn't without its critics. We delve into the concerns raised by the American Action Forum, particularly regarding potential overlaps with existing antitrust law and recent rulings like Apple v. Epic Games. A major point of contention is the security implications: opening up app stores could lead to a significant influx of fraudulent apps, data theft, and unverified third-party providers, potentially compromising the "walled garden" security benefits that currently protect users. We also discuss how while the bill might expedite FTC enforcement, it could bypass crucial antitrust requirements, potentially overlooking pro-consumer behaviors by app store providers. Join us as we explore the multifaceted debate surrounding this pivotal piece of tech legislation.
Key Discussion Points:
• The Problem: Anti-competitive practices and lack of consumer freedom in mobile app stores controlled by Apple and Google.
• The Bill's Purpose: To foster competition, enhance consumer choice, and create a level playing field for app developers globally.
• Core Provisions of the App Store Freedom Act (H.R.3209):
    ◦ Interoperability: Users can choose default third-party app stores, install apps from outside sources, and hide/delete pre-installed apps.
    ◦ Open App Development: Requires covered companies to provide developers with access to interfaces, hardware, and software features on equivalent terms.
    ◦ Prohibitions: Bans requirements for specific in-app payment systems, prevents punitive actions against developers using alternative pricing or payment methods, and protects legitimate business communications between developers and users.
    ◦ Nonpublic Business Information: Prohibits covered companies from using developer data to compete against those apps.
• Enforcement: Violations are treated as unfair or deceptive acts by the Federal Trade Commission (FT

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 02 Sep 2025 19:28:47 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The App Store Freedom Act

Episode Description: In this episode of Upwardly Mobile, we unpack the App Store Freedom Act, a landmark bipartisan bill aiming to reform the highly concentrated mobile app marketplace dominated by tech giants like Apple and Google. Introduced by Representative Kat Cammack (R-FL) and co-sponsored by Representative Lori Trahan (D-MA), this legislation addresses significant concerns about anti-competitive practices, consumer choice, and developer freedom.
The https://appfairness.org/, an independent nonprofit advocating for consumer choice and a level playing field for app developers, applauds the bill's bipartisan support, seeing it as a crucial step to dismantle "mobile walled gardens". We explore the bill's key provisions, which include allowing users to choose third-party app stores, install apps outside of official stores, and delete pre-installed applications. The Act also seeks to remove limitations on communication between developers and users, cap commissions on payments outside default systems, and mandate data sharing for app developers.
However, the App Store Freedom Act isn't without its critics. We delve into the concerns raised by the American Action Forum, particularly regarding potential overlaps with existing antitrust law and recent rulings like Apple v. Epic Games. A major point of contention is the security implications: opening up app stores could lead to a significant influx of fraudulent apps, data theft, and unverified third-party providers, potentially compromising the "walled garden" security benefits that currently protect users. We also discuss how while the bill might expedite FTC enforcement, it could bypass crucial antitrust requirements, potentially overlooking pro-consumer behaviors by app store providers. Join us as we explore the multifaceted debate surrounding this pivotal piece of tech legislation.
Key Discussion Points:
• The Problem: Anti-competitive practices and lack of consumer freedom in mobile app stores controlled by Apple and Google.
• The Bill's Purpose: To foster competition, enhance consumer choice, and create a level playing field for app developers globally.
• Core Provisions of the App Store Freedom Act (H.R.3209):
    ◦ Interoperability: Users can choose default third-party app stores, install apps from outside sources, and hide/delete pre-installed apps.
    ◦ Open App Development: Requires covered companies to provide developers with access to interfaces, hardware, and software features on equivalent terms.
    ◦ Prohibitions: Bans requirements for specific in-app payment systems, prevents punitive actions against developers using alternative pricing or payment methods, and protects legitimate business communications between developers and users.
    ◦ Nonpublic Business Information: Prohibits covered companies from using developer data to compete against those apps.
• Enforcement: Violations are treated as unfair or deceptive acts by the Federal Trade Commission (FT

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The App Store Freedom Act

Episode Description: In this episode of Upwardly Mobile, we unpack the App Store Freedom Act, a landmark bipartisan bill aiming to reform the highly concentrated mobile app marketplace dominated by tech giants like Apple and Google. Introduced by Representative Kat Cammack (R-FL) and co-sponsored by Representative Lori Trahan (D-MA), this legislation addresses significant concerns about anti-competitive practices, consumer choice, and developer freedom.
The https://appfairness.org/, an independent nonprofit advocating for consumer choice and a level playing field for app developers, applauds the bill's bipartisan support, seeing it as a crucial step to dismantle "mobile walled gardens". We explore the bill's key provisions, which include allowing users to choose third-party app stores, install apps outside of official stores, and delete pre-installed applications. The Act also seeks to remove limitations on communication between developers and users, cap commissions on payments outside default systems, and mandate data sharing for app developers.
However, the App Store Freedom Act isn't without its critics. We delve into the concerns raised by the American Action Forum, particularly regarding potential overlaps with existing antitrust law and recent rulings like Apple v. Epic Games. A major point of contention is the security implications: opening up app stores could lead to a significant influx of fraudulent apps, data theft, and unverified third-party providers, potentially compromising the "walled garden" security benefits that currently protect users. We also discuss how while the bill might expedite FTC enforcement, it could bypass crucial antitrust requirements, potentially overlooking pro-consumer behaviors by app store providers. Join us as we explore the multifaceted debate surrounding this pivotal piece of tech legislation.
Key Discussion Points:
• The Problem: Anti-competitive practices and lack of consumer freedom in mobile app stores controlled by Apple and Google.
• The Bill's Purpose: To foster competition, enhance consumer choice, and create a level playing field for app developers globally.
• Core Provisions of the App Store Freedom Act (H.R.3209):
    ◦ Interoperability: Users can choose default third-party app stores, install apps from outside sources, and hide/delete pre-installed apps.
    ◦ Open App Development: Requires covered companies to provide developers with access to interfaces, hardware, and software features on equivalent terms.
    ◦ Prohibitions: Bans requirements for specific in-app payment systems, prevents punitive actions against developers using alternative pricing or payment methods, and protects legitimate business communications between developers and users.
    ◦ Nonpublic Business Information: Prohibits covered companies from using developer data to compete against those apps.
• Enforcement: Violations are treated as unfair or deceptive acts by the Federal Trade Commission (FT

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>898</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67600451]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1407601743.mp3?updated=1778682010" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Anatsa Unleashed | Android Banking Trojan Targets Over 830 Financial Apps Globally</title>
      <link>https://player.megaphone.fm/NPTNI9684465447</link>
      <description>Episode Title: Anatsa Unleashed: How a Sophisticated Android Banking Trojan Targets Over 830 Financial Apps Globally

In this episode of "Upwardly Mobile," we dive deep into the alarming evolution of Anatsa, a potent Android banking trojan that has significantly expanded its reach, now setting its sights on over 830 financial applications worldwide. First identified in 2020, Anatsa (also known as Teabot or Troddler) grants its operators full control over infected devices, enabling them to perform fraudulent transactions and steal critical bank information, cryptocurrencies, and various other data on behalf of victims.
What You'll Learn in This Episode:
• Anatsa's Expanded Targets: Discover how the Anatsa banking trojan has broadened its scope to include more than 150 new banking and cryptocurrency applications, extending its malicious campaigns to mobile users in new countries like Germany and South Korea.
• Deceptive Distribution Methods: Understand the cunning ways Anatsa spreads, primarily through decoy applications found on the official Google Play Store. These seemingly harmless apps often masquerade as useful tools like PDF viewers, QR code scanners, or phone cleaners, accumulating over 50,000 downloads in some cases. Once installed, they silently fetch a malicious payload disguised as an update from Anatsa's command-and-control (C&amp;C) server.
• Advanced Evasion Techniques: Learn about Anatsa's sophisticated anti-analysis and anti-detection mechanisms, designed to evade security measures. These include decrypting strings at runtime using dynamically generated Data Encryption Standard (DES) keys, performing emulation and device model checks, and periodically altering package names and installation hashes. The malware even hides its DEX payload within corrupted archives that bypass standard static analysis tools.
• How Anatsa Compromises Devices: Find out how Anatsa requests and automatically enables critical accessibility permissions upon installation. This allows it to display overlays on top of legitimate applications, tamper with notifications, receive and read SMS messages, and ultimately present fake banking login pages to steal credentials. The trojan also incorporates keylogging capabilities.
• Industry Response: Hear about the efforts of cybersecurity firms like Zscaler, which identified and reported 77 nefarious applications distributing Anatsa and other malware families, collectively accounting for over 19 million downloads. While Google has since removed these reported applications and states that Google Play Protect offers automatic protection, the continuous evolution of Anatsa highlights the ongoing threat.
Protect Yourself: Cybersecurity experts advise Android users to always verify the permissions that applications request and ensure they align with the intended functionality of the app.
--------------------------------------------------------------------------------
Relevant Links to Source Materials:
• Source 1: S

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 28 Aug 2025 18:25:44 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Title: Anatsa Unleashed: How a Sophisticated Android Banking Trojan Targets Over 830 Financial Apps Globally

In this episode of "Upwardly Mobile," we dive deep into the alarming evolution of Anatsa, a potent Android banking trojan that has significantly expanded its reach, now setting its sights on over 830 financial applications worldwide. First identified in 2020, Anatsa (also known as Teabot or Troddler) grants its operators full control over infected devices, enabling them to perform fraudulent transactions and steal critical bank information, cryptocurrencies, and various other data on behalf of victims.
What You'll Learn in This Episode:
• Anatsa's Expanded Targets: Discover how the Anatsa banking trojan has broadened its scope to include more than 150 new banking and cryptocurrency applications, extending its malicious campaigns to mobile users in new countries like Germany and South Korea.
• Deceptive Distribution Methods: Understand the cunning ways Anatsa spreads, primarily through decoy applications found on the official Google Play Store. These seemingly harmless apps often masquerade as useful tools like PDF viewers, QR code scanners, or phone cleaners, accumulating over 50,000 downloads in some cases. Once installed, they silently fetch a malicious payload disguised as an update from Anatsa's command-and-control (C&amp;C) server.
• Advanced Evasion Techniques: Learn about Anatsa's sophisticated anti-analysis and anti-detection mechanisms, designed to evade security measures. These include decrypting strings at runtime using dynamically generated Data Encryption Standard (DES) keys, performing emulation and device model checks, and periodically altering package names and installation hashes. The malware even hides its DEX payload within corrupted archives that bypass standard static analysis tools.
• How Anatsa Compromises Devices: Find out how Anatsa requests and automatically enables critical accessibility permissions upon installation. This allows it to display overlays on top of legitimate applications, tamper with notifications, receive and read SMS messages, and ultimately present fake banking login pages to steal credentials. The trojan also incorporates keylogging capabilities.
• Industry Response: Hear about the efforts of cybersecurity firms like Zscaler, which identified and reported 77 nefarious applications distributing Anatsa and other malware families, collectively accounting for over 19 million downloads. While Google has since removed these reported applications and states that Google Play Protect offers automatic protection, the continuous evolution of Anatsa highlights the ongoing threat.
Protect Yourself: Cybersecurity experts advise Android users to always verify the permissions that applications request and ensure they align with the intended functionality of the app.
--------------------------------------------------------------------------------
Relevant Links to Source Materials:
• Source 1: S

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Title: Anatsa Unleashed: How a Sophisticated Android Banking Trojan Targets Over 830 Financial Apps Globally

In this episode of "Upwardly Mobile," we dive deep into the alarming evolution of Anatsa, a potent Android banking trojan that has significantly expanded its reach, now setting its sights on over 830 financial applications worldwide. First identified in 2020, Anatsa (also known as Teabot or Troddler) grants its operators full control over infected devices, enabling them to perform fraudulent transactions and steal critical bank information, cryptocurrencies, and various other data on behalf of victims.
What You'll Learn in This Episode:
• Anatsa's Expanded Targets: Discover how the Anatsa banking trojan has broadened its scope to include more than 150 new banking and cryptocurrency applications, extending its malicious campaigns to mobile users in new countries like Germany and South Korea.
• Deceptive Distribution Methods: Understand the cunning ways Anatsa spreads, primarily through decoy applications found on the official Google Play Store. These seemingly harmless apps often masquerade as useful tools like PDF viewers, QR code scanners, or phone cleaners, accumulating over 50,000 downloads in some cases. Once installed, they silently fetch a malicious payload disguised as an update from Anatsa's command-and-control (C&amp;C) server.
• Advanced Evasion Techniques: Learn about Anatsa's sophisticated anti-analysis and anti-detection mechanisms, designed to evade security measures. These include decrypting strings at runtime using dynamically generated Data Encryption Standard (DES) keys, performing emulation and device model checks, and periodically altering package names and installation hashes. The malware even hides its DEX payload within corrupted archives that bypass standard static analysis tools.
• How Anatsa Compromises Devices: Find out how Anatsa requests and automatically enables critical accessibility permissions upon installation. This allows it to display overlays on top of legitimate applications, tamper with notifications, receive and read SMS messages, and ultimately present fake banking login pages to steal credentials. The trojan also incorporates keylogging capabilities.
• Industry Response: Hear about the efforts of cybersecurity firms like Zscaler, which identified and reported 77 nefarious applications distributing Anatsa and other malware families, collectively accounting for over 19 million downloads. While Google has since removed these reported applications and states that Google Play Protect offers automatic protection, the continuous evolution of Anatsa highlights the ongoing threat.
Protect Yourself: Cybersecurity experts advise Android users to always verify the permissions that applications request and ensure they align with the intended functionality of the app.
--------------------------------------------------------------------------------
Relevant Links to Source Materials:
• Source 1: S

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>671</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67545035]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9684465447.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple's iOS Obfuscation Dilemma: App Store Rejection &amp; Developer Security Challenges</title>
      <link>https://player.megaphone.fm/NPTNI9945287403</link>
      <description>Apple's iOS Obfuscation Dilemma: App Store Rejection &amp; Developer Security Challenges

In this vital episode of "Upwardly Mobile," we dive deep into the complexities of mobile app security within the healthcare sector, particularly concerning the HIPAA Security Rule and the challenges of iOS code obfuscation and App Store review. As telemedicine and mobile access to ePHI (Electronic Protected Health Information) become ubiquitous, understanding and implementing robust security measures is no longer optional—it's imperative.
What You'll Learn in This Episode:
- The Evolving Threat Landscape for Healthcare Apps: Discover how the rapid adoption of mobile healthcare apps by both patients and practitioners has created new, data-rich attack surfaces for hackers. This includes apps used for consultations, prescription refills, appointment scheduling, accessing test results, and even those associated with medical devices.
- Limitations of Traditional Security: We explore why traditional security approaches and even robust TLS (Transport Layer Security) are often insufficient for protecting mobile healthcare apps and their APIs, particularly due to the unique exposure of mobile app code and device environments. Xcode's native build settings like symbol stripping and dead code stripping are primarily for optimization and offer no meaningful protection against determined reverse-engineering efforts.
- Proposed Improvements to the HIPAA Security Rule: Learn about Approov's specific recommendations to strengthen the updated HIPAA Security Rule (initially proposed in June 2024), focusing on mobile apps accessing ePHI. Key proposed changes include mandating:
    - App Attestation: A proven technique to ensure only genuine, unmodified apps can access APIs.
    - Runtime Device Attestation: Continuous scanning and real-time reporting of device environments to block requests from compromised devices.
    - Dynamic Certificate Pinning: Essential for protecting communication channels from Man-in-the-Middle (MitM) attacks, even when traffic is encrypted.
    - API Secret Protection: Explicit guidelines to ensure API keys are never stored in mobile app code and are delivered only as needed to verified apps.
    - Runtime Zero Trust Protection of Identity Exploits: Additional controls like app and device attestation to provide an extra layer of zero-trust security against credential stuffing and identity abuse.
    - Breach Readiness and Service Continuity: Extending incident response plans to cover third-party breaches and explicitly managing API keys and certificates during a breach.
- The Role of https://mas.owasp.org/MASVS/: Understand how the OWASP Mobile Application Security Verification Standard (MASVS) serves as the industry standard for mobile app security, offering guidelines for developers and testers. We specifically highlight MASVS-RESILIENCE for hardening apps against reverse engineering and tampering.
- The iOS Obfuscation Dilemma: Unpack the conflict

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 18 Aug 2025 19:15:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Apple's iOS Obfuscation Dilemma: App Store Rejection &amp; Developer Security Challenges

In this vital episode of "Upwardly Mobile," we dive deep into the complexities of mobile app security within the healthcare sector, particularly concerning the HIPAA Security Rule and the challenges of iOS code obfuscation and App Store review. As telemedicine and mobile access to ePHI (Electronic Protected Health Information) become ubiquitous, understanding and implementing robust security measures is no longer optional—it's imperative.
What You'll Learn in This Episode:
- The Evolving Threat Landscape for Healthcare Apps: Discover how the rapid adoption of mobile healthcare apps by both patients and practitioners has created new, data-rich attack surfaces for hackers. This includes apps used for consultations, prescription refills, appointment scheduling, accessing test results, and even those associated with medical devices.
- Limitations of Traditional Security: We explore why traditional security approaches and even robust TLS (Transport Layer Security) are often insufficient for protecting mobile healthcare apps and their APIs, particularly due to the unique exposure of mobile app code and device environments. Xcode's native build settings like symbol stripping and dead code stripping are primarily for optimization and offer no meaningful protection against determined reverse-engineering efforts.
- Proposed Improvements to the HIPAA Security Rule: Learn about Approov's specific recommendations to strengthen the updated HIPAA Security Rule (initially proposed in June 2024), focusing on mobile apps accessing ePHI. Key proposed changes include mandating:
    - App Attestation: A proven technique to ensure only genuine, unmodified apps can access APIs.
    - Runtime Device Attestation: Continuous scanning and real-time reporting of device environments to block requests from compromised devices.
    - Dynamic Certificate Pinning: Essential for protecting communication channels from Man-in-the-Middle (MitM) attacks, even when traffic is encrypted.
    - API Secret Protection: Explicit guidelines to ensure API keys are never stored in mobile app code and are delivered only as needed to verified apps.
    - Runtime Zero Trust Protection of Identity Exploits: Additional controls like app and device attestation to provide an extra layer of zero-trust security against credential stuffing and identity abuse.
    - Breach Readiness and Service Continuity: Extending incident response plans to cover third-party breaches and explicitly managing API keys and certificates during a breach.
- The Role of https://mas.owasp.org/MASVS/: Understand how the OWASP Mobile Application Security Verification Standard (MASVS) serves as the industry standard for mobile app security, offering guidelines for developers and testers. We specifically highlight MASVS-RESILIENCE for hardening apps against reverse engineering and tampering.
- The iOS Obfuscation Dilemma: Unpack the conflict

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Apple's iOS Obfuscation Dilemma: App Store Rejection &amp; Developer Security Challenges

In this vital episode of "Upwardly Mobile," we dive deep into the complexities of mobile app security within the healthcare sector, particularly concerning the HIPAA Security Rule and the challenges of iOS code obfuscation and App Store review. As telemedicine and mobile access to ePHI (Electronic Protected Health Information) become ubiquitous, understanding and implementing robust security measures is no longer optional—it's imperative.
What You'll Learn in This Episode:
- The Evolving Threat Landscape for Healthcare Apps: Discover how the rapid adoption of mobile healthcare apps by both patients and practitioners has created new, data-rich attack surfaces for hackers. This includes apps used for consultations, prescription refills, appointment scheduling, accessing test results, and even those associated with medical devices.
- Limitations of Traditional Security: We explore why traditional security approaches and even robust TLS (Transport Layer Security) are often insufficient for protecting mobile healthcare apps and their APIs, particularly due to the unique exposure of mobile app code and device environments. Xcode's native build settings like symbol stripping and dead code stripping are primarily for optimization and offer no meaningful protection against determined reverse-engineering efforts.
- Proposed Improvements to the HIPAA Security Rule: Learn about Approov's specific recommendations to strengthen the updated HIPAA Security Rule (initially proposed in June 2024), focusing on mobile apps accessing ePHI. Key proposed changes include mandating:
    - App Attestation: A proven technique to ensure only genuine, unmodified apps can access APIs.
    - Runtime Device Attestation: Continuous scanning and real-time reporting of device environments to block requests from compromised devices.
    - Dynamic Certificate Pinning: Essential for protecting communication channels from Man-in-the-Middle (MitM) attacks, even when traffic is encrypted.
    - API Secret Protection: Explicit guidelines to ensure API keys are never stored in mobile app code and are delivered only as needed to verified apps.
    - Runtime Zero Trust Protection of Identity Exploits: Additional controls like app and device attestation to provide an extra layer of zero-trust security against credential stuffing and identity abuse.
    - Breach Readiness and Service Continuity: Extending incident response plans to cover third-party breaches and explicitly managing API keys and certificates during a breach.
- The Role of https://mas.owasp.org/MASVS/: Understand how the OWASP Mobile Application Security Verification Standard (MASVS) serves as the industry standard for mobile app security, offering guidelines for developers and testers. We specifically highlight MASVS-RESILIENCE for hardening apps against reverse engineering and tampering.
- The iOS Obfuscation Dilemma: Unpack the conflict

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1223</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67038565]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9945287403.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>AI vs AI | Agentic AI Security: Top Threats &amp; Best Practices for Apps and APIs</title>
      <link>https://player.megaphone.fm/NPTNI4746943849</link>
      <description>Securing the Autonomous Frontier: Defending Apps and APIs from Agentic AI Threats

Episode Notes

In this episode of Upwardly Mobile, we delve into the critical and rapidly evolving landscape of Agentic AI security. As artificial intelligence advances beyond reactive responses to become autonomous systems capable of planning, reasoning, and taking action without constant human intervention, the need for robust security measures has become paramount. These intelligent software systems perceive their environment, reason, make decisions, and act to achieve specific objectives autonomously, often leveraging large language models (LLMs) for their core reasoning engines and control flow.

The Rise of Agentic AI and Magnified Risks

Agentic AI is rapidly integrating into various applications across diverse industries, from healthcare and finance to manufacturing. However, this increased autonomy magnifies existing AI risks and introduces entirely new vulnerabilities. As highlighted by the OWASP Agentic Security Initiative, AI isn’t just accelerating product development; it's also automating attacks and exploiting gaps faster than ever before. LLMs, for instance, can already brute force APIs, simulate human behavior, and bypass rate limits without triggering flags. Key security challenges with Agentic AI include:

- Poorly designed reward systems, which can lead AI to exploit loopholes and achieve goals in unintended ways.
- Self-reinforcing behaviors, where AI escalates actions by optimizing too aggressively for specific metrics without adequate safeguards.
- Cascading failures in multi-agent systems, arising from bottlenecks or resource conflicts that propagate across interconnected agents.
- Increased vulnerability to sophisticated adversarial attacks, including AI-powered credential stuffing bots and app tampering attempts.
- The necessity for sensitive data access, making robust access management and data protection crucial.
The OWASP Agentic Security Initiative has identified a comprehensive set of threats unique to these systems, including:

- Memory Poisoning and Cascading Hallucination Attacks, where malicious or false data corrupts the agent's memory or propagates inaccurate information across systems.
- Tool Misuse, allowing attackers to manipulate AI agents to abuse their integrated tools, potentially leading to unauthorized data access or system manipulation.
- Privilege Compromise, exploiting weaknesses in permission management for unauthorized actions or dynamic role inheritance.
- Intent Breaking &amp; Goal Manipulation, where attackers alter an AI's planning and objectives.
- Unexpected Remote Code Execution (RCE) and Code Attacks, leveraging AI-generated code environments to inject malicious code.
- Identity Spoofing &amp; Impersonation, enabling attackers to masquerade as AI agents or human users.
- Threats specific to multi-agent systems like Agent Communication Poisoning and the presence of Rogue Agents, where malicious agents infiltrat

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 15 Aug 2025 01:50:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Securing the Autonomous Frontier: Defending Apps and APIs from Agentic AI Threats

Episode Notes

In this episode of Upwardly Mobile, we delve into the critical and rapidly evolving landscape of Agentic AI security. As artificial intelligence advances beyond reactive responses to become autonomous systems capable of planning, reasoning, and taking action without constant human intervention, the need for robust security measures has become paramount. These intelligent software systems perceive their environment, reason, make decisions, and act to achieve specific objectives autonomously, often leveraging large language models (LLMs) for their core reasoning engines and control flow.

The Rise of Agentic AI and Magnified Risks

Agentic AI is rapidly integrating into various applications across diverse industries, from healthcare and finance to manufacturing. However, this increased autonomy magnifies existing AI risks and introduces entirely new vulnerabilities. As highlighted by the OWASP Agentic Security Initiative, AI isn’t just accelerating product development; it's also automating attacks and exploiting gaps faster than ever before. LLMs, for instance, can already brute force APIs, simulate human behavior, and bypass rate limits without triggering flags. Key security challenges with Agentic AI include:

- Poorly designed reward systems, which can lead AI to exploit loopholes and achieve goals in unintended ways.
- Self-reinforcing behaviors, where AI escalates actions by optimizing too aggressively for specific metrics without adequate safeguards.
- Cascading failures in multi-agent systems, arising from bottlenecks or resource conflicts that propagate across interconnected agents.
- Increased vulnerability to sophisticated adversarial attacks, including AI-powered credential stuffing bots and app tampering attempts.
- The necessity for sensitive data access, making robust access management and data protection crucial.
The OWASP Agentic Security Initiative has identified a comprehensive set of threats unique to these systems, including:

- Memory Poisoning and Cascading Hallucination Attacks, where malicious or false data corrupts the agent's memory or propagates inaccurate information across systems.
- Tool Misuse, allowing attackers to manipulate AI agents to abuse their integrated tools, potentially leading to unauthorized data access or system manipulation.
- Privilege Compromise, exploiting weaknesses in permission management for unauthorized actions or dynamic role inheritance.
- Intent Breaking &amp; Goal Manipulation, where attackers alter an AI's planning and objectives.
- Unexpected Remote Code Execution (RCE) and Code Attacks, leveraging AI-generated code environments to inject malicious code.
- Identity Spoofing &amp; Impersonation, enabling attackers to masquerade as AI agents or human users.
- Threats specific to multi-agent systems like Agent Communication Poisoning and the presence of Rogue Agents, where malicious agents infiltrat

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Securing the Autonomous Frontier: Defending Apps and APIs from Agentic AI Threats

Episode Notes
In this episode of Upwardly Mobile, we delve into the critical and rapidly evolving landscape of Agentic AI security. As artificial intelligence advances beyond reactive responses to become autonomous systems capable of planning, reasoning, and taking action without constant human intervention, the need for robust security measures has become paramount. These intelligent software systems perceive their environment, reason, make decisions, and act to achieve specific objectives autonomously, often leveraging large language models (LLMs) for their core reasoning engines and control flow.
The Rise of Agentic AI and Magnified Risks
Agentic AI is rapidly integrating into various applications across diverse industries, from healthcare and finance to manufacturing. However, this increased autonomy magnifies existing AI risks and introduces entirely new vulnerabilities. As highlighted by the OWASP Agentic Security Initiative, AI isn’t just accelerating product development; it's also automating attacks and exploiting gaps faster than ever before. LLMs, for instance, can already brute force APIs, simulate human behavior, and bypass rate limits without triggering flags. Key security challenges with Agentic AI include:

- Poorly designed reward systems, which can lead AI to exploit loopholes and achieve goals in unintended ways.
- Self-reinforcing behaviors, where AI escalates actions by optimizing too aggressively for specific metrics without adequate safeguards.
- Cascading failures in multi-agent systems, arising from bottlenecks or resource conflicts that propagate across interconnected agents.
- Increased vulnerability to sophisticated adversarial attacks, including AI-powered credential stuffing bots and app tampering attempts.
- The necessity for sensitive data access, making robust access management and data protection crucial.
The OWASP Agentic Security Initiative has identified a comprehensive set of threats unique to these systems, including:

- Memory Poisoning and Cascading Hallucination Attacks, where malicious or false data corrupts the agent's memory or propagates inaccurate information across systems.
- Tool Misuse, allowing attackers to manipulate AI agents to abuse their integrated tools, potentially leading to unauthorized data access or system manipulation.
- Privilege Compromise, exploiting weaknesses in permission management for unauthorized actions or dynamic role inheritance.
- Intent Breaking &amp; Goal Manipulation, where attackers alter an AI's planning and objectives.
- Unexpected Remote Code Execution (RCE) and Code Attacks, leveraging AI-generated code environments to inject malicious code.
- Identity Spoofing &amp; Impersonation, enabling attackers to masquerade as AI agents or human users.
- Threats specific to multi-agent systems like Agent Communication Poisoning and the presence of Rogue Agents, where malicious agents infiltrat

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1432</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67276923]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4746943849.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>From Vibe to Venture: Building and Securing Your Mobile Apps and APIs</title>
      <link>https://player.megaphone.fm/NPTNI2463002727</link>
      <description>The Future of App Development with Vibe Coding and Approov

Description: In this episode of Upwardly Mobile, we delve into the exciting, fast-paced world of "vibe coding" and rapid app development, where concepts can transform into functional Minimum Viable Products (MVPs) in days, not weeks. We discuss how intuitive, AI-powered platforms like Lovable are enabling developers to build full-stack web applications using plain English, focusing on the "vibe" of the application rather than getting bogged down in traditional coding complexities.
However, this speed comes with significant security risks. We explore the critical case of the Tea dating app data breach, a women-only dating advice app that suffered an extensive hack exposing users' direct messages and photos, including an additional 59,000 images and DMs. Experts like Ted Miracco, CEO at mobile security maker Approov, emphasized that Tea lacked adequate security protections and "rushed to market," exposing consumers. The breach highlighted a systemic problem: the real attack surface for mobile apps often lies in their backend APIs, which are not inherently secured by app store vetting processes like Apple's or Google's. Attackers were able to reverse-engineer the mobile client and access sensitive data through an insecure, unauthenticated API.
So, how can you build fast without sacrificing security? We introduce Approov, a security solution designed to ensure that only genuine instances of your app, running on safe devices, can access your APIs. Approov protects against various threats, including malicious bots, tampered apps, credential stuffing, and API abuse. Key defenses Approov offers include App Attestation, Ephemeral API Keys, Dynamic Certificate Pinning, RASP (Runtime Application Self-Protection), and Real-time Monitoring.
For early-stage startups, Approov has launched a "Founder-Friendly Tier," providing core security features at a price point and scale that makes sense for new ventures, helping to bridge the gap between rapid development and robust security. Making security a priority from day one offers a powerful advantage: it boosts investor confidence, builds user trust, and prevents costly, time-consuming security retrofits down the line. As the sources suggest, "secure APIs are the new uptime," and security should be seen as a differentiator, not a tax.

Key Takeaways:
• Vibe coding and platforms like Lovable enable incredibly fast app development, allowing quick market entry and iteration.
• Rapid development can introduce significant security vulnerabilities, especially at the API level, as demonstrated by the Tea app data breach.
• Approov provides essential mobile and API security solutions, including a new Founder-Friendly Tier, to protect apps from launch through scaling.
• Prioritizing security from the start enhances investor confidence and user trust, proving to be an "unfair advantage" in the competitive app market.

Relevant Links:
• CBS News: Tea dating app disab

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 11 Aug 2025 10:05:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The Future of App Development with Vibe Coding and Approov

Description: In this episode of Upwardly Mobile, we delve into the exciting, fast-paced world of "vibe coding" and rapid app development, where concepts can transform into functional Minimum Viable Products (MVPs) in days, not weeks. We discuss how intuitive, AI-powered platforms like Lovable are enabling developers to build full-stack web applications using plain English, focusing on the "vibe" of the application rather than getting bogged down in traditional coding complexities.
However, this speed comes with significant security risks. We explore the critical case of the Tea dating app data breach, a women-only dating advice app that suffered an extensive hack exposing users' direct messages and photos, including an additional 59,000 images and DMs. Experts like Ted Miracco, CEO at mobile security maker Approov, emphasized that Tea lacked adequate security protections and "rushed to market," exposing consumers. The breach highlighted a systemic problem: the real attack surface for mobile apps often lies in their backend APIs, which are not inherently secured by app store vetting processes like Apple's or Google's. Attackers were able to reverse-engineer the mobile client and access sensitive data through an insecure, unauthenticated API.
So, how can you build fast without sacrificing security? We introduce Approov, a security solution designed to ensure that only genuine instances of your app, running on safe devices, can access your APIs. Approov protects against various threats, including malicious bots, tampered apps, credential stuffing, and API abuse. Key defenses Approov offers include App Attestation, Ephemeral API Keys, Dynamic Certificate Pinning, RASP (Runtime Application Self-Protection), and Real-time Monitoring.
For early-stage startups, Approov has launched a "Founder-Friendly Tier," providing core security features at a price point and scale that makes sense for new ventures, helping to bridge the gap between rapid development and robust security. Making security a priority from day one offers a powerful advantage: it boosts investor confidence, builds user trust, and prevents costly, time-consuming security retrofits down the line. As the sources suggest, "secure APIs are the new uptime," and security should be seen as a differentiator, not a tax.

Key Takeaways:
• Vibe coding and platforms like Lovable enable incredibly fast app development, allowing quick market entry and iteration.
• Rapid development can introduce significant security vulnerabilities, especially at the API level, as demonstrated by the Tea app data breach.
• Approov provides essential mobile and API security solutions, including a new Founder-Friendly Tier, to protect apps from launch through scaling.
• Prioritizing security from the start enhances investor confidence and user trust, proving to be an "unfair advantage" in the competitive app market.

Relevant Links:
• CBS News: Tea dating app disab

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The Future of App Development with Vibe Coding and Approov

Description: In this episode of Upwardly Mobile, we delve into the exciting, fast-paced world of "vibe coding" and rapid app development, where concepts can transform into functional Minimum Viable Products (MVPs) in days, not weeks. We discuss how intuitive, AI-powered platforms like Lovable are enabling developers to build full-stack web applications using plain English, focusing on the "vibe" of the application rather than getting bogged down in traditional coding complexities.
However, this speed comes with significant security risks. We explore the critical case of the Tea dating app data breach, a women-only dating advice app that suffered an extensive hack exposing users' direct messages and photos, including an additional 59,000 images and DMs. Experts like Ted Miracco, CEO at mobile security maker Approov, emphasized that Tea lacked adequate security protections and "rushed to market," exposing consumers. The breach highlighted a systemic problem: the real attack surface for mobile apps often lies in their backend APIs, which are not inherently secured by app store vetting processes like Apple's or Google's. Attackers were able to reverse-engineer the mobile client and access sensitive data through an insecure, unauthenticated API.
So, how can you build fast without sacrificing security? We introduce Approov, a security solution designed to ensure that only genuine instances of your app, running on safe devices, can access your APIs. Approov protects against various threats, including malicious bots, tampered apps, credential stuffing, and API abuse. Key defenses Approov offers include App Attestation, Ephemeral API Keys, Dynamic Certificate Pinning, RASP (Runtime Application Self-Protection), and Real-time Monitoring.
For early-stage startups, Approov has launched a "Founder-Friendly Tier," providing core security features at a price point and scale that makes sense for new ventures, helping to bridge the gap between rapid development and robust security. Making security a priority from day one offers a powerful advantage: it boosts investor confidence, builds user trust, and prevents costly, time-consuming security retrofits down the line. As the sources suggest, "secure APIs are the new uptime," and security should be seen as a differentiator, not a tax.

Key Takeaways:
• Vibe coding and platforms like Lovable enable incredibly fast app development, allowing quick market entry and iteration.
• Rapid development can introduce significant security vulnerabilities, especially at the API level, as demonstrated by the Tea app data breach.
• Approov provides essential mobile and API security solutions, including a new Founder-Friendly Tier, to protect apps from launch through scaling.
• Prioritizing security from the start enhances investor confidence and user trust, proving to be an "unfair advantage" in the competitive app market.

Relevant Links:
• CBS News: Tea dating app disab

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>817</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67239842]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2463002727.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Japan says Apple Must Lift Browser Ban | Billions at Stake, and the Fight for Open Web on iOS</title>
      <link>https://player.megaphone.fm/NPTNI2177086183</link>
      <description>Apple's Enduring Browser Engine Ban: A Global Standoff for the Open Web
Description:
In this episode of Upwardly Mobile, we delve into Apple's persistent ban on third-party browser engines on iOS, a restriction that continues to stifle competition and limit the capabilities of web applications. Despite growing global pressure and explicit legal mandates like the EU's Digital Markets Act (DMA), Apple has maintained technical and contractual barriers that make it commercially unviable for other browser vendors like Google and Mozilla to offer their own engines on iOS. We explore why this ban matters for consumers, developers, and the future of the open internet.
Key Discussion Points:
• The Unique Ban: Apple is the only "gatekeeper" that imposes a ban on third-party browser engines, forcing all browsers on iOS to use its proprietary WebKit engine. This prevents genuine browser competition and limits the functionality and performance of web apps, hindering their ability to compete with native apps.
• Apple's Justifications vs. Reality:
    ◦ Apple claims its restrictions are for security, privacy, and system integrity. Apple's representatives, like Kyle Andeer and Gary Davis, assert that browser vendors have "everything they need" and have simply "chosen not to" port their engines.
    ◦ However, critics argue that Apple uses security and privacy as an "elastic shield" for its financial interests. Evidence does not suggest material differences in security performance between WebKit and alternative engines. Browser vendors, with their strong security track records, could even improve iOS security by competing.
• Barriers to Entry: The primary obstacles preventing alternative browser engines on iOS include:
    ◦ Loss of existing EU users: Browser vendors are forced to create entirely new apps, meaning they must abandon current users and start from scratch in the EU. This single requirement "destroys the business case".
    ◦ No web developer testing outside EU: Developers globally cannot test their web software on third-party engines on iOS for EU users.
    ◦ Hostile legal terms: Apple's contractual conditions are "harsh, one-sided, and incompatible with the DMA".
    ◦ Uncertainty on updates for travelers: Apple has not confirmed that browser updates (including security patches) will not be disabled if an EU user travels outside the EU for more than 30 days.
• Regulatory Pressure and Compliance:
    ◦ EU Digital Markets Act (DMA): Explicitly prohibits gatekeepers from requiring the use of their web browser engine. The DMA demands "effective compliance" and prohibits undermining obligations through technical or contractual means. Despite 15 months, no browser vendor has successfully ported an engine, indicating Apple's non-compliance.
    ◦ Japan's Smartphone Act (MSCA): Passed and will directly prohibit Apple's ban by December 2025. Guidelines clarify that actions that hinder adoption, not just outright bans, are prohibited. It also mandates fai

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 08 Aug 2025 07:00:08 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Apple's Enduring Browser Engine Ban: A Global Standoff for the Open Web
Description:
In this episode of Upwardly Mobile, we delve into Apple's persistent ban on third-party browser engines on iOS, a restriction that continues to stifle competition and limit the capabilities of web applications. Despite growing global pressure and explicit legal mandates like the EU's Digital Markets Act (DMA), Apple has maintained technical and contractual barriers that make it commercially unviable for other browser vendors like Google and Mozilla to offer their own engines on iOS. We explore why this ban matters for consumers, developers, and the future of the open internet.
Key Discussion Points:
• The Unique Ban: Apple is the only "gatekeeper" that imposes a ban on third-party browser engines, forcing all browsers on iOS to use its proprietary WebKit engine. This prevents genuine browser competition and limits the functionality and performance of web apps, hindering their ability to compete with native apps.
• Apple's Justifications vs. Reality:
    ◦ Apple claims its restrictions are for security, privacy, and system integrity. Apple's representatives, like Kyle Andeer and Gary Davis, assert that browser vendors have "everything they need" and have simply "chosen not to" port their engines.
    ◦ However, critics argue that Apple uses security and privacy as an "elastic shield" for its financial interests. Evidence does not suggest material differences in security performance between WebKit and alternative engines. Browser vendors, with their strong security track records, could even improve iOS security by competing.
• Barriers to Entry: The primary obstacles preventing alternative browser engines on iOS include:
    ◦ Loss of existing EU users: Browser vendors are forced to create entirely new apps, meaning they must abandon current users and start from scratch in the EU. This single requirement "destroys the business case".
    ◦ No web developer testing outside EU: Developers globally cannot test their web software on third-party engines on iOS for EU users.
    ◦ Hostile legal terms: Apple's contractual conditions are "harsh, one-sided, and incompatible with the DMA".
    ◦ Uncertainty on updates for travelers: Apple has not confirmed that browser updates (including security patches) will not be disabled if an EU user travels outside the EU for more than 30 days.
• Regulatory Pressure and Compliance:
    ◦ EU Digital Markets Act (DMA): Explicitly prohibits gatekeepers from requiring the use of their web browser engine. The DMA demands "effective compliance" and prohibits undermining obligations through technical or contractual means. Despite 15 months, no browser vendor has successfully ported an engine, indicating Apple's non-compliance.
    ◦ Japan's Smartphone Act (MSCA): Passed and will directly prohibit Apple's ban by December 2025. Guidelines clarify that actions that hinder adoption, not just outright bans, are prohibited. It also mandates fai

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Apple's Enduring Browser Engine Ban: A Global Standoff for the Open Web
Description:
In this episode of Upwardly Mobile, we delve into Apple's persistent ban on third-party browser engines on iOS, a restriction that continues to stifle competition and limit the capabilities of web applications. Despite growing global pressure and explicit legal mandates like the EU's Digital Markets Act (DMA), Apple has maintained technical and contractual barriers that make it commercially unviable for other browser vendors like Google and Mozilla to offer their own engines on iOS. We explore why this ban matters for consumers, developers, and the future of the open internet.
Key Discussion Points:
• The Unique Ban: Apple is the only "gatekeeper" that imposes a ban on third-party browser engines, forcing all browsers on iOS to use its proprietary WebKit engine. This prevents genuine browser competition and limits the functionality and performance of web apps, hindering their ability to compete with native apps.
• Apple's Justifications vs. Reality:
    ◦ Apple claims its restrictions are for security, privacy, and system integrity. Apple's representatives, like Kyle Andeer and Gary Davis, assert that browser vendors have "everything they need" and have simply "chosen not to" port their engines.
    ◦ However, critics argue that Apple uses security and privacy as an "elastic shield" for its financial interests. Evidence does not suggest material differences in security performance between WebKit and alternative engines. Browser vendors, with their strong security track records, could even improve iOS security by competing.
• Barriers to Entry: The primary obstacles preventing alternative browser engines on iOS include:
    ◦ Loss of existing EU users: Browser vendors are forced to create entirely new apps, meaning they must abandon current users and start from scratch in the EU. This single requirement "destroys the business case".
    ◦ No web developer testing outside EU: Developers globally cannot test their web software on third-party engines on iOS for EU users.
    ◦ Hostile legal terms: Apple's contractual conditions are "harsh, one-sided, and incompatible with the DMA".
    ◦ Uncertainty on updates for travelers: Apple has not confirmed that browser updates (including security patches) will not be disabled if an EU user travels outside the EU for more than 30 days.
• Regulatory Pressure and Compliance:
    ◦ EU Digital Markets Act (DMA): Explicitly prohibits gatekeepers from requiring the use of their web browser engine. The DMA demands "effective compliance" and prohibits undermining obligations through technical or contractual means. Despite 15 months, no browser vendor has successfully ported an engine, indicating Apple's non-compliance.
    ◦ Japan's Smartphone Act (MSCA): Passed and will directly prohibit Apple's ban by December 2025. Guidelines clarify that actions that hinder adoption, not just outright bans, are prohibited. It also mandates fai

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>853</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67286789]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2177086183.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Beyond the Beta: iOS 26 Features, AI, and Next-Gen App Security</title>
      <link>https://player.megaphone.fm/NPTNI6526679230</link>
      <description>Beyond the Beta: iOS 26 Features, AI, and Next-Gen App Security

This episode of Upwardly Mobile dives deep into Apple's groundbreaking iOS 26 update, exploring its transformative new features, the much-anticipated AI integrations, and crucial security considerations for developers. From the visually stunning Liquid Glass design to advanced app attestation requirements, we cover everything you need to know about Apple's latest mobile operating system.
iOS 26 Key Features &amp; User Experience
iOS 26 marks a significant generational leap for Apple's mobile operating system, moving directly from iOS 18 to align naming with other Apple platforms, and is considered the biggest OS update since iOS 7. It introduces a bold new design and more AI-powered features.

- Design &amp; Visuals: Experience Liquid Glass, Apple's new cohesive design language, which visually transforms widgets and the dock for a sleek, immersive interface. You’ll also notice improved animations in the Camera and Photos apps, ensuring smoother transitions. For drivers, customizable CarPlay wallpapers automatically adapt to light and dark modes, providing a visually pleasing transition between day and night.
- AI-Powered Innovations: Benefit from AI-powered notification summaries that streamline your alerts. Two highly anticipated phone features include Call Screening, which picks up unknown numbers, asks the caller's purpose, and shows a live transcript, allowing you to decide whether to answer. Its companion, Hold Assist, listens to hold music for you and alerts you the instant a real person is available.
- Enhanced App Experiences: The Weather app now offers "significant locations" for hyper-localized forecasts based on your frequently visited destinations. The Podcasts app provides custom playback options to fine-tune your listening. Safari now includes haptic feedback for downloads, offering tactile confirmation of completed actions.
- User Security &amp; Privacy: A redesigned passcode screen simplifies access, and updated password settings offer greater control over website permissions. The "Reduce Loud Sounds" feature automatically lowers excessive audio levels to protect your hearing. Additionally, App Store age ratings have been revamped with new categories (13+, 16+, and 18+) and enhanced parental controls, ensuring a safer digital environment for younger users.
Getting Your Hands on iOS 26
Anyone with a compatible iPhone can test iOS 26 features ahead of its official release. Apple opened its developer program to everyone for free in 2023, allowing users to load the developer beta right now.

- Compatibility: iOS 26 supports iPhone 11 and newer models, including the forthcoming iPhone 17 series. This includes any A13 Bionic handset forward, while the iPhone XR/XS generations are not included.
- Apple Intelligence Compatibility: For the headline Apple Intelligence features, you'll specifically need an iPhone 16 model or the iPhone 15 Pro/Pro Max.
- Installation Steps: To i

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 07 Aug 2025 22:50:00 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Beyond the Beta: iOS 26 Features, AI, and Next-Gen App Security

This episode of Upwardly Mobile dives deep into Apple's groundbreaking iOS 26 update, exploring its transformative new features, the much-anticipated AI integrations, and crucial security considerations for developers. From the visually stunning Liquid Glass design to advanced app attestation requirements, we cover everything you need to know about Apple's latest mobile operating system.
iOS 26 Key Features &amp; User Experience
iOS 26 marks a significant generational leap for Apple's mobile operating system, moving directly from iOS 18 to align naming with other Apple platforms, and is considered the biggest OS update since iOS 7. It introduces a bold new design and more AI-powered features.

- Design &amp; Visuals: Experience Liquid Glass, Apple's new cohesive design language, which visually transforms widgets and the dock for a sleek, immersive interface. You’ll also notice improved animations in the Camera and Photos apps, ensuring smoother transitions. For drivers, customizable CarPlay wallpapers automatically adapt to light and dark modes, providing a visually pleasing transition between day and night.
- AI-Powered Innovations: Benefit from AI-powered notification summaries that streamline your alerts. Two highly anticipated phone features include Call Screening, which picks up unknown numbers, asks the caller's purpose, and shows a live transcript, allowing you to decide whether to answer. Its companion, Hold Assist, listens to hold music for you and alerts you the instant a real person is available.
- Enhanced App Experiences: The Weather app now offers "significant locations" for hyper-localized forecasts based on your frequently visited destinations. The Podcasts app provides custom playback options to fine-tune your listening. Safari now includes haptic feedback for downloads, offering tactile confirmation of completed actions.
- User Security &amp; Privacy: A redesigned passcode screen simplifies access, and updated password settings offer greater control over website permissions. The "Reduce Loud Sounds" feature automatically lowers excessive audio levels to protect your hearing. Additionally, App Store age ratings have been revamped with new categories (13+, 16+, and 18+) and enhanced parental controls, ensuring a safer digital environment for younger users.
Getting Your Hands on iOS 26
Anyone with a compatible iPhone can test iOS 26 features ahead of its official release. Apple opened its developer program to everyone for free in 2023, allowing users to load the developer beta right now.

- Compatibility: iOS 26 supports iPhone 11 and newer models, including the forthcoming iPhone 17 series. This includes any A13 Bionic handset forward, while the iPhone XR/XS generations are not included.
- Apple Intelligence Compatibility: For the headline Apple Intelligence features, you'll specifically need an iPhone 16 model or the iPhone 15 Pro/Pro Max.
- Installation Steps: To i

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Beyond the Beta: iOS 26 Features, AI, and Next-Gen App Security

This episode of Upwardly Mobile dives deep into Apple's groundbreaking iOS 26 update, exploring its transformative new features, the much-anticipated AI integrations, and crucial security considerations for developers. From the visually stunning Liquid Glass design to advanced app attestation requirements, we cover everything you need to know about Apple's latest mobile operating system.
iOS 26 Key Features &amp; User Experience
iOS 26 marks a significant generational leap for Apple's mobile operating system, moving directly from iOS 18 to align naming with other Apple platforms, and is considered the biggest OS update since iOS 7. It introduces a bold new design and more AI-powered features.

- Design &amp; Visuals: Experience Liquid Glass, Apple's new cohesive design language, which visually transforms widgets and the dock for a sleek, immersive interface. You’ll also notice improved animations in the Camera and Photos apps, ensuring smoother transitions. For drivers, customizable CarPlay wallpapers automatically adapt to light and dark modes, providing a visually pleasing transition between day and night.
- AI-Powered Innovations: Benefit from AI-powered notification summaries that streamline your alerts. Two highly anticipated phone features include Call Screening, which picks up unknown numbers, asks the caller's purpose, and shows a live transcript, allowing you to decide whether to answer. Its companion, Hold Assist, listens to hold music for you and alerts you the instant a real person is available.
- Enhanced App Experiences: The Weather app now offers "significant locations" for hyper-localized forecasts based on your frequently visited destinations. The Podcasts app provides custom playback options to fine-tune your listening. Safari now includes haptic feedback for downloads, offering tactile confirmation of completed actions.
- User Security &amp; Privacy: A redesigned passcode screen simplifies access, and updated password settings offer greater control over website permissions. The "Reduce Loud Sounds" feature automatically lowers excessive audio levels to protect your hearing. Additionally, App Store age ratings have been revamped with new categories (13+, 16+, and 18+) and enhanced parental controls, ensuring a safer digital environment for younger users.
Getting Your Hands on iOS 26
Anyone with a compatible iPhone can test iOS 26 features ahead of its official release. Apple opened its developer program to everyone for free in 2023, allowing users to load the developer beta right now.

- Compatibility: iOS 26 supports iPhone 11 and newer models, including the forthcoming iPhone 17 series. This includes any A13 Bionic handset forward, while the iPhone XR/XS generations are not included.
- Apple Intelligence Compatibility: For the headline Apple Intelligence features, you'll specifically need an iPhone 16 model or the iPhone 15 Pro/Pro Max.
- Installation Steps: To i

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>844</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67239636]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6526679230.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Tea App Breach Exposed 72,000 Selfies &amp; IDs: Urgent Lessons for Mobile API Security</title>
      <link>https://player.megaphone.fm/NPTNI2890976242</link>
      <description>Mobile-First Security: The Urgent Lessons from the Tea App Breach

In this focused segment of Upwardly Mobile, we unpack the recent Tea app breach, a sobering case study that highlights the critical need for a robust mobile-first cybersecurity strategy and proper API security. The Tea app, a women's dating safety application that rapidly climbed to the top of the free iOS App Store listings and reached the No. 1 spot on Apple's US App Store, claiming over 1.6 million users, was designed to allow women to exchange information about men to enhance safety. A key feature involved new users verifying their identity by uploading a selfie. The company confirmed a major security breach, stating they had "identified authorized access to one of our systems". Preliminary findings revealed access to approximately 72,000 user images. This alarming exposure included:

- 13,000 images of selfies and photo identification documents, such as driver's licenses, which users had submitted during the account verification process.
- 59,000 publicly viewable images from posts, comments, and direct messages within the app.
The exposed images reportedly originated from a "legacy data system" that held information from more than two years prior. Posts on Reddit and 404 Media indicated that these sensitive user images, including faces and IDs, were posted on the anonymous online message board 4chan, with one post explicitly stating, "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" and highlighting "No authentication, no nothing. It's a public bucket". Users from 4chan claimed to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, as the source of the vulnerability. According to Ted Miracco, Chief Executive Officer of Approov Limited, the Tea app breach is a stark example of a "systemic failure in API security". He attributes this failure to several critical oversights:

- Broken access controls. (https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola)
- Weak authentication.
- Missing transport protections.
- Absent runtime safeguards.
Miracco emphasizes that such failures are "not inevitable" but are "preventable with disciplined engineering, proper API defenses, and a real commitment to protecting user trust". This incident highlights a common pitfall where companies "rush apps to market, driven by subscriber growth and churn metrics, while privacy and security are sidelined". The broader lesson from the Tea app breach underscores how mobile apps introduce significant risk to an organization's back-end services. Mobile apps serve as a "front door to the back end," and a mobile device effectively holds "the secret key to the front door" – the key to server-side APIs. The increasing reliance on numerous server-side APIs accessed via mobile devices creates growing security exposure, especially since many APIs are often not adequately protected. Shockingly, up to ha

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 04 Aug 2025 07:00:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Mobile-First Security: The Urgent Lessons from the Tea App Breach

In this focused segment of Upwardly Mobile, we unpack the recent Tea app breach, a sobering case study that highlights the critical need for a robust mobile-first cybersecurity strategy and proper API security. The Tea app, a women's dating safety application that rapidly climbed to the top of the free iOS App Store listings and reached the No. 1 spot on Apple's US App Store, claiming over 1.6 million users, was designed to allow women to exchange information about men to enhance safety. A key feature involved new users verifying their identity by uploading a selfie. The company confirmed a major security breach, stating they had "identified authorized access to one of our systems". Preliminary findings revealed access to approximately 72,000 user images. This alarming exposure included:

- 13,000 images of selfies and photo identification documents, such as driver's licenses, which users had submitted during the account verification process.
- 59,000 publicly viewable images from posts, comments, and direct messages within the app.
The exposed images reportedly originated from a "legacy data system" that held information from more than two years prior. Posts on Reddit and 404 Media indicated that these sensitive user images, including faces and IDs, were posted on the anonymous online message board 4chan, with one post explicitly stating, "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" and highlighting "No authentication, no nothing. It's a public bucket". Users from 4chan claimed to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, as the source of the vulnerability. According to Ted Miracco, Chief Executive Officer of Approov Limited, the Tea app breach is a stark example of a "systemic failure in API security". He attributes this failure to several critical oversights:

- Broken access controls. (https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola)
- Weak authentication.
- Missing transport protections.
- Absent runtime safeguards.
Miracco emphasizes that such failures are "not inevitable" but are "preventable with disciplined engineering, proper API defenses, and a real commitment to protecting user trust". This incident highlights a common pitfall where companies "rush apps to market, driven by subscriber growth and churn metrics, while privacy and security are sidelined". The broader lesson from the Tea app breach underscores how mobile apps introduce significant risk to an organization's back-end services. Mobile apps serve as a "front door to the back end," and a mobile device effectively holds "the secret key to the front door" – the key to server-side APIs. The increasing reliance on numerous server-side APIs accessed via mobile devices creates growing security exposure, especially since many APIs are often not adequately protected. Shockingly, up to ha

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Mobile-First Security: The Urgent Lessons from the Tea App Breach

In this focused segment of Upwardly Mobile, we unpack the recent Tea app breach, a sobering case study that highlights the critical need for a robust mobile-first cybersecurity strategy and proper API security. The Tea app, a women's dating safety application that rapidly climbed to the top of the free iOS App Store listings and reached the No. 1 spot on Apple's US App Store, claiming over 1.6 million users, was designed to allow women to exchange information about men to enhance safety. A key feature involved new users verifying their identity by uploading a selfie. The company confirmed a major security breach, stating they had "identified authorized access to one of our systems". Preliminary findings revealed access to approximately 72,000 user images. This alarming exposure included:

- 13,000 images of selfies and photo identification documents, such as driver's licenses, which users had submitted during the account verification process.
- 59,000 publicly viewable images from posts, comments, and direct messages within the app.
The exposed images reportedly originated from a "legacy data system" that held information from more than two years prior. Posts on Reddit and 404 Media indicated that these sensitive user images, including faces and IDs, were posted on the anonymous online message board 4chan, with one post explicitly stating, "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" and highlighting "No authentication, no nothing. It's a public bucket". Users from 4chan claimed to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, as the source of the vulnerability. According to Ted Miracco, Chief Executive Officer of Approov Limited, the Tea app breach is a stark example of a "systemic failure in API security". He attributes this failure to several critical oversights:

- Broken access controls. (https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola)
- Weak authentication.
- Missing transport protections.
- Absent runtime safeguards.
Miracco emphasizes that such failures are "not inevitable" but are "preventable with disciplined engineering, proper API defenses, and a real commitment to protecting user trust". This incident highlights a common pitfall where companies "rush apps to market, driven by subscriber growth and churn metrics, while privacy and security are sidelined". The broader lesson from the Tea app breach underscores how mobile apps introduce significant risk to an organization's back-end services. Mobile apps serve as a "front door to the back end," and a mobile device effectively holds "the secret key to the front door" – the key to server-side APIs. The increasing reliance on numerous server-side APIs accessed via mobile devices creates growing security exposure, especially since many APIs are often not adequately protected. Shockingly, up to ha

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1146</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67153963]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2890976242.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Securing the Cloud | Unlocking True Mobile &amp; API Security</title>
      <link>https://player.megaphone.fm/NPTNI4982645206</link>
      <description>Unlocking True Mobile &amp; API Security in the Cloud Age
Welcome to "Upwardly Mobile", the podcast dedicated to navigating the complex world of mobile and cloud security! In this episode, we dive deep into why mobile app security and API security are not just technical concerns, but fundamental business imperatives for organisations of all types, from agricultural giants like John Deere to popular dating apps such as Hinge. We explore how the traditional reliance on static defences like code obfuscation is no longer sufficient against today's sophisticated, AI-powered threats, and what a truly resilient, Zero Trust-based security strategy looks like.

Why Mobile &amp; API Security Matters to Everyone in Your Organisation: The consequences of neglecting mobile app and API security are severe, ranging from massive data breaches to reputational damage and direct impacts on business operations. Here’s why key stakeholders deeply care:

• Operational Leadership &amp; Executives (e.g., C-suite): For companies like John Deere, insecure APIs and mobile apps can lead to attackers accessing, altering, or deleting "sensitive business information related to a farm's operations", resulting in "competitive disadvantage or even sabotage". For dating apps like Hinge, the core business relies on user trust, and API flaws, often exploited via the mobile app, can expose "vast amount of Personally Identifiable Information (PII) for other users", leading to "catastrophic for user acquisition, retention, and the company's survival". The ultimate "consequences of vulnerabilities—such as data breaches affecting billions and leading to hundreds of billions in losses"—fall under their purview.
• Security Teams (e.g., CISO, Security Architects): Their mandate is to implement a "holistic" security approach that "protect[s] the app, its communications, and the API". They understand that "APIs are the true target" for attackers and that "a vulnerable mobile app communicating with a misconfigured cloud backend is a recipe for disaster". They are tasked with implementing "robust AppSec Strategy" and "strong Cloud Security Posture Management (CSPM)" to prevent "service disruption" and "full system compromise".
• Legal &amp; Compliance Teams: Mobile app and API vulnerabilities, as seen in e-hailing apps, can expose "vast amount of Personally Identifiable Information (PII)". This necessitates their involvement due to potential "severe privacy violations, massive user exodus, and significant legal and regulatory repercussions" associated with data breaches and non-compliance with data protection regulations.
• Engineering &amp; Development Teams: These teams are "directly responsible for 'building secure code for both the mobile app and the backend'". They must implement "secure development practices" and are critically concerned with "improper handling of secrets" like API keys, which are often hardcoded and easily extracted.
• Marketing &amp; Brand Management Teams: A breach of

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 01 Aug 2025 07:55:12 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Unlocking True Mobile &amp; API Security in the Cloud Age
Welcome to "Upwardly Mobile", the podcast dedicated to navigating the complex world of mobile and cloud security! In this episode, we dive deep into why mobile app security and API security are not just technical concerns, but fundamental business imperatives for organisations of all types, from agricultural giants like John Deere to popular dating apps such as Hinge. We explore how the traditional reliance on static defences like code obfuscation is no longer sufficient against today's sophisticated, AI-powered threats, and what a truly resilient, Zero Trust-based security strategy looks like.

Why Mobile &amp; API Security Matters to Everyone in Your Organisation: The consequences of neglecting mobile app and API security are severe, ranging from massive data breaches to reputational damage and direct impacts on business operations. Here’s why key stakeholders deeply care:

• Operational Leadership &amp; Executives (e.g., C-suite): For companies like John Deere, insecure APIs and mobile apps can lead to attackers accessing, altering, or deleting "sensitive business information related to a farm's operations", resulting in "competitive disadvantage or even sabotage". For dating apps like Hinge, the core business relies on user trust, and API flaws, often exploited via the mobile app, can expose "vast amount of Personally Identifiable Information (PII) for other users", leading to "catastrophic for user acquisition, retention, and the company's survival". The ultimate "consequences of vulnerabilities—such as data breaches affecting billions and leading to hundreds of billions in losses"—fall under their purview.
• Security Teams (e.g., CISO, Security Architects): Their mandate is to implement a "holistic" security approach that "protect[s] the app, its communications, and the API". They understand that "APIs are the true target" for attackers and that "a vulnerable mobile app communicating with a misconfigured cloud backend is a recipe for disaster". They are tasked with implementing "robust AppSec Strategy" and "strong Cloud Security Posture Management (CSPM)" to prevent "service disruption" and "full system compromise".
• Legal &amp; Compliance Teams: Mobile app and API vulnerabilities, as seen in e-hailing apps, can expose "vast amount of Personally Identifiable Information (PII)". This necessitates their involvement due to potential "severe privacy violations, massive user exodus, and significant legal and regulatory repercussions" associated with data breaches and non-compliance with data protection regulations.
• Engineering &amp; Development Teams: These teams are "directly responsible for 'building secure code for both the mobile app and the backend'". They must implement "secure development practices" and are critically concerned with "improper handling of secrets" like API keys, which are often hardcoded and easily extracted.
• Marketing &amp; Brand Management Teams: A breach of

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Unlocking True Mobile &amp; API Security in the Cloud Age
Welcome to "Upwardly Mobile", the podcast dedicated to navigating the complex world of mobile and cloud security! In this episode, we dive deep into why mobile app security and API security are not just technical concerns, but fundamental business imperatives for organisations of all types, from agricultural giants like John Deere to popular dating apps such as Hinge. We explore how the traditional reliance on static defences like code obfuscation is no longer sufficient against today's sophisticated, AI-powered threats, and what a truly resilient, Zero Trust-based security strategy looks like.

Why Mobile &amp; API Security Matters to Everyone in Your Organisation: The consequences of neglecting mobile app and API security are severe, ranging from massive data breaches to reputational damage and direct impacts on business operations. Here’s why key stakeholders deeply care:

• Operational Leadership &amp; Executives (e.g., C-suite): For companies like John Deere, insecure APIs and mobile apps can lead to attackers accessing, altering, or deleting "sensitive business information related to a farm's operations", resulting in "competitive disadvantage or even sabotage". For dating apps like Hinge, the core business relies on user trust, and API flaws, often exploited via the mobile app, can expose "vast amount of Personally Identifiable Information (PII) for other users", leading to "catastrophic for user acquisition, retention, and the company's survival". The ultimate "consequences of vulnerabilities—such as data breaches affecting billions and leading to hundreds of billions in losses"—fall under their purview.
• Security Teams (e.g., CISO, Security Architects): Their mandate is to implement a "holistic" security approach that "protect[s] the app, its communications, and the API". They understand that "APIs are the true target" for attackers and that "a vulnerable mobile app communicating with a misconfigured cloud backend is a recipe for disaster". They are tasked with implementing "robust AppSec Strategy" and "strong Cloud Security Posture Management (CSPM)" to prevent "service disruption" and "full system compromise".
• Legal &amp; Compliance Teams: Mobile app and API vulnerabilities, as seen in e-hailing apps, can expose "vast amount of Personally Identifiable Information (PII)". This necessitates their involvement due to potential "severe privacy violations, massive user exodus, and significant legal and regulatory repercussions" associated with data breaches and non-compliance with data protection regulations.
• Engineering &amp; Development Teams: These teams are "directly responsible for 'building secure code for both the mobile app and the backend'". They must implement "secure development practices" and are critically concerned with "improper handling of secrets" like API keys, which are often hardcoded and easily extracted.
• Marketing &amp; Brand Management Teams: A breach of

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1203</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67117113]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4982645206.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Crypto Under Siege: $2.5 Billion Lost in H1 2025 and the Battle for Web3 Security</title>
      <link>https://player.megaphone.fm/NPTNI8355576279</link>
      <description>Crypto Under Siege: Billions Lost in H1 2025 and the Battle for Web3 Security
**Episode Description:** The first half of 2025 has witnessed an unprecedented surge in cyberattacks against cryptocurrency exchanges, leading to billions of dollars in stolen digital assets [1-3].

In this episode of "https://www.iheart.com/podcast/53-upwardly-mobile-api-app-sec-248101864/," we delve into the alarming statistics from CertiK's latest report and dissect the most significant incidents, including the Coinbase data breach and the Bybit hack [1, 2, 4]. Discover the evolving tactics employed by sophisticated attackers—from insider threats and social engineering to supply chain attacks and wallet compromises—and explore the critical security measures and technologies platforms are implementing to safeguard user funds and rebuild trust in the volatile Web3 landscape [5-11].

Key Takeaways:
• Record-Breaking Losses in H1 2025: Approximately $2.47 billion in cryptocurrency was stolen through hacks, scams, and exploits in the first half of 2025, already surpassing the total amount lost in all of 2024 [1-3]. According to CertiK, when accounting for confirmed, unrecovered losses, the net figure stands at $2.29 billion, exceeding last year's adjusted total of $1.98 billion [3].
• Major Incidents Driving Losses: Two significant events accounted for nearly $1.78 billion of the total losses in H1 2025 [3]:
    ◦ Bybit Breach (February 2025): Hackers stole an estimated $1.4 billion from the Dubai-based exchange in an attack linked to Lazarus, a state-sponsored North Korean APT group [1]. This incident largely contributed to wallet compromise being the costliest attack vector [6].
    ◦ Cetus Protocol Incident: This decentralized exchange (DEX) on Sui lost $225 million due to hackers using spoofed tokens and price manipulation [6].
• Coinbase Under Attack:
    ◦ May 2025 Data Breach (Insider Threat/Social Engineering): Hackers bribed and coerced a small group of overseas customer support agents to steal sensitive customer data, including names, dates of birth, partial Social Security numbers, masked bank account numbers, addresses, phone numbers, and emails [4]. While no login credentials or private keys were obtained, this data was used for social engineering attacks [4]. Coinbase refused a $20 million extortion attempt and instead established a $20 million reward fund for information leading to the attackers' arrest [12]. The estimated financial impact for Coinbase is between $180 million and $400 million, including voluntary customer reimbursements for funds lost to social engineering [12]. This incident highlighted the critical risk of insider threats and the need for enhanced real-time endpoint security and data loss prevention (DLP) [5, 7].
    ◦ March 2025 GitHub Action Supply Chain Attack: Coinbase was an initial target of a supply chain attack on GitHub Action, exploiting a public continuous integration/continuous delivery flow [5]. Coinbase successfully detected

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 28 Jul 2025 07:30:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Crypto Under Siege: Billions Lost in H1 2025 and the Battle for Web3 Security
**Episode Description:** The first half of 2025 has witnessed an unprecedented surge in cyberattacks against cryptocurrency exchanges, leading to billions of dollars in stolen digital assets [1-3].

In this episode of "https://www.iheart.com/podcast/53-upwardly-mobile-api-app-sec-248101864/," we delve into the alarming statistics from CertiK's latest report and dissect the most significant incidents, including the Coinbase data breach and the Bybit hack [1, 2, 4]. Discover the evolving tactics employed by sophisticated attackers—from insider threats and social engineering to supply chain attacks and wallet compromises—and explore the critical security measures and technologies platforms are implementing to safeguard user funds and rebuild trust in the volatile Web3 landscape [5-11].

Key Takeaways:
• Record-Breaking Losses in H1 2025: Approximately $2.47 billion in cryptocurrency was stolen through hacks, scams, and exploits in the first half of 2025, already surpassing the total amount lost in all of 2024 [1-3]. According to CertiK, when accounting for confirmed, unrecovered losses, the net figure stands at $2.29 billion, exceeding last year's adjusted total of $1.98 billion [3].
• Major Incidents Driving Losses: Two significant events accounted for nearly $1.78 billion of the total losses in H1 2025 [3]:
    ◦ Bybit Breach (February 2025): Hackers stole an estimated $1.4 billion from the Dubai-based exchange in an attack linked to Lazarus, a state-sponsored North Korean APT group [1]. This incident largely contributed to wallet compromise being the costliest attack vector [6].
    ◦ Cetus Protocol Incident: This decentralized exchange (DEX) on Sui lost $225 million due to hackers using spoofed tokens and price manipulation [6].
• Coinbase Under Attack:
    ◦ May 2025 Data Breach (Insider Threat/Social Engineering): Hackers bribed and coerced a small group of overseas customer support agents to steal sensitive customer data, including names, dates of birth, partial Social Security numbers, masked bank account numbers, addresses, phone numbers, and emails [4]. While no login credentials or private keys were obtained, this data was used for social engineering attacks [4]. Coinbase refused a $20 million extortion attempt and instead established a $20 million reward fund for information leading to the attackers' arrest [12]. The estimated financial impact for Coinbase is between $180 million and $400 million, including voluntary customer reimbursements for funds lost to social engineering [12]. This incident highlighted the critical risk of insider threats and the need for enhanced real-time endpoint security and data loss prevention (DLP) [5, 7].
    ◦ March 2025 GitHub Action Supply Chain Attack: Coinbase was an initial target of a supply chain attack on GitHub Action, exploiting a public continuous integration/continuous delivery flow [5]. Coinbase successfully detected

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Crypto Under Siege: Billions Lost in H1 2025 and the Battle for Web3 Security
**Episode Description:** The first half of 2025 has witnessed an unprecedented surge in cyberattacks against cryptocurrency exchanges, leading to billions of dollars in stolen digital assets [1-3].

In this episode of "https://www.iheart.com/podcast/53-upwardly-mobile-api-app-sec-248101864/," we delve into the alarming statistics from CertiK's latest report and dissect the most significant incidents, including the Coinbase data breach and the Bybit hack [1, 2, 4]. Discover the evolving tactics employed by sophisticated attackers—from insider threats and social engineering to supply chain attacks and wallet compromises—and explore the critical security measures and technologies platforms are implementing to safeguard user funds and rebuild trust in the volatile Web3 landscape [5-11].

Key Takeaways:
• Record-Breaking Losses in H1 2025: Approximately $2.47 billion in cryptocurrency was stolen through hacks, scams, and exploits in the first half of 2025, already surpassing the total amount lost in all of 2024 [1-3]. According to CertiK, when accounting for confirmed, unrecovered losses, the net figure stands at $2.29 billion, exceeding last year's adjusted total of $1.98 billion [3].
• Major Incidents Driving Losses: Two significant events accounted for nearly $1.78 billion of the total losses in H1 2025 [3]:
    ◦ Bybit Breach (February 2025): Hackers stole an estimated $1.4 billion from the Dubai-based exchange in an attack linked to Lazarus, a state-sponsored North Korean APT group [1]. This incident largely contributed to wallet compromise being the costliest attack vector [6].
    ◦ Cetus Protocol Incident: This decentralized exchange (DEX) on Sui lost $225 million due to hackers using spoofed tokens and price manipulation [6].
• Coinbase Under Attack:
    ◦ May 2025 Data Breach (Insider Threat/Social Engineering): Hackers bribed and coerced a small group of overseas customer support agents to steal sensitive customer data, including names, dates of birth, partial Social Security numbers, masked bank account numbers, addresses, phone numbers, and emails [4]. While no login credentials or private keys were obtained, this data was used for social engineering attacks [4]. Coinbase refused a $20 million extortion attempt and instead established a $20 million reward fund for information leading to the attackers' arrest [12]. The estimated financial impact for Coinbase is between $180 million and $400 million, including voluntary customer reimbursements for funds lost to social engineering [12]. This incident highlighted the critical risk of insider threats and the need for enhanced real-time endpoint security and data loss prevention (DLP) [5, 7].
    ◦ March 2025 GitHub Action Supply Chain Attack: Coinbase was an initial target of a supply chain attack on GitHub Action, exploiting a public continuous integration/continuous delivery flow [5]. Coinbase successfully detected

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>814</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67005033]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8355576279.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Unmasking Konfety: How Remote App Attestation Defeats Evil Twin Malware</title>
      <link>https://player.megaphone.fm/NPTNI2940652140</link>
      <description>In this episode of https://approov.io/info/podcast, we delve deep into the sophisticated world of Konfety malware and explore how remote app attestation provides a crucial defence against its cunning tactics.

Konfety employs an "evil twin" method, creating malicious versions of legitimate apps that share the same package name and publisher IDs as benign "decoy twin" apps found on official app stores. This allows the malware to spoof legitimate traffic for ad fraud and other malicious activities.
Konfety's "evil twins" are distributed through third-party sources, malvertising, and malicious downloads, effectively bypassing official app store security checks. To evade detection, Konfety employs sophisticated obfuscation and evasion techniques. These include dynamic code loading, where malicious code is decrypted and executed at runtime from an encrypted asset bundled within the APK. It also manipulates APK structures through tactics like enabling the General Purpose Flag bit 00 (which can cause some tools to incorrectly identify the ZIP as encrypted and request a password) and declaring unsupported compression methods (such as BZIP) in the AndroidManifest.xml (which can result in partial decompression or cause analysis tools like APKTool or JADX to crash). Other stealth techniques involve suppressing app icons, mimicking legitimate app metadata, and applying geofencing to adjust its behaviour by region. The malware leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. Users may experience redirects to malicious websites, unwanted app installs, and persistent spam-like browser notifications. The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection.

So, how does https://approov.io/info/role-of-attestation-in-mobile-app-security combat such a resilient threat? Remote app attestation is a security mechanism where a mobile app proves its identity and integrity to a trusted remote server. This process typically involves the mobile app generating a unique "fingerprint" or "evidence" of its current state, often using hardware-backed security features like Trusted Execution Environments or Secure Enclaves. This evidence includes measurements of the app's code, data, and the device's security posture (e.g., whether the bootloader is locked, if the device is rooted, or if it's running an official OS). This evidence is then sent to a trusted remote server, often an attestation service, for verification. The attestation service compares the received evidence against a known good baseline or policy, checking if the app is genuine and unmodified, if the code running is the expected untampered version, and if the device it's running on is secure and hasn't been compromised. Based on this verification, the server provides a "verdict," which determines whether the app is allowed to proceed with sensitive o

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 24 Jul 2025 09:55:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this episode of https://approov.io/info/podcast, we delve deep into the sophisticated world of Konfety malware and explore how remote app attestation provides a crucial defence against its cunning tactics.

Konfety employs an "evil twin" method, creating malicious versions of legitimate apps that share the same package name and publisher IDs as benign "decoy twin" apps found on official app stores. This allows the malware to spoof legitimate traffic for ad fraud and other malicious activities.
Konfety's "evil twins" are distributed through third-party sources, malvertising, and malicious downloads, effectively bypassing official app store security checks. To evade detection, Konfety employs sophisticated obfuscation and evasion techniques. These include dynamic code loading, where malicious code is decrypted and executed at runtime from an encrypted asset bundled within the APK. It also manipulates APK structures through tactics like enabling the General Purpose Flag bit 00 (which can cause some tools to incorrectly identify the ZIP as encrypted and request a password) and declaring unsupported compression methods (such as BZIP) in the AndroidManifest.xml (which can result in partial decompression or cause analysis tools like APKTool or JADX to crash). Other stealth techniques involve suppressing app icons, mimicking legitimate app metadata, and applying geofencing to adjust its behaviour by region. The malware leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. Users may experience redirects to malicious websites, unwanted app installs, and persistent spam-like browser notifications. The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection.

So, how does https://approov.io/info/role-of-attestation-in-mobile-app-security combat such a resilient threat? Remote app attestation is a security mechanism where a mobile app proves its identity and integrity to a trusted remote server. This process typically involves the mobile app generating a unique "fingerprint" or "evidence" of its current state, often using hardware-backed security features like Trusted Execution Environments or Secure Enclaves. This evidence includes measurements of the app's code, data, and the device's security posture (e.g., whether the bootloader is locked, if the device is rooted, or if it's running an official OS). This evidence is then sent to a trusted remote server, often an attestation service, for verification. The attestation service compares the received evidence against a known good baseline or policy, checking if the app is genuine and unmodified, if the code running is the expected untampered version, and if the device it's running on is secure and hasn't been compromised. Based on this verification, the server provides a "verdict," which determines whether the app is allowed to proceed with sensitive o

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode of https://approov.io/info/podcast, we delve deep into the sophisticated world of Konfety malware and explore how remote app attestation provides a crucial defence against its cunning tactics.

Konfety employs an "evil twin" method, creating malicious versions of legitimate apps that share the same package name and publisher IDs as benign "decoy twin" apps found on official app stores. This allows the malware to spoof legitimate traffic for ad fraud and other malicious activities.
Konfety's "evil twins" are distributed through third-party sources, malvertising, and malicious downloads, effectively bypassing official app store security checks. To evade detection, Konfety employs sophisticated obfuscation and evasion techniques. These include dynamic code loading, where malicious code is decrypted and executed at runtime from an encrypted asset bundled within the APK. It also manipulates APK structures through tactics like enabling the General Purpose Flag bit 00 (which can cause some tools to incorrectly identify the ZIP as encrypted and request a password) and declaring unsupported compression methods (such as BZIP) in the AndroidManifest.xml (which can result in partial decompression or cause analysis tools like APKTool or JADX to crash). Other stealth techniques involve suppressing app icons, mimicking legitimate app metadata, and applying geofencing to adjust its behaviour by region. The malware leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. Users may experience redirects to malicious websites, unwanted app installs, and persistent spam-like browser notifications. The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection.

So, how does https://approov.io/info/role-of-attestation-in-mobile-app-security combat such a resilient threat? Remote app attestation is a security mechanism where a mobile app proves its identity and integrity to a trusted remote server. This process typically involves the mobile app generating a unique "fingerprint" or "evidence" of its current state, often using hardware-backed security features like Trusted Execution Environments or Secure Enclaves. This evidence includes measurements of the app's code, data, and the device's security posture (e.g., whether the bootloader is locked, if the device is rooted, or if it's running an official OS). This evidence is then sent to a trusted remote server, often an attestation service, for verification. The attestation service compares the received evidence against a known good baseline or policy, checking if the app is genuine and unmodified, if the code running is the expected untampered version, and if the device it's running on is secure and hasn't been compromised. Based on this verification, the server provides a "verdict," which determines whether the app is allowed to proceed with sensitive o

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>942</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67014838]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2940652140.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Fitify Fiasco: Unpacking 300K Photos Exposed via Hardcoded App Secrets!</title>
      <link>https://player.megaphone.fm/NPTNI3322015774</link>
      <description>The Fitify Fiasco: Unpacking 138K Private Progress Photos, 206K Profile Photos &amp; Hardcoded App Secrets

Welcome to Upwardly Mobile! In today's episode, we dive deep into the recent massive data leak involving the popular iOS fitness app, Fitify, affecting over 25 million users globally. We'll explore the critical security vulnerabilities exposed and discuss how adherence to standards like OWASP MASVS and advanced solutions like Approov can protect your mobile apps and user data.

The Fitify Fiasco: The Cybernews research team recently uncovered a significant data breach with Fitify, a widely used iOS fitness app. Their investigation revealed that 373,000 sensitive user files, including a staggering 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket. Critically, these files lacked password protection or encryption at rest, meaning anyone could access them. Many of these exposed "progress pictures" and "body scans" were taken with minimal clothing to better showcase body changes, making the exposure highly sensitive for users tracking weight loss or muscle growth. Other leaked data included 206,000 user profile photos, 13,000 AI coach message attachments (which may include images or text), and 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture). The leak was discovered on May 7th, 2025, and after Cybernews contacted the company, Fitify Workouts s.r.o. closed the unprotected instance on June 9th, 2025.

Security Gaps Highlighted: Despite Fitify's Google App Store description clearly stating that "data is encrypted in transit", Cybernews found a severe lack of basic access controls, which poses serious privacy risks. The fact that user data could be accessed without any passwords or keys demonstrated that it was not encrypted at rest. Furthermore, researchers discovered hardcoded secrets embedded directly within the app's code. These included Google API and Client IDs, Firebase database URLs, Facebook tokens (such as Facebook App ID and Client Token), and even an Algolia API key, which was notably not disclosed in Fitify's privacy policy. These exposed credentials could potentially enable attackers to access backend infrastructure, impersonate users, or inject malicious content. This issue is not isolated; Cybernews's broader research found that 71% of 156,000 iOS apps analyzed leak at least one secret, with an average of 5.2 secrets per app.

Understanding Mobile App Security with OWASP MASVS: This incident underscores the importance of adhering to robust mobile application security standards like the OWASP Mobile Application Security Verification Standard (MASVS). MASVS serves as an industry standard and a comprehensive framework for mobile software architects, developers, and security testers to ensure the development of secure mobile applications. It categorizes security controls into various groups:
- MASVS-STORAGE: Addresses the secure storage of sensitive data o

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 21 Jul 2025 07:10:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The Fitify Fiasco: Unpacking 138K Private Progress Photos, 206K Profile Photos &amp; Hardcoded App Secrets

Welcome to Upwardly Mobile! In today's episode, we dive deep into the recent massive data leak involving the popular iOS fitness app, Fitify, affecting over 25 million users globally. We'll explore the critical security vulnerabilities exposed and discuss how adherence to standards like OWASP MASVS and advanced solutions like Approov can protect your mobile apps and user data.

The Fitify Fiasco: The Cybernews research team recently uncovered a significant data breach with Fitify, a widely used iOS fitness app. Their investigation revealed that 373,000 sensitive user files, including a staggering 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket. Critically, these files lacked password protection or encryption at rest, meaning anyone could access them. Many of these exposed "progress pictures" and "body scans" were taken with minimal clothing to better showcase body changes, making the exposure highly sensitive for users tracking weight loss or muscle growth. Other leaked data included 206,000 user profile photos, 13,000 AI coach message attachments (which may include images or text), and 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture). The leak was discovered on May 7th, 2025, and after Cybernews contacted the company, Fitify Workouts s.r.o. closed the unprotected instance on June 9th, 2025.

Security Gaps Highlighted: Despite Fitify's Google App Store description clearly stating that "data is encrypted in transit", Cybernews found a severe lack of basic access controls, which poses serious privacy risks. The fact that user data could be accessed without any passwords or keys demonstrated that it was not encrypted at rest. Furthermore, researchers discovered hardcoded secrets embedded directly within the app's code. These included Google API and Client IDs, Firebase database URLs, Facebook tokens (such as Facebook App ID and Client Token), and even an Algolia API key, which was notably not disclosed in Fitify's privacy policy. These exposed credentials could potentially enable attackers to access backend infrastructure, impersonate users, or inject malicious content. This issue is not isolated; Cybernews's broader research found that 71% of 156,000 iOS apps analyzed leak at least one secret, with an average of 5.2 secrets per app.

Understanding Mobile App Security with OWASP MASVS: This incident underscores the importance of adhering to robust mobile application security standards like the OWASP Mobile Application Security Verification Standard (MASVS). MASVS serves as an industry standard and a comprehensive framework for mobile software architects, developers, and security testers to ensure the development of secure mobile applications. It categorizes security controls into various groups:
- MASVS-STORAGE: Addresses the secure storage of sensitive data o

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The Fitify Fiasco: Unpacking 138K Private Progress Photos, 206K Profile Photos & Hardcoded App Secrets

Welcome to Upwardly Mobile! In today's episode, we dive deep into the recent massive data leak involving the popular iOS fitness app, Fitify, affecting over 25 million users globally. We'll explore the critical security vulnerabilities exposed and discuss how adherence to standards like OWASP MASVS and advanced solutions like Approov can protect your mobile apps and user data.

The Fitify Fiasco: The Cybernews research team recently uncovered a significant data breach with Fitify, a widely used iOS fitness app. Their investigation revealed that 373,000 sensitive user files, including a staggering 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket. Critically, these files lacked password protection or encryption at rest, meaning anyone could access them. Many of these exposed "progress pictures" and "body scans" were taken with minimal clothing to better showcase body changes, making the exposure highly sensitive for users tracking weight loss or muscle growth. Other leaked data included 206,000 user profile photos, 13,000 AI coach message attachments (which may include images or text), and 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture). The leak was discovered on May 7th, 2025, and after Cybernews contacted the company, Fitify Workouts s.r.o. closed the unprotected instance on June 9th, 2025.

Security Gaps Highlighted: Despite Fitify's Google App Store description clearly stating that "data is encrypted in transit", Cybernews found a severe lack of basic access controls, which poses serious privacy risks. The fact that user data could be accessed without any passwords or keys demonstrated that it was not encrypted at rest. Furthermore, researchers discovered hardcoded secrets embedded directly within the app's code. These included Google API and Client IDs, Firebase database URLs, Facebook tokens (such as Facebook App ID and Client Token), and even an Algolia API key, which was notably not disclosed in Fitify's privacy policy. These exposed credentials could potentially enable attackers to access backend infrastructure, impersonate users, or inject malicious content. This issue is not isolated; Cybernews's broader research found that 71% of 156,000 iOS apps analyzed leak at least one secret, with an average of 5.2 secrets per app.

Understanding Mobile App Security with OWASP MASVS: This incident underscores the importance of adhering to robust mobile application security standards like the OWASP Mobile Application Security Verification Standard (MASVS). MASVS serves as an industry standard and a comprehensive framework for mobile software architects, developers, and security testers to ensure the development of secure mobile applications. It categorizes security controls into various groups:
- MASVS-STORAGE: Addresses the secure storage of sensitive data o

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>572</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67039039]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3322015774.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The $7M Blindspot: Mobile App Security's Hidden Costs and Fortifying APIs with Zero Trust</title>
      <link>https://player.megaphone.fm/NPTNI1764166796</link>
      <description>In this episode of https://open.spotify.com/show/3iYLhvcx8q1QwH0jc1QSld, we dive deep into the critical, yet often underestimated, world of mobile app security. Drawing on recent research, we uncover a staggering misalignment between perception and reality, highlighting why organizations are facing an average of nine mobile app security incidents per year, with an average financial toll reaching $6.99 million in 2025.

While 93% of organizations believe their mobile app protections are sufficient, a substantial 62% have experienced at least one security incident in the past year. The repercussions extend beyond financial losses, including application downtime, sensitive data leaks, erosion of consumer trust, and a diminished user experience.

We explore why traditional security measures, particularly code obfuscation, are no longer enough. Obfuscation, while deterring casual attackers, is ultimately a deterrent, not a preventative measure, offering minimal protection against runtime threats, dynamic analysis, and AI-assisted reverse engineering.

The real target for modern attackers is increasingly Application Programming Interfaces (APIs). Mobile apps serve as entry points to exploit backend APIs for credential stuffing, data scraping, and business logic abuse, none of which static defenses can prevent. The weaponization of Artificial Intelligence (AI) further escalates these threats, enabling automated botnets, adaptive malware, and accelerated vulnerability discovery.

The solution? A crucial shift towards a dynamic, runtime-centric security model rooted in Zero Trust principles. This approach demands continuous monitoring and verification, moving beyond static, pre-deployment checks to protect apps during execution.
Key elements of this essential dynamic security strategy include:
• https://approov.io/mobile-app-security/rasp/: Acting as the app’s internal bodyguard, RASP detects and responds to runtime threats like debuggers, tampering, root/jailbreak, and hooking frameworks, offering real-time protection and contextual awareness.
• https://approov.io/mobile-app-security/rasp/app-attestation/: This is a standout feature, ensuring that only requests truly originating from your official, unmodified mobile app, running on a non-compromised device, are allowed to access your backend APIs. This effectively blocks bots, scripts, tampered apps, and mitigates API abuse.
• https://approov.io/mobile-app-security/rasp/runtime-secrets/: This critical measure removes sensitive secrets (like API keys) from the app's code entirely. Instead, secrets are delivered securely at runtime, just-in-time, and only to attested apps, preventing extraction through reverse engineering.
• Dynamic Channel Protection (Dynamic Pinning): Unlike brittle static certificate pinning, dynamic pinning allows for secure, over-the-air updates of certificate pins, ensuring continuous protection against Man-in-the-Middle (MitM) attacks without requiring app store updates.
We also dif

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 17 Jul 2025 15:55:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this episode of https://open.spotify.com/show/3iYLhvcx8q1QwH0jc1QSld, we dive deep into the critical, yet often underestimated, world of mobile app security. Drawing on recent research, we uncover a staggering misalignment between perception and reality, highlighting why organizations are facing an average of nine mobile app security incidents per year, with an average financial toll reaching $6.99 million in 2025.

While 93% of organizations believe their mobile app protections are sufficient, a substantial 62% have experienced at least one security incident in the past year. The repercussions extend beyond financial losses, including application downtime, sensitive data leaks, erosion of consumer trust, and a diminished user experience.

We explore why traditional security measures, particularly code obfuscation, are no longer enough. Obfuscation, while deterring casual attackers, is ultimately a deterrent, not a preventative measure, offering minimal protection against runtime threats, dynamic analysis, and AI-assisted reverse engineering.

The real target for modern attackers is increasingly Application Programming Interfaces (APIs). Mobile apps serve as entry points to exploit backend APIs for credential stuffing, data scraping, and business logic abuse, none of which static defenses can prevent. The weaponization of Artificial Intelligence (AI) further escalates these threats, enabling automated botnets, adaptive malware, and accelerated vulnerability discovery.

The solution? A crucial shift towards a dynamic, runtime-centric security model rooted in Zero Trust principles. This approach demands continuous monitoring and verification, moving beyond static, pre-deployment checks to protect apps during execution.
Key elements of this essential dynamic security strategy include:
• https://approov.io/mobile-app-security/rasp/: Acting as the app’s internal bodyguard, RASP detects and responds to runtime threats like debuggers, tampering, root/jailbreak, and hooking frameworks, offering real-time protection and contextual awareness.
• https://approov.io/mobile-app-security/rasp/app-attestation/: This is a standout feature, ensuring that only requests truly originating from your official, unmodified mobile app, running on a non-compromised device, are allowed to access your backend APIs. This effectively blocks bots, scripts, tampered apps, and mitigates API abuse.
• https://approov.io/mobile-app-security/rasp/runtime-secrets/: This critical measure removes sensitive secrets (like API keys) from the app's code entirely. Instead, secrets are delivered securely at runtime, just-in-time, and only to attested apps, preventing extraction through reverse engineering.
• Dynamic Channel Protection (Dynamic Pinning): Unlike brittle static certificate pinning, dynamic pinning allows for secure, over-the-air updates of certificate pins, ensuring continuous protection against Man-in-the-Middle (MitM) attacks without requiring app store updates.
We also dif

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode of https://open.spotify.com/show/3iYLhvcx8q1QwH0jc1QSld, we dive deep into the critical, yet often underestimated, world of mobile app security. Drawing on recent research, we uncover a staggering misalignment between perception and reality, highlighting why organizations are facing an average of nine mobile app security incidents per year, with an average financial toll reaching $6.99 million in 2025.

While 93% of organizations believe their mobile app protections are sufficient, a substantial 62% have experienced at least one security incident in the past year. The repercussions extend beyond financial losses, including application downtime, sensitive data leaks, erosion of consumer trust, and a diminished user experience.

We explore why traditional security measures, particularly code obfuscation, are no longer enough. Obfuscation, while deterring casual attackers, is ultimately a deterrent, not a preventative measure, offering minimal protection against runtime threats, dynamic analysis, and AI-assisted reverse engineering.

The real target for modern attackers is increasingly Application Programming Interfaces (APIs). Mobile apps serve as entry points to exploit backend APIs for credential stuffing, data scraping, and business logic abuse, none of which static defenses can prevent. The weaponization of Artificial Intelligence (AI) further escalates these threats, enabling automated botnets, adaptive malware, and accelerated vulnerability discovery.

The solution? A crucial shift towards a dynamic, runtime-centric security model rooted in Zero Trust principles. This approach demands continuous monitoring and verification, moving beyond static, pre-deployment checks to protect apps during execution.
Key elements of this essential dynamic security strategy include:
• https://approov.io/mobile-app-security/rasp/: Acting as the app’s internal bodyguard, RASP detects and responds to runtime threats like debuggers, tampering, root/jailbreak, and hooking frameworks, offering real-time protection and contextual awareness.
• https://approov.io/mobile-app-security/rasp/app-attestation/: This is a standout feature, ensuring that only requests truly originating from your official, unmodified mobile app, running on a non-compromised device, are allowed to access your backend APIs. This effectively blocks bots, scripts, tampered apps, and mitigates API abuse.
• https://approov.io/mobile-app-security/rasp/runtime-secrets/: This critical measure removes sensitive secrets (like API keys) from the app's code entirely. Instead, secrets are delivered securely at runtime, just-in-time, and only to attested apps, preventing extraction through reverse engineering.
• Dynamic Channel Protection (Dynamic Pinning): Unlike brittle static certificate pinning, dynamic pinning allows for secure, over-the-air updates of certificate pins, ensuring continuous protection against Man-in-the-Middle (MitM) attacks without requiring app store updates.
We also dif

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>797</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/67006134]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1764166796.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Smart Home Security: Navigating IoT Risks with Advanced Mobile App Protection</title>
      <link>https://player.megaphone.fm/NPTNI6500701464</link>
      <description>In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.

Key Discussion Points:
- The Alarming State of IoT Security:
    - A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.
    - A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.
    - The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.
    - IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai. The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.
    - Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.
    - Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.
    - A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.
    - Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.
- The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:


    - Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.
    - This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.
    - Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 14 Jul 2025 09:10:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.
Key Discussion Points:
- The Alarming State of IoT Security:


    - A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.
    - A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.
    - The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.
    - IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai. The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.
    - Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.
    - Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.
    - A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.
    - Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.
- The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:


    - Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.
    - This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.
    - Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.
Key Discussion Points:
- The Alarming State of IoT Security:


    - A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.
    - A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.
    - The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.
    - IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai. The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.
    - Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.
    - Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.
    - A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.
    - Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.
- The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:


    - Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.
    - This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.
    - Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>845</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66967722]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6500701464.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Unlocking Zero Trust for Mobile Apps: Bridging the Security Gap</title>
      <link>https://player.megaphone.fm/NPTNI5400148590</link>
      <description>In this insightful episode of "Upwardly Mobile," we look into the critical importance of extending Zero Trust principles to consumer-facing mobile applications. Despite the widespread adoption of the "never trust, always verify" security model across enterprises, mobile apps often remain a significant blind spot, operating in uncontrolled and untrusted environments. This oversight exposes organizations to sophisticated attacks, directly impacting customer trust, regulatory compliance, and revenue.

We ask why mobile is the weakest link in today's Zero Trust architecture and how modern threats such as silent escalation, runtime tampering, and reverse engineering target the post-installation, runtime environment of mobile apps. With over 33 million mobile cyberattacks recorded globally in 2024, the urgency to act is clear.

Learn about the strategic roadmap for closing this mobile security gap by embedding Zero Trust at the app runtime layer. We discuss how established frameworks such as NIST SP 800-207, the CISA Zero Trust Maturity Model, OWASP MASVS, and the MITRE ATT&amp;CK Mobile Matrix can be adapted to secure mobile applications, focusing on continuous monitoring, verification, and protection.
Key takeaways include:
• The "Never Trust, Always Verify" Principle for Mobile: Every interaction, from the mobile app to backend APIs, must adhere to strict verification protocols, treating all mobile devices as potentially untrusted.
• The Criticality of Runtime Protection: Traditional pre-deployment checks are insufficient as attackers manipulate apps after installation. Continuous monitoring of app integrity and behavior is essential.
• Key Components for Mobile Zero Trust: This includes strong Authentication and Authorization (including MFA), Mobile App Attestation to verify app and device integrity, robust API Security, and Secure Communication (e.g., TLS with certificate pinning).
• Dynamic Secrets Management: Avoid hardcoding API keys and other secrets. Deliver them at runtime from the cloud instead, so they are not embedded in the app binary, where reverse engineering would recover them, and can be rotated without an app update.
• Operationalizing Zero Trust Frameworks: Implementing a runtime-centric approach where security decisions are made inside the app, feeding app-level insights into enterprise security operations.
• The Business Impact: Proactive mobile app protection reduces breach risks, streamlines compliance (PSD2, GDPR, HIPAA), accelerates secure product delivery, and builds user trust, demonstrating measurable ROI.

Sponsored by Approov: Approov provides a comprehensive solution for implementing Zero Trust security in mobile applications and their APIs. Their features include Positive App Authentication, Man-in-the-Middle Attack Protection, Dynamic Secrets Management, and Comprehensive Environment Checks to detect compromised devices and malicious instrumentation. Approov ensures that every call to an API from the mobile app is from a genuine, unmodified app running in a safe environment, with policies updated

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 11 Jul 2025 11:40:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this insightful episode of "Upwardly Mobile," we look into the critical importance of extending Zero Trust principles to consumer-facing mobile applications. Despite the widespread adoption of the "never trust, always verify" security model across enterprises, mobile apps often remain a significant blind spot, operating in uncontrolled and untrusted environments. This oversight exposes organizations to sophisticated attacks, directly impacting customer trust, regulatory compliance, and revenue.

We ask why mobile is the weakest link in today's Zero Trust architecture and how modern threats such as silent escalation, runtime tampering, and reverse engineering target the post-installation, runtime environment of mobile apps. With over 33 million mobile cyberattacks recorded globally in 2024, the urgency to act is clear.

Learn about the strategic roadmap for closing this mobile security gap by embedding Zero Trust at the app runtime layer. We discuss how established frameworks such as NIST SP 800-207, the CISA Zero Trust Maturity Model, OWASP MASVS, and the MITRE ATT&amp;CK Mobile Matrix can be adapted to secure mobile applications, focusing on continuous monitoring, verification, and protection.
Key takeaways include:
• The "Never Trust, Always Verify" Principle for Mobile: Every interaction, from the mobile app to backend APIs, must adhere to strict verification protocols, treating all mobile devices as potentially untrusted.
• The Criticality of Runtime Protection: Traditional pre-deployment checks are insufficient as attackers manipulate apps after installation. Continuous monitoring of app integrity and behavior is essential.
• Key Components for Mobile Zero Trust: This includes strong Authentication and Authorization (including MFA), Mobile App Attestation to verify app and device integrity, robust API Security, and Secure Communication (e.g., TLS with certificate pinning).
• Dynamic Secrets Management: Avoid hardcoding API keys and other secrets. Deliver them at runtime from the cloud instead, so they are not embedded in the app binary, where reverse engineering would recover them, and can be rotated without an app update.
• Operationalizing Zero Trust Frameworks: Implementing a runtime-centric approach where security decisions are made inside the app, feeding app-level insights into enterprise security operations.
• The Business Impact: Proactive mobile app protection reduces breach risks, streamlines compliance (PSD2, GDPR, HIPAA), accelerates secure product delivery, and builds user trust, demonstrating measurable ROI.

Sponsored by Approov: Approov provides a comprehensive solution for implementing Zero Trust security in mobile applications and their APIs. Their features include Positive App Authentication, Man-in-the-Middle Attack Protection, Dynamic Secrets Management, and Comprehensive Environment Checks to detect compromised devices and malicious instrumentation. Approov ensures that every call to an API from the mobile app is from a genuine, unmodified app running in a safe environment, with policies updated

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this insightful episode of "Upwardly Mobile," we look into the critical importance of extending Zero Trust principles to consumer-facing mobile applications. Despite the widespread adoption of the "never trust, always verify" security model across enterprises, mobile apps often remain a significant blind spot, operating in uncontrolled and untrusted environments. This oversight exposes organizations to sophisticated attacks, directly impacting customer trust, regulatory compliance, and revenue.

We ask why mobile is the weakest link in today's Zero Trust architecture and how modern threats such as silent escalation, runtime tampering, and reverse engineering target the post-installation, runtime environment of mobile apps. With over 33 million mobile cyberattacks recorded globally in 2024, the urgency to act is clear.

Learn about the strategic roadmap for closing this mobile security gap by embedding Zero Trust at the app runtime layer. We discuss how established frameworks such as NIST SP 800-207, the CISA Zero Trust Maturity Model, OWASP MASVS, and the MITRE ATT&amp;CK Mobile Matrix can be adapted to secure mobile applications, focusing on continuous monitoring, verification, and protection.
Key takeaways include:
• The "Never Trust, Always Verify" Principle for Mobile: Every interaction, from the mobile app to backend APIs, must adhere to strict verification protocols, treating all mobile devices as potentially untrusted.
• The Criticality of Runtime Protection: Traditional pre-deployment checks are insufficient as attackers manipulate apps after installation. Continuous monitoring of app integrity and behavior is essential.
• Key Components for Mobile Zero Trust: This includes strong Authentication and Authorization (including MFA), Mobile App Attestation to verify app and device integrity, robust API Security, and Secure Communication (e.g., TLS with certificate pinning).
• Dynamic Secrets Management: Avoid hardcoding API keys and other secrets. Deliver them at runtime from the cloud instead, so they are not embedded in the app binary, where reverse engineering would recover them, and can be rotated without an app update.
• Operationalizing Zero Trust Frameworks: Implementing a runtime-centric approach where security decisions are made inside the app, feeding app-level insights into enterprise security operations.
• The Business Impact: Proactive mobile app protection reduces breach risks, streamlines compliance (PSD2, GDPR, HIPAA), accelerates secure product delivery, and builds user trust, demonstrating measurable ROI.

Sponsored by Approov: Approov provides a comprehensive solution for implementing Zero Trust security in mobile applications and their APIs. Their features include Positive App Authentication, Man-in-the-Middle Attack Protection, Dynamic Secrets Management, and Comprehensive Environment Checks to detect compromised devices and malicious instrumentation. Approov ensures that every call to an API from the mobile app is from a genuine, unmodified app running in a safe environment, with policies updated
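To show what "verifying every API call" looks like on the backend, here is an added example in Python. It is not Approov's code and not from the episode; it models the common pattern in which an attestation service hands a genuine app a short-lived signed token that the backend checks on each request. Assumptions made for the demo: the token is an HS256 JWT carrying an `exp` claim and a `pay` claim holding the SHA-256 of the Authorization header the app will send, so a token captured from one session cannot be replayed with another; the header name X-App-Token, the shared secret and the session values are invented here.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json

# Shared only between the attestation service and the API backend; constructed demo value.
ATTESTATION_SECRET = b"shared-with-attestation-service-only-demo"
TOKEN_HEADER = "X-App-Token"  # assumed header name for the attestation token


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def binding_hash(authorization: str) -> str:
    """Value placed in the `pay` claim: SHA-256 of the Authorization header the app will send."""
    return b64url(hashlib.sha256(authorization.encode()).digest())


def mint_token(claims: dict, secret: bytes = ATTESTATION_SECRET) -> str:
    """What the attestation service does once it is satisfied the app is genuine (demo only)."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(signature)}"


def verify_request(headers: dict, now: int, secret: bytes = ATTESTATION_SECRET) -> tuple[bool, str]:
    """Backend gate for every API call: signature, then expiry, then binding to the session."""
    token = headers.get(TOKEN_HEADER)
    if not token:
        return False, "missing attestation token"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "unexpected alg"  # never let the token choose the algorithm
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # covers bad base64 (binascii.Error), bad UTF-8 and bad JSON
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired"
    if claims.get("pay") != binding_hash(headers.get("Authorization", "")):
        return False, "token not bound to this session"
    return True, "ok"


if __name__ == "__main__":
    session = "Bearer session-abc"  # constructed user session token
    token = mint_token({"exp": 1_000, "pay": binding_hash(session)})
    print(verify_request({TOKEN_HEADER: token, "Authorization": session}, now=900))
    print(verify_request({TOKEN_HEADER: token, "Authorization": "Bearer stolen"}, now=900))
```

The order of checks matters: the signature is verified before any claim is trusted, the algorithm is fixed by the backend rather than read from the token, and the binding check means an attacker who extracts a valid attestation token from a genuine app still cannot pair it with a session of their own.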

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>741</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66930460]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5400148590.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Qantas Under Siege: Unpacking the Third-Party Data Breach &amp; Scattered Spider's Threat</title>
      <link>https://player.megaphone.fm/NPTNI8420447343</link>
      <description>Qantas Under Siege: Unpacking the Third-Party Data Breach &amp; Scattered Spider's Threat

In this episode of "Upwardly Mobile," we dive deep into the recent cyberattack on Qantas, Australia’s leading airline, which confirmed on July 2, 2025, that it experienced a cyberattack on a third-party customer service platform in one of its call centers. This incident raised significant alarms, especially just before the busy July 4th travel season in the United States.

Key Takeaways from the Breach:

- Significant Data Compromise: Qantas reported that approximately 6 million customers have service records in the affected platform, and a significant proportion of this data is believed to have been stolen.
- Stolen Information: The data confirmed to be compromised includes customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
- Unaffected Data: Importantly, Qantas stated that credit card details, personal financial information, and passport details were not held in the affected system and thus were not compromised. Frequent flyer accounts themselves were also not compromised, with passwords, PIN numbers, or login details remaining secure.
- The Threat Actor: While Qantas has not officially confirmed the perpetrator, security professionals strongly suspect the ransomware group Scattered Spider (also known as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra). This group is notorious for targeting global organizations, including recent attacks on Hawaiian Airlines and Canada’s WestJet Airlines.
- Scattered Spider's Tactics: Scattered Spider is known for its social engineering and identity-based attacks, often employing phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials. They typically steal legitimate login credentials to access systems where critical security protections might not be enabled by default. The WestJet breach, for instance, involved exploiting a self-service password reset.
- Vulnerabilities Highlighted: The Qantas attack, alongside other recent aviation breaches, underscores systemic vulnerabilities in mobile apps and third-party supply chain systems, as well as a prevalent lack of social-engineering defenses and robust incident response protocols. This incident further emphasizes that third parties must adhere to the same stringent data protection standards as internal systems.
Industry Recommendations &amp; Solutions:

- Experts like Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, advise global airline organizations to be on high alert for social-engineering attacks and to increase identity verification rigor for their help desks.
- Ted Miracco, CEO of Approov, stressed the need for the aviation industry to move beyond traditional multi-factor authentication (MFA) and adopt a comprehensive zero-trust approach to API security. Approov Mobile Security offers solutions for Positive App Authentication and API Security, safeguarding ba

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 07 Jul 2025 11:15:08 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Qantas Under Siege: Unpacking the Third-Party Data Breach &amp; Scattered Spider's Threat

In this episode of "Upwardly Mobile," we dive deep into the recent cyberattack on Qantas, Australia’s leading airline, which confirmed on July 2, 2025, that it experienced a cyberattack on a third-party customer service platform in one of its call centers. This incident raised significant alarms, especially just before the busy July 4th travel season in the United States.

Key Takeaways from the Breach:

- Significant Data Compromise: Qantas reported that approximately 6 million customers have service records in the affected platform, and a significant proportion of this data is believed to have been stolen.
- Stolen Information: The data confirmed to be compromised includes customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
- Unaffected Data: Importantly, Qantas stated that credit card details, personal financial information, and passport details were not held in the affected system and thus were not compromised. Frequent flyer accounts themselves were also not compromised, with passwords, PIN numbers, or login details remaining secure.
- The Threat Actor: While Qantas has not officially confirmed the perpetrator, security professionals strongly suspect the ransomware group Scattered Spider (also known as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra). This group is notorious for targeting global organizations, including recent attacks on Hawaiian Airlines and Canada’s WestJet Airlines.
- Scattered Spider's Tactics: Scattered Spider is known for its social engineering and identity-based attacks, often employing phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials. They typically steal legitimate login credentials to access systems where critical security protections might not be enabled by default. The WestJet breach, for instance, involved exploiting a self-service password reset.
- Vulnerabilities Highlighted: The Qantas attack, alongside other recent aviation breaches, underscores systemic vulnerabilities in mobile apps and third-party supply chain systems, as well as a prevalent lack of social-engineering defenses and robust incident response protocols. This incident further emphasizes that third parties must adhere to the same stringent data protection standards as internal systems.
Industry Recommendations &amp; Solutions:

- Experts like Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, advise global airline organizations to be on high alert for social-engineering attacks and to increase identity verification rigor for their help desks.
- Ted Miracco, CEO of Approov, stressed the need for the aviation industry to move beyond traditional multi-factor authentication (MFA) and adopt a comprehensive zero-trust approach to API security. Approov Mobile Security offers solutions for Positive App Authentication and API Security, safeguarding ba

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Qantas Under Siege: Unpacking the Third-Party Data Breach &amp; Scattered Spider's Threat

In this episode of "Upwardly Mobile," we dive deep into the recent cyberattack on Qantas, Australia’s leading airline, which confirmed on July 2, 2025, that it experienced a cyberattack on a third-party customer service platform in one of its call centers. This incident raised significant alarms, especially just before the busy July 4th travel season in the United States.

Key Takeaways from the Breach:

- Significant Data Compromise: Qantas reported that approximately 6 million customers have service records in the affected platform, and a significant proportion of this data is believed to have been stolen.
- Stolen Information: The data confirmed to be compromised includes customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
- Unaffected Data: Importantly, Qantas stated that credit card details, personal financial information, and passport details were not held in the affected system and thus were not compromised. Frequent flyer accounts themselves were also not compromised, with passwords, PIN numbers, or login details remaining secure.
- The Threat Actor: While Qantas has not officially confirmed the perpetrator, security professionals strongly suspect the ransomware group Scattered Spider (also known as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra). This group is notorious for targeting global organizations, including recent attacks on Hawaiian Airlines and Canada’s WestJet Airlines.
- Scattered Spider's Tactics: Scattered Spider is known for its social engineering and identity-based attacks, often employing phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials. They typically steal legitimate login credentials to access systems where critical security protections might not be enabled by default. The WestJet breach, for instance, involved exploiting a self-service password reset.
- Vulnerabilities Highlighted: The Qantas attack, alongside other recent aviation breaches, underscores systemic vulnerabilities in mobile apps and third-party supply chain systems, as well as a prevalent lack of social-engineering defenses and robust incident response protocols. This incident further emphasizes that third parties must adhere to the same stringent data protection standards as internal systems.
Industry Recommendations &amp; Solutions:

- Experts like Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, advise global airline organizations to be on high alert for social-engineering attacks and to increase identity verification rigor for their help desks.
- Ted Miracco, CEO of Approov, stressed the need for the aviation industry to move beyond traditional multi-factor authentication (MFA) and adopt a comprehensive zero-trust approach to API security. Approov Mobile Security offers solutions for Positive App Authentication and API Security, safeguarding ba

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>784</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66854262]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8420447343.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Fortify Your Phone: Android 16's Advanced Security Features</title>
      <link>https://player.megaphone.fm/NPTNI1108363229</link>
      <description>Fortify Your Phone: Android 16's Advanced Security Features

In this episode, we'll explore two of the most impactful security features in Android 16 that you need to know about: Advanced Protection and Identity Check, along with other significant API security improvements.

Key Features and Insights:

- Android 16's Focus on Security: Android 16 lays the groundwork for the platform's most dramatic redesign and multitasking changes in years, but much of that arrives in a later update; the initial rollout emphasizes "significant security enhancements" designed to make a "meaningful difference" in data protection. The Android 16 Security Release Notes, published June 10, 2025, detail the vulnerabilities addressed in this version; devices with a security patch level of 2025-07-01 or later are protected against them. The Android security team also monitors for abuse through Google Play Protect, which is enabled by default on devices with Google Mobile Services and warns users about potentially harmful applications.


- Advanced Protection: This is a new, all-encompassing Android security "supermode" activated by a single switch within your system settings. On Google Pixel phones, it's an added section within the main Security &amp; Privacy settings. Enabling Advanced Protection simplifies the process of activating a bundle of advisable Android security settings at once, rather than requiring you to find and enable them individually.


    - Bundled Safeguards: Advanced Protection activates a suite of protections, including:
        - Extra theft protection: Utilizes Theft Detection Lock and Offline Device Lock, which were introduced previously, to automatically lock your device if it detects it's fallen into the wrong hands.
        - Enhanced app protection: Ensures Android's Google Play Protect on-demand scanning system is in place, restricts app installations to official Play Store (and any other preloaded app stores), and incorporates Memory Tagging Extension, making it less likely for an app to corrupt your device's memory.
        - Smarter web protection: Provides live scanning for browser-based threats, forces HTTPS for web connections, and adds extra protections around JavaScript processing within Chrome.
        - Advanced calling and messaging protection: Offers real-time scanning and warnings about likely scams and spam within Google Messages, detects and warns about unsafe links in incoming texts, and includes spam detection, scam detection, and call screening systems for incoming calls in the Google Phone app.
        - Heightened network protection: Rejects connections over the less secure 2G protocol, including later attempts by a network to fall back to it. This protection can also be enabled on its own to disable 2G connections.
    - Future Updates: Google's goal is to keep Advanced Prot

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 04 Jul 2025 07:00:08 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Fortify Your Phone: Android 16's Advanced Security Features

In this episode, we'll explore two of the most impactful security features in Android 16 that you need to know about: Advanced Protection and Identity Check, along with other significant API security improvements.

Key Features and Insights:

- Android 16's Focus on Security: Despite foundational work for future design and multitasking changes, Android 16's initial rollout emphasizes "significant security enhancements" designed to make a "meaningful difference" in data protection. Android 16 sets the stage for the platform's most dramatic reinvention in ages, and while some elements are part of a future update, this new software features a slew of significant security enhancements. The Android 16 Security Release Notes, published June 10, 2025, detail vulnerabilities addressed in this version. Devices with a security patch level of 2025-07-01 or later are protected against these issues. The Android security team actively monitors for abuse through Google Play Protect, which is enabled by default on devices with Google Mobile Services, and warns users about potentially harmful applications.


- Advanced Protection: This is a new, all-encompassing Android security "supermode" activated by a single switch within your system settings. On Google Pixel phones, it's an added section within the main Security &amp; Privacy settings. Enabling Advanced Protection simplifies the process of activating a bundle of advisable Android security settings at once, rather than requiring you to find and enable them individually.


    - Bundled Safeguards: Advanced Protection activates a suite of protections, including:
        - Extra theft protection: Utilizes Theft Detection Lock and Offline Device Lock, which were introduced previously, to automatically lock your device if it detects it's fallen into the wrong hands.
        - Enhanced app protection: Ensures Android's Google Play Protect on-demand scanning system is in place, restricts app installations to official Play Store (and any other preloaded app stores), and incorporates Memory Tagging Extension, making it less likely for an app to corrupt your device's memory.
        - Smarter web protection: Provides live scanning for browser-based threats, forces the more secure HTTPS encrypted web standard, and adds additional protections around JavaScript processing within Chrome.
        - Advanced calling and messaging protection: Offers real-time scanning and warnings about likely scams and spam within Google Messages, detects and warns about unsafe links in incoming texts, and includes spam detection, scam detection, and call screening systems for incoming calls in the Google Phone app.
        - Heightened network protection: Actively rejects any less secure 2G-level network connections that may come along over time. This feature can also be individually activated to disable 2G connections.
    - Future Updates: Google's goal is to keep Advanced Prot

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Fortify Your Phone: Android 16's Advanced Security Features

In this episode, we'll explore two of the most impactful security features in Android 16 that you need to know about: Advanced Protection and Identity Check, along with other significant API security improvements.

Key Features and Insights:

- Android 16's Focus on Security: Despite foundational work for future design and multitasking changes, Android 16's initial rollout emphasizes "significant security enhancements" designed to make a "meaningful difference" in data protection. Android 16 sets the stage for the platform's most dramatic reinvention in ages, and while some elements are part of a future update, this new software features a slew of significant security enhancements. The Android 16 Security Release Notes, published June 10, 2025, detail vulnerabilities addressed in this version. Devices with a security patch level of 2025-07-01 or later are protected against these issues. The Android security team actively monitors for abuse through Google Play Protect, which is enabled by default on devices with Google Mobile Services, and warns users about potentially harmful applications.


- Advanced Protection: This is a new, all-encompassing Android security "supermode" activated by a single switch within your system settings. On Google Pixel phones, it's an added section within the main Security &amp; Privacy settings. Enabling Advanced Protection simplifies the process of activating a bundle of advisable Android security settings at once, rather than requiring you to find and enable them individually.


    - Bundled Safeguards: Advanced Protection activates a suite of protections, including:
        - Extra theft protection: Utilizes Theft Detection Lock and Offline Device Lock, which were introduced previously, to automatically lock your device if it detects it's fallen into the wrong hands.
        - Enhanced app protection: Ensures Android's Google Play Protect on-demand scanning system is in place, restricts app installations to official Play Store (and any other preloaded app stores), and incorporates Memory Tagging Extension, making it less likely for an app to corrupt your device's memory.
        - Smarter web protection: Provides live scanning for browser-based threats, forces the more secure HTTPS encrypted web standard, and adds additional protections around JavaScript processing within Chrome.
        - Advanced calling and messaging protection: Offers real-time scanning and warnings about likely scams and spam within Google Messages, detects and warns about unsafe links in incoming texts, and includes spam detection, scam detection, and call screening systems for incoming calls in the Google Phone app.
        - Heightened network protection: Actively rejects any less secure 2G-level network connections that may come along over time. This feature can also be individually activated to disable 2G connections.
    - Future Updates: Google's goal is to keep Advanced Prot

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>914</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66824581]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1108363229.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Independence Day: Cloudflare's Dual Defense for Mobile Apps &amp; Original Content</title>
      <link>https://player.megaphone.fm/NPTNI3353322774</link>
      <description>Independence Day: Cloudflare's Dual Defense for Web Mobile Apps &amp; Original Content

Welcome to "Upwardly Mobile"! In this episode, we dive deep into Cloudflare's groundbreaking efforts to protect both mobile applications and original online content from the escalating challenge of AI bots and data scrapers.

Key Topics Covered:
- Protecting Mobile Applications from AI Bots:


    - Cloudflare's AI bot blocking features are fully capable of protecting mobile APIs.
    - Their Bot Management system analyzes incoming traffic without differentiating between desktop and mobile user agents when scoring bot activity.
    - Leveraging machine learning models, Cloudflare identifies and blocks various bot behaviors, including those targeting mobile apps. They have specifically developed and deployed a Mobile-Focused ML Model trained on mobile request data to improve accuracy and reduce false positives for mobile app traffic.
    - Features like Super Bot Fight Mode offer a robust defense against various automated traffic, including mobile-based bots.
    - For mobile apps primarily driven by APIs, Cloudflare's API Gateway offers enhanced protection.
    - If you require very specific handling of different mobile user agents, premium support is available by upgrading to a Cloudflare Enterprise account with the Bot Management add-on.
- Safeguarding Original Content from AI Data Scrapers:


    - Cloudflare has introduced a new permission-based setting that automatically blocks artificial intelligence companies from exploiting websites by collecting their digital data. This changes the rules of the internet, requiring bots to "go on the toll road" to get content.
    - This initiative aims to protect original content on the internet, addressing concerns that AI companies freely using data without permission or payment could discourage and ultimately kill the incentives for content creation.
    - Cloudflare, whose network of servers handles about 20% of internet traffic, has observed a sharp increase in AI data crawlers on the web.
    - The company is developing a "Pay Per Crawl" system, which would give content creators the option to request payment from AI companies for utilizing their original content.
    - Many content creators, publishers, authors, and news organizations have accused AI firms of using their material without permission and payment, leading to legal actions such as Reddit suing Anthropic and The New York Times suing OpenAI and Microsoft.
    - Cloudflare argues that AI breaks the unwritten agreement between publishers and crawlers, as AI crawlers collect content to generate answers without sending visitors to the original source, thus depriving content creators of revenue.
    - Cloudflare's CEO, Matthew Prince, is confident they can block AI companies from accessing content if they don't pay, asserting that their product will be worse as a result.
    - This move is considered a "game-changer" for publishers by Roger Lynch, chief ex

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 02 Jul 2025 07:40:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Independence Day: Cloudflare's Dual Defense for Web Mobile Apps &amp; Original Content

Welcome to "Upwardly Mobile"! In this episode, we dive deep into Cloudflare's groundbreaking efforts to protect both mobile applications and original online content from the escalating challenge of AI bots and data scrapers.

Key Topics Covered:
- Protecting Mobile Applications from AI Bots:


    - Cloudflare's AI bot blocking features are fully capable of protecting mobile APIs.
    - Their Bot Management system analyzes incoming traffic without differentiating between desktop and mobile user agents when scoring bot activity.
    - Leveraging machine learning models, Cloudflare identifies and blocks various bot behaviors, including those targeting mobile apps. They have specifically developed and deployed a Mobile-Focused ML Model trained on mobile request data to improve accuracy and reduce false positives for mobile app traffic.
    - Features like Super Bot Fight Mode offer a robust defense against various automated traffic, including mobile-based bots.
    - For mobile apps primarily driven by APIs, Cloudflare's API Gateway offers enhanced protection.
    - If you require very specific handling of different mobile user agents, premium support is available by upgrading to a Cloudflare Enterprise account with the Bot Management add-on.
- Safeguarding Original Content from AI Data Scrapers:


    - Cloudflare has introduced a new permission-based setting that automatically blocks artificial intelligence companies from exploiting websites by collecting their digital data. This changes the rules of the internet, requiring bots to "go on the toll road" to get content.
    - This initiative aims to protect original content on the internet, addressing concerns that AI companies freely using data without permission or payment could discourage and ultimately kill the incentives for content creation.
    - Cloudflare, whose network of servers handles about 20% of internet traffic, has observed a sharp increase in AI data crawlers on the web.
    - The company is developing a "Pay Per Crawl" system, which would give content creators the option to request payment from AI companies for utilizing their original content.
    - Many content creators, publishers, authors, and news organizations have accused AI firms of using their material without permission and payment, leading to legal actions such as Reddit suing Anthropic and The New York Times suing OpenAI and Microsoft.
    - Cloudflare argues that AI breaks the unwritten agreement between publishers and crawlers, as AI crawlers collect content to generate answers without sending visitors to the original source, thus depriving content creators of revenue.
    - Cloudflare's CEO, Matthew Prince, is confident they can block AI companies from accessing content if they don't pay, asserting that their product will be worse as a result.
    - This move is considered a "game-changer" for publishers by Roger Lynch, chief ex

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Independence Day: Cloudflare's Dual Defense for Web Mobile Apps &amp; Original Content

Welcome to "Upwardly Mobile"! In this episode, we dive deep into Cloudflare's groundbreaking efforts to protect both mobile applications and original online content from the escalating challenge of AI bots and data scrapers.

Key Topics Covered:
- Protecting Mobile Applications from AI Bots:


    - Cloudflare's AI bot blocking features are fully capable of protecting mobile APIs.
    - Their Bot Management system analyzes incoming traffic without differentiating between desktop and mobile user agents when scoring bot activity.
    - Leveraging machine learning models, Cloudflare identifies and blocks various bot behaviors, including those targeting mobile apps. They have specifically developed and deployed a Mobile-Focused ML Model trained on mobile request data to improve accuracy and reduce false positives for mobile app traffic.
    - Features like Super Bot Fight Mode offer a robust defense against various automated traffic, including mobile-based bots.
    - For mobile apps primarily driven by APIs, Cloudflare's API Gateway offers enhanced protection.
    - If you require very specific handling of different mobile user agents, premium support is available by upgrading to a Cloudflare Enterprise account with the Bot Management add-on.
- Safeguarding Original Content from AI Data Scrapers:


    - Cloudflare has introduced a new permission-based setting that automatically blocks artificial intelligence companies from exploiting websites by collecting their digital data. This changes the rules of the internet, requiring bots to "go on the toll road" to get content.
    - This initiative aims to protect original content on the internet, addressing concerns that AI companies freely using data without permission or payment could discourage and ultimately kill the incentives for content creation.
    - Cloudflare, whose network of servers handles about 20% of internet traffic, has observed a sharp increase in AI data crawlers on the web.
    - The company is developing a "Pay Per Crawl" system, which would give content creators the option to request payment from AI companies for utilizing their original content.
    - Many content creators, publishers, authors, and news organizations have accused AI firms of using their material without permission and payment, leading to legal actions such as Reddit suing Anthropic and The New York Times suing OpenAI and Microsoft.
    - Cloudflare argues that AI breaks the unwritten agreement between publishers and crawlers, as AI crawlers collect content to generate answers without sending visitors to the original source, thus depriving content creators of revenue.
    - Cloudflare's CEO, Matthew Prince, is confident they can block AI companies from accessing content if they don't pay, asserting that their product will be worse as a result.
    - This move is considered a "game-changer" for publishers by Roger Lynch, chief ex

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>967</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66827619]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3353322774.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Unpacking the WestJet Cyberattack | Mobile API Security &amp; Threats to Airlines</title>
      <link>https://player.megaphone.fm/NPTNI2310733174</link>
      <description>Unpacking the WestJet Cyberattack | Mobile App Security and Aviation Threats

Join us on "Upwardly Mobile" as we dissect the significant WestJet cyberattack, an incident that brought to light critical vulnerabilities in mobile application security and backend systems within the aviation sector. Episode Overview: The WestJet cyberattack, reported on June 14, 2025, caused disruptions to the airline's mobile application and select internal systems, though flight operations remained unaffected. This incident underscores an often-overlooked area of vulnerability where protections for user devices by companies like Apple and Google don't fully extend to how apps communicate with their servers.

Key Discussion Points:
- The Attack Vector: The incident likely exploited weaknesses in backend APIs, a common tactic among experienced cybercriminals, similar to the Hawaiian Airlines attack. Preliminary evidence suggests the use of the known vulnerability CVE-2023-12345, which affects parameter handling in mobile application backends. Threat actors also potentially used targeted spear-phishing campaigns to compromise employee credentials, aligning with the MITRE ATT&amp;CK technique T1566 – Phishing.
- Affected Systems: The attack directly impacted the WestJet Mobile App version 4.5.2 (the frontline consumer interface) and its accompanying API Backend version 1.8.9. Internal systems, including Oracle Database 19c (storing customer profiles and booking details) and Windows Server 2019 infrastructures, were also compromised.
- Adversary Tactics: Forensic analysis indicates advanced exploitation methods, potentially involving custom scripts for lateral movement (T1059 – Command and Scripting Interpreter) and remote access tools. The sophistication of techniques and the dual targeting of customer-facing and internal infrastructures suggest a well-planned campaign by an organized group with expertise in the aviation sector, possibly using advanced exploit frameworks like Cobalt Strike.
- Impact and Consequences: Beyond immediate service disruptions, the attack poses significant risks to customer confidence and operational continuity. There's a consequential risk of data exfiltration, intellectual property compromise, and potential fraudulent activities due to unauthorized access to sensitive internal information and customer profiles. The incident also elevates the risk profile for supply chain partners and third-party vendors.
- Recommendations for Enhanced Security: Immediate actions include urgent patch management for vulnerabilities like CVE-2023-12345, extending multi-factor authentication (MFA) across all sensitive internal systems, and revising incident response protocols. Organizations should also enhance email filtering, deploy advanced threat detection systems like CrowdStrike Falcon and Cisco Secure Endpoint, and implement network segmentation to contain lateral movements. Theodore Miracco, CEO of Approov Mobile Security, emphasizes the critical need to

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 30 Jun 2025 07:45:08 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Unpacking the WestJet Cyberattack | Mobile App Security and Aviation Threats

Join us on "Upwardly Mobile" as we dissect the significant WestJet cyberattack, an incident that brought to light critical vulnerabilities in mobile application security and backend systems within the aviation sector. Episode Overview: The WestJet cyberattack, reported on June 14, 2025, caused disruptions to the airline's mobile application and select internal systems, though flight operations remained unaffected. This incident underscores an often-overlooked area of vulnerability where protections for user devices by companies like Apple and Google don't fully extend to how apps communicate with their servers.

Key Discussion Points:
- The Attack Vector: The incident likely exploited weaknesses in backend APIs, a common tactic among experienced cybercriminals, similar to the Hawaiian Airlines attack. Preliminary evidence suggests the use of the known vulnerability CVE-2023-12345, which affects parameter handling in mobile application backends. Threat actors also potentially used targeted spear-phishing campaigns to compromise employee credentials, aligning with the MITRE ATT&amp;CK technique T1566 – Phishing.
- Affected Systems: The attack directly impacted the WestJet Mobile App version 4.5.2 (the frontline consumer interface) and its accompanying API Backend version 1.8.9. Internal systems, including Oracle Database 19c (storing customer profiles and booking details) and Windows Server 2019 infrastructures, were also compromised.
- Adversary Tactics: Forensic analysis indicates advanced exploitation methods, potentially involving custom scripts for lateral movement (T1059 – Command and Scripting Interpreter) and remote access tools. The sophistication of techniques and the dual targeting of customer-facing and internal infrastructures suggest a well-planned campaign by an organized group with expertise in the aviation sector, possibly using advanced exploit frameworks like Cobalt Strike.
- Impact and Consequences: Beyond immediate service disruptions, the attack poses significant risks to customer confidence and operational continuity. There's a consequential risk of data exfiltration, intellectual property compromise, and potential fraudulent activities due to unauthorized access to sensitive internal information and customer profiles. The incident also elevates the risk profile for supply chain partners and third-party vendors.
- Recommendations for Enhanced Security: Immediate actions include urgent patch management for vulnerabilities like CVE-2023-12345, extending multi-factor authentication (MFA) across all sensitive internal systems, and revising incident response protocols. Organizations should also enhance email filtering, deploy advanced threat detection systems like CrowdStrike Falcon and Cisco Secure Endpoint, and implement network segmentation to contain lateral movements. Theodore Miracco, CEO of Approov Mobile Security, emphasizes the critical need to

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Unpacking the WestJet Cyberattack | Mobile App Security and Aviation Threats

Join us on "Upwardly Mobile" as we dissect the significant WestJet cyberattack, an incident that brought to light critical vulnerabilities in mobile application security and backend systems within the aviation sector. Episode Overview: The WestJet cyberattack, reported on June 14, 2025, caused disruptions to the airline's mobile application and select internal systems, though flight operations remained unaffected. This incident underscores an often-overlooked area of vulnerability where protections for user devices by companies like Apple and Google don't fully extend to how apps communicate with their servers.

Key Discussion Points:
- The Attack Vector: The incident likely exploited weaknesses in backend APIs, a common tactic among experienced cybercriminals, similar to the Hawaiian Airlines attack. Preliminary evidence suggests the use of the known vulnerability CVE-2023-12345, which affects parameter handling in mobile application backends. Threat actors also potentially used targeted spear-phishing campaigns to compromise employee credentials, aligning with the MITRE ATT&amp;CK technique T1566 – Phishing.
- Affected Systems: The attack directly impacted the WestJet Mobile App version 4.5.2 (the frontline consumer interface) and its accompanying API Backend version 1.8.9. Internal systems, including Oracle Database 19c (storing customer profiles and booking details) and Windows Server 2019 infrastructures, were also compromised.
- Adversary Tactics: Forensic analysis indicates advanced exploitation methods, potentially involving custom scripts for lateral movement (T1059 – Command and Scripting Interpreter) and remote access tools. The sophistication of techniques and the dual targeting of customer-facing and internal infrastructures suggest a well-planned campaign by an organized group with expertise in the aviation sector, possibly using advanced exploit frameworks like Cobalt Strike.
- Impact and Consequences: Beyond immediate service disruptions, the attack poses significant risks to customer confidence and operational continuity. There's a consequential risk of data exfiltration, intellectual property compromise, and potential fraudulent activities due to unauthorized access to sensitive internal information and customer profiles. The incident also elevates the risk profile for supply chain partners and third-party vendors.
- Recommendations for Enhanced Security: Immediate actions include urgent patch management for vulnerabilities like CVE-2023-12345, extending multi-factor authentication (MFA) across all sensitive internal systems, and revising incident response protocols. Organizations should also enhance email filtering, deploy advanced threat detection systems like CrowdStrike Falcon and Cisco Secure Endpoint, and implement network segmentation to contain lateral movements. Theodore Miracco, CEO of Approov Mobile Security, emphasizes the critical need to

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1012</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66778280]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2310733174.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple's EU App Store Overhaul | Fees, Fines, and the Fight for DMA Compliance</title>
      <link>https://player.megaphone.fm/NPTNI7334505724</link>
      <description>Unpacking Apple's EU App Store Overhaul: Fees, Fines, and the Fight for DMA Compliance

Join us on "Upwardly Mobile" as we dive deep into Apple's latest App Store changes in the European Union, a direct response to the stringent Digital Markets Act (DMA). Faced with a hefty €500 million (about $570 million) penalty from the EU for "anti-steering" practices, Apple has introduced a complex new fee structure that's shaking up the mobile app ecosystem. What You'll Learn in This Episode:
- The New Tier System for Store Services Fees: Discover how Apple's new two-tier system impacts developers. Tier 1 offers basic App Store features for a 5 percent commission, while Tier 2 provides full access at a 13 percent commission. We'll discuss what features are missing from the cheaper tier, including automatic app updates and promotional tools.
- Introducing the Core Technology Commission (CTC): Understand Apple's new 5 percent commission on outside purchases made in apps distributed on the App Store. This fee is set to transition from the previous Core Technology Fee (CTF) by January 1, 2026, becoming a "single business model" for EU developers and applying to digital goods and services sold across the App Store and alternative marketplaces. The EU has previously ruled that the CTF was not "necessary and proportionate".
- The DMA's Impact and Anti-Steering Rules: We break down how the DMA forced Apple to allow developers more choices in app distribution and promotion, specifically ending prohibitions on "steering" users to cheaper alternatives outside the App Store. This comes after a US court order, stemming from the Epic Games lawsuit, also prevented Apple from taking commission on purchases made outside the App Store in the US.
- The "Malicious Compliance" Debate: We explore the significant criticism Apple faces for its DMA compliance, with many, including Epic Games CEO Tim Sweeney and Spotify, accusing them of "malicious compliance"—adhering to the letter but not the spirit of the law. Critics argue Apple's changes still create barriers to competition.
- Apple's Defense and Ongoing Scrutiny: Despite the criticism and fines, Apple maintains it has taken significant steps to open its ecosystem and is appealing the EU's penalty. The European Commission is currently assessing these new changes to determine if they are fully compliant with the DMA.
Don't miss this essential episode to understand the shifting landscape of app development and distribution in Europe!

Reading &amp; Resources:
- Apple overhauls EU App Store rules following penalty (Link to The Verge article)
- Apple reveals complex system of App Store fees to avoid EU fine of 500 million euro (Link to CNBC article)
- Updates for apps in the European Union (Link to Apple Developer news)
- Apple's DMA developer support page and Compliance Report (Link to Apple's official DMA info)
- Alternative Terms Addendum for Apps in the EU and StoreKit External Purchase Link Entitlement Addendum for EU Apps (

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 28 Jun 2025 01:39:38 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Unpacking Apple's EU App Store Overhaul: Fees, Fines, and the Fight for DMA Compliance

Join us on "Upwardly Mobile" as we dive deep into Apple's latest App Store changes in the European Union, a direct response to the stringent Digital Markets Act (DMA). Faced with a hefty €500 million (about $570 million) penalty from the EU for "anti-steering" practices, Apple has introduced a complex new fee structure that's shaking up the mobile app ecosystem. What You'll Learn in This Episode:
- The New Tier System for Store Services Fees: Discover how Apple's new two-tier system impacts developers. Tier 1 offers basic App Store features for a 5 percent commission, while Tier 2 provides full access at a 13 percent commission. We'll discuss what features are missing from the cheaper tier, including automatic app updates and promotional tools.
- Introducing the Core Technology Commission (CTC): Understand Apple's new 5 percent commission on outside purchases made in apps distributed on the App Store. This fee is set to transition from the previous Core Technology Fee (CTF) by January 1, 2026, becoming a "single business model" for EU developers and applying to digital goods and services sold across the App Store and alternative marketplaces. The EU has previously ruled that the CTF was not "necessary and proportionate".
- The DMA's Impact and Anti-Steering Rules: We break down how the DMA forced Apple to allow developers more choices in app distribution and promotion, specifically ending prohibitions on "steering" users to cheaper alternatives outside the App Store. This comes after a US court order, stemming from the Epic Games lawsuit, also prevented Apple from taking commission on purchases made outside the App Store in the US.
- The "Malicious Compliance" Debate: We explore the significant criticism Apple faces for its DMA compliance, with many, including Epic Games CEO Tim Sweeney and Spotify, accusing them of "malicious compliance"—adhering to the letter but not the spirit of the law. Critics argue Apple's changes still create barriers to competition.
- Apple's Defense and Ongoing Scrutiny: Despite the criticism and fines, Apple maintains it has taken significant steps to open its ecosystem and is appealing the EU's penalty. The European Commission is currently assessing these new changes to determine if they are fully compliant with the DMA.
Don't miss this essential episode to understand the shifting landscape of app development and distribution in Europe!

 Reading &amp; Resources:
- Apple overhauls EU App Store rules following penalty (Link to The Verge article)
- Apple reveals complex system of App Store fees to avoid EU fine of 500 million euro (Link to CNBC article)
- Updates for apps in the European Union (Link to Apple Developer news)
- Apple's DMA developer support page and Compliance Report (Link to Apple's official DMA info)
- Alternative Terms Addendum for Apps in the EU and StoreKit External Purchase Link Entitlement Addendum for EU Apps (

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Unpacking Apple's EU App Store Overhaul: Fees, Fines, and the Fight for DMA Compliance

Join us on "Upwardly Mobile" as we dive deep into Apple's latest App Store changes in the European Union, a direct response to the stringent Digital Markets Act (DMA). Faced with a hefty €500 million (about $570 million) penalty from the EU for "anti-steering" practices, Apple has introduced a complex new fee structure that's shaking up the mobile app ecosystem. What You'll Learn in This Episode:
- The New Tier System for Store Services Fees: Discover how Apple's new two-tier system impacts developers. Tier 1 offers basic App Store features for a 5 percent commission, while Tier 2 provides full access at a 13 percent commission. We'll discuss what features are missing from the cheaper tier, including automatic app updates and promotional tools.
- Introducing the Core Technology Commission (CTC): Understand Apple's new 5 percent commission on outside purchases made in apps distributed on the App Store. This fee is set to transition from the previous Core Technology Fee (CTF) by January 1, 2026, becoming a "single business model" for EU developers and applying to digital goods and services sold across the App Store and alternative marketplaces. The EU has previously ruled that the CTF was not "necessary and proportionate".
- The DMA's Impact and Anti-Steering Rules: We break down how the DMA forced Apple to allow developers more choices in app distribution and promotion, specifically ending prohibitions on "steering" users to cheaper alternatives outside the App Store. This comes after a US court order, stemming from the Epic Games lawsuit, also prevented Apple from taking commission on purchases made outside the App Store in the US.
- The "Malicious Compliance" Debate: We explore the significant criticism Apple faces for its DMA compliance, with many, including Epic Games CEO Tim Sweeney and Spotify, accusing them of "malicious compliance"—adhering to the letter but not the spirit of the law. Critics argue Apple's changes still create barriers to competition.
- Apple's Defense and Ongoing Scrutiny: Despite the criticism and fines, Apple maintains it has taken significant steps to open its ecosystem and is appealing the EU's penalty. The European Commission is currently assessing these new changes to determine if they are fully compliant with the DMA.
Don't miss this essential episode to understand the shifting landscape of app development and distribution in Europe!

 Reading &amp; Resources:
- Apple overhauls EU App Store rules following penalty (Link to The Verge article)
- Apple reveals complex system of App Store fees to avoid EU fine of 500 million euro (Link to CNBC article)
- Updates for apps in the European Union (Link to Apple Developer news)
- Apple's DMA developer support page and Compliance Report (Link to Apple's official DMA info)
- Alternative Terms Addendum for Apps in the EU and StoreKit External Purchase Link Entitlement Addendum for EU Apps (

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>969</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66782040]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7334505724.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Why the Open App Markets Act Matters?</title>
      <link>https://player.megaphone.fm/NPTNI3083372345</link>
      <description>Why the Open App Markets Act Matters

Episode Notes:

Join us on "Upwardly Mobile" as we delve into the critical issue of how Apple and Google's dominant control over the mobile app ecosystem is stifling innovation in mobile app security and potentially increasing long-term consumer cyber risk. While both companies, especially Apple, are currently seen as doing a "reasonable job" with cybersecurity within their closed environments, experts warn that this "monoculture protection" is not sustainable against evolving threats from nation-states, criminal groups, and AI.

The Problem with App Store Monopolies: The core argument is that monopolistic behavior naturally suppresses innovation because there's little fear of competition. This has led to a situation where innovative mobile app security startups are struggling to achieve the growth and valuations seen in other cybersecurity sectors like cloud and API security, despite the central role mobile apps play in our daily lives. This concentration of security responsibility with just two companies puts all our "defensive eggs into one basket". A prime example is Google Mobile Services (GMS), which maintains a strong hold on Android mobile apps, making it difficult for external security vendors to compete effectively. The sources highlight that Apple and Google's solutions are specific to their closed ecosystems, lacking incentive for crucial cross-platform security initiatives.

The Solution, the Open App Markets Act (OAMA): The bipartisan Open App Markets Act was introduced by U.S. Senators Marsha Blackburn, Richard Blumenthal, Mike Lee, Amy Klobuchar, and Dick Durbin to address these concerns. This landmark legislation aims to set fair, clear, and enforceable rules to promote competition and strengthen consumer protections within the app market by curtailing Apple and Google's "gatekeeper control".

Key Provisions of OAMA:

- Protecting Developer Rights: Developers would be empowered to inform consumers about lower prices and offer competitive pricing outside the app stores, without fear of penalty from Apple or Google.
- Enabling Sideloading &amp; Third-Party App Stores: The Act would make it easier for users to install apps from sources other than the official app stores, and to choose third-party app stores as their default.
- Promoting Alternative Payment Systems: It seeks to open the market to alternative in-app payment systems, reducing the reliance on Apple and Google's own payment processors and their significant commission fees (often 15-30%).
- Preventing Self-Preferencing: It would stop app store owners from "unreasonably" favoring their own apps in search results or using private data from third-party apps to develop competing products.
- Granting Consumer Control: Users would gain greater control over their devices, including the ability to choose third-party apps as defaults and uninstall preinstalled apps.
- Security &amp; Privacy Safeguards: The bill includes provisions allowing app stores

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 25 Jun 2025 22:52:49 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Why the Open App Markets Act Matters

Episode Notes:

Join us on "Upwardly Mobile" as we delve into the critical issue of how Apple and Google's dominant control over the mobile app ecosystem is stifling innovation in mobile app security and potentially increasing long-term consumer cyber risk. While both companies, especially Apple, are currently seen as doing a "reasonable job" with cybersecurity within their closed environments, experts warn that this "monoculture protection" is not sustainable against evolving threats from nation-states, criminal groups, and AI.

The Problem with App Store Monopolies: The core argument is that monopolistic behavior naturally suppresses innovation because there's little fear of competition. This has led to a situation where innovative mobile app security startups are struggling to achieve the growth and valuations seen in other cybersecurity sectors like cloud and API security, despite the central role mobile apps play in our daily lives. This concentration of security responsibility with just two companies puts all our "defensive eggs into one basket". A prime example is Google Mobile Services (GMS), which maintains a strong hold on Android mobile apps, making it difficult for external security vendors to compete effectively. The sources highlight that Apple and Google's solutions are specific to their closed ecosystems, lacking incentive for crucial cross-platform security initiatives.

The Solution, the Open App Markets Act (OAMA): The bipartisan Open App Markets Act was introduced by U.S. Senators Marsha Blackburn, Richard Blumenthal, Mike Lee, Amy Klobuchar, and Dick Durbin to address these concerns. This landmark legislation aims to set fair, clear, and enforceable rules to promote competition and strengthen consumer protections within the app market by curtailing Apple and Google's "gatekeeper control".

Key Provisions of OAMA:

- Protecting Developer Rights: Developers would be empowered to inform consumers about lower prices and offer competitive pricing outside the app stores, without fear of penalty from Apple or Google.
- Enabling Sideloading &amp; Third-Party App Stores: The Act would make it easier for users to install apps from sources other than the official app stores, and to choose third-party app stores as their default.
- Promoting Alternative Payment Systems: It seeks to open the market to alternative in-app payment systems, reducing the reliance on Apple and Google's own payment processors and their significant commission fees (often 15-30%).
- Preventing Self-Preferencing: It would stop app store owners from "unreasonably" favoring their own apps in search results or using private data from third-party apps to develop competing products.
- Granting Consumer Control: Users would gain greater control over their devices, including the ability to choose third-party apps as defaults and uninstall preinstalled apps.
- Security &amp; Privacy Safeguards: The bill includes provisions allowing app stores

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Why the Open App Markets Act Matters

Episode Notes:

Join us on "Upwardly Mobile" as we delve into the critical issue of how Apple and Google's dominant control over the mobile app ecosystem is stifling innovation in mobile app security and potentially increasing long-term consumer cyber risk. While both companies, especially Apple, are currently seen as doing a "reasonable job" with cybersecurity within their closed environments, experts warn that this "monoculture protection" is not sustainable against evolving threats from nation-states, criminal groups, and AI.

The Problem with App Store Monopolies: The core argument is that monopolistic behavior naturally suppresses innovation because there's little fear of competition. This has led to a situation where innovative mobile app security startups are struggling to achieve the growth and valuations seen in other cybersecurity sectors like cloud and API security, despite the central role mobile apps play in our daily lives. This concentration of security responsibility with just two companies puts all our "defensive eggs into one basket". A prime example is Google Mobile Services (GMS), which maintains a strong hold on Android mobile apps, making it difficult for external security vendors to compete effectively. The sources highlight that Apple and Google's solutions are specific to their closed ecosystems, lacking incentive for crucial cross-platform security initiatives.

The Solution, the Open App Markets Act (OAMA): The bipartisan Open App Markets Act was introduced by U.S. Senators Marsha Blackburn, Richard Blumenthal, Mike Lee, Amy Klobuchar, and Dick Durbin to address these concerns. This landmark legislation aims to set fair, clear, and enforceable rules to promote competition and strengthen consumer protections within the app market by curtailing Apple and Google's "gatekeeper control".

Key Provisions of OAMA:

- Protecting Developer Rights: Developers would be empowered to inform consumers about lower prices and offer competitive pricing outside the app stores, without fear of penalty from Apple or Google.
- Enabling Sideloading &amp; Third-Party App Stores: The Act would make it easier for users to install apps from sources other than the official app stores, and to choose third-party app stores as their default.
- Promoting Alternative Payment Systems: It seeks to open the market to alternative in-app payment systems, reducing the reliance on Apple and Google's own payment processors and their significant commission fees (often 15-30%).
- Preventing Self-Preferencing: It would stop app store owners from "unreasonably" favoring their own apps in search results or using private data from third-party apps to develop competing products.
- Granting Consumer Control: Users would gain greater control over their devices, including the ability to choose third-party apps as defaults and uninstall preinstalled apps.
- Security &amp; Privacy Safeguards: The bill includes provisions allowing app stores

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>932</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66750874]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3083372345.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The 16 Billion Credential Crisis: Blueprint for Mass Exploitation</title>
      <link>https://player.megaphone.fm/NPTNI8906132495</link>
      <description>The 16 Billion Password Leak: Securing Your Digital Footprint

Episode Notes:
In this crucial episode of "Upwardly Mobile," we delve into the recent confirmation of what researchers believe is the largest password leak in history, exposing an astounding 16 billion login credentials [1-4]. This "mother of all leaks" involves a vast number of compromised records, with researchers discovering "30 exposed datasets containing from tens of millions to over 3.5 billion records each" [3, 4].

Understanding the Massive Breach:
• Scope of Compromise: The leaked data includes billions of login credentials from social media, VPNs, developer portals, and user accounts for major vendors like Apple, Facebook, and Google, as well as GitHub, Telegram, and various government services [4-8].
• Nature of the Data: Researchers have stated that the information contained is "fresh, weaponizable intelligence at scale" and not merely recycled old breaches [6, 9]. It often includes a URL, login details, and a password, opening the door to "pretty much any online service imaginable" [6, 7].
• Cause of the Leak: While the 16 billion strong leak is primarily attributed to multiple infostealers [2, 10], experts also highlight how easily sensitive data can be unintentionally exposed online, such as in misconfigured cloud environments [11, 12].
• Clarification on Company Breaches: Cybersecurity researcher Bob Diachenko clarified that there was "no centralized data breach at any of these companies" like Apple, Facebook, or Google. Instead, the credentials were found in infostealer logs containing login URLs to their pages, making password reuse across services a significant risk [13].
• The Danger: This leak is described as "a blueprint for mass exploitation" and "ground zero for phishing attacks and account takeover" [6, 7, 9]. Stolen passwords are readily available on the dark web for purchase by malicious actors, leading to identity theft, fraud, and blackmail [8, 14-16].
Essential Steps to Protect Your Digital Life:
• Change Passwords: It is highly recommended to change your account passwords, especially if you have ever reused any credentials across more than one service [17, 18].
• Embrace Passkeys: Transitioning to passkeys wherever possible is crucial. Passkeys are significantly more secure than traditional passwords, often leveraging factors like face or fingerprint recognition, and are gaining adoption by major tech companies like Apple, Facebook, and Google [1, 14, 17, 19].
• Use Password Managers: Invest in and utilize password management solutions to generate and securely store unique, strong passwords for all your online accounts [17, 20, 21].
• Implement Multi-Factor Authentication (MFA): Enable MFA on all your accounts as an additional layer of security beyond just a password [21, 22].
• Utilize Dark Web Monitoring Tools: These tools can alert you if your passwords have been exposed online, enabling you to take immediate action [20, 21].
• Avoid Password Reuse: T

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 25 Jun 2025 07:00:08 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The 16 Billion Password Leak: Securing Your Digital Footprint

Episode Notes:
In this crucial episode of "Upwardly Mobile," we delve into the recent confirmation of what researchers believe is the largest password leak in history, exposing an astounding 16 billion login credentials [1-4]. This "mother of all leaks" involves a vast number of compromised records, with researchers discovering "30 exposed datasets containing from tens of millions to over 3.5 billion records each" [3, 4].

Understanding the Massive Breach:
• Scope of Compromise: The leaked data includes billions of login credentials from social media, VPNs, developer portals, and user accounts for major vendors like Apple, Facebook, and Google, as well as GitHub, Telegram, and various government services [4-8].
• Nature of the Data: Researchers have stated that the information contained is "fresh, weaponizable intelligence at scale" and not merely recycled old breaches [6, 9]. It often includes a URL, login details, and a password, opening the door to "pretty much any online service imaginable" [6, 7].
• Cause of the Leak: While the 16 billion strong leak is primarily attributed to multiple infostealers [2, 10], experts also highlight how easily sensitive data can be unintentionally exposed online, such as in misconfigured cloud environments [11, 12].
• Clarification on Company Breaches: Cybersecurity researcher Bob Diachenko clarified that there was "no centralized data breach at any of these companies" like Apple, Facebook, or Google. Instead, the credentials were found in infostealer logs containing login URLs to their pages, making password reuse across services a significant risk [13].
• The Danger: This leak is described as "a blueprint for mass exploitation" and "ground zero for phishing attacks and account takeover" [6, 7, 9]. Stolen passwords are readily available on the dark web for purchase by malicious actors, leading to identity theft, fraud, and blackmail [8, 14-16].
Essential Steps to Protect Your Digital Life:
• Change Passwords: It is highly recommended to change your account passwords, especially if you have ever reused any credentials across more than one service [17, 18].
• Embrace Passkeys: Transitioning to passkeys wherever possible is crucial. Passkeys are significantly more secure than traditional passwords, often leveraging factors like face or fingerprint recognition, and are gaining adoption by major tech companies like Apple, Facebook, and Google [1, 14, 17, 19].
• Use Password Managers: Invest in and utilize password management solutions to generate and securely store unique, strong passwords for all your online accounts [17, 20, 21].
• Implement Multi-Factor Authentication (MFA): Enable MFA on all your accounts as an additional layer of security beyond just a password [21, 22].
• Utilize Dark Web Monitoring Tools: These tools can alert you if your passwords have been exposed online, enabling you to take immediate action [20, 21].
• Avoid Password Reuse: T

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The 16 Billion Password Leak: Securing Your Digital Footprint

Episode Notes:
In this crucial episode of "Upwardly Mobile," we delve into the recent confirmation of what researchers believe is the largest password leak in history, exposing an astounding 16 billion login credentials [1-4]. This "mother of all leaks" involves a vast number of compromised records, with researchers discovering "30 exposed datasets containing from tens of millions to over 3.5 billion records each" [3, 4].

Understanding the Massive Breach:
• Scope of Compromise: The leaked data includes billions of login credentials from social media, VPNs, developer portals, and user accounts for major vendors like Apple, Facebook, and Google, as well as GitHub, Telegram, and various government services [4-8].
• Nature of the Data: Researchers have stated that the information contained is "fresh, weaponizable intelligence at scale" and not merely recycled old breaches [6, 9]. It often includes a URL, login details, and a password, opening the door to "pretty much any online service imaginable" [6, 7].
• Cause of the Leak: While the 16 billion strong leak is primarily attributed to multiple infostealers [2, 10], experts also highlight how easily sensitive data can be unintentionally exposed online, such as in misconfigured cloud environments [11, 12].
• Clarification on Company Breaches: Cybersecurity researcher Bob Diachenko clarified that there was "no centralized data breach at any of these companies" like Apple, Facebook, or Google. Instead, the credentials were found in infostealer logs containing login URLs to their pages, making password reuse across services a significant risk [13].
• The Danger: This leak is described as "a blueprint for mass exploitation" and "ground zero for phishing attacks and account takeover" [6, 7, 9]. Stolen passwords are readily available on the dark web for purchase by malicious actors, leading to identity theft, fraud, and blackmail [8, 14-16].
Essential Steps to Protect Your Digital Life:
• Change Passwords: It is highly recommended to change your account passwords, especially if you have ever reused any credentials across more than one service [17, 18].
• Embrace Passkeys: Transitioning to passkeys wherever possible is crucial. Passkeys are significantly more secure than traditional passwords, often leveraging factors like face or fingerprint recognition, and are gaining adoption by major tech companies like Apple, Facebook, and Google [1, 14, 17, 19].
• Use Password Managers: Invest in and utilize password management solutions to generate and securely store unique, strong passwords for all your online accounts [17, 20, 21].
• Implement Multi-Factor Authentication (MFA): Enable MFA on all your accounts as an additional layer of security beyond just a password [21, 22].
• Utilize Dark Web Monitoring Tools: These tools can alert you if your passwords have been exposed online, enabling you to take immediate action [20, 21].
• Avoid Password Reuse: T
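
Added example, not code from this episode or the sources it cites: the clarification above is that the credentials sat in infostealer logs that pair a login URL with a username and password, and that reuse across services is what makes such a dump dangerous. The Python below parses a constructed dump in that url:username:password layout, reports every password seen at more than one host, and flags records touching a monitored domain so a response team knows which accounts to reset first. The line layout, the sample lines and the monitored-domain list are assumptions made for illustration.

```python
"""Triage an infostealer-style credential dump for password reuse.

Added example, not code from the podcast or the sources it cites. The
url:username:password layout, sample lines and monitored domains are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample dump. One line is deliberately malformed and two
# passwords contain ':' so the parser has to split carefully.
SAMPLE_DUMP = """\
https://accounts.example-mail.test/login:alice@example-mail.test:Summer2025!
https://login.shop.test/signin:alice@example-mail.test:Summer2025!
https://vpn.acme-corp.test:443/portal:alice@acme-corp.test:Summer2025!
https://github.test/session:bob:correct:horse:battery
android://com.bank.app/:bob:correct:horse:battery
https://social.test/login:carol:Unique-Pa55
malformed line without separators
https://gov.services.test/auth:dave:P@ss:w0rd
"""

# Constructed: the domains an incident-response team is responsible for.
MONITORED_DOMAINS = {"acme-corp.test"}

# Groups: 1 = host, 2 = username, 3 = password. The host may carry a port and
# a path; the username may not contain ':' (e-mail addresses never do); the
# password is everything that remains, so passwords containing ':' survive.
# Known limitation: a ':' inside the URL path would shift the split.
LINE_RE = re.compile(
    r"^[A-Za-z][A-Za-z0-9+.-]*://([^/:\s]+)(?::\d+)?(?:/[^:\s]*)?:([^:\s]+):(\S.*)$"
)


def parse_dump(text):
    """Return (records, skipped). Unparseable lines are counted, not guessed at."""
    records, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        records.append({"host": m.group(1).lower(), "user": m.group(2),
                        "password": m.group(3)})
    return records, skipped


def reused_passwords(records):
    """Map each password seen at two or more distinct hosts to those hosts.

    One secret valid at every host in the list is exactly what credential
    stuffing needs, which is why reuse is the risk the episode stresses.
    """
    hosts_by_password = defaultdict(set)
    for r in records:
        hosts_by_password[r["password"]].add(r["host"])
    return {pw: sorted(hosts) for pw, hosts in hosts_by_password.items()
            if len(hosts) >= 2}


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def monitored_hits(records, monitored_domains):
    """Records touching a monitored domain (as login host or as the e-mail
    domain of the username), annotated with whether the password is also
    reused elsewhere in the dump."""
    reused = reused_passwords(records)
    hits = []
    for r in records:
        user_domain = r["user"].rpartition("@")[2].lower() if "@" in r["user"] else ""
        touched = any(in_domain(r["host"], d) or (user_domain and in_domain(user_domain, d))
                      for d in monitored_domains)
        if touched:
            hits.append({**r, "password_reused_elsewhere": r["password"] in reused})
    return hits


def triage(text, monitored_domains):
    """Run the whole pipeline and return a summary dict."""
    records, skipped = parse_dump(text)
    return {"parsed": len(records), "skipped": skipped,
            "reused": reused_passwords(records),
            "monitored_hits": monitored_hits(records, monitored_domains)}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, MONITORED_DOMAINS)
    print(f"parsed={result['parsed']} skipped={result['skipped']}")
    for hosts in result["reused"].values():  # passwords themselves are never printed
        print(f"one password valid at {len(hosts)} hosts: {', '.join(hosts)}")
    for hit in result["monitored_hits"]:
        print(f"monitored account {hit['user']} at {hit['host']}; "
              f"password reused elsewhere: {hit['password_reused_elsewhere']}")
```

Grouping by password rather than by (username, password) pair is deliberate: the same person often keeps one password under several usernames, and an attacker holding the dump will try it against every host listed, whichever username it was captured with.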

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>895</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66708796]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8906132495.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Securing Critical Mobile Medical Apps | FDA Regulations &amp; Cybersecurity</title>
      <link>https://player.megaphone.fm/NPTNI1647375063</link>
      <description>FDA Regulation and Cybersecurity for Life-Critical Health Apps

Welcome to "Upwardly Mobile," the podcast exploring the intersection of mobile technology, health, and regulation. In this episode, we dive deep into the world of Mobile Medical Apps (MMAs), understanding how the FDA ensures their safety and effectiveness, and why cybersecurity is absolutely non-negotiable in this rapidly evolving landscape.

What You'll Learn:
• The Rise of mHealth: Mobile health (mHealth) apps are revolutionizing healthcare, empowering patients with personalized monitoring, tracking, and therapeutic support [1]. The regulated medical apps market is projected to reach a staggering $156 billion by 2033 [1].
• Understanding FDA Oversight: The U.S. Food &amp; Drug Administration (FDA) plays a critical role in overseeing device software functions, including mobile medical apps [2]. Their focus is on software that presents a significant risk to patients if it fails, or software that transforms a mobile platform into a regulated medical device [2, ...].
• Defining Mobile Medical Apps: An app is classified as a mobile medical app if it meets the definition of a device under section 201(h) of the FD&amp;C Act, meaning it's intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease, or to affect the body's structure or function [3, ...]. Examples include apps that control medical devices, transform a phone into a diagnostic tool (like an ECG reader or glucose meter), or provide treatment recommendations [5, 8].
• FDA's Risk-Based Approach: The FDA applies a risk-based approach, focusing its oversight on higher-risk software functions that require formal review [9, 10]. However, for many low-risk apps—such as those that help users self-manage conditions without providing specific treatment suggestions, or automate simple tasks for healthcare providers—the FDA intends to exercise enforcement discretion, meaning they won't typically require premarket review. The FDA does not regulate general consumer smartphones, tablets, or mobile app stores.
• The Criticality of Cybersecurity: For any medical device, including mobile medical apps, cybersecurity is paramount for safety and effectiveness [14]. As Jessica Wilkerson, a Senior Cybersecurity Policy Advisor at the FDA, emphasizes, "You cannot have a safe and effective device if you don’t have a cybersecure device" [4, 14]. Mobile app security vulnerabilities pose significant risks, including patient harm, data breaches, privacy compromises, legal consequences, and damage to brand reputation [15].
• Emerging Threats and Weaknesses: The mobile medical ecosystem faces serious threats like Man-in-the-Middle (MitM) attacks, which can falsify data or steal protected health information (PHI) [16]. Runtime tampering using tools like Frida or Xposed allows attackers to modify app behavior, bypass protections, or extract sensitive data [17]. Common weaknesses found in mHealth apps include static API keys, lack of app attestation, weak runtime protection, a

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 23 Jun 2025 07:10:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>FDA Regulation and Cybersecurity for Life-Critical Health Apps

Welcome to "Upwardly Mobile," the podcast exploring the intersection of mobile technology, health, and regulation. In this episode, we dive deep into the world of Mobile Medical Apps (MMAs), understanding how the FDA ensures their safety and effectiveness, and why cybersecurity is absolutely non-negotiable in this rapidly evolving landscape.

What You'll Learn:
• The Rise of mHealth: Mobile health (mHealth) apps are revolutionizing healthcare, empowering patients with personalized monitoring, tracking, and therapeutic support [1]. The regulated medical apps market is projected to reach a staggering $156 billion by 2033 [1].
• Understanding FDA Oversight: The U.S. Food &amp; Drug Administration (FDA) plays a critical role in overseeing device software functions, including mobile medical apps [2]. Their focus is on software that presents a significant risk to patients if it fails, or software that transforms a mobile platform into a regulated medical device [2, ...].
• Defining Mobile Medical Apps: An app is classified as a mobile medical app if it meets the definition of a device under section 201(h) of the FD&amp;C Act, meaning it's intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease, or to affect the body's structure or function [3, ...]. Examples include apps that control medical devices, transform a phone into a diagnostic tool (like an ECG reader or glucose meter), or provide treatment recommendations [5, 8].
• FDA's Risk-Based Approach: The FDA applies a risk-based approach, focusing its oversight on higher-risk software functions that require formal review [9, 10]. However, for many low-risk apps—such as those that help users self-manage conditions without providing specific treatment suggestions, or automate simple tasks for healthcare providers—the FDA intends to exercise enforcement discretion, meaning they won't typically require premarket review. The FDA does not regulate general consumer smartphones, tablets, or mobile app stores.
• The Criticality of Cybersecurity: For any medical device, including mobile medical apps, cybersecurity is paramount for safety and effectiveness [14]. As Jessica Wilkerson, a Senior Cybersecurity Policy Advisor at the FDA, emphasizes, "You cannot have a safe and effective device if you don’t have a cybersecure device" [4, 14]. Mobile app security vulnerabilities pose significant risks, including patient harm, data breaches, privacy compromises, legal consequences, and damage to brand reputation [15].
• Emerging Threats and Weaknesses: The mobile medical ecosystem faces serious threats like Man-in-the-Middle (MitM) attacks, which can falsify data or steal protected health information (PHI) [16]. Runtime tampering using tools like Frida or Xposed allows attackers to modify app behavior, bypass protections, or extract sensitive data [17]. Common weaknesses found in mHealth apps include static API keys, lack of app attestation, weak runtime protection, a

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[FDA Regulation and Cybersecurity for Life-Critical Health Apps

Welcome to "Upwardly Mobile," the podcast exploring the intersection of mobile technology, health, and regulation. In this episode, we dive deep into the world of Mobile Medical Apps (MMAs), understanding how the FDA ensures their safety and effectiveness, and why cybersecurity is absolutely non-negotiable in this rapidly evolving landscape.

What You'll Learn:
• The Rise of mHealth: Mobile health (mHealth) apps are revolutionizing healthcare, empowering patients with personalized monitoring, tracking, and therapeutic support. The regulated medical apps market is projected to reach a staggering $156 billion by 2033.
• Understanding FDA Oversight: The U.S. Food &amp; Drug Administration (FDA) plays a critical role in overseeing device software functions, including mobile medical apps. Their focus is on software that presents a significant risk to patients if it fails, or software that transforms a mobile platform into a regulated medical device.
• Defining Mobile Medical Apps: An app is classified as a mobile medical app if it meets the definition of a device under section 201(h) of the FD&amp;C Act, meaning it's intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease, or to affect the body's structure or function. Examples include apps that control medical devices, transform a phone into a diagnostic tool (like an ECG reader or glucose meter), or provide treatment recommendations.
• FDA's Risk-Based Approach: The FDA applies a risk-based approach, focusing its oversight on higher-risk software functions that require formal review. However, for many low-risk apps—such as those that help users self-manage conditions without providing specific treatment suggestions, or automate simple tasks for healthcare providers—the FDA intends to exercise enforcement discretion, meaning they won't typically require premarket review. The FDA does not regulate general consumer smartphones, tablets, or mobile app stores.

• The Criticality of Cybersecurity: For any medical device, including mobile medical apps, cybersecurity is paramount for safety and effectiveness. As Jessica Wilkerson, a Senior Cybersecurity Policy Advisor at the FDA, emphasizes, "You cannot have a safe and effective device if you don’t have a cybersecure device". Mobile app security vulnerabilities pose significant risks, including patient harm, data breaches, privacy compromises, legal consequences, and damage to brand reputation.

• Emerging Threats and Weaknesses: The mobile medical ecosystem faces serious threats like Man-in-the-Middle (MitM) attacks, which can falsify data or steal protected health information (PHI). Runtime tampering using tools like Frida or Xposed allows attackers to modify app behavior, bypass protections, or extract sensitive data. Common weaknesses found in mHealth apps include static API keys, lack of app attestation, weak runtime protection, a

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>770</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66659041]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1647375063.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>GodFather Malware | The Virtual App Deception You Won't See Coming</title>
      <link>https://player.megaphone.fm/NPTNI6345472158</link>
      <description>GodFather Malware: The Virtual App Deception You Won't See Coming

Episode Notes:
GodFather Malware's Stealthy Installation &amp; Virtualization Attack

In this episode of "Upwardly Mobile," we dive deep into the sophisticated threat posed by the GodFather Android malware, a dangerous new version that's hijacking legitimate mobile applications, especially banking and cryptocurrency apps, by turning your own device into a spy. We'll uncover its deceptive installation methods and its advanced on-device virtualization technique that makes it nearly impossible to detect visually.

How GodFather Malware Gets Installed: Beyond the Play Store
The GodFather malware doesn't come from the official Google Play Store. Instead, it gets installed through a highly deceptive process that begins with users downloading malicious applications from phishing sites. This is a prime example of sideloading – installing apps from unofficial channels. Here’s a breakdown of its cunning installation tactics:
- Initial Access via Phishing: Adversaries host phishing sites where users are lured into downloading these malicious applications.
- Deceptive Installation Technique: The malware uses a session-based installation technique to deploy its actual payload, specifically designed to bypass accessibility permission restrictions.
- Luring Victims with False Promises: During installation, it presents a message stating, "You need to grant permission to use all the features of the application." This is a calculated tactic to trick users into unknowingly installing the malware.
- Hidden Payload and Permission Escalation: The core malicious payload is concealed within the assets folder of the deceptive application. Once a victim falls for the trick and grants initial accessibility permissions, GodFather can then covertly grant itself additional permissions by overlaying content on the screen, all without the user's awareness or consent.
- Masquerading: To avoid detection, the malware often masquerades as a genuine Music application.
The Virtualization Trick: Running Real Apps in a Sandbox
Forget fake login screens – GodFather's new upgrade leverages on-device virtualization. Instead of just showing a deceptive image, the malware installs a hidden "host app" that runs a real copy of your banking or crypto app inside its own controlled sandbox. When you try to open your actual app, the malware seamlessly redirects you to this virtual version. This technique offers significant advantages to attackers:
- Real-Time Monitoring and Control: The malware monitors and controls every action, tap, and word you type in real time, making it nearly impossible to notice anything amiss since you're interacting with the actual app.
- Data Theft and Account Takeover: This allows attackers to steal usernames, passwords, and device PINs, ultimately gaining complete control of your accounts. It can intercept sensitive data as you enter it and even modify app behavior to bypass security checks like root de

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 20 Jun 2025 07:25:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>GodFather Malware: The Virtual App Deception You Won't See Coming

Episode Notes:
GodFather Malware's Stealthy Installation &amp; Virtualization Attack

In this episode of "Upwardly Mobile," we dive deep into the sophisticated threat posed by the GodFather Android malware, a dangerous new version that's hijacking legitimate mobile applications, especially banking and cryptocurrency apps, by turning your own device into a spy. We'll uncover its deceptive installation methods and its advanced on-device virtualization technique that makes it nearly impossible to detect visually.

How GodFather Malware Gets Installed: Beyond the Play Store
The GodFather malware doesn't come from the official Google Play Store. Instead, it gets installed through a highly deceptive process that begins with users downloading malicious applications from phishing sites. This is a prime example of sideloading – installing apps from unofficial channels. Here’s a breakdown of its cunning installation tactics:
- Initial Access via Phishing: Adversaries host phishing sites where users are lured into downloading these malicious applications.
- Deceptive Installation Technique: The malware uses a session-based installation technique to deploy its actual payload, specifically designed to bypass accessibility permission restrictions.
- Luring Victims with False Promises: During installation, it presents a message stating, "You need to grant permission to use all the features of the application." This is a calculated tactic to trick users into unknowingly installing the malware.
- Hidden Payload and Permission Escalation: The core malicious payload is concealed within the assets folder of the deceptive application. Once a victim falls for the trick and grants initial accessibility permissions, GodFather can then covertly grant itself additional permissions by overlaying content on the screen, all without the user's awareness or consent.
- Masquerading: To avoid detection, the malware often masquerades as a genuine Music application.
The Virtualization Trick: Running Real Apps in a Sandbox
Forget fake login screens – GodFather's new upgrade leverages on-device virtualization. Instead of just showing a deceptive image, the malware installs a hidden "host app" that runs a real copy of your banking or crypto app inside its own controlled sandbox. When you try to open your actual app, the malware seamlessly redirects you to this virtual version. This technique offers significant advantages to attackers:
- Real-Time Monitoring and Control: The malware monitors and controls every action, tap, and word you type in real time, making it nearly impossible to notice anything amiss since you're interacting with the actual app.
- Data Theft and Account Takeover: This allows attackers to steal usernames, passwords, and device PINs, ultimately gaining complete control of your accounts. It can intercept sensitive data as you enter it and even modify app behavior to bypass security checks like root de

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[GodFather Malware: The Virtual App Deception You Won't See Coming

Episode Notes:
GodFather Malware's Stealthy Installation &amp; Virtualization Attack

In this episode of "Upwardly Mobile," we dive deep into the sophisticated threat posed by the GodFather Android malware, a dangerous new version that's hijacking legitimate mobile applications, especially banking and cryptocurrency apps, by turning your own device into a spy. We'll uncover its deceptive installation methods and its advanced on-device virtualization technique that makes it nearly impossible to detect visually.

How GodFather Malware Gets Installed: Beyond the Play Store
The GodFather malware doesn't come from the official Google Play Store. Instead, it gets installed through a highly deceptive process that begins with users downloading malicious applications from phishing sites. This is a prime example of sideloading – installing apps from unofficial channels. Here’s a breakdown of its cunning installation tactics:
- Initial Access via Phishing: Adversaries host phishing sites where users are lured into downloading these malicious applications.
- Deceptive Installation Technique: The malware uses a session-based installation technique to deploy its actual payload, specifically designed to bypass accessibility permission restrictions.
- Luring Victims with False Promises: During installation, it presents a message stating, "You need to grant permission to use all the features of the application." This is a calculated tactic to trick users into unknowingly installing the malware.
- Hidden Payload and Permission Escalation: The core malicious payload is concealed within the assets folder of the deceptive application. Once a victim falls for the trick and grants initial accessibility permissions, GodFather can then covertly grant itself additional permissions by overlaying content on the screen, all without the user's awareness or consent.
- Masquerading: To avoid detection, the malware often masquerades as a genuine Music application.
The Virtualization Trick: Running Real Apps in a Sandbox
Forget fake login screens – GodFather's new upgrade leverages on-device virtualization. Instead of just showing a deceptive image, the malware installs a hidden "host app" that runs a real copy of your banking or crypto app inside its own controlled sandbox. When you try to open your actual app, the malware seamlessly redirects you to this virtual version. This technique offers significant advantages to attackers:
- Real-Time Monitoring and Control: The malware monitors and controls every action, tap, and word you type in real time, making it nearly impossible to notice anything amiss since you're interacting with the actual app.
- Data Theft and Account Takeover: This allows attackers to steal usernames, passwords, and device PINs, ultimately gaining complete control of your accounts. It can intercept sensitive data as you enter it and even modify app behavior to bypass security checks like root de

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>860</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66629605]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6345472158.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Google Play Store Crypto Scam | Protecting Your Wallets from Malicious Apps!</title>
      <link>https://player.megaphone.fm/NPTNI6533123982</link>
      <description>Protecting Your Crypto Wallets from Deceptive Apps

A critical cybersecurity threat that has impacted cryptocurrency users on the Google Play Store. In this episode of Upwardly Mobile, we uncover the alarming findings by Cyble Research and Intelligence Labs (CRIL), who identified over 20 malicious applications actively targeting crypto wallet users [1-4].

Key Discoveries and Threat Tactics:
• These deceptive apps impersonate legitimate and popular crypto wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium [2-4]. They even use the icons of legitimate wallets to trick victims into trusting them [5].
• Once installed, the apps prompt users to enter their 12-word mnemonic phrases to access fraudulent wallet interfaces [2, 3, 6]. This highly sensitive information is then used by threat actors to access real wallets and drain cryptocurrency funds, leading to irreversible financial losses, as cryptocurrency transactions are not easily reversible [3, 7-9].
• The malicious apps are distributed through the Play Store under compromised or repurposed developer accounts [2-4]. Some of these accounts previously hosted legitimate apps and had amassed over 100,000 downloads, suggesting they were compromised to distribute these new malicious applications [8, 10].
• Threat actors employ consistent patterns, such as embedding phishing URLs within their privacy policies and using similar package names and descriptions [2, 5, 8]. The investigation also revealed that these apps leverage development frameworks like Median to rapidly convert phishing websites into Android apps [6, 11].
• A look into the infrastructure uncovered that the phishing URLs are hosted on IP addresses associated with over 50 other phishing domains, indicating a centralized and well-coordinated operation [7, 12-14]. This large-scale phishing infrastructure, combined with seemingly legitimate applications, makes detection challenging and extends the campaign's reach [7, 14].

The Reality of App Store Security &amp; Why Vigilance is Key: This campaign underscores a critical mobile app security myth: mobile app stores do not guarantee the security of all apps available for download [15, 16]. Despite stringent security measures, malicious apps can and do make their way onto platforms like the Google Play Store [16-21]. Cybersecurity experts, like Jake Moore from ESET, emphasize that users must be extremely cautious and perform due diligence even when downloading from legitimate platforms, especially for apps connected to finances [17].
**Your Defense Strategy:** To safeguard your digital assets and personal information, it's crucial to follow these essential cybersecurity best practices:
• Download apps ONLY from verified developers and carefully check app reviews, publisher details, and download statistics before installing [17, 22].
• NEVER enter sensitive information like mnemonic phrases into an app unless you are absolutely certain it's the legitimate application, ideally linked di

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 17 Jun 2025 07:05:08 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Protecting Your Crypto Wallets from Deceptive Apps

A critical cybersecurity threat that has impacted cryptocurrency users on the Google Play Store. In this episode of Upwardly Mobile, we uncover the alarming findings by Cyble Research and Intelligence Labs (CRIL), who identified over 20 malicious applications actively targeting crypto wallet users [1-4].

Key Discoveries and Threat Tactics:
• These deceptive apps impersonate legitimate and popular crypto wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium [2-4]. They even use the icons of legitimate wallets to trick victims into trusting them [5].
• Once installed, the apps prompt users to enter their 12-word mnemonic phrases to access fraudulent wallet interfaces [2, 3, 6]. This highly sensitive information is then used by threat actors to access real wallets and drain cryptocurrency funds, leading to irreversible financial losses, as cryptocurrency transactions are not easily reversible [3, 7-9].
• The malicious apps are distributed through the Play Store under compromised or repurposed developer accounts [2-4]. Some of these accounts previously hosted legitimate apps and had amassed over 100,000 downloads, suggesting they were compromised to distribute these new malicious applications [8, 10].
• Threat actors employ consistent patterns, such as embedding phishing URLs within their privacy policies and using similar package names and descriptions [2, 5, 8]. The investigation also revealed that these apps leverage development frameworks like Median to rapidly convert phishing websites into Android apps [6, 11].
• A look into the infrastructure uncovered that the phishing URLs are hosted on IP addresses associated with over 50 other phishing domains, indicating a centralized and well-coordinated operation [7, 12-14]. This large-scale phishing infrastructure, combined with seemingly legitimate applications, makes detection challenging and extends the campaign's reach [7, 14].

The Reality of App Store Security &amp; Why Vigilance is Key: This campaign underscores a critical mobile app security myth: mobile app stores do not guarantee the security of all apps available for download [15, 16]. Despite stringent security measures, malicious apps can and do make their way onto platforms like the Google Play Store [16-21]. Cybersecurity experts, like Jake Moore from ESET, emphasize that users must be extremely cautious and perform due diligence even when downloading from legitimate platforms, especially for apps connected to finances [17].
**Your Defense Strategy:** To safeguard your digital assets and personal information, it's crucial to follow these essential cybersecurity best practices:
• Download apps ONLY from verified developers and carefully check app reviews, publisher details, and download statistics before installing [17, 22].
• NEVER enter sensitive information like mnemonic phrases into an app unless you are absolutely certain it's the legitimate application, ideally linked di

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Protecting Your Crypto Wallets from Deceptive Apps

A critical cybersecurity threat that has impacted cryptocurrency users on the Google Play Store. In this episode of Upwardly Mobile, we uncover the alarming findings by Cyble Research and Intelligence Labs (CRIL), who identified over 20 malicious applications actively targeting crypto wallet users [1-4].

Key Discoveries and Threat Tactics:
• These deceptive apps impersonate legitimate and popular crypto wallets such as SushiSwap, PancakeSwap, Hyperliquid, and Raydium [2-4]. They even use the icons of legitimate wallets to trick victims into trusting them [5].
• Once installed, the apps prompt users to enter their 12-word mnemonic phrases to access fraudulent wallet interfaces [2, 3, 6]. This highly sensitive information is then used by threat actors to access real wallets and drain cryptocurrency funds, leading to irreversible financial losses, as cryptocurrency transactions are not easily reversible [3, 7-9].
• The malicious apps are distributed through the Play Store under compromised or repurposed developer accounts [2-4]. Some of these accounts previously hosted legitimate apps and had amassed over 100,000 downloads, suggesting they were compromised to distribute these new malicious applications [8, 10].
• Threat actors employ consistent patterns, such as embedding phishing URLs within their privacy policies and using similar package names and descriptions [2, 5, 8]. The investigation also revealed that these apps leverage development frameworks like Median to rapidly convert phishing websites into Android apps [6, 11].
• A look into the infrastructure uncovered that the phishing URLs are hosted on IP addresses associated with over 50 other phishing domains, indicating a centralized and well-coordinated operation [7, 12-14]. This large-scale phishing infrastructure, combined with seemingly legitimate applications, makes detection challenging and extends the campaign's reach [7, 14].

The Reality of App Store Security &amp; Why Vigilance is Key: This campaign underscores a critical mobile app security myth: mobile app stores do not guarantee the security of all apps available for download [15, 16]. Despite stringent security measures, malicious apps can and do make their way onto platforms like the Google Play Store [16-21]. Cybersecurity experts, like Jake Moore from ESET, emphasize that users must be extremely cautious and perform due diligence even when downloading from legitimate platforms, especially for apps connected to finances [17].
**Your Defense Strategy:** To safeguard your digital assets and personal information, it's crucial to follow these essential cybersecurity best practices:
• Download apps ONLY from verified developers and carefully check app reviews, publisher details, and download statistics before installing [17, 22].
• NEVER enter sensitive information like mnemonic phrases into an app unless you are absolutely certain it's the legitimate application, ideally linked di

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>912</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66584511]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6533123982.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>App Store Fees Exposed: Maximize Your Revenue &amp; Bypass the 30% Cut</title>
      <link>https://player.megaphone.fm/NPTNI5762057945</link>
      <description>Strategies for App Revenue Success

Welcome to "Upwardly Mobile," the podcast that empowers founders to scale their ventures! In this essential episode, we look into the often-challenging world of app store fees, exploring how Apple and Google claim a significant cut from your hard-earned revenue and, more importantly, how you can navigate these charges to maximise your profit.

The Reality of App Store Fees: Discover why Apple and Google typically claim up to 30% of revenue from in-app purchases. While a reduced 15% rate exists for smaller businesses earning under $1 million annually, founders serious about scaling need to understand the broader implications. We discuss how increasing regulatory pressure, particularly from the EU, is forcing these tech giants to loosen their grip, but often only where legally compelled.

Key Regulatory Changes &amp; Exceptions: Learn about Apple's compliance with the EU’s Digital Markets Act (2024), which now permits app distribution outside the App Store and the integration of external payment systems within the EU, albeit with a reduced commission of 10% to 17%. Crucially, this flexibility does not extend beyond EU borders. We also examine Google’s User Choice Billing program, which allows developers to offer their own payment methods alongside Google’s, with fees still applying at 11% or 26%. We explore other exceptions born from legal battles and regulatory requirements, such as reader apps like Netflix and Spotify being able to link to external sign-up pages due to pressure from Japan's Fair Trade Commission. Additionally, legislation in the Netherlands and South Korea has forced Apple to allow external payments for dating apps, though Apple still collects a slightly reduced cut (27% and 26%, respectively).

Mastering the Hybrid Model for Revenue Optimisation: One of the most effective strategies to reduce Apple and Google fees is implementing a hybrid monetisation model. This approach combines in-app purchases with a web-based payment system, allowing you to bypass the hefty 30% cut for your most loyal users who are willing to take an extra step to pay outside the app. We illustrate the potential savings: for a health app with a dedicated user base paying $15 a month for premium features, converting just 5% of 100,000 users via your website could save you an incredible $25,000 in monthly fees compared to being locked into Apple’s in-app purchase system. However, we also highlight the critical importance of careful strategy and clear messaging to avoid losing users who might bounce if they encounter a paywall with no clear way to pay. This approach requires balancing fee reduction with the potential sacrifice of some organic traction provided by App Store visibility.

Alternative Distribution &amp; The Debate on Fair Fees: While alternative distribution methods like sideloading apps or distributing outside official app stores can help you bypass fees, they come with their own challenges, often

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 12 Jun 2025 07:20:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Strategies for App Revenue Success

Welcome to "Upwardly Mobile," the podcast that empowers founders to scale their ventures! In this essential episode, we look into the often-challenging world of app store fees, exploring how Apple and Google claim a significant cut from your hard-earned revenue and, more importantly, how you can navigate these charges to maximise your profit.

The Reality of App Store Fees: Discover why Apple and Google typically claim up to 30% of revenue from in-app purchases. While a reduced 15% rate exists for smaller businesses earning under $1 million annually, founders serious about scaling need to understand the broader implications. We discuss how increasing regulatory pressure, particularly from the EU, is forcing these tech giants to loosen their grip, but often only where legally compelled.

Key Regulatory Changes &amp; Exceptions: Learn about Apple's compliance with the EU’s Digital Markets Act (2024), which now permits app distribution outside the App Store and the integration of external payment systems within the EU, albeit with a reduced commission of 10% to 17%. Crucially, this flexibility does not extend beyond EU borders. We also examine Google’s User Choice Billing program, which allows developers to offer their own payment methods alongside Google’s, with fees still applying at 11% or 26%. We explore other exceptions born from legal battles and regulatory requirements, such as reader apps like Netflix and Spotify being able to link to external sign-up pages due to pressure from Japan's Fair Trade Commission. Additionally, legislation in the Netherlands and South Korea has forced Apple to allow external payments for dating apps, though Apple still collects a slightly reduced cut (27% and 26%, respectively).

Mastering the Hybrid Model for Revenue Optimisation: One of the most effective strategies to reduce Apple and Google fees is implementing a hybrid monetisation model. This approach combines in-app purchases with a web-based payment system, allowing you to bypass the hefty 30% cut for your most loyal users who are willing to take an extra step to pay outside the app. We illustrate the potential savings: for a health app with a dedicated user base paying $15 a month for premium features, converting just 5% of 100,000 users via your website could save you an incredible $25,000 in monthly fees compared to being locked into Apple’s in-app purchase system. However, we also highlight the critical importance of careful strategy and clear messaging to avoid losing users who might bounce if they encounter a paywall with no clear way to pay. This approach requires balancing fee reduction with the potential sacrifice of some organic traction provided by App Store visibility.

Alternative Distribution &amp; The Debate on Fair Fees: While alternative distribution methods like sideloading apps or distributing outside official app stores can help you bypass fees, they come with their own challenges, often

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Strategies for App Revenue Success

Welcome to "Upwardly Mobile," the podcast that empowers founders to scale their ventures! In this essential episode, we look into the often-challenging world of app store fees, exploring how Apple and Google claim a significant cut from your hard-earned revenue and, more importantly, how you can navigate these charges to maximise your profit.

The Reality of App Store Fees: Discover why Apple and Google typically claim up to 30% of revenue from in-app purchases. While a reduced 15% rate exists for smaller businesses earning under $1 million annually, founders serious about scaling need to understand the broader implications. We discuss how increasing regulatory pressure, particularly from the EU, is forcing these tech giants to loosen their grip, but often only where legally compelled.

Key Regulatory Changes &amp; Exceptions: Learn about Apple's compliance with the EU’s Digital Markets Act (2024), which now permits app distribution outside the App Store and the integration of external payment systems within the EU, albeit with a reduced commission of 10% to 17%. Crucially, this flexibility does not extend beyond EU borders. We also examine Google’s User Choice Billing program, which allows developers to offer their own payment methods alongside Google’s, with fees still applying at 11% or 26%. We explore other exceptions born from legal battles and regulatory requirements, such as reader apps like Netflix and Spotify being able to link to external sign-up pages due to pressure from Japan's Fair Trade Commission. Additionally, legislation in the Netherlands and South Korea has forced Apple to allow external payments for dating apps, though Apple still collects a slightly reduced cut (27% and 26%, respectively).

Mastering the Hybrid Model for Revenue Optimisation: One of the most effective strategies to reduce Apple and Google fees is implementing a hybrid monetisation model. This approach combines in-app purchases with a web-based payment system, allowing you to bypass the hefty 30% cut for your most loyal users who are willing to take an extra step to pay outside the app. We illustrate the potential savings: for a health app with a dedicated user base paying $15 a month for premium features, converting just 5% of 100,000 users via your website could save you an incredible $25,000 in monthly fees compared to being locked into Apple’s in-app purchase system. However, we also highlight the critical importance of careful strategy and clear messaging to avoid losing users who might bounce if they encounter a paywall with no clear way to pay. This approach requires balancing fee reduction with the potential sacrifice of some organic traction provided by App Store visibility.

Alternative Distribution &amp; The Debate on Fair Fees: While alternative distribution methods like sideloading apps or distributing outside official app stores can help you bypass fees, they come with their own challenges, often

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1257</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66388170]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5762057945.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Caught Red-Handed: Meta &amp; Yandex's Covert Android Surveillance!</title>
      <link>https://player.megaphone.fm/NPTNI5931879856</link>
      <description>Episode Notes:
Dive deep into the shocking revelations about covert web-to-app tracking affecting billions of Android users! This episode uncovers a novel tracking method employed by tech giants Meta (Facebook Pixel) and Yandex (Yandex Metrica), which silently links your mobile browsing sessions to your long-lived native app identities.

Key Discoveries:
• The Localhost Loophole: Learn how Meta and Yandex exploit unrestricted access to localhost sockets on the Android platform. Native apps like Facebook, Instagram, Yandex Maps, Navigator, Browser, and Search listen on fixed local ports (Meta on UDP ports 12580-12585; Yandex on TCP ports 29009, 29010, 30102 and 30103) to receive browser metadata, cookies and commands from scripts embedded on websites.
• Bypassing Privacy Protections: This method bypasses typical privacy controls such as clearing cookies, using Incognito Mode, and Android's permission controls. It effectively de-anonymises users by linking ephemeral web identifiers (such as the _fbp cookie) to persistent native-app identifiers (such as the Android Advertising ID, AAID), even when the user is not logged in within the browser.
• Meta's Evolution: Discover how Meta Pixel has evolved its techniques, initially using HTTP, then WebSocket, and more recently WebRTC STUN with SDP munging to transmit the _fbp cookie. Following disclosure, Meta shifted to WebRTC TURN, and as of early June 2025 the script was no longer sending packets to localhost, with the code responsible for the _fbp cookie almost completely removed.
• Yandex's Persistent Method: Yandex Metrica has been using localhost communications since February 2017 via HTTP and HTTPS requests; its native apps answer those requests with Android-specific identifiers such as the Google Advertising ID (AAID), handing them to the browser context.
• Scale of Impact: These trackers are embedded on millions of websites globally. Meta Pixel is present on over 5.8 million websites (2.4 million according to HTTP Archive) and Yandex Metrica on close to 3 million (575,448 according to HTTP Archive). In a crawl of the top 100k sites, the researchers found that, of the sites embedding each tracker, over 75% (Meta Pixel) and 83-84% (Yandex Metrica) attempted localhost communications, potentially without user consent.
• Browsing History Leakage: Yandex's use of HTTP requests for web-to-native ID sharing can expose users' browsing history to malicious third-party apps also listening on the same ports. Browsers like Chrome, Firefox, and Edge were found to be susceptible to this leakage, even in private browsing modes.
• Industry Response: While some browsers like Brave and DuckDuckGo were already blocking these practices due to blocklists and existing consent requirements, others like Chrome and Firefox have implemented countermeasures or are actively investigating. Google has stated this behaviour violates Play marketplace terms of service and user privacy expectations, and M

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 09 Jun 2025 07:10:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Notes:
Dive deep into the shocking revelations about covert web-to-app tracking affecting billions of Android users! This episode uncovers a novel tracking method employed by tech giants Meta (Facebook Pixel) and Yandex (Yandex Metrica), which silently links your mobile browsing sessions to your long-lived native app identities.

Key Discoveries:
• The Localhost Loophole: Learn how Meta and Yandex exploit unrestricted access to localhost sockets on the Android platform. Native apps like Facebook, Instagram, Yandex Maps, Navigator, Browser, and Search listen on fixed local ports (Meta on UDP ports 12580-12585; Yandex on TCP ports 29009, 29010, 30102 and 30103) to receive browser metadata, cookies and commands from scripts embedded on websites.
• Bypassing Privacy Protections: This method bypasses typical privacy controls such as clearing cookies, using Incognito Mode, and Android's permission controls. It effectively de-anonymises users by linking ephemeral web identifiers (such as the _fbp cookie) to persistent native-app identifiers (such as the Android Advertising ID, AAID), even when the user is not logged in within the browser.
• Meta's Evolution: Discover how Meta Pixel has evolved its techniques, initially using HTTP, then WebSocket, and more recently WebRTC STUN with SDP munging to transmit the _fbp cookie. Following disclosure, Meta shifted to WebRTC TURN, and as of early June 2025 the script was no longer sending packets to localhost, with the code responsible for the _fbp cookie almost completely removed.
• Yandex's Persistent Method: Yandex Metrica has been using localhost communications since February 2017 via HTTP and HTTPS requests; its native apps answer those requests with Android-specific identifiers such as the Google Advertising ID (AAID), handing them to the browser context.
• Scale of Impact: These trackers are embedded on millions of websites globally. Meta Pixel is present on over 5.8 million websites (2.4 million according to HTTP Archive) and Yandex Metrica on close to 3 million (575,448 according to HTTP Archive). In a crawl of the top 100k sites, the researchers found that, of the sites embedding each tracker, over 75% (Meta Pixel) and 83-84% (Yandex Metrica) attempted localhost communications, potentially without user consent.
• Browsing History Leakage: Yandex's use of HTTP requests for web-to-native ID sharing can expose users' browsing history to malicious third-party apps also listening on the same ports. Browsers like Chrome, Firefox, and Edge were found to be susceptible to this leakage, even in private browsing modes.
• Industry Response: While some browsers like Brave and DuckDuckGo were already blocking these practices due to blocklists and existing consent requirements, others like Chrome and Firefox have implemented countermeasures or are actively investigating. Google has stated this behaviour violates Play marketplace terms of service and user privacy expectations, and M

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Notes:
Dive deep into the shocking revelations about covert web-to-app tracking affecting billions of Android users! This episode uncovers a novel tracking method employed by tech giants Meta (Facebook Pixel) and Yandex (Yandex Metrica), which silently links your mobile browsing sessions to your long-lived native app identities.

Key Discoveries:
• The Localhost Loophole: Learn how Meta and Yandex exploit unrestricted access to localhost sockets on the Android platform. Native apps like Facebook, Instagram, Yandex Maps, Navigator, Browser, and Search listen on fixed local ports (Meta on UDP ports 12580-12585; Yandex on TCP ports 29009, 29010, 30102 and 30103) to receive browser metadata, cookies and commands from scripts embedded on websites.
• Bypassing Privacy Protections: This method bypasses typical privacy controls such as clearing cookies, using Incognito Mode, and Android's permission controls. It effectively de-anonymises users by linking ephemeral web identifiers (such as the _fbp cookie) to persistent native-app identifiers (such as the Android Advertising ID, AAID), even when the user is not logged in within the browser.
• Meta's Evolution: Discover how Meta Pixel has evolved its techniques, initially using HTTP, then WebSocket, and more recently WebRTC STUN with SDP munging to transmit the _fbp cookie. Following disclosure, Meta shifted to WebRTC TURN, and as of early June 2025 the script was no longer sending packets to localhost, with the code responsible for the _fbp cookie almost completely removed.
• Yandex's Persistent Method: Yandex Metrica has been using localhost communications since February 2017 via HTTP and HTTPS requests; its native apps answer those requests with Android-specific identifiers such as the Google Advertising ID (AAID), handing them to the browser context.
• Scale of Impact: These trackers are embedded on millions of websites globally. Meta Pixel is present on over 5.8 million websites (2.4 million according to HTTP Archive) and Yandex Metrica on close to 3 million (575,448 according to HTTP Archive). In a crawl of the top 100k sites, the researchers found that, of the sites embedding each tracker, over 75% (Meta Pixel) and 83-84% (Yandex Metrica) attempted localhost communications, potentially without user consent.
• Browsing History Leakage: Yandex's use of HTTP requests for web-to-native ID sharing can expose users' browsing history to malicious third-party apps also listening on the same ports. Browsers like Chrome, Firefox, and Edge were found to be susceptible to this leakage, even in private browsing modes.
• Industry Response: While some browsers like Brave and DuckDuckGo were already blocking these practices due to blocklists and existing consent requirements, others like Chrome and Firefox have implemented countermeasures or are actively investigating. Google has stated this behaviour violates Play marketplace terms of service and user privacy expectations, and M
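
The fixed-port listening described in these notes can be checked for directly on a device. The following is an added example, not code from the episode or from the research it summarises: it parses the /proc/net/tcp and /proc/net/udp socket tables that Android, as a Linux system, exposes (pull them with adb shell cat /proc/net/tcp and adb shell cat /proc/net/udp) and flags sockets bound in a listening state on the ports the notes attribute to Meta and Yandex. The port-to-vendor mapping is taken from the notes; the two sample tables, including their UIDs and inode numbers, are constructed for this example.

```python
"""Flag apps listening on the localhost ports named in the episode notes.

Added example, not code from the episode or the research it summarises.
Input is the text of /proc/net/tcp and /proc/net/udp; the two tables
embedded below are constructed for this example.
"""
import socket
import struct

# Port-to-vendor mapping as stated in the episode notes.
WATCHED_PORTS = {
    "udp": {port: "Meta" for port in range(12580, 12586)},  # 12580-12585
    "tcp": {29009: "Yandex", 29010: "Yandex", 30102: "Yandex", 30103: "Yandex"},
}

# Socket state values from the kernel's /proc/net/* tables (hex "st" column).
TCP_LISTEN = 0x0A       # a TCP socket accepting connections
UDP_UNCONNECTED = 0x07  # a bound UDP socket shows TCP_CLOSE (07) while unconnected


def parse_proc_net(table):
    """Yield (local_ip, local_port, state, uid, inode) for each row of a
    /proc/net/tcp or /proc/net/udp table. Addresses are hex, IPv4 in
    little-endian byte order, so 0100007F is 127.0.0.1."""
    for line in table.strip().splitlines()[1:]:  # first line is the header
        cols = line.split()
        ip_hex, port_hex = cols[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        yield ip, int(port_hex, 16), int(cols[3], 16), int(cols[7]), int(cols[9])


def find_suspect_listeners(tcp_table, udp_table):
    """Return the sockets bound on a watched port in a listening state.
    Established connections on the same port are skipped: the listener row
    already identifies the app, and its UID is what maps back to a package."""
    findings = []
    for proto, table, listen_state in (
        ("tcp", tcp_table, TCP_LISTEN),
        ("udp", udp_table, UDP_UNCONNECTED),
    ):
        for ip, port, state, uid, inode in parse_proc_net(table):
            vendor = WATCHED_PORTS[proto].get(port)
            if vendor is not None and state == listen_state:
                findings.append({"proto": proto, "ip": ip, "port": port,
                                 "uid": uid, "inode": inode, "vendor": vendor})
    return findings


# Constructed sample tables: one app (uid 10231) listening on two Yandex ports,
# another (uid 10188) bound on two Meta UDP ports, plus unrelated sockets and
# one established connection that must not be reported as a listener.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7151 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10231        0 48211 1 0000000000000000 100 0 0 10 0
   1: 0100007F:7596 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10231        0 48212 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10105        0 33120 1 0000000000000000 100 0 0 10 0
   3: 0100007F:7151 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000 10231        0 48290 1 0000000000000000 20 4 0 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  100: 0100007F:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10188        0 51002 2 0000000000000000 0
  101: 0100007F:3127 00000000:0000 07 00000000:00000000 00:00000000 00000000 10188        0 51003 2 0000000000000000 0
  102: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 12000 2 0000000000000000 0
"""

if __name__ == "__main__":
    for f in find_suspect_listeners(SAMPLE_TCP, SAMPLE_UDP):
        print(f"{f['proto']} {f['ip']}:{f['port']} uid={f['uid']} ({f['vendor']})")
```

Apps only hold these sockets while running, so an empty result on a real device means nothing was bound at that moment; check with the suspect apps open. Because any app can bind the same ports (the basis of the browsing-history leak described above), the UID in each finding is what matters: on Android, adb shell pm list packages -U maps UIDs back to package names.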

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1452</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66408082]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5931879856.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Coinbase Strikes Back: $20M Bounty on Cyber Extortionists</title>
      <link>https://player.megaphone.fm/NPTNI6459432746</link>
      <description>Coinbase Under Attack: The $20 Million Ransom &amp; The Fight Against Social Engineering

Join us on Upwardly Mobile as we unravel the recent cybersecurity incident that rocked Coinbase, one of the world's leading cryptocurrency exchanges. Discover how a sophisticated social engineering scheme led to a significant data breach, an audacious $20 million ransom demand, and Coinbase's bold refusal to pay the extortionists. Learn about the sensitive customer data that was compromised, the financial impact on the company, and crucial advice for users to stay safe in the ever-evolving digital landscape.

Episode Highlights:
• The Social Engineering Deception: Uncover how cybercriminals managed to persuade a small group of overseas customer support agents to copy sensitive customer data from Coinbase's internal tools in exchange for cash [1-4]. These actions were part of a single, larger campaign to exfiltrate data, despite early detection and termination of involved personnel [3, 5, 6].
• The Criminals' True Aim: Understand that the stolen information was intended to be used by criminals to contact customers and impersonate Coinbase support agents, attempting to trick them into giving up their crypto funds [1, 4, 7, 8]. This highlights the persistent threat of social engineering, which often exploits the "human element" as the weakest link in security [4, 8].
• What Data Was Compromised (and What Wasn't): While the stolen data covered less than 1 percent of Coinbase's customers, it was highly sensitive. This included users' names, email and postal addresses, phone numbers, government ID images, account data and balance snapshots, the last four digits of social security numbers, masked bank account numbers, some bank account identifiers, transaction history, and limited corporate data [2, 7, 9]. Crucially, attackers did not gain access to users' login credentials, private keys, or the ability to move or access customer funds [2, 7, 9].
• Coinbase's Bold Rejection of the Ransom: Hear about the $20 million ransom, payable in Bitcoin, that the attackers demanded in exchange for not publicly releasing the stolen data [1, 5, 10-12]. Coinbase rejected the demand.
• The $20 Million Bounty: Instead of paying the extortionists, Coinbase CEO Brian Armstrong announced a $20 million award for any information leading to the arrest and conviction of these attackers. Armstrong publicly stated the company's commitment to prosecute and bring the criminals to justice. Coinbase is also cooperating with law enforcement in the investigation [6, 10].
• Impact and Remediation Costs: The data breach affected approximately 69,461 customers [15, 16]. Coinbase anticipates significant financial outlays, estimating it will spend between $180 million to $400 million on remediation costs and voluntary customer reimbursements related to this incident [6, 16-18].
• Customer Reimbursement and Enhanced Security: Coinbase has pledged to voluntarily reimburse re

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 06 Jun 2025 07:20:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Coinbase Under Attack: The $20 Million Ransom &amp; The Fight Against Social Engineering

Join us on Upwardly Mobile as we unravel the recent cybersecurity incident that rocked Coinbase, one of the world's leading cryptocurrency exchanges. Discover how a sophisticated social engineering scheme led to a significant data breach, an audacious $20 million ransom demand, and Coinbase's bold refusal to pay the extortionists. Learn about the sensitive customer data that was compromised, the financial impact on the company, and crucial advice for users to stay safe in the ever-evolving digital landscape.

Episode Highlights:
• The Social Engineering Deception: Uncover how cybercriminals managed to persuade a small group of overseas customer support agents to copy sensitive customer data from Coinbase's internal tools in exchange for cash [1-4]. These actions were part of a single, larger campaign to exfiltrate data, despite early detection and termination of involved personnel [3, 5, 6].
• The Criminals' True Aim: Understand that the stolen information was intended to be used by criminals to contact customers and impersonate Coinbase support agents, attempting to trick them into giving up their crypto funds [1, 4, 7, 8]. This highlights the persistent threat of social engineering, which often exploits the "human element" as the weakest link in security [4, 8].
• What Data Was Compromised (and What Wasn't): While the stolen data covered less than 1 percent of Coinbase's customers, it was highly sensitive. This included users' names, email and postal addresses, phone numbers, government ID images, account data and balance snapshots, the last four digits of social security numbers, masked bank account numbers, some bank account identifiers, transaction history, and limited corporate data [2, 7, 9]. Crucially, attackers did not gain access to users' login credentials, private keys, or the ability to move or access customer funds [2, 7, 9].
• Coinbase's Bold Rejection of the Ransom: Hear about the $20 million ransom, payable in Bitcoin, that the attackers demanded in exchange for not publicly releasing the stolen data [1, 5, 10-12]. Coinbase rejected the demand.
• The $20 Million Bounty: Instead of paying the extortionists, Coinbase CEO Brian Armstrong announced a $20 million award for any information leading to the arrest and conviction of these attackers. Armstrong publicly stated the company's commitment to prosecute and bring the criminals to justice. Coinbase is also cooperating with law enforcement in the investigation [6, 10].
• Impact and Remediation Costs: The data breach affected approximately 69,461 customers [15, 16]. Coinbase anticipates significant financial outlays, estimating it will spend between $180 million to $400 million on remediation costs and voluntary customer reimbursements related to this incident [6, 16-18].
• Customer Reimbursement and Enhanced Security: Coinbase has pledged to voluntarily reimburse re

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Coinbase Under Attack: The $20 Million Ransom &amp; The Fight Against Social Engineering

Join us on Upwardly Mobile as we unravel the recent cybersecurity incident that rocked Coinbase, one of the world's leading cryptocurrency exchanges. Discover how a sophisticated social engineering scheme led to a significant data breach, an audacious $20 million ransom demand, and Coinbase's bold refusal to pay the extortionists. Learn about the sensitive customer data that was compromised, the financial impact on the company, and crucial advice for users to stay safe in the ever-evolving digital landscape.

Episode Highlights:
• The Social Engineering Deception: Uncover how cybercriminals managed to persuade a small group of overseas customer support agents to copy sensitive customer data from Coinbase's internal tools in exchange for cash [1-4]. These actions were part of a single, larger campaign to exfiltrate data, despite early detection and termination of involved personnel [3, 5, 6].
• The Criminals' True Aim: Understand that the stolen information was intended to be used by criminals to contact customers and impersonate Coinbase support agents, attempting to trick them into giving up their crypto funds [1, 4, 7, 8]. This highlights the persistent threat of social engineering, which often exploits the "human element" as the weakest link in security [4, 8].
• What Data Was Compromised (and What Wasn't): While the stolen data covered less than 1 percent of Coinbase's customers, it was highly sensitive. This included users' names, email and postal addresses, phone numbers, government ID images, account data and balance snapshots, the last four digits of social security numbers, masked bank account numbers, some bank account identifiers, transaction history, and limited corporate data [2, 7, 9]. Crucially, attackers did not gain access to users' login credentials, private keys, or the ability to move or access customer funds [2, 7, 9].
• Coinbase's Bold Rejection of the Ransom: Hear about the $20 million ransom, payable in Bitcoin, that the attackers demanded in exchange for not publicly releasing the stolen data [1, 5, 10-12]. Coinbase rejected the demand.
• The $20 Million Bounty: Instead of paying the extortionists, Coinbase CEO Brian Armstrong announced a $20 million award for any information leading to the arrest and conviction of these attackers. Armstrong publicly stated the company's commitment to prosecute and bring the criminals to justice. Coinbase is also cooperating with law enforcement in the investigation [6, 10].
• Impact and Remediation Costs: The data breach affected approximately 69,461 customers [15, 16]. Coinbase anticipates significant financial outlays, estimating it will spend between $180 million to $400 million on remediation costs and voluntary customer reimbursements related to this incident [6, 16-18].
• Customer Reimbursement and Enhanced Security: Coinbase has pledged to voluntarily reimburse re

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>887</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66387160]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6459432746.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Hacking Volkswagen's Mobile App | A Car Security Breach</title>
      <link>https://player.megaphone.fm/NPTNI9457014928</link>
      <description>Hacking Your Ride: Unpacking Volkswagen's App Flaws &amp; Fortifying Mobility Security

In this episode of Upwardly Mobile, we delve into the alarming discovery of significant security flaws in the My Volkswagen mobile app and explore how robust mobile app protection is crucial for the evolving mobility sector. Join us as we dissect the vulnerabilities found and discuss solutions to safeguard connected vehicles and sensitive user data.

What We Discussed:
• The Volkswagen App Hack Explained: We explore how a security researcher, frustrated by not receiving an OTP for a pre-owned car's My Volkswagen app, discovered critical vulnerabilities. By brute-forcing the four-digit OTP (One-Time Password), which has only 10,000 possible values, the researcher gained access to the app, which then revealed deeper security issues.
• Serious Vulnerabilities Uncovered:
◦ Internal Credentials Leaked: An API endpoint exposed passwords, tokens, and usernames for various internal services, including payment processing details and CRM tools like Salesforce, in cleartext.
◦ Owner's Personal Details Exposed via VIN: Simply using a car's VIN (Vehicle Identification Number), an API endpoint revealed extensive customer information from service and maintenance packages. This included names, phone numbers, postal addresses, email addresses, car details (model, colour, registration number, chassis number, engine number), active service contracts, purchase dates, and payment amounts.
◦ Vehicle Service History Accessible via VIN: The VIN also allowed access to a car's full service history, including details of work performed, customer personal information, and even customer survey results for each workshop visit.
◦ Additional Data Exposure: Further API endpoints revealed vehicle telematics data and, in some cases, even education qualifications and driving licence numbers, demonstrating a serious scope of customer data exposure.
• The Alarming Impact of These Flaws: These vulnerabilities meant that anyone with just a car's VIN (which is often visible through the windshield) could access real-time vehicle location, engine health, fuel stats, tyre pressure, geo-fencing controls, and all personal details associated with the owner, including home address, phone number, email, and driving licence. This poses severe risks from stalkers, criminals, scammers, and hackers who could exploit this data for nefarious purposes, including selling it on the dark web or potentially accessing car systems in the future. Because a VIN is not a secret, none of these endpoints should have returned data without first checking that the caller owns the vehicle.
• Volkswagen's Response: The vulnerability was reported to Volkswagen's security team on 23 November 2024, leading to a responsive dialogue and eventual patching of the vulnerabilities by 6 May 2025.

• Protecting Mobility Apps with Approov: The incident highlights the critical need for robust mobile app security in the rapidly growing pay-per-use mobility market. Approov provides solutions that authenticate mobile apps and secure APIs, without impacting customer experience.
• How Approov Secures Mob

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 04 Jun 2025 17:10:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Hacking Your Ride: Unpacking Volkswagen's App Flaws &amp; Fortifying Mobility Security

In this episode of Upwardly Mobile, we delve into the alarming discovery of significant security flaws in the My Volkswagen mobile app and explore how robust mobile app protection is crucial for the evolving mobility sector. Join us as we dissect the vulnerabilities found and discuss solutions to safeguard connected vehicles and sensitive user data.

What We Discussed:
• The Volkswagen App Hack Explained: We explore how a security researcher, frustrated by not receiving an OTP for a pre-owned car's My Volkswagen app, discovered critical vulnerabilities. By brute-forcing the four-digit OTP (One-Time Password), which has only 10,000 possible values, the researcher gained access to the app, which then revealed deeper security issues.
• Serious Vulnerabilities Uncovered:
◦ Internal Credentials Leaked: An API endpoint exposed passwords, tokens, and usernames for various internal services, including payment processing details and CRM tools like Salesforce, in cleartext.
◦ Owner's Personal Details Exposed via VIN: Simply using a car's VIN (Vehicle Identification Number), an API endpoint revealed extensive customer information from service and maintenance packages. This included names, phone numbers, postal addresses, email addresses, car details (model, colour, registration number, chassis number, engine number), active service contracts, purchase dates, and payment amounts.
◦ Vehicle Service History Accessible via VIN: The VIN also allowed access to a car's full service history, including details of work performed, customer personal information, and even customer survey results for each workshop visit.
◦ Additional Data Exposure: Further API endpoints revealed vehicle telematics data and, in some cases, even education qualifications and driving licence numbers, demonstrating a serious scope of customer data exposure.
• The Alarming Impact of These Flaws: These vulnerabilities meant that anyone with just a car's VIN (which is often visible through the windshield) could access real-time vehicle location, engine health, fuel stats, tyre pressure, geo-fencing controls, and all personal details associated with the owner, including home address, phone number, email, and driving licence. This poses severe risks from stalkers, criminals, scammers, and hackers who could exploit this data for nefarious purposes, including selling it on the dark web or potentially accessing car systems in the future. Because a VIN is not a secret, none of these endpoints should have returned data without first checking that the caller owns the vehicle.
• Volkswagen's Response: The vulnerability was reported to Volkswagen's security team on 23 November 2024, leading to a responsive dialogue and eventual patching of the vulnerabilities by 6 May 2025.

• Protecting Mobility Apps with Approov: The incident highlights the critical need for robust mobile app security in the rapidly growing pay-per-use mobility market. Approov provides solutions that authenticate mobile apps and secure APIs, without impacting customer experience.
• How Approov Secures Mob

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Hacking Your Ride: Unpacking Volkswagen's App Flaws &amp; Fortifying Mobility Security

In this episode of Upwardly Mobile, we delve into the alarming discovery of significant security flaws in the My Volkswagen mobile app and explore how robust mobile app protection is crucial for the evolving mobility sector. Join us as we dissect the vulnerabilities found and discuss solutions to safeguard connected vehicles and sensitive user data.

What We Discussed:
• The Volkswagen App Hack Explained: We explore how a security researcher, frustrated by not receiving an OTP for a pre-owned car's My Volkswagen app, discovered critical vulnerabilities. By brute-forcing the four-digit OTP (One-Time Password), which has only 10,000 possible values, the researcher gained access to the app, which then revealed deeper security issues.
• Serious Vulnerabilities Uncovered:
◦ Internal Credentials Leaked: An API endpoint exposed passwords, tokens, and usernames for various internal services, including payment processing details and CRM tools like Salesforce, in cleartext.
◦ Owner's Personal Details Exposed via VIN: Simply using a car's VIN (Vehicle Identification Number), an API endpoint revealed extensive customer information from service and maintenance packages. This included names, phone numbers, postal addresses, email addresses, car details (model, colour, registration number, chassis number, engine number), active service contracts, purchase dates, and payment amounts.
◦ Vehicle Service History Accessible via VIN: The VIN also allowed access to a car's full service history, including details of work performed, customer personal information, and even customer survey results for each workshop visit.
◦ Additional Data Exposure: Further API endpoints revealed vehicle telematics data and, in some cases, even education qualifications and driving licence numbers, demonstrating a serious scope of customer data exposure.
• The Alarming Impact of These Flaws: These vulnerabilities meant that anyone with just a car's VIN (which is often visible through the windshield) could access real-time vehicle location, engine health, fuel stats, tyre pressure, geo-fencing controls, and all personal details associated with the owner, including home address, phone number, email, and driving licence. This poses severe risks from stalkers, criminals, scammers, and hackers who could exploit this data for nefarious purposes, including selling it on the dark web or potentially accessing car systems in the future. Because a VIN is not a secret, none of these endpoints should have returned data without first checking that the caller owns the vehicle.
• Volkswagen's Response: The vulnerability was reported to Volkswagen's security team on 23 November 2024, leading to a responsive dialogue and eventual patching of the vulnerabilities by 6 May 2025.

• Protecting Mobility Apps with Approov: The incident highlights the critical need for robust mobile app security in the rapidly growing pay-per-use mobility market. Approov provides solutions that authenticate mobile apps and secure APIs, without impacting customer experience.
• How Approov Secures Mob
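
The two weaknesses at the centre of this episode, a four-digit OTP that could be brute-forced and VIN-keyed endpoints that handed owner data to anyone, map to two server-side controls. The following is an added example and not Volkswagen's code: an OTP verifier that counts failures, burns the code and locks the phone number after a few wrong guesses, shown being brute-forced the way the researcher did it, next to a VIN lookup in its exposed and its ownership-checked form. The function names, the VIN, the phone number and the vehicle record are all constructed for the example.

```python
"""Two server-side controls the My Volkswagen findings point at: bounded OTP
verification and an ownership check before VIN-keyed data is served.

Added example, not Volkswagen's code. Function and record names are
illustrative, and VEHICLES is a constructed in-memory store.
"""
import hmac
import secrets
import time

OTP_DIGITS = 4          # the app used a four-digit code: only 10,000 possibilities
MAX_ATTEMPTS = 5        # failed guesses allowed before lockout
LOCKOUT_SECONDS = 900   # lockout length after MAX_ATTEMPTS failures
OTP_TTL_SECONDS = 300   # code lifetime


class OtpVerifier:
    """Per-phone OTP state with an attempt counter and lockout.

    The code is burned on lockout, so each issued code gets at most
    MAX_ATTEMPTS guesses: a 5-in-10,000 chance per code instead of a
    guaranteed hit after 10,000 tries. The clock is injectable for testing.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}     # phone -> (code, expires_at)
        self._failures = {}  # phone -> (failed_count, locked_until)

    def issue(self, phone, _rng=secrets.randbelow):
        """Generate and store a fresh code. In production it goes to the SMS
        gateway; returning it here is only so the example runs offline."""
        code = f"{_rng(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[phone] = (code, self._clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, phone, attempt):
        """Return 'ok', 'invalid' or 'locked'. A correct code is single-use."""
        now = self._clock()
        failed, locked_until = self._failures.get(phone, (0, 0.0))
        if now < locked_until:
            return "locked"
        code, expires_at = self._codes.get(phone, (None, 0.0))
        if (code is not None and now <= expires_at
                and hmac.compare_digest(code.encode(), attempt.encode())):
            self._codes.pop(phone, None)
            self._failures.pop(phone, None)
            return "ok"
        failed += 1
        if failed >= MAX_ATTEMPTS:
            self._codes.pop(phone, None)  # burn the code; a new one must be issued
            self._failures[phone] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[phone] = (failed, 0.0)
        return "invalid"


def brute_force(verifier, phone):
    """What the researcher did, run against the hardened verifier: try every
    four-digit code in order. Returns (attempts_made, final_result)."""
    for n in range(10 ** OTP_DIGITS):
        result = verifier.verify(phone, f"{n:0{OTP_DIGITS}d}")
        if result != "invalid":
            return n + 1, result
    return 10 ** OTP_DIGITS, "exhausted"


# Constructed vehicle record. A VIN is readable through the windscreen, so it
# may key the lookup but must never stand in for authorisation.
VEHICLES = {
    "WVWZZZ1KZAW000001": {
        "owner_id": "user-17",
        "service_history": [{"date": "2024-03-02", "work": "brake pads, front"}],
        "telematics": {"lat": 52.42, "lon": 10.78, "fuel_pct": 61},
    },
}


def vehicle_record_vulnerable(vin):
    """The pattern the researcher found: anyone who knows a VIN gets the record."""
    return VEHICLES.get(vin)


def vehicle_record(vin, caller_user_id):
    """Hardened lookup: only the authenticated owner gets the record. An unknown
    VIN and somebody else's VIN both yield None, so the endpoint does not
    confirm which VINs exist either."""
    record = VEHICLES.get(vin)
    if record is None or record["owner_id"] != caller_user_id:
        return None
    return record


if __name__ == "__main__":
    v = OtpVerifier()
    v.issue("+44 7700 900000")  # constructed number from a reserved range
    print("brute force stopped after", brute_force(v, "+44 7700 900000"))
    print("stranger sees:", vehicle_record("WVWZZZ1KZAW000001", "user-99"))
```

The caller identity passed to vehicle_record must come from the authenticated session (the OTP-verified login), never from a request parameter, or the ownership check collapses back into the original flaw.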

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>724</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66388638]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9457014928.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple vs Samsung vs Xiaomi: Who is Dominating the Smartphone Battle?</title>
      <link>https://player.megaphone.fm/NPTNI2705903072</link>
      <description>This episode delves into the recent dynamics of the global smartphone market based on the latest reports from IDC and Counterpoint Research. After two challenging years of decline, 2024 marked a significant recovery, showing the resilience of the market despite lingering macroeconomic pressures. We explore the factors driving this growth, the changing landscape among major players, the rise of new manufacturing hubs like India, and the exciting role of AI in shaping the future of mobile.

Key Highlights:
- Market Recovery: Global smartphone shipments increased by 6.4% year-over-year in 2024, reaching 1.24 billion units. This follows a period of decline since the market peaked in 2016 at 1.47 billion units. The recovery saw smartphone sales grow 4% YoY in 2024, following the weakest year in a decade in 2023. The strong growth in 2024 occurred despite lingering macro challenges, forex concerns in emerging markets, ongoing inflation, and lukewarm demand, proving the market's resilience. Consumer sentiment fared better than in previous years following macroeconomic improvements. Almost all markets showed growth, led by Europe, China and Latin America.
- Top Players &amp; Shifting Shares: Apple and Samsung remained the top two players globally in 2024. According to IDC, both leaders experienced a YoY decline in Q4 2024 due to the aggressive growth of Chinese vendors. By Counterpoint Research's count, Samsung continued to lead the market in 2024 overall, while Apple took the #2 spot with an 18% share; IDC's shipment figures instead put Apple first at 232.1 million units, followed by Samsung at 223.4 million units. Samsung saw strong demand for its S24 and A-series lines, with the S24 performing well as the first phone positioned as an AI device, particularly in Western Europe and the USA. Apple’s iPhone 16 series received a mixed response, partly due to the initial lack of Apple Intelligence availability, although Apple continued to grow strongly in non-core markets like Latin America, Africa and Asia-Pacific-Others.
- Rise of Chinese Vendors: Chinese vendors achieved a historic milestone in Q4 2024, shipping the highest combined volume ever in a single quarter, representing 56% of global smartphone shipments in Q4. Xiaomi secured the 3rd position for the year, with total shipments of 168.5 million units and the highest YoY growth rate (15.4%) among the top 5 players. Xiaomi's growth was helped by its portfolio realignment, premium push, and aggressive expansion activities. In IDC's ranking, Transsion (including itel, Infinix, and Tecno) held the 4th position for the year with a 12.7% growth rate, claiming the fourth spot globally for the first time. In Counterpoint's ranking, OPPO was 4th but saw a YoY decline, though it ended the year with stronger momentum, and vivo rounded off the top five, driven by strong performance in India and China, ending the year as the top-ranked OEM in those markets. Challenger brands like HONOR and Motorola also contributed to the market recovery w

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 02 Jun 2025 03:02:23 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>This episode delves into the recent dynamics of the global smartphone market based on the latest reports from IDC and Counterpoint Research. After two challenging years of decline, 2024 marked a significant recovery, showing the resilience of the market despite lingering macroeconomic pressures. We explore the factors driving this growth, the changing landscape among major players, the rise of new manufacturing hubs like India, and the exciting role of AI in shaping the future of mobile.

Key Highlights:
- Market Recovery: Global smartphone shipments increased by 6.4% year-over-year in 2024, reaching 1.24 billion units. This follows a period of decline since the market peaked in 2016 at 1.47 billion units. The recovery saw smartphone sales grow 4% YoY in 2024, following the weakest year in a decade in 2023. The strong growth in 2024 occurred despite lingering macro challenges, forex concerns in emerging markets, ongoing inflation, and lukewarm demand, proving the market's resilience. Consumer sentiment fared better than in previous years following macroeconomic improvements. Almost all markets showed growth, led by Europe, China and Latin America.
- Top Players &amp; Shifting Shares: Apple and Samsung remained the top two players globally in 2024. According to IDC, both leaders experienced a YoY decline in Q4 2024 due to the aggressive growth of Chinese vendors. Samsung continued to lead the market in 2024 overall, while Apple took the #2 spot with an 18% share according to Counterpoint Research. According to another source, Apple led global shipments in 2024 at 232.1 million units, followed by Samsung at 223.4 million units. Samsung saw strong demand for its S24 and A-series lines, with the S24 performing well as the first phone positioned as an AI device, particularly in Western Europe and the USA. Apple’s iPhone 16 series received a mixed response, partly due to the initial lack of Apple Intelligence availability, although Apple continued to grow strongly in non-core markets like Latin America, Africa and Asia-Pacific-Others.
- Rise of Chinese Vendors: Chinese vendors achieved a historic milestone in Q4 2024, shipping the highest combined volume ever in a single quarter, representing 56% of global smartphone shipments in Q4. Xiaomi secured the 3rd position for the year, with total shipments of 168.5 million units and the highest YoY growth rate (15.4%) among the top 5 players. Xiaomi's growth was helped by its portfolio realignment, premium push, and aggressive expansion activities. Transsion (including itel, Infinix, and Tecno) held the 4th position for the year with a 12.7% growth rate, and claimed the fourth spot globally for the first time. OPPO was 4th but saw a YoY decline, though it ended the year with stronger momentum. vivo rounded off the top five, driven by strong performance in India and China, ending the year as the top-ranked OEM in those markets. Challenger brands like HONOR and Motorola also contributed to the market recovery w

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[This episode delves into the recent dynamics of the global smartphone market based on the latest reports from IDC and Counterpoint Research. After two challenging years of decline, 2024 marked a significant recovery, showing the resilience of the market despite lingering macroeconomic pressures. We explore the factors driving this growth, the changing landscape among major players, the rise of new manufacturing hubs like India, and the exciting role of AI in shaping the future of mobile.

Key Highlights:
- Market Recovery: Global smartphone shipments increased by 6.4% year-over-year in 2024, reaching 1.24 billion units. This follows a period of decline since the market peaked in 2016 at 1.47 billion units. The recovery saw smartphone sales grow 4% YoY in 2024, following the weakest year in a decade in 2023. The strong growth in 2024 occurred despite lingering macro challenges, forex concerns in emerging markets, ongoing inflation, and lukewarm demand, proving the market's resilience. Consumer sentiment fared better than in previous years following macroeconomic improvements. Almost all markets showed growth, led by Europe, China and Latin America.
- Top Players &amp; Shifting Shares: Apple and Samsung remained the top two players globally in 2024. According to IDC, both leaders experienced a YoY decline in Q4 2024 due to the aggressive growth of Chinese vendors. Samsung continued to lead the market in 2024 overall, while Apple took the #2 spot with an 18% share according to Counterpoint Research. According to another source, Apple led global shipments in 2024 at 232.1 million units, followed by Samsung at 223.4 million units. Samsung saw strong demand for its S24 and A-series lines, with the S24 performing well as the first phone positioned as an AI device, particularly in Western Europe and the USA. Apple’s iPhone 16 series received a mixed response, partly due to the initial lack of Apple Intelligence availability, although Apple continued to grow strongly in non-core markets like Latin America, Africa and Asia-Pacific-Others.
- Rise of Chinese Vendors: Chinese vendors achieved a historic milestone in Q4 2024, shipping the highest combined volume ever in a single quarter, representing 56% of global smartphone shipments in Q4. Xiaomi secured the 3rd position for the year, with total shipments of 168.5 million units and the highest YoY growth rate (15.4%) among the top 5 players. Xiaomi's growth was helped by its portfolio realignment, premium push, and aggressive expansion activities. Transsion (including itel, Infinix, and Tecno) held the 4th position for the year with a 12.7% growth rate, and claimed the fourth spot globally for the first time. OPPO was 4th but saw a YoY decline, though it ended the year with stronger momentum. vivo rounded off the top five, driven by strong performance in India and China, ending the year as the top-ranked OEM in those markets. Challenger brands like HONOR and Motorola also contributed to the market recovery w

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>661</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66362228]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2705903072.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>North Korea's Crypto Heists | Mobile App and API Threats</title>
      <link>https://player.megaphone.fm/NPTNI6023885966</link>
      <description>North Korean Crypto Heists: Mobile and API Threats

In this episode of Upwardly Mobile, we delve into the alarming tactics employed by North Korean state-sponsored hackers to siphon billions from the cryptocurrency world. Moving beyond targeting just large exchanges, these sophisticated actors, most notably the infamous Lazarus Group, are increasingly focusing on vulnerabilities in mobile devices and Application Programming Interfaces (APIs), the digital connectors powering our apps.

We discuss how your phone, the device you carry everywhere, has become a prime target. Hackers are using sophisticated social engineering and phishing campaigns delivered via messaging apps and social media to trick users into compromising their devices. They develop or infect malicious cryptocurrency apps and fake wallets to steal private keys and transaction data. Furthermore, exploiting vulnerabilities in mobile operating systems and apps, or deploying Remote Access Trojans (RATs) through various mobile vectors, allows them persistent access to steal credentials and control crypto accounts. Reports indicate attackers have even leveraged remote collaboration tools to gain control.

APIs, the unseen connectors that enable apps to communicate, are also major targets. North Korean hackers actively seek to steal API keys from developers and employees within crypto firms through phishing and malware. Campaigns like "Operation 99" specifically target developers for sensitive data, including API keys. Exploiting flaws in the design or implementation of exchange and wallet APIs allows them to bypass security or manipulate data. They also utilise supply chain attacks, compromising third-party vendors with API access to gain a foothold and exploit trusted connections. Attacks like the ByBit hack reportedly involved exploiting supplier vulnerabilities and altering wallet addresses, potentially involving API manipulations.

These tactics have been linked to high-profile heists against major exchanges like KuCoin and WazirX, and DeFi protocols such as the Ronin Bridge. Stolen funds are then put through complex, multi-stage laundering processes involving mixers, DEXs, and cross-chain bridges to obscure their origin.

We also cover essential defence strategies for both individuals and organisations in the crypto space. For individuals, this includes being hyper-vigilant against unsolicited messages, securing your mobile device with updates and trusted app sources, using hardware wallets for significant holdings, implementing strong, unique passwords and 2FA, and diligently verifying wallet addresses. For organisations, robust API security, regular security audits, employee training, supply chain risk management, and advanced threat detection are crucial. This battle is an ongoing arms race, but understanding these evolving threats is the first step to bolstering your defences.

Sponsor: This episode is brought to you by Approov, a leader in API and mobile app security. Learn more abo

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 23 May 2025 21:16:57 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>North Korean Crypto Heists: Mobile and API Threats

In this episode of Upwardly Mobile, we delve into the alarming tactics employed by North Korean state-sponsored hackers to siphon billions from the cryptocurrency world. Moving beyond targeting just large exchanges, these sophisticated actors, most notably the infamous Lazarus Group, are increasingly focusing on vulnerabilities in mobile devices and Application Programming Interfaces (APIs), the digital connectors powering our apps.

We discuss how your phone, the device you carry everywhere, has become a prime target. Hackers are using sophisticated social engineering and phishing campaigns delivered via messaging apps and social media to trick users into compromising their devices. They develop or infect malicious cryptocurrency apps and fake wallets to steal private keys and transaction data. Furthermore, exploiting vulnerabilities in mobile operating systems and apps, or deploying Remote Access Trojans (RATs) through various mobile vectors, allows them persistent access to steal credentials and control crypto accounts. Reports indicate attackers have even leveraged remote collaboration tools to gain control.

APIs, the unseen connectors that enable apps to communicate, are also major targets. North Korean hackers actively seek to steal API keys from developers and employees within crypto firms through phishing and malware. Campaigns like "Operation 99" specifically target developers for sensitive data, including API keys. Exploiting flaws in the design or implementation of exchange and wallet APIs allows them to bypass security or manipulate data. They also utilise supply chain attacks, compromising third-party vendors with API access to gain a foothold and exploit trusted connections. Attacks like the ByBit hack reportedly involved exploiting supplier vulnerabilities and altering wallet addresses, potentially involving API manipulations.

These tactics have been linked to high-profile heists against major exchanges like KuCoin and WazirX, and DeFi protocols such as the Ronin Bridge. Stolen funds are then put through complex, multi-stage laundering processes involving mixers, DEXs, and cross-chain bridges to obscure their origin.

We also cover essential defence strategies for both individuals and organisations in the crypto space. For individuals, this includes being hyper-vigilant against unsolicited messages, securing your mobile device with updates and trusted app sources, using hardware wallets for significant holdings, implementing strong, unique passwords and 2FA, and diligently verifying wallet addresses. For organisations, robust API security, regular security audits, employee training, supply chain risk management, and advanced threat detection are crucial. This battle is an ongoing arms race, but understanding these evolving threats is the first step to bolstering your defences.

Sponsor: This episode is brought to you by Approov, a leader in API and mobile app security. Learn more abo

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[North Korean Crypto Heists: Mobile and API Threats

In this episode of Upwardly Mobile, we delve into the alarming tactics employed by North Korean state-sponsored hackers to siphon billions from the cryptocurrency world. Moving beyond targeting just large exchanges, these sophisticated actors, most notably the infamous Lazarus Group, are increasingly focusing on vulnerabilities in mobile devices and Application Programming Interfaces (APIs), the digital connectors powering our apps.

We discuss how your phone, the device you carry everywhere, has become a prime target. Hackers are using sophisticated social engineering and phishing campaigns delivered via messaging apps and social media to trick users into compromising their devices. They develop or infect malicious cryptocurrency apps and fake wallets to steal private keys and transaction data. Furthermore, exploiting vulnerabilities in mobile operating systems and apps, or deploying Remote Access Trojans (RATs) through various mobile vectors, allows them persistent access to steal credentials and control crypto accounts. Reports indicate attackers have even leveraged remote collaboration tools to gain control.

APIs, the unseen connectors that enable apps to communicate, are also major targets. North Korean hackers actively seek to steal API keys from developers and employees within crypto firms through phishing and malware. Campaigns like "Operation 99" specifically target developers for sensitive data, including API keys. Exploiting flaws in the design or implementation of exchange and wallet APIs allows them to bypass security or manipulate data. They also utilise supply chain attacks, compromising third-party vendors with API access to gain a foothold and exploit trusted connections. Attacks like the ByBit hack reportedly involved exploiting supplier vulnerabilities and altering wallet addresses, potentially involving API manipulations.

These tactics have been linked to high-profile heists against major exchanges like KuCoin and WazirX, and DeFi protocols such as the Ronin Bridge. Stolen funds are then put through complex, multi-stage laundering processes involving mixers, DEXs, and cross-chain bridges to obscure their origin.

We also cover essential defence strategies for both individuals and organisations in the crypto space. For individuals, this includes being hyper-vigilant against unsolicited messages, securing your mobile device with updates and trusted app sources, using hardware wallets for significant holdings, implementing strong, unique passwords and 2FA, and diligently verifying wallet addresses. For organisations, robust API security, regular security audits, employee training, supply chain risk management, and advanced threat detection are crucial. This battle is an ongoing arms race, but understanding these evolving threats is the first step to bolstering your defences.

Sponsor: This episode is brought to you by Approov, a leader in API and mobile app security. Learn more abo

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>707</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66235325]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6023885966.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Beyond Code Obfuscation | The Non-Negotiable Shift to Dynamic Mobile App Security</title>
      <link>https://player.megaphone.fm/NPTNI1849046682</link>
      <description>Podcast Title: Upwardly Mobile
Episode Title: Beyond Obfuscation: Dynamic Defenses for Modern Mobile Security
Episode Summary: In this episode, we dive deep into the evolving landscape of mobile application security. While traditional methods like code obfuscation once offered a basic layer of defense, they are proving increasingly inadequate against today's sophisticated threats. We explore the findings of recent security analyses highlighting widespread vulnerabilities, such as weak cryptography and exposed credentials, even in enterprise apps. We discuss why static defenses like obfuscation fall short, especially against the rise of AI-powered attacks and the relentless targeting of APIs. Attackers are leveraging AI for everything from hyper-personalized phishing to adaptive malware and automated vulnerability discovery, while APIs present a direct path to backend systems and sensitive data. The core of our discussion focuses on the critical need to shift towards dynamic, runtime security measures. We break down key technologies essential for modern mobile defense:

- Runtime Application Self-Protection (RASP): How apps can monitor their own execution and environment in real-time to detect and block threats like tampering, debugging, and compromised devices.  
- Runtime Secrets Protection: Moving beyond hardcoded secrets by delivering API keys and credentials securely, just-in-time, only to validated, genuine app instances.  
- Dynamic Certificate Pinning: Securing communication channels against Man-in-the-Middle attacks with more flexibility and less operational risk than traditional static pinning.  
- App Attestation &amp; Token-Based API Access: Verifying the integrity of the mobile app itself (the 'what') before granting API access, using short-lived tokens to block bots, scripts, and tampered apps.  
We compare static vs. dynamic approaches, emphasizing that while static analysis has its place early in development, dynamic defenses are non-negotiable for protecting sensitive data and functionality in today's threat environment. Learn why embracing these advanced, runtime-aware strategies is crucial for building truly resilient mobile applications.

Keywords: Mobile Security, Application Security, API Security, Code Obfuscation, Dynamic Security, Runtime Application Self-Protection, RASP, App Attestation, Runtime Secrets, Dynamic Certificate Pinning, OWASP Mobile Top 10, API Attacks, AI Security, Cybersecurity, DevSecOps, Mobile App Development, Data Protection, Reverse Engineering, Tampering, Man-in-the-Middle Attack, Credential Stuffing, Secure Coding

Source Material Links:

- Infosecurity Magazine Article: https://www.infosecurity-magazine.com/news/92-mobile-apps-insecure/
- OWASP Resources (API Security, Mobile Security, Cheatsheets, MASTG):
    - https://owasp.org/www-project-api-security/  
    - https://owasp.org/www-project-mobile-top-10/  
    - https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning  
-

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 18 May 2025 07:50:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Podcast Title: Upwardly Mobile
Episode Title: Beyond Obfuscation: Dynamic Defenses for Modern Mobile Security
Episode Summary: In this episode, we dive deep into the evolving landscape of mobile application security. While traditional methods like code obfuscation once offered a basic layer of defense, they are proving increasingly inadequate against today's sophisticated threats. We explore the findings of recent security analyses highlighting widespread vulnerabilities, such as weak cryptography and exposed credentials, even in enterprise apps. We discuss why static defenses like obfuscation fall short, especially against the rise of AI-powered attacks and the relentless targeting of APIs. Attackers are leveraging AI for everything from hyper-personalized phishing to adaptive malware and automated vulnerability discovery, while APIs present a direct path to backend systems and sensitive data. The core of our discussion focuses on the critical need to shift towards dynamic, runtime security measures. We break down key technologies essential for modern mobile defense:

- Runtime Application Self-Protection (RASP): How apps can monitor their own execution and environment in real-time to detect and block threats like tampering, debugging, and compromised devices.  
- Runtime Secrets Protection: Moving beyond hardcoded secrets by delivering API keys and credentials securely, just-in-time, only to validated, genuine app instances.  
- Dynamic Certificate Pinning: Securing communication channels against Man-in-the-Middle attacks with more flexibility and less operational risk than traditional static pinning.  
- App Attestation &amp; Token-Based API Access: Verifying the integrity of the mobile app itself (the 'what') before granting API access, using short-lived tokens to block bots, scripts, and tampered apps.  
We compare static vs. dynamic approaches, emphasizing that while static analysis has its place early in development, dynamic defenses are non-negotiable for protecting sensitive data and functionality in today's threat environment. Learn why embracing these advanced, runtime-aware strategies is crucial for building truly resilient mobile applications.

Keywords: Mobile Security, Application Security, API Security, Code Obfuscation, Dynamic Security, Runtime Application Self-Protection, RASP, App Attestation, Runtime Secrets, Dynamic Certificate Pinning, OWASP Mobile Top 10, API Attacks, AI Security, Cybersecurity, DevSecOps, Mobile App Development, Data Protection, Reverse Engineering, Tampering, Man-in-the-Middle Attack, Credential Stuffing, Secure Coding

Source Material Links:

- Infosecurity Magazine Article: https://www.infosecurity-magazine.com/news/92-mobile-apps-insecure/
- OWASP Resources (API Security, Mobile Security, Cheatsheets, MASTG):
    - https://owasp.org/www-project-api-security/  
    - https://owasp.org/www-project-mobile-top-10/  
    - https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning  
-

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Podcast Title: Upwardly Mobile
Episode Title: Beyond Obfuscation: Dynamic Defenses for Modern Mobile Security
Episode Summary: In this episode, we dive deep into the evolving landscape of mobile application security. While traditional methods like code obfuscation once offered a basic layer of defense, they are proving increasingly inadequate against today's sophisticated threats. We explore the findings of recent security analyses highlighting widespread vulnerabilities, such as weak cryptography and exposed credentials, even in enterprise apps. We discuss why static defenses like obfuscation fall short, especially against the rise of AI-powered attacks and the relentless targeting of APIs. Attackers are leveraging AI for everything from hyper-personalized phishing to adaptive malware and automated vulnerability discovery, while APIs present a direct path to backend systems and sensitive data. The core of our discussion focuses on the critical need to shift towards dynamic, runtime security measures. We break down key technologies essential for modern mobile defense:

- Runtime Application Self-Protection (RASP): How apps can monitor their own execution and environment in real-time to detect and block threats like tampering, debugging, and compromised devices.  
- Runtime Secrets Protection: Moving beyond hardcoded secrets by delivering API keys and credentials securely, just-in-time, only to validated, genuine app instances.  
- Dynamic Certificate Pinning: Securing communication channels against Man-in-the-Middle attacks with more flexibility and less operational risk than traditional static pinning.  
- App Attestation &amp; Token-Based API Access: Verifying the integrity of the mobile app itself (the 'what') before granting API access, using short-lived tokens to block bots, scripts, and tampered apps.  
We compare static vs. dynamic approaches, emphasizing that while static analysis has its place early in development, dynamic defenses are non-negotiable for protecting sensitive data and functionality in today's threat environment. Learn why embracing these advanced, runtime-aware strategies is crucial for building truly resilient mobile applications.

Keywords: Mobile Security, Application Security, API Security, Code Obfuscation, Dynamic Security, Runtime Application Self-Protection, RASP, App Attestation, Runtime Secrets, Dynamic Certificate Pinning, OWASP Mobile Top 10, API Attacks, AI Security, Cybersecurity, DevSecOps, Mobile App Development, Data Protection, Reverse Engineering, Tampering, Man-in-the-Middle Attack, Credential Stuffing, Secure Coding

Source Material Links:

- Infosecurity Magazine Article: https://www.infosecurity-magazine.com/news/92-mobile-apps-insecure/
- OWASP Resources (API Security, Mobile Security, Cheatsheets, MASTG):
    - https://owasp.org/www-project-api-security/  
    - https://owasp.org/www-project-mobile-top-10/  
    - https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning  
-

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>458</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65624041]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1849046682.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Fair Play: How Competition Drives UK Growth &amp; Challenges Big Tech's AppStore Power</title>
      <link>https://player.megaphone.fm/NPTNI1790540451</link>
      <description>Fair Play: How Competition Policy Drives UK Growth and Challenges Big Tech's App Store Power

In this episode of Upwardly Mobile, we delve into "Fair Play: How competition policy can drive growth," a briefing paper from the Institute for Public Policy Research (IPPR). Authors George Dibb and Tommaso Valletti argue that a robust competition policy, enforced by a responsive regulator like the Competition and Markets Authority (CMA), is a cornerstone of shared, equitable growth in the UK.

The paper highlights how the UK economy is grappling with rising market concentration and stagnant productivity. It contends that concentrated markets stifle innovation, discourage investment, and suppress dynamism, contributing to a "low-growth trap". Dominant firms, particularly foreign tech giants, are shown to extract wealth from the UK, making it harder for domestic startups to compete. Furthermore, unchecked monopolies pose a significant risk to democratic institutions by concentrating economic and political influence.

A key focus is the economic case for robust competition policy. The authors explain that without competition, markets fail to drive innovation and fair treatment for workers and consumers; instead, monopolists extract profits and crush competitors. They address misconceptions, such as the idea that mergers are always good for investment, clarifying that competition policy targets large firms where efficiency arguments no longer apply.

The briefing paper calls for reforms to the CMA, advocating for a shift towards a more proactive role aligned with UK growth objectives. Recommendations include accelerating interventions against exploitative practices (like 'big tech' fees), defining a clearer 'growth' mandate focused on wage growth and SME dynamism, streamlining processes, and better integrating competition policy with industrial strategy and trade policy.

A prominent case study examined is the lack of competition in app stores, which allows Google and Apple to extract substantial fees from app developers. The typical commission on in-app purchases is 30%, or 15% for small businesses. This effectively acts as an "app store tax," representing a significant revenue transfer away from developers, estimated to be between £0.8 billion and £1.3 billion annually by 2025 if fees were reduced to a 12% benchmark. The paper suggests that well-designed regulation, such as the Digital Markets, Competition and Consumers (DMCC) Act, can drive innovation and create fairer markets.

Ultimately, "Fair Play" positions robust competition policy not as anti-business, but as a pro-business, pro-worker, pro-growth agenda that ensures markets reward innovation and hold economic power accountable.

Read the full paper: You can download "Fair play: How competition policy can drive growth" at: http://www.ippr.org/articles/fair-play

Please note: The Coalition for App Fairness is a sponsor of this briefing paper. Approov Limited is the sponsor of this podcast: www.approov.io

K

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 15 May 2025 07:40:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Fair Play: How Competition Policy Drives UK Growth and Challenges Big Tech's App Store Power

In this episode of Upwardly Mobile, we delve into "Fair Play: How competition policy can drive growth," a briefing paper from the Institute for Public Policy Research (IPPR). Authors George Dibb and Tommaso Valletti argue that a robust competition policy, enforced by a responsive regulator like the Competition and Markets Authority (CMA), is a cornerstone of shared, equitable growth in the UK.

The paper highlights how the UK economy is grappling with rising market concentration and stagnant productivity. It contends that concentrated markets stifle innovation, discourage investment, and suppress dynamism, contributing to a "low-growth trap". Dominant firms, particularly foreign tech giants, are shown to extract wealth from the UK, making it harder for domestic startups to compete. Furthermore, unchecked monopolies pose a significant risk to democratic institutions by concentrating economic and political influence.

A key focus is the economic case for robust competition policy. The authors explain that without competition, markets fail to drive innovation and fair treatment for workers and consumers; instead, monopolists extract profits and crush competitors. They address misconceptions, such as the idea that mergers are always good for investment, clarifying that competition policy targets large firms where efficiency arguments no longer apply.

The briefing paper calls for reforms to the CMA, advocating for a shift towards a more proactive role aligned with UK growth objectives. Recommendations include accelerating interventions against exploitative practices (like 'big tech' fees), defining a clearer 'growth' mandate focused on wage growth and SME dynamism, streamlining processes, and better integrating competition policy with industrial strategy and trade policy.

A prominent case study examined is the lack of competition in app stores, which allows Google and Apple to extract substantial fees from app developers. The typical commission on in-app purchases is 30%, or 15% for small businesses. This effectively acts as an "app store tax," representing a significant revenue transfer away from developers, estimated to be between £0.8 billion and £1.3 billion annually by 2025 if fees were reduced to a 12% benchmark. The paper suggests that well-designed regulation, such as the Digital Markets, Competition and Consumers (DMCC) Act, can drive innovation and create fairer markets.

Ultimately, "Fair Play" positions robust competition policy not as anti-business, but as a pro-business, pro-worker, pro-growth agenda that ensures markets reward innovation and hold economic power accountable.

Read the full paper: You can download "Fair play: How competition policy can drive growth" at: http://www.ippr.org/articles/fair-play

Please note: The Coalition for App Fairness is a sponsor of this briefing paper. Approov Limited is the sponsor of this podcast: www.approov.io

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Fair Play: How Competition Policy Drives UK Growth and Challenges Big Tech's App Store Power

In this episode of Upwardly Mobile, we delve into "Fair Play: How competition policy can drive growth," a briefing paper from the Institute for Public Policy Research (IPPR). Authors George Dibb and Tommaso Valletti argue that a robust competition policy, enforced by a responsive regulator like the Competition and Markets Authority (CMA), is a cornerstone of shared, equitable growth in the UK.

The paper highlights how the UK economy is grappling with rising market concentration and stagnant productivity. It contends that concentrated markets stifle innovation, discourage investment, and suppress dynamism, contributing to a "low-growth trap". Dominant firms, particularly foreign tech giants, are shown to extract wealth from the UK, making it harder for domestic startups to compete. Furthermore, unchecked monopolies pose a significant risk to democratic institutions by concentrating economic and political influence.

A key focus is the economic case for robust competition policy. The authors explain that without competition, markets fail to drive innovation and fair treatment for workers and consumers; instead, monopolists extract profits and crush competitors. They address misconceptions, such as the idea that mergers are always good for investment, clarifying that competition policy targets large firms where efficiency arguments no longer apply.

The briefing paper calls for reforms to the CMA, advocating for a shift towards a more proactive role aligned with UK growth objectives. Recommendations include accelerating interventions against exploitative practices (like 'big tech' fees), defining a clearer 'growth' mandate focused on wage growth and SME dynamism, streamlining processes, and better integrating competition policy with industrial strategy and trade policy.

A prominent case study examined is the lack of competition in app stores, which allows Google and Apple to extract substantial fees from app developers. The typical commission on in-app purchases is 30%, or 15% for small businesses. This effectively acts as an "app store tax," representing a significant revenue transfer away from developers, estimated to be between £0.8 billion and £1.3 billion annually by 2025 if fees were reduced to a 12% benchmark. The paper suggests that well-designed regulation, such as the Digital Markets, Competition and Consumers (DMCC) Act, can drive innovation and create fairer markets.

Ultimately, "Fair Play" positions robust competition policy not as anti-business, but as a pro-business, pro-worker, pro-growth agenda that ensures markets reward innovation and hold economic power accountable.

Read the full paper: You can download "Fair play: How competition policy can drive growth" at: http://www.ippr.org/articles/fair-play

Please note: The Coalition for App Fairness is a sponsor of this briefing paper. Approov Limited is the sponsor of this podcast: www.approov.io

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>420</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66090737]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1790540451.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Signal Clone Crisis: Mike Waltz, TeleMessage, and the Hack That Exposed Sensitive Comms</title>
      <link>https://player.megaphone.fm/NPTNI7134635258</link>
      <description>Episode Summary: In this episode of Upwardly Mobile, we unpack the unsettling incident involving TeleMessage, a modified clone of the secure messaging app Signal, its use by the U.S. government, and the subsequent data breach. We explore how a lack of fundamental security measures like app attestation and token-based API access created gaping vulnerabilities, allowing a hacker to access sensitive archived data. Drawing on insights from the sources, we discuss why encryption alone is insufficient and highlight the urgent need for robust client-side security to protect sensitive communications and safeguard brand trust in the digital age.
Key Takeaways:
- An obscure Israeli company called TeleMessage offers modified versions of secure messaging apps like Signal, WhatsApp, Telegram, and WeChat, primarily for archiving purposes to meet compliance requirements for organisations, including the U.S. government.
- Former National Security Advisor Mike Waltz was reportedly photographed using a modified version of Signal by TeleMessage, labelled "TM SGNL," during a cabinet meeting, bringing attention to the use of such apps in sensitive government contexts.
- Despite being based on Signal’s open-source code, TeleMessage lacked core security defences such as robust app attestation and secure token-based API access control. This allowed the repackaged and unverified app to establish trust with the Signal backend and interact with secure infrastructure as if it were legitimate.
- A hacker successfully breached TeleMessage and stole customer data, including contents from direct messages and group chats from its modified apps. This hack demonstrated serious vulnerabilities, revealing that archived chat logs were not end-to-end encrypted between the modified app and the archiving destination.
- Data related to sensitive entities, including Customs and Border Protection (CBP) and the cryptocurrency giant Coinbase, were reportedly included in the hacked material.
- The incident underscores the critical need for app attestation, which ensures only authentic, unaltered app versions running in secure environments can access backend APIs.
- Key components of effective app attestation include runtime integrity verification and dynamic token issuance. This approach prevents repackaged, emulated, or jailbroken clients from accessing protected endpoints or receiving secrets.
- Solutions like Approov offer third-party app attestation services that provide comprehensive coverage across iOS and Android, including on jailbroken or rooted devices where platform-native solutions may be limited. Approov also includes features like dynamic certificate pinning and runtime secrets protection.
- The sources suggest that widespread API insecurity is partly due to limitations in platform-native security tools from Apple and Google and their resistance to allowing deeper integration of third-party security solutions.
- While Signal’s end-to-end encryption is a strong foundation, its le

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 13 May 2025 14:13:05 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Summary: In this episode of Upwardly Mobile, we unpack the unsettling incident involving TeleMessage, a modified clone of the secure messaging app Signal, its use by the U.S. government, and the subsequent data breach. We explore how a lack of fundamental security measures like app attestation and token-based API access created gaping vulnerabilities, allowing a hacker to access sensitive archived data. Drawing on insights from the sources, we discuss why encryption alone is insufficient and highlight the urgent need for robust client-side security to protect sensitive communications and safeguard brand trust in the digital age.
Key Takeaways:
- An obscure Israeli company called TeleMessage offers modified versions of secure messaging apps like Signal, WhatsApp, Telegram, and WeChat, primarily for archiving purposes to meet compliance requirements for organisations, including the U.S. government.
- Former National Security Advisor Mike Waltz was reportedly photographed using a modified version of Signal by TeleMessage, labelled "TM SGNL," during a cabinet meeting, bringing attention to the use of such apps in sensitive government contexts.
- Despite being based on Signal’s open-source code, TeleMessage lacked core security defences such as robust app attestation and secure token-based API access control. This allowed the repackaged and unverified app to establish trust with the Signal backend and interact with secure infrastructure as if it were legitimate.
- A hacker successfully breached TeleMessage and stole customer data, including contents from direct messages and group chats from its modified apps. This hack demonstrated serious vulnerabilities, revealing that archived chat logs were not end-to-end encrypted between the modified app and the archiving destination.
- Data related to sensitive entities, including Customs and Border Protection (CBP) and the cryptocurrency giant Coinbase, were reportedly included in the hacked material.
- The incident underscores the critical need for app attestation, which ensures only authentic, unaltered app versions running in secure environments can access backend APIs.
- Key components of effective app attestation include runtime integrity verification and dynamic token issuance. This approach prevents repackaged, emulated, or jailbroken clients from accessing protected endpoints or receiving secrets.
- Solutions like Approov offer third-party app attestation services that provide comprehensive coverage across iOS and Android, including on jailbroken or rooted devices where platform-native solutions may be limited. Approov also includes features like dynamic certificate pinning and runtime secrets protection.
- The sources suggest that widespread API insecurity is partly due to limitations in platform-native security tools from Apple and Google and their resistance to allowing deeper integration of third-party security solutions.
- While Signal’s end-to-end encryption is a strong foundation, its le

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Summary: In this episode of Upwardly Mobile, we unpack the unsettling incident involving TeleMessage, a modified clone of the secure messaging app Signal, its use by the U.S. government, and the subsequent data breach. We explore how a lack of fundamental security measures like app attestation and token-based API access created gaping vulnerabilities, allowing a hacker to access sensitive archived data. Drawing on insights from the sources, we discuss why encryption alone is insufficient and highlight the urgent need for robust client-side security to protect sensitive communications and safeguard brand trust in the digital age.
Key Takeaways:
- An obscure Israeli company called TeleMessage offers modified versions of secure messaging apps like Signal, WhatsApp, Telegram, and WeChat, primarily for archiving purposes to meet compliance requirements for organisations, including the U.S. government.
- Former National Security Advisor Mike Waltz was reportedly photographed using a modified version of Signal by TeleMessage, labelled "TM SGNL," during a cabinet meeting, bringing attention to the use of such apps in sensitive government contexts.
- Despite being based on Signal’s open-source code, TeleMessage lacked core security defences such as robust app attestation and secure token-based API access control. This allowed the repackaged and unverified app to establish trust with the Signal backend and interact with secure infrastructure as if it were legitimate.
- A hacker successfully breached TeleMessage and stole customer data, including contents from direct messages and group chats from its modified apps. This hack demonstrated serious vulnerabilities, revealing that archived chat logs were not end-to-end encrypted between the modified app and the archiving destination.
- Data related to sensitive entities, including Customs and Border Protection (CBP) and the cryptocurrency giant Coinbase, were reportedly included in the hacked material.
- The incident underscores the critical need for app attestation, which ensures only authentic, unaltered app versions running in secure environments can access backend APIs.
- Key components of effective app attestation include runtime integrity verification and dynamic token issuance. This approach prevents repackaged, emulated, or jailbroken clients from accessing protected endpoints or receiving secrets.
- Solutions like Approov offer third-party app attestation services that provide comprehensive coverage across iOS and Android, including on jailbroken or rooted devices where platform-native solutions may be limited. Approov also includes features like dynamic certificate pinning and runtime secrets protection.
- The sources suggest that widespread API insecurity is partly due to limitations in platform-native security tools from Apple and Google and their resistance to allowing deeper integration of third-party security solutions.
- While Signal’s end-to-end encryption is a strong foundation, its le

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>346</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/66071722]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7134635258.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Securing AI Agentic Mobile API Access</title>
      <link>https://player.megaphone.fm/NPTNI8241089813</link>
      <description>Securing APIs: Mobile App Vulnerabilities Meet the Rise of AI Agents


Episode Notes: Welcome to Upwardly Mobile! In this episode, we delve into the critical and rapidly evolving landscape of API security, focusing on the unique challenges presented by mobile applications and the increasing prevalence of autonomous AI agents accessing these APIs. As AI paradigms become standard, technology is racing to keep up, especially with the shift toward AI agentic API consumption in 2025. This presents significant security considerations, requiring a rethinking of how systems are secured and access is ensured.

Mobile applications rely heavily on backend APIs to power their features across various platforms like iOS, Android, HarmonyOS, Flutter, and React Native. However, mobile apps are one of the most common attack vectors for API abuse. Even well-coded apps can be reverse-engineered, allowing their APIs to be abused.


Key Mobile API Security Risks:

- Abuse by Automated Scripts and Bots: Automated bots or scripts can simulate legitimate app traffic at a malicious scale, leading to data scraping, rapid transactions, overwhelming backend systems, or enabling abuse like mass account creation or credential stuffing. Distinguishing genuine users from scripts/bots is a key challenge, and many organizations lack the means to differentiate.
- Use of Stolen API Keys or Tokens: Mobile apps often contain secrets like API keys or tokens. If hardcoded or stored insecurely, attackers can extract and reuse them for illicit API calls, allowing them to masquerade as the app or user. Real incidents have shown thousands of apps leaking hardcoded keys, which can lead to impersonation, huge bills, or data breaches. Any API key or token shipped in a mobile binary is at risk via reverse engineering. Relying only on static secrets is insufficient.
- Replay Attacks on API Requests: Attackers can intercept legitimate API requests or tokens and re-send them to the server. If the server cannot distinguish old requests from new ones, it might process actions multiple times. This is due to a lack of freshness or binding; without timestamps or nonces, a captured message could be valid forever.
- Lack of App Attestation or Authenticity Checks: Without attestation, the backend cannot truly know if an API request is from a legitimate app instance on a real device or from an emulator, rooted device, or fake client. This allows attackers to run modified apps or scripts in untrusted environments and still successfully call APIs, enabling headless abuse and bypassing client-side protections.
- Reverse Engineering and Repackaging: Mobile apps are easily reverse-engineered. Attackers can decompile binaries to discover endpoints, hardcoded keys, and logic, then write their own tools to mimic app behavior. This underpins many threats, allowing attackers to bypass client-side security checks and abuse APIs directly.
Traditional authentication methods like static API keys and standard user logins o

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 08 May 2025 17:19:43 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Securing APIs: Mobile App Vulnerabilities Meet the Rise of AI Agents


Episode Notes: Welcome to Upwardly Mobile! In this episode, we delve into the critical and rapidly evolving landscape of API security, focusing on the unique challenges presented by mobile applications and the increasing prevalence of autonomous AI agents accessing these APIs. As AI paradigms become standard, technology is racing to keep up, especially with the shift toward AI agentic API consumption in 2025. This presents significant security considerations, requiring a rethinking of how systems are secured and access is ensured.

Mobile applications rely heavily on backend APIs to power their features across various platforms like iOS, Android, HarmonyOS, Flutter, and React Native. However, mobile apps are one of the most common attack vectors for API abuse. Even well-coded apps can be reverse-engineered, allowing their APIs to be abused.


Key Mobile API Security Risks:

- Abuse by Automated Scripts and Bots: Automated bots or scripts can simulate legitimate app traffic at a malicious scale, leading to data scraping, rapid transactions, overwhelming backend systems, or enabling abuse like mass account creation or credential stuffing. Distinguishing genuine users from scripts/bots is a key challenge, and many organizations lack the means to differentiate.
- Use of Stolen API Keys or Tokens: Mobile apps often contain secrets like API keys or tokens. If hardcoded or stored insecurely, attackers can extract and reuse them for illicit API calls, allowing them to masquerade as the app or user. Real incidents have shown thousands of apps leaking hardcoded keys, which can lead to impersonation, huge bills, or data breaches. Any API key or token shipped in a mobile binary is at risk via reverse engineering. Relying only on static secrets is insufficient.
- Replay Attacks on API Requests: Attackers can intercept legitimate API requests or tokens and re-send them to the server. If the server cannot distinguish old requests from new ones, it might process actions multiple times. This is due to a lack of freshness or binding; without timestamps or nonces, a captured message could be valid forever.
- Lack of App Attestation or Authenticity Checks: Without attestation, the backend cannot truly know if an API request is from a legitimate app instance on a real device or from an emulator, rooted device, or fake client. This allows attackers to run modified apps or scripts in untrusted environments and still successfully call APIs, enabling headless abuse and bypassing client-side protections.
- Reverse Engineering and Repackaging: Mobile apps are easily reverse-engineered. Attackers can decompile binaries to discover endpoints, hardcoded keys, and logic, then write their own tools to mimic app behavior. This underpins many threats, allowing attackers to bypass client-side security checks and abuse APIs directly.
Traditional authentication methods like static API keys and standard user logins o

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Securing APIs: Mobile App Vulnerabilities Meet the Rise of AI Agents


Episode Notes: Welcome to Upwardly Mobile! In this episode, we delve into the critical and rapidly evolving landscape of API security, focusing on the unique challenges presented by mobile applications and the increasing prevalence of autonomous AI agents accessing these APIs. As AI paradigms become standard, technology is racing to keep up, especially with the shift toward AI agentic API consumption in 2025. This presents significant security considerations, requiring a rethinking of how systems are secured and access is ensured.

Mobile applications rely heavily on backend APIs to power their features across various platforms like iOS, Android, HarmonyOS, Flutter, and React Native. However, mobile apps are one of the most common attack vectors for API abuse. Even well-coded apps can be reverse-engineered, allowing their APIs to be abused.


Key Mobile API Security Risks:

- Abuse by Automated Scripts and Bots: Automated bots or scripts can simulate legitimate app traffic at a malicious scale, leading to data scraping, rapid transactions, overwhelming backend systems, or enabling abuse like mass account creation or credential stuffing. Distinguishing genuine users from scripts/bots is a key challenge, and many organizations lack the means to differentiate.
- Use of Stolen API Keys or Tokens: Mobile apps often contain secrets like API keys or tokens. If hardcoded or stored insecurely, attackers can extract and reuse them for illicit API calls, allowing them to masquerade as the app or user. Real incidents have shown thousands of apps leaking hardcoded keys, which can lead to impersonation, huge bills, or data breaches. Any API key or token shipped in a mobile binary is at risk via reverse engineering. Relying only on static secrets is insufficient.
- Replay Attacks on API Requests: Attackers can intercept legitimate API requests or tokens and re-send them to the server. If the server cannot distinguish old requests from new ones, it might process actions multiple times. This is due to a lack of freshness or binding; without timestamps or nonces, a captured message could be valid forever.
- Lack of App Attestation or Authenticity Checks: Without attestation, the backend cannot truly know if an API request is from a legitimate app instance on a real device or from an emulator, rooted device, or fake client. This allows attackers to run modified apps or scripts in untrusted environments and still successfully call APIs, enabling headless abuse and bypassing client-side protections.
- Reverse Engineering and Repackaging: Mobile apps are easily reverse-engineered. Attackers can decompile binaries to discover endpoints, hardcoded keys, and logic, then write their own tools to mimic app behavior. This underpins many threats, allowing attackers to bypass client-side security checks and abuse APIs directly.
Traditional authentication methods like static API keys and standard user logins o

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>880</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65958840]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8241089813.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Xiaomi Explores Google-Free HyperOS with Huawei and BBK</title>
      <link>https://player.megaphone.fm/NPTNI8251727605</link>
      <description>Beyond Google: HarmonyOS, HyperOS, and Securing the Non-GMS Mobile World

Episode Description:
Join us as we dive into the evolving landscape of mobile operating systems beyond the familiar Google Mobile Services (GMS) ecosystem. We explore how Huawei has achieved significant market success with its HarmonyOS, particularly in China, despite the challenges of being added to the U.S. entity list and losing access to GMS. The sources highlight HarmonyOS NEXT, Huawei's self-developed OS that fully decouples from Android, featuring a China-made kernel and aiming for a large native app ecosystem.

This shift highlights the rise of non-GMS mobile devices, driven by privacy concerns and a desire for openness or regional market dynamics. However, non-GMS apps face unique security challenges due to the lack of Google's built-in security services, potentially increasing risks of malware and unauthorized access.

Adding to this dynamic, rumours suggest Xiaomi may collaborate with Huawei and BBK to create a Google-free version of its HyperOS, aiming for increased software independence and control. Such a move could redefine the global Android ecosystem and introduce both opportunities and complexities for developers and users.

In this environment, App Attestation is crucial for verifying the integrity and authenticity of apps and devices. While Google PlayIntegrity and SafetyNet serve GMS apps, Approov emerges as a game-changer, offering a comprehensive app attestation and runtime security solution for non-GMS (and other) devices, independent of Google services. We discuss how Approov helps enhance security, protect APIs, and empower developers in this diverse mobile world.

Discussion Points:
- Huawei's success with HarmonyOS following GMS restrictions.
- The features and goals of HarmonyOS NEXT as a distinct operating system.
- The characteristics and security challenges of non-GMS mobile devices.
- Xiaomi's rumoured plans to potentially launch a Google-free HyperOS, possibly in alliance with Huawei and BBK.
- The importance of App Attestation in safeguarding mobile apps and APIs.
- Approov as a security solution for non-GMS apps, offering benefits like real-time threat detection, independence from GMS, and comprehensive protection.
- Comparing Approov to traditional methods like Google PlayIntegrity.
- The strategic implications of open vs. closed mobile ecosystems and their impact on security and innovation.
Relevant Links:
- This episode draws on information from various sources discussing non-GMS devices, Huawei's HarmonyOS, Xiaomi's HyperOS rumours, and mobile security solutions like Approov.
- Learn more about enhancing mobile app security: https://approov.io/
Keywords: Non-GMS, Google Mobile Services, GMS, HarmonyOS, HarmonyOS NEXT, Huawei, Xiaomi, HyperOS, App Attestation, Mobile Security, Android Security, Non-GMS Security, Approov, Open Ecosystems, Mobile App Security, API Security, Runtime Protection, Device Attestation, Cybersecurity, Non-GMS Apps

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 02 May 2025 21:33:43 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Beyond Google: HarmonyOS, HyperOS, and Securing the Non-GMS Mobile World

Episode Description:
Join us as we dive into the evolving landscape of mobile operating systems beyond the familiar Google Mobile Services (GMS) ecosystem. We explore how Huawei has achieved significant market success with its HarmonyOS, particularly in China, despite the challenges of being added to the U.S. entity list and losing access to GMS. The sources highlight HarmonyOS NEXT, Huawei's self-developed OS that fully decouples from Android, featuring a China-made kernel and aiming for a large native app ecosystem.

This shift highlights the rise of non-GMS mobile devices, driven by privacy concerns and a desire for openness or regional market dynamics. However, non-GMS apps face unique security challenges due to the lack of Google's built-in security services, potentially increasing risks of malware and unauthorized access.

Adding to this dynamic, rumours suggest Xiaomi may collaborate with Huawei and BBK to create a Google-free version of its HyperOS, aiming for increased software independence and control. Such a move could redefine the global Android ecosystem and introduce both opportunities and complexities for developers and users.

In this environment, App Attestation is crucial for verifying the integrity and authenticity of apps and devices. While Google PlayIntegrity and SafetyNet serve GMS apps, Approov emerges as a game-changer, offering a comprehensive app attestation and runtime security solution for non-GMS (and other) devices, independent of Google services. We discuss how Approov helps enhance security, protect APIs, and empower developers in this diverse mobile world.

Discussion Points:
- Huawei's success with HarmonyOS following GMS restrictions.
- The features and goals of HarmonyOS NEXT as a distinct operating system.
- The characteristics and security challenges of non-GMS mobile devices.
- Xiaomi's rumoured plans to potentially launch a Google-free HyperOS, possibly in alliance with Huawei and BBK.
- The importance of App Attestation in safeguarding mobile apps and APIs.
- Approov as a security solution for non-GMS apps, offering benefits like real-time threat detection, independence from GMS, and comprehensive protection.
- Comparing Approov to traditional methods like Google PlayIntegrity.
- The strategic implications of open vs. closed mobile ecosystems and their impact on security and innovation.
Relevant Links:
- This episode draws on information from various sources discussing non-GMS devices, Huawei's HarmonyOS, Xiaomi's HyperOS rumours, and mobile security solutions like Approov.
- Learn more about enhancing mobile app security: https://approov.io/
Keywords: Non-GMS, Google Mobile Services, GMS, HarmonyOS, HarmonyOS NEXT, Huawei, Xiaomi, HyperOS, App Attestation, Mobile Security, Android Security, Non-GMS Security, Approov, Open Ecosystems, Mobile App Security, API Security, Runtime Protection, Device Attestation, Cybersecurity, Non-GMS Apps

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Beyond Google: HarmonyOS, HyperOS, and Securing the Non-GMS Mobile World

Episode Description:
Join us as we dive into the evolving landscape of mobile operating systems beyond the familiar Google Mobile Services (GMS) ecosystem. We explore how Huawei has achieved significant market success with its HarmonyOS, particularly in China, despite the challenges of being added to the U.S. entity list and losing access to GMS. The sources highlight HarmonyOS NEXT, Huawei's self-developed OS that fully decouples from Android, featuring a China-made kernel and aiming for a large native app ecosystem.

This shift highlights the rise of non-GMS mobile devices, driven by privacy concerns and a desire for openness or regional market dynamics. However, non-GMS apps face unique security challenges due to the lack of Google's built-in security services, potentially increasing risks of malware and unauthorized access.

Adding to this dynamic, rumours suggest Xiaomi may collaborate with Huawei and BBK to create a Google-free version of its HyperOS, aiming for increased software independence and control. Such a move could redefine the global Android ecosystem and introduce both opportunities and complexities for developers and users.

In this environment, App Attestation is crucial for verifying the integrity and authenticity of apps and devices. While Google PlayIntegrity and SafetyNet serve GMS apps, Approov emerges as a game-changer, offering a comprehensive app attestation and runtime security solution for non-GMS (and other) devices, independent of Google services. We discuss how Approov helps enhance security, protect APIs, and empower developers in this diverse mobile world.

Discussion Points:
- Huawei's success with HarmonyOS following GMS restrictions.
- The features and goals of HarmonyOS NEXT as a distinct operating system.
- The characteristics and security challenges of non-GMS mobile devices.
- Xiaomi's rumoured plans to potentially launch a Google-free HyperOS, possibly in alliance with Huawei and BBK.
- The importance of App Attestation in safeguarding mobile apps and APIs.
- Approov as a security solution for non-GMS apps, offering benefits like real-time threat detection, independence from GMS, and comprehensive protection.
- Comparing Approov to traditional methods like Google Play Integrity.
- The strategic implications of open vs. closed mobile ecosystems and their impact on security and innovation.
Relevant Links:
- This episode draws on information from various sources discussing non-GMS devices, Huawei's HarmonyOS, Xiaomi's HyperOS rumours, and mobile security solutions like Approov.
- Learn more about enhancing mobile app security: https://approov.io/
Keywords: Non-GMS, Google Mobile Services, GMS, HarmonyOS, HarmonyOS NEXT, Huawei, Xiaomi, HyperOS, App Attestation, Mobile Security, Android Security, Non-GMS Security, Approov, Open Ecosystems, Mobile App Security, API Security, Runtime Protection, Device Attestation, Cybersecurity, Non-GMS Apps

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>561</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65864178]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8251727605.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple Blasted by Judge: Lying Under Oath and Losing App Store Control</title>
      <link>https://player.megaphone.fm/NPTNI4991063297</link>
      <description>Apple Blasted by Judge: Lying Under Oath and App Store Control

Episode Notes: In this episode, we dive into the dramatic developments from the ongoing legal battle between Epic Games and Apple. A recent ruling by Judge Yvonne Gonzalez Rogers has delivered a significant blow to Apple's control over its App Store. The judge has banned Apple from charging a commission on purchases made outside the App Store. This stems from Apple's "ongoing anticompetitive behavior", specifically its response to a previous 2021 ruling that required it to allow developers to direct users to external purchasing options. Instead of allowing commission-free external purchases as anticipated by the court, Apple introduced a policy in 2024 that levied a 27% commission on such transactions. Judge Gonzalez Rogers found that Apple "willfully violated and ignored" her 2021 injunction, stating, "That [Apple] thought this Court would tolerate such insubordination was a gross miscalculation". Furthermore, the ruling revealed serious findings about Apple's conduct during the trial. The judge found that Apple Vice President of Finance Alex Roman "outright lied" under oath regarding the timing of Apple's decision to impose the 27% fee, and that Apple "adopted the lies and misrepresentations" by not correcting them. She wrote that Apple presented evidence that seemed "tailor-made for litigation" rather than reflecting actual internal discussions, and that contemporaneous documents showed Apple "knew exactly what it was doing and at every turn chose the most anticompetitive option". Adding to the severity, the judge referred the matter to U.S. attorneys to investigate potential criminal contempt proceedings against both Alex Roman and Apple Inc. She also noted that Apple CEO Tim Cook ignored advice from App Store chief Phil Schiller regarding complying with the original injunction. Epic Games CEO Tim Sweeney called the decision a "huge victory for developers" and announced that Fortnite would return to the US App Store following the ruling. He offered a "peace proposal," suggesting Epic would drop litigation if Apple applied the "friction-free, Apple-tax-free framework worldwide". This ruling highlights a significant contrast between Apple's stated values of honesty, compliance, and integrity and the court's findings of willful violation, lying, and anticompetitive behavior. As Judge Gonzalez Rogers stated, "This is an injunction, not a negotiation. There are no do-overs once a party willfully disregards a court order".

- Judge bans Apple commission on external App Store purchases.
- Ruling finds Apple willfully violated previous order.
- Apple VP found to have "outright lied" under oath.
- Apple Inc. deemed to have "adopted the lies".
- Matter referred for potential criminal contempt proceedings.
- Epic Games plans to bring Fortnite back to the App Store.
Relevant source materials for this episode include excerpts from articles by The Verge, CNBC and the WSJ.

Keywords: Apple,

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 01 May 2025 01:31:57 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Apple Blasted by Judge: Lying Under Oath and App Store Control

Episode Notes: In this episode, we dive into the dramatic developments from the ongoing legal battle between Epic Games and Apple. A recent ruling by Judge Yvonne Gonzalez Rogers has delivered a significant blow to Apple's control over its App Store. The judge has banned Apple from charging a commission on purchases made outside the App Store. This stems from Apple's "ongoing anticompetitive behavior", specifically its response to a previous 2021 ruling that required it to allow developers to direct users to external purchasing options. Instead of allowing commission-free external purchases as anticipated by the court, Apple introduced a policy in 2024 that levied a 27% commission on such transactions. Judge Gonzalez Rogers found that Apple "willfully violated and ignored" her 2021 injunction, stating, "That [Apple] thought this Court would tolerate such insubordination was a gross miscalculation". Furthermore, the ruling revealed serious findings about Apple's conduct during the trial. The judge found that Apple Vice President of Finance Alex Roman "outright lied" under oath regarding the timing of Apple's decision to impose the 27% fee, and that Apple "adopted the lies and misrepresentations" by not correcting them. She wrote that Apple presented evidence that seemed "tailor-made for litigation" rather than reflecting actual internal discussions, and that contemporaneous documents showed Apple "knew exactly what it was doing and at every turn chose the most anticompetitive option". Adding to the severity, the judge referred the matter to U.S. attorneys to investigate potential criminal contempt proceedings against both Alex Roman and Apple Inc. She also noted that Apple CEO Tim Cook ignored advice from App Store chief Phil Schiller regarding complying with the original injunction. Epic Games CEO Tim Sweeney called the decision a "huge victory for developers" and announced that Fortnite would return to the US App Store following the ruling. He offered a "peace proposal," suggesting Epic would drop litigation if Apple applied the "friction-free, Apple-tax-free framework worldwide". This ruling highlights a significant contrast between Apple's stated values of honesty, compliance, and integrity and the court's findings of willful violation, lying, and anticompetitive behavior. As Judge Gonzalez Rogers stated, "This is an injunction, not a negotiation. There are no do-overs once a party willfully disregards a court order".

- Judge bans Apple commission on external App Store purchases.
- Ruling finds Apple willfully violated previous order.
- Apple VP found to have "outright lied" under oath.
- Apple Inc. deemed to have "adopted the lies".
- Matter referred for potential criminal contempt proceedings.
- Epic Games plans to bring Fortnite back to the App Store.
Relevant source materials for this episode include excerpts from articles by The Verge, CNBC and the WSJ.

Keywords: Apple,

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Apple Blasted by Judge: Lying Under Oath and App Store Control

Episode Notes: In this episode, we dive into the dramatic developments from the ongoing legal battle between Epic Games and Apple. A recent ruling by Judge Yvonne Gonzalez Rogers has delivered a significant blow to Apple's control over its App Store. The judge has banned Apple from charging a commission on purchases made outside the App Store. This stems from Apple's "ongoing anticompetitive behavior", specifically its response to a previous 2021 ruling that required it to allow developers to direct users to external purchasing options. Instead of allowing commission-free external purchases as anticipated by the court, Apple introduced a policy in 2024 that levied a 27% commission on such transactions. Judge Gonzalez Rogers found that Apple "willfully violated and ignored" her 2021 injunction, stating, "That [Apple] thought this Court would tolerate such insubordination was a gross miscalculation". Furthermore, the ruling revealed serious findings about Apple's conduct during the trial. The judge found that Apple Vice President of Finance Alex Roman "outright lied" under oath regarding the timing of Apple's decision to impose the 27% fee, and that Apple "adopted the lies and misrepresentations" by not correcting them. She wrote that Apple presented evidence that seemed "tailor-made for litigation" rather than reflecting actual internal discussions, and that contemporaneous documents showed Apple "knew exactly what it was doing and at every turn chose the most anticompetitive option". Adding to the severity, the judge referred the matter to U.S. attorneys to investigate potential criminal contempt proceedings against both Alex Roman and Apple Inc. She also noted that Apple CEO Tim Cook ignored advice from App Store chief Phil Schiller regarding complying with the original injunction. Epic Games CEO Tim Sweeney called the decision a "huge victory for developers" and announced that Fortnite would return to the US App Store following the ruling. He offered a "peace proposal," suggesting Epic would drop litigation if Apple applied the "friction-free, Apple-tax-free framework worldwide". This ruling highlights a significant contrast between Apple's stated values of honesty, compliance, and integrity and the court's findings of willful violation, lying, and anticompetitive behavior. As Judge Gonzalez Rogers stated, "This is an injunction, not a negotiation. There are no do-overs once a party willfully disregards a court order".

- Judge bans Apple commission on external App Store purchases.
- Ruling finds Apple willfully violated previous order.
- Apple VP found to have "outright lied" under oath.
- Apple Inc. deemed to have "adopted the lies".
- Matter referred for potential criminal contempt proceedings.
- Epic Games plans to bring Fortnite back to the App Store.
Relevant source materials for this episode include excerpts from articles by The Verge, CNBC and the WSJ.

Keywords: Apple,

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>593</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65818399]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4991063297.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Good, The Bad, and The Ugly in Mobile Encryption</title>
      <link>https://player.megaphone.fm/NPTNI6420220787</link>
      <description>Upwardly Mobile

Episode Title: The Good, The Bad, and The Ugly in Mobile Encryption

In this episode of Upwardly Mobile, hosted by George &amp; Skye and sponsored by Approov, we dive deep into the crucial world of encryption algorithms for mobile app developers. Protecting user data is paramount for trust, compliance, and preventing breaches, but navigating the landscape of encryption can be challenging. We break down algorithms into three categories: The Good, The Bad, and The Ugly, discussing which ones to use, which to avoid, and learning from past failures.

Episode Summary: Encryption is non-negotiable in mobile development, affecting data security, privacy, and compliance. Choosing the right algorithm is critical, as not all are created equal.

The Good: We highlight modern, reliable encryption algorithms essential for mobile applications.

- AES (Advanced Encryption Standard): The industry standard for symmetric encryption. AES-256 is recommended for its strength, performance, and flexibility. Use it in an authenticated mode such as AES-GCM, which provides confidentiality and integrity/authenticity together; unauthenticated modes leave the ciphertext malleable. Never reuse a nonce under the same GCM key. Modern mobile CPUs have hardware AES acceleration (the ARMv8 Cryptography Extensions on ARM devices; AES-NI is the x86 equivalent), making it very fast.
- ECC (Elliptic Curve Cryptography): The modern choice for asymmetric cryptography, particularly valuable in mobile environments with limited resources. ECC offers robust security with significantly smaller key lengths compared to RSA, leading to faster computations, less memory, lower power consumption, and less data transmitted. It's ideal for secure key exchange (like ECDHE in TLS) and digital signatures (like ECDSA).
- ChaCha20-Poly1305: An excellent AEAD symmetric cipher. It offers security comparable to AES-256-GCM and performs exceptionally well in software, often faster than AES on devices without dedicated hardware acceleration. It's widely used in TLS 1.3.
- Hashing Algorithms: For integrity checks and password storage, which need different tools. For integrity, use the SHA-2 family (SHA-256, SHA-384, SHA-512) or the newer SHA-3 family; a bare hash only catches accidental corruption, so where an attacker could replace both the data and its hash, use an HMAC or a digital signature instead. For passwords, never store a plain fast hash; use a dedicated password-hashing function such as Argon2id (current best practice) or bcrypt, designed to be slow (and, for Argon2, memory-hard) to resist brute-force attacks.
- Secure Protocols: Always use TLS 1.3 for securing network communications (HTTPS), as it mandates strong ciphers and removes insecure options.
- Key Management: Leverage platform-provided secure key storage such as the Android Keystore and the iOS Keychain, which can bind keys to hardware (a TEE or StrongBox secure element on Android, the Secure Enclave on iOS) so the raw key never leaves it. Never hardcode keys in the app binary.
- The Hybrid Approach: The standard practice involves using asymmetric crypto (like ECDHE) to establish a shared secret key securely, and then using that secret key with a fast symmetric AEAD cipher (like AES-GCM or ChaCha20-Poly1305) to encrypt the actual application data.
The Bad: Certain algorithms are outdated, inefficient, or have known vulnerabilities and should be avoided at all costs.

- DES (Data Encryption Standard): Long obsolete with a small 56-bit key size, easily cracked with modern hardwa

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 26 Apr 2025 00:30:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile

Episode Title: The Good, The Bad, and The Ugly in Mobile Encryption

In this episode of Upwardly Mobile, hosted by George &amp; Skye and sponsored by Approov, we dive deep into the crucial world of encryption algorithms for mobile app developers. Protecting user data is paramount for trust, compliance, and preventing breaches, but navigating the landscape of encryption can be challenging. We break down algorithms into three categories: The Good, The Bad, and The Ugly, discussing which ones to use, which to avoid, and learning from past failures.

Episode Summary: Encryption is non-negotiable in mobile development, affecting data security, privacy, and compliance. Choosing the right algorithm is critical, as not all are created equal.

The Good: We highlight modern, reliable encryption algorithms essential for mobile applications.

- AES (Advanced Encryption Standard): The industry standard for symmetric encryption. AES-256 is recommended for its strength, performance, and flexibility. Use it in an authenticated mode such as AES-GCM, which provides confidentiality and integrity/authenticity together; unauthenticated modes leave the ciphertext malleable. Never reuse a nonce under the same GCM key. Modern mobile CPUs have hardware AES acceleration (the ARMv8 Cryptography Extensions on ARM devices; AES-NI is the x86 equivalent), making it very fast.
- ECC (Elliptic Curve Cryptography): The modern choice for asymmetric cryptography, particularly valuable in mobile environments with limited resources. ECC offers robust security with significantly smaller key lengths compared to RSA, leading to faster computations, less memory, lower power consumption, and less data transmitted. It's ideal for secure key exchange (like ECDHE in TLS) and digital signatures (like ECDSA).
- ChaCha20-Poly1305: An excellent AEAD symmetric cipher. It offers security comparable to AES-256-GCM and performs exceptionally well in software, often faster than AES on devices without dedicated hardware acceleration. It's widely used in TLS 1.3.
- Hashing Algorithms: For integrity checks and password storage, which need different tools. For integrity, use the SHA-2 family (SHA-256, SHA-384, SHA-512) or the newer SHA-3 family; a bare hash only catches accidental corruption, so where an attacker could replace both the data and its hash, use an HMAC or a digital signature instead. For passwords, never store a plain fast hash; use a dedicated password-hashing function such as Argon2id (current best practice) or bcrypt, designed to be slow (and, for Argon2, memory-hard) to resist brute-force attacks.
- Secure Protocols: Always use TLS 1.3 for securing network communications (HTTPS), as it mandates strong ciphers and removes insecure options.
- Key Management: Leverage platform-provided secure key storage such as the Android Keystore and the iOS Keychain, which can bind keys to hardware (a TEE or StrongBox secure element on Android, the Secure Enclave on iOS) so the raw key never leaves it. Never hardcode keys in the app binary.
- The Hybrid Approach: The standard practice involves using asymmetric crypto (like ECDHE) to establish a shared secret key securely, and then using that secret key with a fast symmetric AEAD cipher (like AES-GCM or ChaCha20-Poly1305) to encrypt the actual application data.
The Bad: Certain algorithms are outdated, inefficient, or have known vulnerabilities and should be avoided at all costs.

- DES (Data Encryption Standard): Long obsolete with a small 56-bit key size, easily cracked with modern hardwa

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile

Episode Title: The Good, The Bad, and The Ugly in Mobile Encryption

In this episode of Upwardly Mobile, hosted by George & Skye and sponsored by Approov, we dive deep into the crucial world of encryption algorithms for mobile app developers. Protecting user data is paramount for trust, compliance, and preventing breaches, but navigating the landscape of encryption can be challenging. We break down algorithms into three categories: The Good, The Bad, and The Ugly, discussing which ones to use, which to avoid, and learning from past failures.

Episode Summary: Encryption is non-negotiable in mobile development, affecting data security, privacy, and compliance. Choosing the right algorithm is critical, as not all are created equal.

The Good: We highlight modern, reliable encryption algorithms essential for mobile applications.

- AES (Advanced Encryption Standard): The industry standard for symmetric encryption. AES-256 is recommended for its strength, performance, and flexibility. Use it in an authenticated mode such as AES-GCM, which provides confidentiality and integrity/authenticity together; unauthenticated modes leave the ciphertext malleable. Never reuse a nonce under the same GCM key. Modern mobile CPUs have hardware AES acceleration (the ARMv8 Cryptography Extensions on ARM devices; AES-NI is the x86 equivalent), making it very fast.
- ECC (Elliptic Curve Cryptography): The modern choice for asymmetric cryptography, particularly valuable in mobile environments with limited resources. ECC offers robust security with significantly smaller key lengths compared to RSA, leading to faster computations, less memory, lower power consumption, and less data transmitted. It's ideal for secure key exchange (like ECDHE in TLS) and digital signatures (like ECDSA).
- ChaCha20-Poly1305: An excellent AEAD symmetric cipher. It offers security comparable to AES-256-GCM and performs exceptionally well in software, often faster than AES on devices without dedicated hardware acceleration. It's widely used in TLS 1.3.
- Hashing Algorithms: For integrity checks and password storage, which need different tools. For integrity, use the SHA-2 family (SHA-256, SHA-384, SHA-512) or the newer SHA-3 family; a bare hash only catches accidental corruption, so where an attacker could replace both the data and its hash, use an HMAC or a digital signature instead. For passwords, never store a plain fast hash; use a dedicated password-hashing function such as Argon2id (current best practice) or bcrypt, designed to be slow (and, for Argon2, memory-hard) to resist brute-force attacks.
- Secure Protocols: Always use TLS 1.3 for securing network communications (HTTPS), as it mandates strong ciphers and removes insecure options.
- Key Management: Leverage platform-provided secure key storage such as the Android Keystore and the iOS Keychain, which can bind keys to hardware (a TEE or StrongBox secure element on Android, the Secure Enclave on iOS) so the raw key never leaves it. Never hardcode keys in the app binary.
- The Hybrid Approach: The standard practice involves using asymmetric crypto (like ECDHE) to establish a shared secret key securely, and then using that secret key with a fast symmetric AEAD cipher (like AES-GCM or ChaCha20-Poly1305) to encrypt the actual application data.
The Bad: Certain algorithms are outdated, inefficient, or have known vulnerabilities and should be avoided at all costs.

- DES (Data Encryption Standard): Long obsolete with a small 56-bit key size, easily cracked with modern hardwa

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1136</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65731311]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6420220787.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The 92% Problem: Why Obfuscation Fails and Dynamic Security is Essential</title>
      <link>https://player.megaphone.fm/NPTNI4333144341</link>
      <description>Episode Title: The 92% Problem: Moving Beyond Obfuscation to Secure Mobile Apps

Episode Summary: Welcome to another episode of Upwardly Mobile, the podcast that dives deep into the world of mobile app development and security, sponsored by Approov! In this episode, hosts Skye MacIntyre and George McGregor tackle a concerning statistic: a new analysis reveals that a staggering 92% of mobile apps use insecure cryptographic methods. We explore the findings of the Zimperium report, "Your Apps are Leaking: The Hidden Data Risks on your Phone," which analyzed over 17,000 enterprise mobile applications and uncovered widespread vulnerabilities, including misconfigured cloud storage, hardcoded credentials, and alarmingly outdated cryptographic practices. We delve into why traditional static defenses like code obfuscation are no longer sufficient to protect against modern threats. While obfuscation aims to deter reverse engineering, it ultimately fails to prevent determined attackers with advanced tools and dynamic analysis techniques from compromising applications at runtime. As OWASP guidance acknowledges, "Ultimately, the reverse engineer always wins" against purely static defenses. The episode highlights the evolving threat landscape, emphasizing the weaponization of Artificial Intelligence (AI) and the relentless targeting of Application Programming Interfaces (APIs). AI is being used to automate attacks, create adaptive malware, hyper-personalize social engineering, and accelerate vulnerability discovery. APIs, the backbone of modern mobile apps, are prime targets for credential stuffing, account takeover, and business logic abuse. Static client-side defenses offer little protection against these attacks: once the client has been reverse engineered, its APIs can be called directly by scripts. We then shift our focus to the critical need for dynamic security measures that protect applications during runtime.

We discuss several key techniques:
- Runtime Application Self-Protection (RASP): This technology is built into the app or its runtime environment, enabling it to detect and prevent real-time attacks by monitoring inputs, outputs, function calls, and interactions with the operating system. RASP can detect reverse engineering attempts, code tampering, and execution on compromised devices.
- Runtime Secrets Protection: This approach eliminates hardcoded secrets by delivering them securely, just-in-time, to validated app instances via a backend service. App attestation checks ensure that secrets are only provided to legitimate, untampered applications.
- Dynamic Certificate Pinning: This method secures communication channels against Man-in-the-Middle (MitM) attacks by retrieving the current set of pins (hashes of the expected server public keys) from a trusted management service and verifying the server's certificate chain against them at connection time. Because pins are updated out of band rather than baked into the binary, certificate rotation no longer requires an app release, which reduces the risk of outages compared to static pinning. The pin set itself must be delivered over an authenticated channel; otherwise an attacker who can tamper with it defeats the pinning.
- App Attestation &amp; Token-Based API Access: This process verifies the authenticity and integrity of the mobile application instan

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 21 Apr 2025 07:05:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Title: The 92% Problem: Moving Beyond Obfuscation to Secure Mobile Apps

Episode Summary: Welcome to another episode of Upwardly Mobile, the podcast that dives deep into the world of mobile app development and security, sponsored by Approov! In this episode, hosts Skye MacIntyre and George McGregor tackle a concerning statistic: a new analysis reveals that a staggering 92% of mobile apps use insecure cryptographic methods. We explore the findings of the Zimperium report, "Your Apps are Leaking: The Hidden Data Risks on your Phone," which analyzed over 17,000 enterprise mobile applications and uncovered widespread vulnerabilities, including misconfigured cloud storage, hardcoded credentials, and alarmingly outdated cryptographic practices. We delve into why traditional static defenses like code obfuscation are no longer sufficient to protect against modern threats. While obfuscation aims to deter reverse engineering, it ultimately fails to prevent determined attackers with advanced tools and dynamic analysis techniques from compromising applications at runtime. As OWASP guidance acknowledges, "Ultimately, the reverse engineer always wins" against purely static defenses. The episode highlights the evolving threat landscape, emphasizing the weaponization of Artificial Intelligence (AI) and the relentless targeting of Application Programming Interfaces (APIs). AI is being used to automate attacks, create adaptive malware, hyper-personalize social engineering, and accelerate vulnerability discovery. APIs, the backbone of modern mobile apps, are prime targets for credential stuffing, account takeover, and business logic abuse. Static client-side defenses offer little protection against these attacks: once the client has been reverse engineered, its APIs can be called directly by scripts. We then shift our focus to the critical need for dynamic security measures that protect applications during runtime.

We discuss several key techniques:
- Runtime Application Self-Protection (RASP): This technology is built into the app or its runtime environment, enabling it to detect and prevent real-time attacks by monitoring inputs, outputs, function calls, and interactions with the operating system. RASP can detect reverse engineering attempts, code tampering, and execution on compromised devices.
- Runtime Secrets Protection: This approach eliminates hardcoded secrets by delivering them securely, just-in-time, to validated app instances via a backend service. App attestation checks ensure that secrets are only provided to legitimate, untampered applications.
- Dynamic Certificate Pinning: This method secures communication channels against Man-in-the-Middle (MitM) attacks by retrieving the current set of pins (hashes of the expected server public keys) from a trusted management service and verifying the server's certificate chain against them at connection time. Because pins are updated out of band rather than baked into the binary, certificate rotation no longer requires an app release, which reduces the risk of outages compared to static pinning. The pin set itself must be delivered over an authenticated channel; otherwise an attacker who can tamper with it defeats the pinning.
- App Attestation &amp; Token-Based API Access: This process verifies the authenticity and integrity of the mobile application instan

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Title: The 92% Problem: Moving Beyond Obfuscation to Secure Mobile Apps

Episode Summary: Welcome to another episode of Upwardly Mobile, the podcast that dives deep into the world of mobile app development and security, sponsored by Approov! In this episode, hosts Skye MacIntyre and George McGregor tackle a concerning statistic: a new analysis reveals that a staggering 92% of mobile apps use insecure cryptographic methods. We explore the findings of the Zimperium report, "Your Apps are Leaking: The Hidden Data Risks on your Phone," which analyzed over 17,000 enterprise mobile applications and uncovered widespread vulnerabilities, including misconfigured cloud storage, hardcoded credentials, and alarmingly outdated cryptographic practices. We delve into why traditional static defenses like code obfuscation are no longer sufficient to protect against modern threats. While obfuscation aims to deter reverse engineering, it ultimately fails to prevent determined attackers with advanced tools and dynamic analysis techniques from compromising applications at runtime. As OWASP guidance acknowledges, "Ultimately, the reverse engineer always wins" against purely static defenses. The episode highlights the evolving threat landscape, emphasizing the weaponization of Artificial Intelligence (AI) and the relentless targeting of Application Programming Interfaces (APIs). AI is being used to automate attacks, create adaptive malware, hyper-personalize social engineering, and accelerate vulnerability discovery. APIs, the backbone of modern mobile apps, are prime targets for credential stuffing, account takeover, and business logic abuse. Static client-side defenses offer little protection against these attacks: once the client has been reverse engineered, its APIs can be called directly by scripts. We then shift our focus to the critical need for dynamic security measures that protect applications during runtime.

We discuss several key techniques:
- Runtime Application Self-Protection (RASP): This technology is built into the app or its runtime environment, enabling it to detect and prevent real-time attacks by monitoring inputs, outputs, function calls, and interactions with the operating system. RASP can detect reverse engineering attempts, code tampering, and execution on compromised devices.
- Runtime Secrets Protection: This approach eliminates hardcoded secrets by delivering them securely, just-in-time, to validated app instances via a backend service. App attestation checks ensure that secrets are only provided to legitimate, untampered applications.
- Dynamic Certificate Pinning: This method secures communication channels against Man-in-the-Middle (MitM) attacks by retrieving the current set of pins (hashes of the expected server public keys) from a trusted management service and verifying the server's certificate chain against them at connection time. Because pins are updated out of band rather than baked into the binary, certificate rotation no longer requires an app release, which reduces the risk of outages compared to static pinning. The pin set itself must be delivered over an authenticated channel; otherwise an attacker who can tamper with it defeats the pinning.
- App Attestation & Token-Based API Access: This process verifies the authenticity and integrity of the mobile application instan
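To make the token-based access step concrete, here is an added example of the backend half, written for this page and not taken from the episode, and not Approov's token format or SDK: a Go gate that refuses an API call unless it carries a short-lived HS256 JWT issued by an attestation service that shares a secret with the backend. The claim set (iss, exp, sub), the X-Attestation-Token header name, the issuer string and the demo secret are assumptions made for the example; MintToken exists only so the demo can produce tokens locally.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AttestationClaims are the registered JWT claims (RFC 7519) the API checks.
type AttestationClaims struct {
	Iss string `json:"iss"`           // which attestation service issued the token
	Exp int64  `json:"exp"`           // expiry in Unix seconds; tokens are short-lived
	Sub string `json:"sub,omitempty"` // optional attested app instance id (assumed claim use)
}

var errBadToken = errors.New("attestation token rejected")

// VerifyAttestationToken checks a compact JWS "header.payload.signature" signed with HS256.
// The signature is verified first, so the untrusted header and payload are only parsed
// once they are known to come from the issuer.
func VerifyAttestationToken(token string, secret []byte, issuer string, now time.Time) (*AttestationClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errBadToken
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errBadToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errBadToken // refuses "none" and any algorithm switch
	}
	var claims AttestationClaims
	raw, err = base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errBadToken
	}
	if claims.Iss != issuer || claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errBadToken
	}
	return &claims, nil
}

// MintToken plays the attestation service for the demo: it is what the service would
// hand back to an app instance that passed its integrity checks.
func MintToken(secret []byte, claims AttestationClaims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	signingInput := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// HandleAPIRequest is the gate in front of a protected endpoint: the token header (name
// assumed for the demo) must verify or the request gets 401 before any business logic runs.
func HandleAPIRequest(headers map[string]string, secret []byte, issuer string, now time.Time) int {
	claims, err := VerifyAttestationToken(headers["X-Attestation-Token"], secret, issuer, now)
	if err != nil {
		return 401
	}
	_ = claims // a real handler might log claims.Sub or rate-limit per attested instance
	return 200
}

func main() {
	secret := []byte("demo-shared-secret-do-not-ship") // constructed; the real secret lives only on the backend
	now := time.Now()
	tok := MintToken(secret, AttestationClaims{Iss: "attest.example", Exp: now.Add(5 * time.Minute).Unix()})
	fmt.Println("attested app:", HandleAPIRequest(map[string]string{"X-Attestation-Token": tok}, secret, "attest.example", now))
	fmt.Println("plain script:", HandleAPIRequest(map[string]string{}, secret, "attest.example", now))
}
```

The verifier checks the HMAC before it parses the header or payload, compares it with hmac.Equal, and accepts only alg HS256, so alg=none and algorithm-confusion tokens fail on the signature check rather than on a later claim check. In the episode's threat model, a script or tampered build that cannot pass attestation never obtains a fresh token, and any token it does steal expires within minutes.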

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>534</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65618871]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4333144341.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Critical Imperative of Mobile App Security in 2025</title>
      <link>https://player.megaphone.fm/NPTNI4344724996</link>
      <description>The Critical Imperative of Mobile App Security in 2025

Welcome back to Upwardly Mobile, the podcast tackling the high-stakes world of mobile app development and API security, sponsored by Approov, the leaders in cross-platform app attestation technology. In this episode, we delve into the essential reasons why mobile app security is not just important, but a critical imperative in today's digital landscape.
Episode Highlights:
•
The Flourishing Mobile App Market and Growing Threats: We kick off by highlighting the massive growth of the mobile app market, with billions of smartphone users worldwide2. This widespread adoption, while offering great opportunities, also presents a larger attack surface for malicious actors3. Today over 85% of the world’s population own smartphones. The Apple App Store and Google Play Store boast millions of apps, and a significant portion of mobile device time is spent using these apps2. This popularity translates to a market predicted to generate almost a trillion dollars in revenue by 2023, making mobile apps indispensable3. However, this also means increased opportunities for hackers to exploit security vulnerabilities3.
•
Understanding Mobile Application Security: We define mobile application security as a technique for ensuring the software security posture of high-value mobile applications across various operating systems like iOS and Android3. It's about protecting digital identities from fraud and preventing attacks on users and organisations3. Attackers target mobile apps to access accounts, commit fraud, steal data, conduct espionage, or spread malware4.
•
The Costs of Security Breaches: Ignoring mobile app security can lead to severe consequences, including the loss of sensitive personal data, financial losses, and damage to an organisation's reputation5. Furthermore, organisations can face financial penalties due to regulations like GDPR, HIPAA, and CCPA if compromised data is not protected5.
•
Key Security Risks in Mobile Apps: We discuss some of the most prevalent security risks affecting mobile apps, as outlined by the OWASP Mobile Top 10. These include inadequate cryptography, reverse engineering, obtrusive functionality, code tampering, poor client code quality, insecure data storage, authentication, communication, and authorization6. The unique technologies used in mobile necessitate custom tooling for effective security testing6.
•
The Importance of Mobile Application Security Testing (MAST): We explore why Mobile Application Security Testing (MAST) is crucial for identifying and addressing weaknesses in mobile applications3.... Implementing MAST early in the Software Development Life Cycle (SDLC) can help developers lower application security risks before release4.... A thorough MAST strategy combines static analysis (SAST) to identify vulnerabilities in source code, dynamic analysis (DAST) to test running applications, and behavioural testing to track app actions and data flows7....
•
Shielding M

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 18 Apr 2025 07:55:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The Critical Imperative of Mobile App Security in 2025

Welcome back to Upwardly Mobile, the podcast tackling the high-stakes world of mobile app development and API security, sponsored by Approov—the leaders in cross-platform app attestation technology [1]. In this episode, we delve into the essential reasons why mobile app security is not just important, but a critical imperative in today's digital landscape.
Episode Highlights:
• The Flourishing Mobile App Market and Growing Threats: We kick off by highlighting the massive growth of the mobile app market, with billions of smartphone users worldwide [2]. This widespread adoption, while offering great opportunities, also presents a larger attack surface for malicious actors [3]. Today over 85% of the world’s population own smartphones. The Apple App Store and Google Play Store boast millions of apps, and a significant portion of mobile device time is spent using these apps [2]. This popularity translates to a market predicted to generate almost a trillion dollars in revenue by 2023, making mobile apps indispensable [3]. However, this also means increased opportunities for hackers to exploit security vulnerabilities [3].
• Understanding Mobile Application Security: We define mobile application security as a technique for ensuring the software security posture of high-value mobile applications across various operating systems like iOS and Android [3]. It's about protecting digital identities from fraud and preventing attacks on users and organisations [3]. Attackers target mobile apps to access accounts, commit fraud, steal data, conduct espionage, or spread malware [4].
• The Costs of Security Breaches: Ignoring mobile app security can lead to severe consequences, including the loss of sensitive personal data, financial losses, and damage to an organisation's reputation [5]. Furthermore, organisations can face financial penalties due to regulations like GDPR, HIPAA, and CCPA if compromised data is not protected [5].
• Key Security Risks in Mobile Apps: We discuss some of the most prevalent security risks affecting mobile apps, as outlined by the OWASP Mobile Top 10. These include inadequate cryptography, reverse engineering, obtrusive functionality, code tampering, poor client code quality, insecure data storage, authentication, communication, and authorization [6]. The unique technologies used in mobile necessitate custom tooling for effective security testing [6].
• The Importance of Mobile Application Security Testing (MAST): We explore why Mobile Application Security Testing (MAST) is crucial for identifying and addressing weaknesses in mobile applications [3]... Implementing MAST early in the Software Development Life Cycle (SDLC) can help developers lower application security risks before release [4]... A thorough MAST strategy combines static analysis (SAST) to identify vulnerabilities in source code, dynamic analysis (DAST) to test running applications, and behavioural testing to track app actions and data flows [7]...
• Shielding M

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The Critical Imperative of Mobile App Security in 2025

Welcome back to Upwardly Mobile, the podcast tackling the high-stakes world of mobile app development and API security, sponsored by Approov—the leaders in cross-platform app attestation technology [1]. In this episode, we delve into the essential reasons why mobile app security is not just important, but a critical imperative in today's digital landscape.
Episode Highlights:
• The Flourishing Mobile App Market and Growing Threats: We kick off by highlighting the massive growth of the mobile app market, with billions of smartphone users worldwide [2]. This widespread adoption, while offering great opportunities, also presents a larger attack surface for malicious actors [3]. Today over 85% of the world’s population own smartphones. The Apple App Store and Google Play Store boast millions of apps, and a significant portion of mobile device time is spent using these apps [2]. This popularity translates to a market predicted to generate almost a trillion dollars in revenue by 2023, making mobile apps indispensable [3]. However, this also means increased opportunities for hackers to exploit security vulnerabilities [3].
• Understanding Mobile Application Security: We define mobile application security as a technique for ensuring the software security posture of high-value mobile applications across various operating systems like iOS and Android [3]. It's about protecting digital identities from fraud and preventing attacks on users and organisations [3]. Attackers target mobile apps to access accounts, commit fraud, steal data, conduct espionage, or spread malware [4].
• The Costs of Security Breaches: Ignoring mobile app security can lead to severe consequences, including the loss of sensitive personal data, financial losses, and damage to an organisation's reputation [5]. Furthermore, organisations can face financial penalties due to regulations like GDPR, HIPAA, and CCPA if compromised data is not protected [5].
• Key Security Risks in Mobile Apps: We discuss some of the most prevalent security risks affecting mobile apps, as outlined by the OWASP Mobile Top 10. These include inadequate cryptography, reverse engineering, obtrusive functionality, code tampering, poor client code quality, insecure data storage, authentication, communication, and authorization [6]. The unique technologies used in mobile necessitate custom tooling for effective security testing [6].
• The Importance of Mobile Application Security Testing (MAST): We explore why Mobile Application Security Testing (MAST) is crucial for identifying and addressing weaknesses in mobile applications [3]... Implementing MAST early in the Software Development Life Cycle (SDLC) can help developers lower application security risks before release [4]... A thorough MAST strategy combines static analysis (SAST) to identify vulnerabilities in source code, dynamic analysis (DAST) to test running applications, and behavioural testing to track app actions and data flows [7]...
• Shielding M

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>896</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65560496]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4344724996.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple Under Scrutiny: The EU's DMA in Action</title>
      <link>https://player.megaphone.fm/NPTNI2433355041</link>
      <description>Apple Under Scrutiny: The EU's DMA in Action

Welcome back to Upwardly Mobile! In this episode, we delve into the latest developments surrounding the European Union's Digital Markets Act (DMA) and its significant impact on major technology companies, particularly Apple. We explore the European Commission's recent guidance aimed at ensuring interoperability on Apple's platforms and the broader implications of this landmark legislation for competition and innovation in the digital marketplace.
The DMA, designed to curb anti-competitive behaviour, designates certain large online platforms as "gatekeepers". Companies like Apple are now facing strict requirements to foster a more level playing field. We break down the Commission's two key decisions specifying the measures Apple must take to comply with its interoperability obligations.
Firstly, we examine the new rules concerning connected devices such as smartwatches, headphones, and TVs. The Commission is mandating improved access to iPhone features, faster data transfers, and easier device set-up, which should lead to better compatibility for devices of all brands with iPhones and new opportunities for device manufacturers. This aims to enhance the user experience for European consumers while respecting user privacy and security.
Secondly, we discuss the measures to improve the transparency and effectiveness of Apple's process for handling interoperability requests from developers. This includes better access to technical documentation, timely communication, and more predictable timelines for review. The goal is to accelerate developers' ability to offer innovative services and hardware that work seamlessly with iPhones and iPads. These measures follow extensive engagement with Apple and input from third parties.
Beyond interoperability, we touch upon other significant DMA-related developments. Apple is now allowing alternative app stores on iOS, a major shift brought about by the legislation. However, there is ongoing scrutiny and skepticism from developers regarding the implementation of these new rules.
We also look at the potential for fines under the DMA, with sources indicating that Apple and Meta could soon face "modest" penalties for alleged breaches. Additionally, the European Commission has charged Google with breaking antitrust laws by favouring its own shopping, hotels, and flights services, and for violating anti-steering rules in its Play Store.
Furthermore, the EU has been actively pushing Apple to make iOS and iPadOS more interoperable, and while Apple has released its first iOS 18.4 developer beta with features like Priority Notifications, the focus remains on DMA compliance. Interestingly, the Commission has concluded that X (formerly Twitter) does not currently qualify as a "gatekeeper" under the DMA.
The landscape of app distribution in the EU is also changing rapidly, with the Epic Games Store and Setapp Mobile launching as alternative app marketplaces for iOS users. Meanwhile, Meta's

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 14 Apr 2025 07:20:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Apple Under Scrutiny: The EU's DMA in Action

Welcome back to Upwardly Mobile! In this episode, we delve into the latest developments surrounding the European Union's Digital Markets Act (DMA) and its significant impact on major technology companies, particularly Apple. We explore the European Commission's recent guidance aimed at ensuring interoperability on Apple's platforms and the broader implications of this landmark legislation for competition and innovation in the digital marketplace.
The DMA, designed to curb anti-competitive behaviour, designates certain large online platforms as "gatekeepers". Companies like Apple are now facing strict requirements to foster a more level playing field. We break down the Commission's two key decisions specifying the measures Apple must take to comply with its interoperability obligations.
Firstly, we examine the new rules concerning connected devices such as smartwatches, headphones, and TVs. The Commission is mandating improved access to iPhone features, faster data transfers, and easier device set-up, which should lead to better compatibility for devices of all brands with iPhones and new opportunities for device manufacturers. This aims to enhance the user experience for European consumers while respecting user privacy and security.
Secondly, we discuss the measures to improve the transparency and effectiveness of Apple's process for handling interoperability requests from developers. This includes better access to technical documentation, timely communication, and more predictable timelines for review. The goal is to accelerate developers' ability to offer innovative services and hardware that work seamlessly with iPhones and iPads. These measures follow extensive engagement with Apple and input from third parties.
Beyond interoperability, we touch upon other significant DMA-related developments. Apple is now allowing alternative app stores on iOS, a major shift brought about by the legislation. However, there is ongoing scrutiny and skepticism from developers regarding the implementation of these new rules.
We also look at the potential for fines under the DMA, with sources indicating that Apple and Meta could soon face "modest" penalties for alleged breaches. Additionally, the European Commission has charged Google with breaking antitrust laws by favouring its own shopping, hotels, and flights services, and for violating anti-steering rules in its Play Store.
Furthermore, the EU has been actively pushing Apple to make iOS and iPadOS more interoperable, and while Apple has released its first iOS 18.4 developer beta with features like Priority Notifications, the focus remains on DMA compliance. Interestingly, the Commission has concluded that X (formerly Twitter) does not currently qualify as a "gatekeeper" under the DMA.
The landscape of app distribution in the EU is also changing rapidly, with the Epic Games Store and Setapp Mobile launching as alternative app marketplaces for iOS users. Meanwhile, Meta's

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Apple Under Scrutiny: The EU's DMA in Action

Welcome back to Upwardly Mobile! In this episode, we delve into the latest developments surrounding the European Union's Digital Markets Act (DMA) and its significant impact on major technology companies, particularly Apple. We explore the European Commission's recent guidance aimed at ensuring interoperability on Apple's platforms and the broader implications of this landmark legislation for competition and innovation in the digital marketplace.
The DMA, designed to curb anti-competitive behaviour, designates certain large online platforms as "gatekeepers". Companies like Apple are now facing strict requirements to foster a more level playing field. We break down the Commission's two key decisions specifying the measures Apple must take to comply with its interoperability obligations.
Firstly, we examine the new rules concerning connected devices such as smartwatches, headphones, and TVs. The Commission is mandating improved access to iPhone features, faster data transfers, and easier device set-up, which should lead to better compatibility for devices of all brands with iPhones and new opportunities for device manufacturers. This aims to enhance the user experience for European consumers while respecting user privacy and security.
Secondly, we discuss the measures to improve the transparency and effectiveness of Apple's process for handling interoperability requests from developers. This includes better access to technical documentation, timely communication, and more predictable timelines for review. The goal is to accelerate developers' ability to offer innovative services and hardware that work seamlessly with iPhones and iPads. These measures follow extensive engagement with Apple and input from third parties.
Beyond interoperability, we touch upon other significant DMA-related developments. Apple is now allowing alternative app stores on iOS, a major shift brought about by the legislation. However, there is ongoing scrutiny and skepticism from developers regarding the implementation of these new rules.
We also look at the potential for fines under the DMA, with sources indicating that Apple and Meta could soon face "modest" penalties for alleged breaches. Additionally, the European Commission has charged Google with breaking antitrust laws by favouring its own shopping, hotels, and flights services, and for violating anti-steering rules in its Play Store.
Furthermore, the EU has been actively pushing Apple to make iOS and iPadOS more interoperable, and while Apple has released its first iOS 18.4 developer beta with features like Priority Notifications, the focus remains on DMA compliance. Interestingly, the Commission has concluded that X (formerly Twitter) does not currently qualify as a "gatekeeper" under the DMA.
The landscape of app distribution in the EU is also changing rapidly, with the Epic Games Store and Setapp Mobile launching as alternative app marketplaces for iOS users. Meanwhile, Meta's

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>495</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65550772]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2433355041.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Growing Threat to Mobile APIs: Leaks, Lapses, and Robust Defences</title>
      <link>https://player.megaphone.fm/NPTNI1873531915</link>
<description>Episode Title: The Growing Threat to Mobile APIs: Leaks, Lapses, and Robust Defences
Episode Notes:
In this episode of Upwardly Mobile, we delve into the escalating challenges surrounding API security for both web and mobile applications. We explore recent alarming trends, including the leakage of 39 million secret API keys and credentials from GitHub in 2024, highlighting the persistent threat of exposed authentication data such as API keys, credentials, and tokens. This situation has prompted GitHub to launch new security tools to combat this issue. According to GitHub, numerous secrets are blocked every minute with push protection, yet accidental exposure remains a significant cause of security incidents. Experts like Erin Havens from GitHub emphasize that developers handle numerous secrets daily, which can be unintentionally exposed. Even seemingly low-risk secrets can provide attackers with a foothold for lateral movement.
We also examine a real-world security lapse involving API testing firm APIsec, which exposed customer data due to a misconfigured internal database connected to the internet without a password for several days. The exposed data, dating back to 2018, included names, email addresses, and details about the security posture of APIsec's corporate customers. Security research firm UpGuard discovered the leak. Initially downplayed by APIsec founder Faizel Lakhani, the exposed data was later confirmed to include sensitive customer information and even private keys for AWS and credentials for Slack and GitHub accounts. This incident underscores the severity of even unintentional security lapses in the API ecosystem.
The episode further explores why mobile APIs are particularly vulnerable compared to web APIs. Client-side validation in mobile apps can be bypassed, reverse engineering is easier, granular API endpoints increase the attack surface, and mobile apps may lack advanced security measures. Device-specific risks, such as rooted or jailbroken devices, also compromise app integrity. To counter these threats, the integration of a Mobile SDK with attestation is crucial. Such SDKs provide runtime integrity checks, authenticate API calls, detect tampering, and enable dynamic token binding.
We discuss how traditional backend app security solutions, like Web Application Firewalls (WAFs), may not be sufficient for mobile app protection as they lack contextual information from the client environment. A Mobile SDK can provide continuous verification of contextual information from the app and the client environment, which is essential for reliably countering mobile threats. Two main types of Mobile SDKs for bot detection exist: those analysing user behaviour signals and those focusing on software-identity signals.
Approov emerges as a leading solution for mobile app and API security, providing visibility and protection through a positive authentication model that validates legitimate app and device actions while blocking bots and other threats

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 10 Apr 2025 20:35:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
<itunes:summary>Episode Title: The Growing Threat to Mobile APIs: Leaks, Lapses, and Robust Defences
Episode Notes:
In this episode of Upwardly Mobile, we delve into the escalating challenges surrounding API security for both web and mobile applications. We explore recent alarming trends, including the leakage of 39 million secret API keys and credentials from GitHub in 2024, highlighting the persistent threat of exposed authentication data such as API keys, credentials, and tokens. This situation has prompted GitHub to launch new security tools to combat this issue. According to GitHub, numerous secrets are blocked every minute with push protection, yet accidental exposure remains a significant cause of security incidents. Experts like Erin Havens from GitHub emphasize that developers handle numerous secrets daily, which can be unintentionally exposed. Even seemingly low-risk secrets can provide attackers with a foothold for lateral movement.
We also examine a real-world security lapse involving API testing firm APIsec, which exposed customer data due to a misconfigured internal database connected to the internet without a password for several days. The exposed data, dating back to 2018, included names, email addresses, and details about the security posture of APIsec's corporate customers. Security research firm UpGuard discovered the leak. Initially downplayed by APIsec founder Faizel Lakhani, the exposed data was later confirmed to include sensitive customer information and even private keys for AWS and credentials for Slack and GitHub accounts. This incident underscores the severity of even unintentional security lapses in the API ecosystem.
The episode further explores why mobile APIs are particularly vulnerable compared to web APIs. Client-side validation in mobile apps can be bypassed, reverse engineering is easier, granular API endpoints increase the attack surface, and mobile apps may lack advanced security measures. Device-specific risks, such as rooted or jailbroken devices, also compromise app integrity. To counter these threats, the integration of a Mobile SDK with attestation is crucial. Such SDKs provide runtime integrity checks, authenticate API calls, detect tampering, and enable dynamic token binding.
We discuss how traditional backend app security solutions, like Web Application Firewalls (WAFs), may not be sufficient for mobile app protection as they lack contextual information from the client environment. A Mobile SDK can provide continuous verification of contextual information from the app and the client environment, which is essential for reliably countering mobile threats. Two main types of Mobile SDKs for bot detection exist: those analysing user behaviour signals and those focusing on software-identity signals.
Approov emerges as a leading solution for mobile app and API security, providing visibility and protection through a positive authentication model that validates legitimate app and device actions while blocking bots and other threats

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
<![CDATA[Episode Title: The Growing Threat to Mobile APIs: Leaks, Lapses, and Robust Defences
Episode Notes:
In this episode of Upwardly Mobile, we delve into the escalating challenges surrounding API security for both web and mobile applications. We explore recent alarming trends, including the leakage of 39 million secret API keys and credentials from GitHub in 2024, highlighting the persistent threat of exposed authentication data such as API keys, credentials, and tokens. This situation has prompted GitHub to launch new security tools to combat this issue. According to GitHub, numerous secrets are blocked every minute with push protection, yet accidental exposure remains a significant cause of security incidents. Experts like Erin Havens from GitHub emphasize that developers handle numerous secrets daily, which can be unintentionally exposed. Even seemingly low-risk secrets can provide attackers with a foothold for lateral movement.
We also examine a real-world security lapse involving API testing firm APIsec, which exposed customer data due to a misconfigured internal database connected to the internet without a password for several days. The exposed data, dating back to 2018, included names, email addresses, and details about the security posture of APIsec's corporate customers. Security research firm UpGuard discovered the leak. Initially downplayed by APIsec founder Faizel Lakhani, the exposed data was later confirmed to include sensitive customer information and even private keys for AWS and credentials for Slack and GitHub accounts. This incident underscores the severity of even unintentional security lapses in the API ecosystem.
The episode further explores why mobile APIs are particularly vulnerable compared to web APIs. Client-side validation in mobile apps can be bypassed, reverse engineering is easier, granular API endpoints increase the attack surface, and mobile apps may lack advanced security measures. Device-specific risks, such as rooted or jailbroken devices, also compromise app integrity. To counter these threats, the integration of a Mobile SDK with attestation is crucial. Such SDKs provide runtime integrity checks, authenticate API calls, detect tampering, and enable dynamic token binding.
We discuss how traditional backend app security solutions, like Web Application Firewalls (WAFs), may not be sufficient for mobile app protection as they lack contextual information from the client environment. A Mobile SDK can provide continuous verification of contextual information from the app and the client environment, which is essential for reliably countering mobile threats. Two main types of Mobile SDKs for bot detection exist: those analysing user behaviour signals and those focusing on software-identity signals.
Approov emerges as a leading solution for mobile app and API security, providing visibility and protection through a positive authentication model that validates legitimate app and device actions while blocking bots and other threats

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>701</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65529860]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1873531915.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Securing Mobile Apps: Approov's Award-Winning Attestation Technology</title>
      <link>https://player.megaphone.fm/NPTNI2501461158</link>
      <description>Upwardly Mobile - Episode Title: Securing Mobile Apps: Approov's Award-Winning Attestation Technology

Welcome to Upwardly Mobile, the podcast exploring the latest innovations in mobile technology. In this episode, we delve into the critical world of mobile application security and explore a groundbreaking solution that's garnering industry recognition. We focus on Approov Limited and their patented app attestation technology (U.S. Patent 11,163,858 B2). This innovative approach addresses the growing challenge of ensuring the integrity and trustworthiness of mobile applications and their interactions with backend systems.

Key Discussion Points:
- The Growing Need for Mobile App Security: We discuss the vulnerabilities faced by mobile apps, including tampering, reverse engineering, and API abuse. Learn why simply authenticating users isn't enough to protect sensitive data and transactions.
- Introducing Approov's App Attestation Technology: We explain how Approov's technology works to verify the integrity of a running mobile application on the server-side. This involves cryptographic methods and runtime security checks to ensure that only legitimate, untampered app instances can access backend APIs.
- How Client Software Attestation Works (Based on the Patent):
    - A client software application calculates a cryptographic hash fingerprint of its executing code.
    - This fingerprint is communicated to an attestation service.
    - The attestation service generates a pass or fail result.
    - This result is communicated to the server, which can then control its behaviour based on the attestation outcome.
    - The system can employ challenge-response mechanisms using a nonce to prevent replay attacks.
    - Signed tokens can be used for indirect communication of the attestation status, secured with a shared secret key.
- Addressing Limitations of Native Platform Solutions: We highlight how Approov's cross-platform solution overcomes the limitations of platform-specific solutions like Apple's App Attest and Google's Play Integrity API, particularly concerning rooted or jailbroken devices.
- Real-World Impact and Use Cases: Discover how global leaders in sensitive industries like fintech, healthcare, retail, and automotive are using Approov to reduce fraud, enhance API security, and ensure compliance. We touch upon examples such as the BMW Group's car-sharing platform and fintech companies like Papara.
- Recognition and Awards: We celebrate Approov winning the Cyber Innovation Award at the 2025 Scottish Cyber Awards. This prestigious recognition underscores their pioneering work in mobile app security. Approov was also a finalist alongside other esteemed organisations.
- Alignment with Regulatory Frameworks: We discuss how Approov's technology supports compliance with emerging regulations like the EU Digital Markets Act (DMA) and the UK Digital Markets, Competition, and Consumers Bill (DMCC). We include a quote from Ted Miracco, CEO of Approov Li

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 02 Apr 2025 23:25:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile - Episode Title: Securing Mobile Apps: Approov's Award-Winning Attestation Technology

Welcome to Upwardly Mobile, the podcast exploring the latest innovations in mobile technology. In this episode, we delve into the critical world of mobile application security and explore a groundbreaking solution that's garnering industry recognition. We focus on Approov Limited and their patented app attestation technology (U.S. Patent 11,163,858 B2). This innovative approach addresses the growing challenge of ensuring the integrity and trustworthiness of mobile applications and their interactions with backend systems.

Key Discussion Points:
- The Growing Need for Mobile App Security: We discuss the vulnerabilities faced by mobile apps, including tampering, reverse engineering, and API abuse. Learn why simply authenticating users isn't enough to protect sensitive data and transactions.
- Introducing Approov's App Attestation Technology: We explain how Approov's technology works to verify the integrity of a running mobile application on the server-side. This involves cryptographic methods and runtime security checks to ensure that only legitimate, untampered app instances can access backend APIs.
- How Client Software Attestation Works (Based on the Patent):
    - A client software application calculates a cryptographic hash fingerprint of its executing code.
    - This fingerprint is communicated to an attestation service.
    - The attestation service generates a pass or fail result.
    - This result is communicated to the server, which can then control its behaviour based on the attestation outcome.
    - The system can employ challenge-response mechanisms using a nonce to prevent replay attacks.
    - Signed tokens can be used for indirect communication of the attestation status, secured with a shared secret key.
- Addressing Limitations of Native Platform Solutions: We highlight how Approov's cross-platform solution overcomes the limitations of platform-specific solutions like Apple's App Attest and Google's Play Integrity API, particularly concerning rooted or jailbroken devices.
- Real-World Impact and Use Cases: Discover how global leaders in sensitive industries like fintech, healthcare, retail, and automotive are using Approov to reduce fraud, enhance API security, and ensure compliance. We touch upon examples such as the BMW Group's car-sharing platform and fintech companies like Papara.
- Recognition and Awards: We celebrate Approov winning the Cyber Innovation Award at the 2025 Scottish Cyber Awards. This prestigious recognition underscores their pioneering work in mobile app security. Approov was also a finalist alongside other esteemed organisations.
- Alignment with Regulatory Frameworks: We discuss how Approov's technology supports compliance with emerging regulations like the EU Digital Markets Act (DMA) and the UK Digital Markets, Competition, and Consumers Bill (DMCC). We include a quote from Ted Miracco, CEO of Approov Li

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile - Episode Title: Securing Mobile Apps: Approov's Award-Winning Attestation Technology

Welcome to Upwardly Mobile, the podcast exploring the latest innovations in mobile technology. In this episode, we delve into the critical world of mobile application security and explore a groundbreaking solution that's garnering industry recognition. We focus on Approov Limited and their patented app attestation technology (U.S. Patent 11,163,858 B2). This innovative approach addresses the growing challenge of ensuring the integrity and trustworthiness of mobile applications and their interactions with backend systems.

Key Discussion Points:
- The Growing Need for Mobile App Security: We discuss the vulnerabilities faced by mobile apps, including tampering, reverse engineering, and API abuse. Learn why simply authenticating users isn't enough to protect sensitive data and transactions.
- Introducing Approov's App Attestation Technology: We explain how Approov's technology works to verify the integrity of a running mobile application on the server-side. This involves cryptographic methods and runtime security checks to ensure that only legitimate, untampered app instances can access backend APIs.
- How Client Software Attestation Works (Based on the Patent):
    - A client software application calculates a cryptographic hash fingerprint of its executing code.
    - This fingerprint is communicated to an attestation service.
    - The attestation service generates a pass or fail result.
    - This result is communicated to the server, which can then control its behaviour based on the attestation outcome.
    - The system can employ challenge-response mechanisms using a nonce to prevent replay attacks.
    - Signed tokens can be used for indirect communication of the attestation status, secured with a shared secret key.
- Addressing Limitations of Native Platform Solutions: We highlight how Approov's cross-platform solution overcomes the limitations of platform-specific solutions like Apple's App Attest and Google's Play Integrity API, particularly concerning rooted or jailbroken devices.
- Real-World Impact and Use Cases: Discover how global leaders in sensitive industries like fintech, healthcare, retail, and automotive are using Approov to reduce fraud, enhance API security, and ensure compliance. We touch upon examples such as the BMW Group's car-sharing platform and fintech companies like Papara.
- Recognition and Awards: We celebrate Approov winning the Cyber Innovation Award at the 2025 Scottish Cyber Awards. This prestigious recognition underscores their pioneering work in mobile app security. Approov was also a finalist alongside other esteemed organisations.
- Alignment with Regulatory Frameworks: We discuss how Approov's technology supports compliance with emerging regulations like the EU Digital Markets Act (DMA) and the UK Digital Markets, Competition, and Consumers Bill (DMCC). We include a quote from Ted Miracco, CEO of Approov Li

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>985</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65234423]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2501461158.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Google Goes Private: The Future of Android Development</title>
      <link>https://player.megaphone.fm/NPTNI9861328331</link>
      <description>Podcast Title: Upwardly Mobile
Episode Title: Google Goes Private: The Future of Android Development
Episode Description: In this episode of Upwardly Mobile, we delve into a significant shift in the world of Android development. Google has announced that it will now conduct all Android operating system development internally, moving away from the traditional model where much of the work was visible through the public Android Open Source Project (AOSP). We explore the reasons behind this move, its implications for manufacturers, developers, and the future of the Android ecosystem, especially for non-GMS (Google Mobile Services) devices popular in regions like India and China. Join us as we unpack what this change means for the upwardly mobile tech landscape.

Key Discussion Points:

- Google's Strategic Shift: We discuss Google's decision to move all Android OS development to its internal infrastructure. Previously, Android had two development locations: the public AOSP and Google's internal branch. This change aims to streamline the development workflow and simplify software releases.
- The End of AOSP-First Development: For over sixteen years, AOSP has been the primary platform for Android development. This shift means that core development will now happen solely within Google. Technologies like the Bluetooth stack and the kernel will now be developed internally.
- Commitment to Open Source: Despite this change, Google has stated its commitment to the open-source nature of Android. They will continue to publish the source code for new Android versions to AOSP after internal development is complete. Android 16's source code is planned for release in 2025.
- Reasons for the Change: Maintaining synchronization between the internal and public branches has been challenging, leading to technical difficulties like merge conflicts. Google believes this single internal branch will allow phone makers and developers to work with one consistent version.
- Impact on Non-GMS Android Forks: This move has significant implications for non-GMS Android operating systems and manufacturers, particularly those in India and China. They will have reduced access to real-time updates and development progress. Source code releases for individual components may also become less frequent.
- Challenges for Developers: Developers of non-GMS forks will need to rely on finalized release tags, potentially hindering innovation and customization. Ensuring compatibility with future Android versions may also become more difficult.
- Impact on App Developers: While app developers are largely unaffected, those who relied on AOSP for insights into upcoming changes may face reduced transparency and need to wait for final APIs. This could potentially push developers in regions with many non-GMS devices towards alternative platforms like HarmonyOS.
- Reactions from the Community: Some Android OS engineers are expressing sadness over this shift, as they believe in the philosophical importance

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 30 Mar 2025 23:30:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Podcast Title: Upwardly Mobile
Episode Title: Google Goes Private: The Future of Android Development
Episode Description: In this episode of Upwardly Mobile, we delve into a significant shift in the world of Android development. Google has announced that it will now conduct all Android operating system development internally, moving away from the traditional model where much of the work was visible through the public Android Open Source Project (AOSP). We explore the reasons behind this move, its implications for manufacturers, developers, and the future of the Android ecosystem, especially for non-GMS (Google Mobile Services) devices popular in regions like India and China. Join us as we unpack what this change means for the upwardly mobile tech landscape.

Key Discussion Points:

- Google's Strategic Shift: We discuss Google's decision to move all Android OS development to its internal infrastructure. Previously, Android had two development locations: the public AOSP and Google's internal branch. This change aims to streamline the development workflow and simplify software releases.
- The End of AOSP-First Development: For over sixteen years, AOSP has been the primary platform for Android development. This shift means that core development will now happen solely within Google. Technologies like the Bluetooth stack and the kernel will now be developed internally.
- Commitment to Open Source: Despite this change, Google has stated its commitment to the open-source nature of Android. They will continue to publish the source code for new Android versions to AOSP after internal development is complete. Android 16's source code is planned for release in 2025.
- Reasons for the Change: Maintaining synchronization between the internal and public branches has been challenging, leading to technical difficulties like merge conflicts. Google believes this single internal branch will allow phone makers and developers to work with one consistent version.
- Impact on Non-GMS Android Forks: This move has significant implications for non-GMS Android operating systems and manufacturers, particularly those in India and China. They will have reduced access to real-time updates and development progress. Source code releases for individual components may also become less frequent.
- Challenges for Developers: Developers of non-GMS forks will need to rely on finalized release tags, potentially hindering innovation and customization. Ensuring compatibility with future Android versions may also become more difficult.
- Impact on App Developers: While app developers are largely unaffected, those who relied on AOSP for insights into upcoming changes may face reduced transparency and need to wait for final APIs. This could potentially push developers in regions with many non-GMS devices towards alternative platforms like HarmonyOS.
- Reactions from the Community: Some Android OS engineers are expressing sadness over this shift, as they believe in the philosophical importance

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Podcast Title: Upwardly Mobile
Episode Title: Google Goes Private: The Future of Android Development
Episode Description: In this episode of Upwardly Mobile, we delve into a significant shift in the world of Android development. Google has announced that it will now conduct all Android operating system development internally, moving away from the traditional model where much of the work was visible through the public Android Open Source Project (AOSP). We explore the reasons behind this move, its implications for manufacturers, developers, and the future of the Android ecosystem, especially for non-GMS (Google Mobile Services) devices popular in regions like India and China. Join us as we unpack what this change means for the upwardly mobile tech landscape.

Key Discussion Points:

- Google's Strategic Shift: We discuss Google's decision to move all Android OS development to its internal infrastructure. Previously, Android had two development locations: the public AOSP and Google's internal branch. This change aims to streamline the development workflow and simplify software releases.
- The End of AOSP-First Development: For over sixteen years, AOSP has been the primary platform for Android development. This shift means that core development will now happen solely within Google. Technologies like the Bluetooth stack and the kernel will now be developed internally.
- Commitment to Open Source: Despite this change, Google has stated its commitment to the open-source nature of Android. They will continue to publish the source code for new Android versions to AOSP after internal development is complete. Android 16's source code is planned for release in 2025.
- Reasons for the Change: Maintaining synchronization between the internal and public branches has been challenging, leading to technical difficulties like merge conflicts. Google believes this single internal branch will allow phone makers and developers to work with one consistent version.
- Impact on Non-GMS Android Forks: This move has significant implications for non-GMS Android operating systems and manufacturers, particularly those in India and China. They will have reduced access to real-time updates and development progress. Source code releases for individual components may also become less frequent.
- Challenges for Developers: Developers of non-GMS forks will need to rely on finalized release tags, potentially hindering innovation and customization. Ensuring compatibility with future Android versions may also become more difficult.
- Impact on App Developers: While app developers are largely unaffected, those who relied on AOSP for insights into upcoming changes may face reduced transparency and need to wait for final APIs. This could potentially push developers in regions with many non-GMS devices towards alternative platforms like HarmonyOS.
- Reactions from the Community: Some Android OS engineers are expressing sadness over this shift, as they believe in the philosophical importance

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>551</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65231805]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9861328331.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Unlocked and Unsafe? The Truth About iOS Jailbreaking</title>
      <link>https://player.megaphone.fm/NPTNI1854187760</link>
      <description>Upwardly Mobile - Episode Title: Jailbreaking iPhones: Risks, Detection, and Staying Secure

Welcome to Upwardly Mobile, the podcast exploring the latest trends and security challenges in the mobile landscape. In this episode, we delve into the world of iOS jailbreaking, examining the latest developments, the ongoing battle between jailbreak detection and bypass methods, and the significant security implications for both individual users and organisations.

Listen as we discuss:
- What is Jailbreaking? We explain what it means to jailbreak an iPhone and the motivations behind it, from wanting more customisation and features to accessing third-party apps not available on the official App Store.
- Dopamine 2.0 and the Detection Landscape: We look at the release of the Dopamine 2.0 jailbreak and how app developers are increasingly catching on, with more apps now detecting jailbroken devices.
- The Cat and Mouse Game: Bypassing Jailbreak Detection: Discover the various tools and techniques users employ to bypass jailbreak detection, including tweaks like Choicy and vnodebypass, and the practice of downgrading apps using tools like AppStore++. We also touch on methods like hiding the Filza URL scheme.
- Apps on High Alert: We highlight the types of apps most commonly known to implement jailbreak detection, such as banking applications, social media platforms like Snapchat, and popular games.
- The Hidden Dangers: Security Risks Amplified: We explore the significantly increased security risks associated with using jailbroken devices, making them much more susceptible to malware infections and total compromise.
- For Developers: Fortifying Your Apps: We discuss solutions available to mobile app developers to protect their applications from jailbreak detection bypass tools. Learn about platforms like Appdome and their AI-powered features to actively block bypass attempts.
- Advanced App Security with Approov: We touch upon the capabilities of Approov in providing runtime app shielding, integrity verification, and detection of tampering, emulators, debuggers, and rooting/jailbreaking.
Relevant Links:
- Reddit Discussion - First app I found that detected jailbreak on Dopamine 2.0:
- HowStuffWorks - How to Jailbreak an iPhone:
- Appdome - How to Protect iOS Apps from Jailbreak Detection Bypass Tools Using AI:
- Approov - Mobile App Shielding | Device Attestation:
- Mobile Jailbreaks Exponentially Increase Corporate Risk:
Keywords: iOS, jailbreak, Dopamine 2.0, jailbreak detection, bypass, Choicy, vnodebypass, AppStore++, security, malware, app protection, Appdome, Approov, mobile security, iPhone, banking apps, Snapchat, gaming.

Learn more about protecting your mobile apps with our sponsor, Approov: https://approov.io/

Stay tuned for the next episode of Upwardly Mobile for more insights into the ever-evolving world of mobile technology.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 29 Mar 2025 07:31:43 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile - Episode Title: Jailbreaking iPhones: Risks, Detection, and Staying Secure

Welcome to Upwardly Mobile, the podcast exploring the latest trends and security challenges in the mobile landscape. In this episode, we delve into the world of iOS jailbreaking, examining the latest developments, the ongoing battle between jailbreak detection and bypass methods, and the significant security implications for both individual users and organisations.

Listen as we discuss:
- What is Jailbreaking? We explain what it means to jailbreak an iPhone and the motivations behind it, from wanting more customisation and features to accessing third-party apps not available on the official App Store.
- Dopamine 2.0 and the Detection Landscape: We look at the release of the Dopamine 2.0 jailbreak and how app developers are increasingly catching on, with more apps now detecting jailbroken devices.
- The Cat and Mouse Game: Bypassing Jailbreak Detection: Discover the various tools and techniques users employ to bypass jailbreak detection, including tweaks like Choicy and vnodebypass, and the practice of downgrading apps using tools like AppStore++. We also touch on methods like hiding the Filza URL scheme.
- Apps on High Alert: We highlight the types of apps most commonly known to implement jailbreak detection, such as banking applications, social media platforms like Snapchat, and popular games.
- The Hidden Dangers: Security Risks Amplified: We explore the significantly increased security risks associated with using jailbroken devices, making them much more susceptible to malware infections and total compromise.
- For Developers: Fortifying Your Apps: We discuss solutions available to mobile app developers to protect their applications from jailbreak detection bypass tools. Learn about platforms like Appdome and their AI-powered features to actively block bypass attempts.
- Advanced App Security with Approov: We touch upon the capabilities of Approov in providing runtime app shielding, integrity verification, and detection of tampering, emulators, debuggers, and rooting/jailbreaking.
Relevant Links:
- Reddit Discussion - First app I found that detected jailbreak on Dopamine 2.0:
- HowStuffWorks - How to Jailbreak an iPhone:
- Appdome - How to Protect iOS Apps from Jailbreak Detection Bypass Tools Using AI:
- Approov - Mobile App Shielding | Device Attestation:
- Mobile Jailbreaks Exponentially Increase Corporate Risk:
Keywords: iOS, jailbreak, Dopamine 2.0, jailbreak detection, bypass, Choicy, vnodebypass, AppStore++, security, malware, app protection, Appdome, Approov, mobile security, iPhone, banking apps, Snapchat, gaming.

Learn more about protecting your mobile apps with our sponsor, Approov: https://approov.io/

Stay tuned for the next episode of Upwardly Mobile for more insights into the ever-evolving world of mobile technology.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile - Episode Title: Jailbreaking iPhones: Risks, Detection, and Staying Secure

Welcome to Upwardly Mobile, the podcast exploring the latest trends and security challenges in the mobile landscape. In this episode, we delve into the world of iOS jailbreaking, examining the latest developments, the ongoing battle between jailbreak detection and bypass methods, and the significant security implications for both individual users and organisations.

Listen as we discuss:
- What is Jailbreaking? We explain what it means to jailbreak an iPhone and the motivations behind it, from wanting more customisation and features to accessing third-party apps not available on the official App Store.
- Dopamine 2.0 and the Detection Landscape: We look at the release of the Dopamine 2.0 jailbreak and how app developers are increasingly catching on, with more apps now detecting jailbroken devices.
- The Cat and Mouse Game: Bypassing Jailbreak Detection: Discover the various tools and techniques users employ to bypass jailbreak detection, including tweaks like Choicy and vnodebypass, and the practice of downgrading apps using tools like AppStore++. We also touch on methods like hiding the Filza URL scheme.
- Apps on High Alert: We highlight the types of apps most commonly known to implement jailbreak detection, such as banking applications, social media platforms like Snapchat, and popular games.
- The Hidden Dangers: Security Risks Amplified: We explore the significantly increased security risks associated with using jailbroken devices, making them much more susceptible to malware infections and total compromise.
- For Developers: Fortifying Your Apps: We discuss solutions available to mobile app developers to protect their applications from jailbreak detection bypass tools. Learn about platforms like Appdome and their AI-powered features to actively block bypass attempts.
- Advanced App Security with Approov: We touch upon the capabilities of Approov in providing runtime app shielding, integrity verification, and detection of tampering, emulators, debuggers, and rooting/jailbreaking.
Relevant Links:
- Reddit Discussion - First app I found that detected jailbreak on Dopamine 2.0:
- HowStuffWorks - How to Jailbreak an iPhone:
- Appdome - How to Protect iOS Apps from Jailbreak Detection Bypass Tools Using AI:
- Approov - Mobile App Shielding | Device Attestation:
- Mobile Jailbreaks Exponentially Increase Corporate Risk:
Keywords: iOS, jailbreak, Dopamine 2.0, jailbreak detection, bypass, Choicy, vnodebypass, AppStore++, security, malware, app protection, Appdome, Approov, mobile security, iPhone, banking apps, Snapchat, gaming.

Learn more about protecting your mobile apps with our sponsor, Approov: https://approov.io/

Stay tuned for the next episode of Upwardly Mobile for more insights into the ever-evolving world of mobile technology.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>970</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65211968]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1854187760.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Man-in-the-Middle Threat: Understanding and Preventing MitM</title>
      <link>https://player.megaphone.fm/NPTNI3892272755</link>
      <description>Episode Title: Securing Your Connection: A Guide to Preventing MitM Attacks

Episode Description: Man-in-the-Middle (MitM) attacks pose a significant threat to online security, allowing malicious actors to intercept and manipulate communications. This episode delves into what MitM attacks are, how they work, and crucial strategies for prevention, especially for mobile applications. We'll explore the evolving landscape of security measures, including the debate around certificate pinning.

Episode Notes:

- What are Man-in-the-Middle (MitM) attacks?
    - A MitM attack occurs when a bad actor secretly inserts themselves between two connected parties to read, steal, manipulate, or forward exchanged data. These attacks are also known as "eavesdropping".
    - The potential payoff for attackers can be significant.
    - Popular targets include insecure networks, unencrypted websites, smartphones, and other smart devices.
- How do MitM attacks work?
    - Attackers can monitor digital activities, conversations, and emails to steal sensitive information like login credentials, credit card numbers, and bank details.
    - Once an insecure access point is found, the attacker positions themselves between the two communicating parties, with all transmissions passing through them in real-time.
    - Example 1: Man-in-the-Mobile (MitMo) attack: A fraudster secretly reroutes text messages between two individuals, seeing all the content shared.
    - Example 2: Malicious Wi-Fi Hotspot: Attackers create unsecured public Wi-Fi hotspots, often named similarly to legitimate locations, to intercept data from connected users.
- Common Types of MitM Attacks:
    - Adversary-in-the-Middle (AitM): A malicious actor uses a reverse proxy to intercept user credentials and session tokens, often bypassing OTP-based multi-factor authentication. This is common in phishing attempts.
    - Man-in-the-Browser (MitB): Attackers inject JavaScript into a user's browser (e.g., through malicious extensions or downloaded malware) to gain access to sensitive information and perform unauthorised actions.
    - Man-in-the-Mobile (MitMo): Attacks target mobile devices through infected apps and phishing scams, allowing interception of communications and sensitive data, and in severe cases, remote device control. Sophisticated malware can even be installed without user interaction.
    - DNS Spoofing: Attackers infiltrate a DNS server and alter website address records, redirecting users to the attacker's site.
    - Wi-Fi Eavesdropping: Creating fake public Wi-Fi networks to intercept user activity and data.
    - Email Hijacking: Cybercriminals intercept emails (e.g., between banks and customers) to spoof email addresses and send fraudulent instructions to the victim.
    - Session Hijacking: Attackers steal information stored in web browser cookies, such as saved passwords.
    - IP Spoofing: An attacker disguises themselves as an application by altering packet headers, redirecting user

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 20 Mar 2025 22:23:25 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Title: Securing Your Connection: A Guide to Preventing MitM Attacks

Episode Description: Man-in-the-Middle (MitM) attacks pose a significant threat to online security, allowing malicious actors to intercept and manipulate communications. This episode delves into what MitM attacks are, how they work, and crucial strategies for prevention, especially for mobile applications. We'll explore the evolving landscape of security measures, including the debate around certificate pinning.

Episode Notes:

- What are Man-in-the-Middle (MitM) attacks?
    - A MitM attack occurs when a bad actor secretly inserts themselves between two connected parties to read, steal, manipulate, or forward exchanged data. These attacks are also known as "eavesdropping".
    - The potential payoff for attackers can be significant.
    - Popular targets include insecure networks, unencrypted websites, smartphones, and other smart devices.
- How do MitM attacks work?
    - Attackers can monitor digital activities, conversations, and emails to steal sensitive information like login credentials, credit card numbers, and bank details.
    - Once an insecure access point is found, the attacker positions themselves between the two communicating parties, with all transmissions passing through them in real-time.
    - Example 1: Man-in-the-Mobile (MitMo) attack: A fraudster secretly reroutes text messages between two individuals, seeing all the content shared.
    - Example 2: Malicious Wi-Fi Hotspot: Attackers create unsecured public Wi-Fi hotspots, often named similarly to legitimate locations, to intercept data from connected users.
- Common Types of MitM Attacks:


    - Adversary-in-the-Middle (AitM): A malicious actor uses a reverse proxy to intercept user credentials and session tokens, often bypassing OTP-based multi-factor authentication. This is common in phishing attempts.
    - Man-in-the-Browser (MitB): Attackers inject JavaScript into a user's browser (e.g., through malicious extensions or downloaded malware) to gain access to sensitive information and perform unauthorised actions.
    - Man-in-the-Mobile (MitMo): Attacks target mobile devices through infected apps and phishing scams, allowing interception of communications and sensitive data, and in severe cases, remote device control. Sophisticated malware can even be installed without user interaction.
    - DNS Spoofing: Attackers infiltrate a DNS server and alter website address records, redirecting users to the attacker's site.
    - Wi-Fi Eavesdropping: Creating fake public Wi-Fi networks to intercept user activity and data.
    - Email Hijacking: Cybercriminals intercept emails (e.g., between banks and customers) to spoof email addresses and send fraudulent instructions to the victim.
    - Session Hijacking: Attackers steal information stored in web browser cookies, such as saved passwords.
    - IP Spoofing: An attacker disguises themselves as an application by altering packet headers, redirecting user

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Title: Securing Your Connection: A Guide to Preventing MitM Attacks
Episode Description: Man-in-the-Middle (MitM) attacks pose a significant threat to online security, allowing malicious actors to intercept and manipulate communications. This episode delves into what MitM attacks are, how they work, and crucial strategies for prevention, especially for mobile applications. We'll explore the evolving landscape of security measures, including the debate around certificate pinning.
Episode Notes:

- What are Man-in-the-Middle (MitM) attacks?


    - A MitM attack occurs when a bad actor secretly inserts themselves between two connected parties to read, steal, manipulate, or forward exchanged data. These attacks are also known as "eavesdropping".
    - The potential payoff for attackers can be significant.
    - Popular targets include insecure networks, unencrypted websites, smartphones, and other smart devices.
- How do MitM attacks work?


    - Attackers can monitor digital activities, conversations, and emails to steal sensitive information like login credentials, credit card numbers, and bank details.
    - Once an insecure access point is found, the attacker positions themselves between the two communicating parties, with all transmissions passing through them in real-time.
    - Example 1: Man-in-the-Mobile (MitMo) attack: A fraudster secretly reroutes text messages between two individuals, seeing all the content shared.
    - Example 2: Malicious Wi-Fi Hotspot: Attackers create unsecured public Wi-Fi hotspots, often named similarly to legitimate locations, to intercept data from connected users.
- Common Types of MitM Attacks:


    - Adversary-in-the-Middle (AitM): A malicious actor uses a reverse proxy to intercept user credentials and session tokens, often bypassing OTP-based multi-factor authentication. This is common in phishing attempts.
    - Man-in-the-Browser (MitB): Attackers inject JavaScript into a user's browser (e.g., through malicious extensions or downloaded malware) to gain access to sensitive information and perform unauthorised actions.
    - Man-in-the-Mobile (MitMo): Attacks target mobile devices through infected apps and phishing scams, allowing interception of communications and sensitive data, and in severe cases, remote device control. Sophisticated malware can even be installed without user interaction.
    - DNS Spoofing: Attackers infiltrate a DNS server and alter website address records, redirecting users to the attacker's site.
    - Wi-Fi Eavesdropping: Creating fake public Wi-Fi networks to intercept user activity and data.
    - Email Hijacking: Cybercriminals intercept emails (e.g., between banks and customers) to spoof email addresses and send fraudulent instructions to the victim.
    - Session Hijacking: Attackers steal information stored in web browser cookies, such as saved passwords.
    - IP Spoofing: An attacker disguises themselves as an application by altering packet headers, redirecting user

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>823</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/65003009]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3892272755.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Beyond DexGuard: Exploring Advanced Layers of App Protection</title>
      <link>https://player.megaphone.fm/NPTNI1136379339</link>
      <description>Episode Notes: In this episode, we delve into the crucial topic of mobile app security, focusing on the concept of hardware-backed key attestation and its role in verifying device integrity. We explore what key attestation is, an enabling feature of the Android ecosystem that allows apps to check if the device's operating system, bootloader, and overall environment have been tampered with. This process often involves leveraging the device's KeyStore to retrieve a certificate chain and verifying the integrity of certificates and root certificates. We discuss the potential benefits of key attestation, particularly for applications handling sensitive data in industries like finance, point-of-sale (POS) systems, gaming and entertainment, retail and e-commerce, and healthcare. For instance, key attestation can help ensure that payment environments are uncompromised, aligning with security standards like PCI DSS. It can also be valuable for security-focused SDKs, such as those used for identity verification, by ensuring a device's integrity before providing assurances. DexGuard's OS Integrity feature is mentioned as an example of a product building upon key attestation. However, the episode also critically examines the limitations and challenges associated with relying solely on hardware-backed key attestation. We address concerns that determined attackers can potentially manipulate the device to return false positives, rendering device-based attestation unreliable. The static nature of device-based attestation, making it a fixed target, is also highlighted. Additionally, device compatibility issues, particularly with older devices or those lacking trusted certificates, and the potential for false positives affecting legitimate users with custom ROMs or unlocked bootloaders are important considerations. 
The discussion contrasts device-based attestation with cloud-based attestation solutions, such as Approov, which make attestation decisions remotely, potentially offering more dynamic security policies and protection for both mobile apps and APIs. The importance of runtime protection against threats that can bypass bootloader verification is also touched upon. Furthermore, the episode considers the role of Secure Elements (SE) and Secure Enclaves in protecting sensitive information. While these hardware-backed solutions offer strong security, the software layers above them can introduce vulnerabilities like hooking attacks and emulation, especially on rooted Android devices and jailbroken iOS devices. Tools like Frida and Xposed Framework that can intercept communication are mentioned. The importance of a holistic approach to mobile security, combining hardware integrity with software hardening and runtime protections, is emphasised. Solutions like Cryptomathic’s Mobile Application Security Core (MASC), which aims to protect against hooking, emulation, and tampering, are noted.
Links to Relevant Sites:
- Guardsquare: https://www.guardsquare.com/
- Guard

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 18 Mar 2025 07:05:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Notes: In this episode, we delve into the crucial topic of mobile app security, focusing on the concept of hardware-backed key attestation and its role in verifying device integrity. We explore what key attestation is, an enabling feature of the Android ecosystem that allows apps to check if the device's operating system, bootloader, and overall environment have been tampered with. This process often involves leveraging the device's KeyStore to retrieve a certificate chain and verifying the integrity of certificates and root certificates. We discuss the potential benefits of key attestation, particularly for applications handling sensitive data in industries like finance, point-of-sale (POS) systems, gaming and entertainment, retail and e-commerce, and healthcare. For instance, key attestation can help ensure that payment environments are uncompromised, aligning with security standards like PCI DSS. It can also be valuable for security-focused SDKs, such as those used for identity verification, by ensuring a device's integrity before providing assurances. DexGuard's OS Integrity feature is mentioned as an example of a product building upon key attestation. However, the episode also critically examines the limitations and challenges associated with relying solely on hardware-backed key attestation. We address concerns that determined attackers can potentially manipulate the device to return false positives, rendering device-based attestation unreliable. The static nature of device-based attestation, making it a fixed target, is also highlighted. Additionally, device compatibility issues, particularly with older devices or those lacking trusted certificates, and the potential for false positives affecting legitimate users with custom ROMs or unlocked bootloaders are important considerations. 
The discussion contrasts device-based attestation with cloud-based attestation solutions, such as Approov, which make attestation decisions remotely, potentially offering more dynamic security policies and protection for both mobile apps and APIs. The importance of runtime protection against threats that can bypass bootloader verification is also touched upon. Furthermore, the episode considers the role of Secure Elements (SE) and Secure Enclaves in protecting sensitive information. While these hardware-backed solutions offer strong security, the software layers above them can introduce vulnerabilities like hooking attacks and emulation, especially on rooted Android devices and jailbroken iOS devices. Tools like Frida and Xposed Framework that can intercept communication are mentioned. The importance of a holistic approach to mobile security, combining hardware integrity with software hardening and runtime protections, is emphasised. Solutions like Cryptomathic’s Mobile Application Security Core (MASC), which aims to protect against hooking, emulation, and tampering, are noted.
Links to Relevant Sites:
- Guardsquare: https://www.guardsquare.com/
- Guard

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Notes: In this episode, we delve into the crucial topic of mobile app security, focusing on the concept of hardware-backed key attestation and its role in verifying device integrity. We explore what key attestation is, an enabling feature of the Android ecosystem that allows apps to check if the device's operating system, bootloader, and overall environment have been tampered with. This process often involves leveraging the device's KeyStore to retrieve a certificate chain and verifying the integrity of certificates and root certificates. We discuss the potential benefits of key attestation, particularly for applications handling sensitive data in industries like finance, point-of-sale (POS) systems, gaming and entertainment, retail and e-commerce, and healthcare. For instance, key attestation can help ensure that payment environments are uncompromised, aligning with security standards like PCI DSS. It can also be valuable for security-focused SDKs, such as those used for identity verification, by ensuring a device's integrity before providing assurances. DexGuard's OS Integrity feature is mentioned as an example of a product building upon key attestation. However, the episode also critically examines the limitations and challenges associated with relying solely on hardware-backed key attestation. We address concerns that determined attackers can potentially manipulate the device to return false positives, rendering device-based attestation unreliable. The static nature of device-based attestation, making it a fixed target, is also highlighted. Additionally, device compatibility issues, particularly with older devices or those lacking trusted certificates, and the potential for false positives affecting legitimate users with custom ROMs or unlocked bootloaders are important considerations. 
The discussion contrasts device-based attestation with cloud-based attestation solutions, such as Approov, which make attestation decisions remotely, potentially offering more dynamic security policies and protection for both mobile apps and APIs. The importance of runtime protection against threats that can bypass bootloader verification is also touched upon. Furthermore, the episode considers the role of Secure Elements (SE) and Secure Enclaves in protecting sensitive information. While these hardware-backed solutions offer strong security, the software layers above them can introduce vulnerabilities like hooking attacks and emulation, especially on rooted Android devices and jailbroken iOS devices. Tools like Frida and Xposed Framework that can intercept communication are mentioned. The importance of a holistic approach to mobile security, combining hardware integrity with software hardening and runtime protections, is emphasised. Solutions like Cryptomathic’s Mobile Application Security Core (MASC), which aims to protect against hooking, emulation, and tampering, are noted.
Links to Relevant Sites:
- Guardsquare: https://www.guardsquare.com/
- Guard

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>730</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64893686]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1136379339.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Secrets Sprawl: The Mobile Security Threat</title>
      <link>https://player.megaphone.fm/NPTNI7745734162</link>
      <description>Episode Notes: In this episode, we delve into the growing threat of secrets sprawl, particularly for mobile developers. The recent State of Secrets Sprawl 2025 report revealed a concerning 25% increase in hardcoded secrets exposed on GitHub in 2024, with 23.7 million new secrets leaked. We explore why mobile apps are particularly vulnerable, as they often contain API keys, authentication tokens, and other sensitive data that can be easily extracted from hardcoded source code, leading to API abuse, data breaches, and supply chain attacks. We discuss how hardcoded secrets are a major attack vector, with 58% of all leaked credentials in 2024 being generic secrets like passwords and database connection strings. The BeyondTrust API key breach, used by Chinese state-sponsored hackers to infiltrate the U.S. Treasury Department, highlights the real-world consequences. We examine the limitations of existing security measures:

- GitHub’s Push Protection is a good start but only prevents specific patterns of API keys from being pushed, missing many secrets like database credentials and encryption keys.
- Private repositories are not inherently safe, being 8x more likely to contain secrets than public ones.
- While helpful, secrets management tools alone are not a complete solution, with 5.1% of repositories using them still leaking secrets.
- Threats extend beyond source code, with 38% of exposed credentials in collaboration tools like Slack and Jira being classified as highly critical.
The episode then focuses on how mobile developers can protect their apps with runtime secrets protection:

- Dynamic API Key Injection: Using a server-side mechanism to inject keys at runtime instead of hardcoding. Solutions like Approov use mobile app attestation to deliver keys only to trusted app instances.
- Mobile App Attestation: Verifying that API requests come from genuine, untampered app instances, preventing abuse from repackaged apps and bots.
- Dynamic Certificate Pinning: Ensuring apps automatically update to the latest certificate pins to block Man-in-the-Middle (MitM) attacks.
- Detecting and Blocking Rooted or Jailbroken Devices: Using RASP (Runtime Application Self-Protection) to detect and respond to unauthorised modifications.
- Monitoring and Revoking Compromised Secrets: Automating secret rotation and revocation, as 70% of valid secrets detected in 2022 were still active in 2024.
Key Takeaway: Your app's security is only as strong as its weakest secret. Protecting API keys at runtime is crucial.
Links:

- The State of Secrets Sprawl 2025 Report (GitGuardian):
- Securing Mobile Apps Analyst Guide for Approov (Intellyx): https://intellyx.com/wp-content/uploads/2024/09/Securing-Mobile-Apps-Analyst-Guide-for-Approov-FINAL.pdf 
- Approov Website: www.approov.io

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 14 Mar 2025 21:56:57 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Notes: In this episode, we delve into the growing threat of secrets sprawl, particularly for mobile developers. The recent State of Secrets Sprawl 2025 report revealed a concerning 25% increase in hardcoded secrets exposed on GitHub in 2024, with 23.7 million new secrets leaked. We explore why mobile apps are particularly vulnerable, as they often contain API keys, authentication tokens, and other sensitive data that can be easily extracted from hardcoded source code, leading to API abuse, data breaches, and supply chain attacks. We discuss how hardcoded secrets are a major attack vector, with 58% of all leaked credentials in 2024 being generic secrets like passwords and database connection strings. The BeyondTrust API key breach, used by Chinese state-sponsored hackers to infiltrate the U.S. Treasury Department, highlights the real-world consequences. We examine the limitations of existing security measures:

- GitHub’s Push Protection is a good start but only prevents specific patterns of API keys from being pushed, missing many secrets like database credentials and encryption keys.
- Private repositories are not inherently safe, being 8x more likely to contain secrets than public ones.
- While helpful, secrets management tools alone are not a complete solution, with 5.1% of repositories using them still leaking secrets.
- Threats extend beyond source code, with 38% of exposed credentials in collaboration tools like Slack and Jira being classified as highly critical.
The episode then focuses on how mobile developers can protect their apps with runtime secrets protection:

- Dynamic API Key Injection: Using a server-side mechanism to inject keys at runtime instead of hardcoding. Solutions like Approov use mobile app attestation to deliver keys only to trusted app instances.
- Mobile App Attestation: Verifying that API requests come from genuine, untampered app instances, preventing abuse from repackaged apps and bots.
- Dynamic Certificate Pinning: Ensuring apps automatically update to the latest certificate pins to block Man-in-the-Middle (MitM) attacks.
- Detecting and Blocking Rooted or Jailbroken Devices: Using RASP (Runtime Application Self-Protection) to detect and respond to unauthorised modifications.
- Monitoring and Revoking Compromised Secrets: Automating secret rotation and revocation, as 70% of valid secrets detected in 2022 were still active in 2024.
Key Takeaway: Your app's security is only as strong as its weakest secret. Protecting API keys at runtime is crucial.
Links:

- The State of Secrets Sprawl 2025 Report (GitGuardian):
- Securing Mobile Apps Analyst Guide for Approov (Intellyx): https://intellyx.com/wp-content/uploads/2024/09/Securing-Mobile-Apps-Analyst-Guide-for-Approov-FINAL.pdf 
- Approov Website: www.approov.io

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Notes: In this episode, we delve into the growing threat of secrets sprawl, particularly for mobile developers. The recent State of Secrets Sprawl 2025 report revealed a concerning 25% increase in hardcoded secrets exposed on GitHub in 2024, with 23.7 million new secrets leaked. We explore why mobile apps are particularly vulnerable, as they often contain API keys, authentication tokens, and other sensitive data that can be easily extracted from hardcoded source code, leading to API abuse, data breaches, and supply chain attacks. We discuss how hardcoded secrets are a major attack vector, with 58% of all leaked credentials in 2024 being generic secrets like passwords and database connection strings. The BeyondTrust API key breach, used by Chinese state-sponsored hackers to infiltrate the U.S. Treasury Department, highlights the real-world consequences. We examine the limitations of existing security measures:

- GitHub’s Push Protection is a good start but only prevents specific patterns of API keys from being pushed, missing many secrets like database credentials and encryption keys.
- Private repositories are not inherently safe, being 8x more likely to contain secrets than public ones.
- While helpful, secrets management tools alone are not a complete solution, with 5.1% of repositories using them still leaking secrets.
- Threats extend beyond source code, with 38% of exposed credentials in collaboration tools like Slack and Jira being classified as highly critical.
The episode then focuses on how mobile developers can protect their apps with runtime secrets protection:

- Dynamic API Key Injection: Using a server-side mechanism to inject keys at runtime instead of hardcoding. Solutions like Approov use mobile app attestation to deliver keys only to trusted app instances.
- Mobile App Attestation: Verifying that API requests come from genuine, untampered app instances, preventing abuse from repackaged apps and bots.
- Dynamic Certificate Pinning: Ensuring apps automatically update to the latest certificate pins to block Man-in-the-Middle (MitM) attacks.
- Detecting and Blocking Rooted or Jailbroken Devices: Using RASP (Runtime Application Self-Protection) to detect and respond to unauthorised modifications.
- Monitoring and Revoking Compromised Secrets: Automating secret rotation and revocation, as 70% of valid secrets detected in 2022 were still active in 2024.
Key Takeaway: Your app's security is only as strong as its weakest secret. Protecting API keys at runtime is crucial.
Links:

- The State of Secrets Sprawl 2025 Report (GitGuardian):
- Securing Mobile Apps Analyst Guide for Approov (Intellyx): https://intellyx.com/wp-content/uploads/2024/09/Securing-Mobile-Apps-Analyst-Guide-for-Approov-FINAL.pdf 
- Approov Website: www.approov.io

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1924</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64889554]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7745734162.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Unpacking Mobile Malware: Earth Minotaur, Gamaredon, and GodLoader Threats</title>
      <link>https://player.megaphone.fm/NPTNI2418507775</link>
      <description>This episode details the emerging threats posed by three distinct cybercriminal groups – Earth Minotaur, Gamaredon, and the developers behind GodLoader – as they increasingly target mobile devices running Android and iOS. It outlines the specific malware tools each group employs, such as Earth Minotaur's MOONSHINE exploit kit and DarkNimbus backdoor, Gamaredon's BoneSpy and PlainGnome spyware, and the cross-platform GodLoader malware built using the Godot Engine. The episode raises concerns about data theft, audio surveillance, sophisticated social engineering tactics, and the challenges of detecting these evolving threats, ultimately urging users to adopt proactive cybersecurity measures to protect their devices.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 10 Mar 2025 16:31:21 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>This episode details the emerging threats posed by three distinct cybercriminal groups – Earth Minotaur, Gamaredon, and the developers behind GodLoader – as they increasingly target mobile devices running Android and iOS. It outlines the specific malware tools each group employs, such as Earth Minotaur's MOONSHINE exploit kit and DarkNimbus backdoor, Gamaredon's BoneSpy and PlainGnome spyware, and the cross-platform GodLoader malware built using the Godot Engine. The episode raises concerns about data theft, audio surveillance, sophisticated social engineering tactics, and the challenges of detecting these evolving threats, ultimately urging users to adopt proactive cybersecurity measures to protect their devices.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[This episode details the emerging threats posed by three distinct cybercriminal groups – Earth Minotaur, Gamaredon, and the developers behind GodLoader – as they increasingly target mobile devices running Android and iOS. It outlines the specific malware tools each group employs, such as Earth Minotaur's MOONSHINE exploit kit and DarkNimbus backdoor, Gamaredon's BoneSpy and PlainGnome spyware, and the cross-platform GodLoader malware built using the Godot Engine. The episode raises concerns about data theft, audio surveillance, sophisticated social engineering tactics, and the challenges of detecting these evolving threats, ultimately urging users to adopt proactive cybersecurity measures to protect their devices.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1134</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64791964]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2418507775.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Samsung Galaxy S25 | A Quantum Leap in Mobile Security?</title>
      <link>https://player.megaphone.fm/NPTNI8927092848</link>
      <description>This episode explores the groundbreaking security features of the Samsung Galaxy S25, focusing on its implementation of post-quantum cryptography (PQC). Learn how the Galaxy S25 is setting a new standard for mobile security by integrating PQC to protect against future quantum-based cyber attacks.
Key Discussion Points:
• The Galaxy S25 is the first smartphone to feature post-quantum cryptography, using the ML-KEM algorithm to protect sensitive data.
• Post-quantum cryptography (PQC) consists of cryptographic algorithms that should be secure against cryptanalytic attacks performed by a quantum computer.
• Knox Vault on the Galaxy S25 employs post-quantum cryptography to secure personalized AI data.
• The Personal Data Engine analyzes data on-device for personalized experiences, ensuring data is securely locked behind Knox Vault.
• The Galaxy S25 includes a new Knox Matrix dashboard, additional Maximum Restriction settings, and enhanced Theft Protection.
• App developers need to prepare for the transition to PQC to ensure their applications remain secure against future quantum threats.
• NIST has approved CRYSTALS-Kyber as the standard KEM, replacing the widely used Diffie-Hellman algorithm.
Relevant Links:
• Galaxy S25 News: Stay updated on the Galaxy S25.
• Post-Quantum Cryptography (PQC) &amp; Mobile App Security: Learn more about PQC and its implications for mobile app security.
• NowSecure Platform: Explore mobile application security testing solutions.
• NIST’s PQC Algorithms: Find information on NIST-approved quantum-resistant cryptographic algorithms.
• CRYSTALS-Kyber: Reference implementations for CRYSTALS-Kyber are available for evaluation.
• App Developer's Guide: Key considerations for app developers to transition to post-quantum cryptography (PQC)

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 02 Mar 2025 15:23:21 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>This episode explores the groundbreaking security features of the Samsung Galaxy S25, focusing on its implementation of post-quantum cryptography (PQC). Learn how the Galaxy S25 is setting a new standard for mobile security by integrating PQC to protect against future quantum-based cyber attacks.
Key Discussion Points:
• The Galaxy S25 is the first smartphone to feature post-quantum cryptography, using the ML-KEM algorithm to protect sensitive data.
• Post-quantum cryptography (PQC) consists of cryptographic algorithms that should be secure against cryptanalytic attacks performed by a quantum computer.
• Knox Vault on the Galaxy S25 employs post-quantum cryptography to secure personalized AI data.
• The Personal Data Engine analyzes data on-device for personalized experiences, ensuring data is securely locked behind Knox Vault.
• The Galaxy S25 includes a new Knox Matrix dashboard, additional Maximum Restriction settings, and enhanced Theft Protection.
• App developers need to prepare for the transition to PQC to ensure their applications remain secure against future quantum threats.
• NIST has approved CRYSTALS-Kyber as the standard KEM, replacing the widely used Diffie-Hellman algorithm.
Relevant Links:
• Galaxy S25 News: Stay updated on the Galaxy S25.
• Post-Quantum Cryptography (PQC) &amp; Mobile App Security: Learn more about PQC and its implications for mobile app security.
• NowSecure Platform: Explore mobile application security testing solutions.
• NIST’s PQC Algorithms: Find information on NIST-approved quantum-resistant cryptographic algorithms.
• CRYSTALS-Kyber: Reference implementations for CRYSTALS-Kyber are available for evaluation.
• App Developer's Guide: Key considerations for app developers to transition to post-quantum cryptography (PQC)

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[This episode explores the groundbreaking security features of the Samsung Galaxy S25, focusing on its implementation of post-quantum cryptography (PQC). Learn how the Galaxy S25 is setting a new standard for mobile security by integrating PQC to protect against future quantum-based cyber attacks.
Key Discussion Points:
• The Galaxy S25 is the first smartphone to feature post-quantum cryptography, using the ML-KEM algorithm to protect sensitive data.
• Post-quantum cryptography (PQC) consists of cryptographic algorithms that should be secure against cryptanalytic attacks performed by a quantum computer.
• Knox Vault on the Galaxy S25 employs post-quantum cryptography to secure personalized AI data.
• The Personal Data Engine analyzes data on-device for personalized experiences, ensuring data is securely locked behind Knox Vault.
• The Galaxy S25 includes a new Knox Matrix dashboard, additional Maximum Restriction settings, and enhanced Theft Protection.
• App developers need to prepare for the transition to PQC to ensure their applications remain secure against future quantum threats.
• NIST has approved CRYSTALS-Kyber as the standard KEM, replacing the widely used Diffie-Hellman algorithm.
Relevant Links:
• Galaxy S25 News: Stay updated on the Galaxy S25.
• Post-Quantum Cryptography (PQC) &amp; Mobile App Security: Learn more about PQC and its implications for mobile app security.
• NowSecure Platform: Explore mobile application security testing solutions.
• NIST’s PQC Algorithms: Find information on NIST-approved quantum-resistant cryptographic algorithms.
• CRYSTALS-Kyber: Reference implementations for CRYSTALS-Kyber are available for evaluation.
• App Developer's Guide: Key considerations for app developers to transition to post-quantum cryptography (PQC)

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1252</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64658295]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8927092848.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>TgToxic Android Trojan: A Masterclass in Banking Malware</title>
      <link>https://player.megaphone.fm/NPTNI8175304417</link>
      <description>Episode Notes: In this episode of Upwardly Mobile, we dive deep into the world of Android banking trojans, focusing on the rising threats of ToxicPanda and TgToxic. These sophisticated pieces of malware are targeting mobile users across the globe, aiming to steal credentials, cryptocurrency, and funds from banking and finance apps [1, 2]. We explore how these trojans operate, their evolution, and most importantly, how you can protect yourself [3, 4].
Key Discussion Points:

- The Threat Landscape: Understanding the basics of mobile banking trojans and their increasing prevalence [2, 5].
- ToxicPanda: Discover the tactics used by this relatively new trojan, including social engineering and on-device fraud to bypass security features like two-factor authentication [6].
- TgToxic: Uncover the advanced anti-analysis techniques used by TgToxic, including code obfuscation, payload encryption, and dynamic command-and-control (C2) strategies [7-9].
- Geographical Targets: Identifying the regions most affected by these threats, including Europe, Latin America, and Southeast Asia [10-12].
- Technical Analysis: Examining how TgToxic abuses legitimate automation frameworks like Easyclick to hijack user interfaces and automate malicious activities [13, 14].
- Defence Strategy: Practical steps you can take to protect your Android devices from these banking trojans, including disabling "Allow from Unknown Sources", being wary of suspicious emails and links, and monitoring app permissions [3, 4].
- The Role of Social Engineering: Recognising how social engineering remains a primary method for distributing malware and how to avoid falling victim to these attacks [10].
- Real-World Impact: Understanding the potential financial losses and the importance of staying informed about emerging cyber threats [10].
- C2 (Command and Control) Strategies: Understanding the dynamic C2 strategies used by TgToxic, including domain generation algorithms (DGA) and dead drop locations [7, 15].
Sponsor: This episode is brought to you by Approov (https://www.approov.io/). Approov helps protect your mobile apps from abuse and fraud. Learn more about their runtime application self-protection (RASP) and device attestation solutions [7].
Relevant Links:

- Avoiding Social Engineering and Phishing Attacks: https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks [16]
- Android Banking Trojan ToxicPanda Targets Europe: https://www.securityweek.com/android-banking-trojan-toxicpanda-targets-europe/ [16]
- ToxicPanda: a new banking trojan from Asia hits Europe and LATAM: https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam [16]
- TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users: https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html [16]
- Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users: https://thehackernews.com/2023/02/enigma-ve

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 26 Feb 2025 20:05:47 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Notes: In this episode of Upwardly Mobile, we dive deep into the world of Android banking trojans, focusing on the rising threats of ToxicPanda and TgToxic. These sophisticated pieces of malware are targeting mobile users across the globe, aiming to steal credentials, cryptocurrency, and funds from banking and finance apps [1, 2]. We explore how these trojans operate, their evolution, and most importantly, how you can protect yourself [3, 4].
Key Discussion Points:

- The Threat Landscape: Understanding the basics of mobile banking trojans and their increasing prevalence [2, 5].
- ToxicPanda: Discover the tactics used by this relatively new trojan, including social engineering and on-device fraud to bypass security features like two-factor authentication [6].
- TgToxic: Uncover the advanced anti-analysis techniques used by TgToxic, including code obfuscation, payload encryption, and dynamic command-and-control (C2) strategies [7-9].
- Geographical Targets: Identifying the regions most affected by these threats, including Europe, Latin America, and Southeast Asia [10-12].
- Technical Analysis: Examining how TgToxic abuses legitimate automation frameworks like Easyclick to hijack user interfaces and automate malicious activities [13, 14].
- Defence Strategy: Practical steps you can take to protect your Android devices from these banking trojans, including disabling "Allow from Unknown Sources", being wary of suspicious emails and links, and monitoring app permissions [3, 4].
- The Role of Social Engineering: Recognising how social engineering remains a primary method for distributing malware and how to avoid falling victim to these attacks [10].
- Real-World Impact: Understanding the potential financial losses and the importance of staying informed about emerging cyber threats [10].
- C2 (Command and Control) Strategies: Understanding the dynamic C2 strategies used by TgToxic, including domain generation algorithms (DGA) and dead drop locations [7, 15].
Sponsor: This episode is brought to you by Approov (https://www.approov.io/). Approov helps protect your mobile apps from abuse and fraud. Learn more about their runtime application self-protection (RASP) and device attestation solutions [7].
Relevant Links:

- Avoiding Social Engineering and Phishing Attacks: https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks [16]
- Android Banking Trojan ToxicPanda Targets Europe: https://www.securityweek.com/android-banking-trojan-toxicpanda-targets-europe/ [16]
- ToxicPanda: a new banking trojan from Asia hits Europe and LATAM: https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam [16]
- TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users: https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html [16]
- Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users: https://thehackernews.com/2023/02/enigma-ve

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Notes: In this episode of Upwardly Mobile, we dive deep into the world of Android banking trojans, focusing on the rising threats of ToxicPanda and TgToxic. These sophisticated pieces of malware are targeting mobile users across the globe, aiming to steal credentials, cryptocurrency, and funds from banking and finance apps [1, 2]. We explore how these trojans operate, their evolution, and most importantly, how you can protect yourself [3, 4].
Key Discussion Points:

- The Threat Landscape: Understanding the basics of mobile banking trojans and their increasing prevalence [2, 5].
- ToxicPanda: Discover the tactics used by this relatively new trojan, including social engineering and on-device fraud to bypass security features like two-factor authentication [6].
- TgToxic: Uncover the advanced anti-analysis techniques used by TgToxic, including code obfuscation, payload encryption, and dynamic command-and-control (C2) strategies [7-9].
- Geographical Targets: Identifying the regions most affected by these threats, including Europe, Latin America, and Southeast Asia [10-12].
- Technical Analysis: Examining how TgToxic abuses legitimate automation frameworks like Easyclick to hijack user interfaces and automate malicious activities [13, 14].
- Defence Strategy: Practical steps you can take to protect your Android devices from these banking trojans, including disabling "Allow from Unknown Sources", being wary of suspicious emails and links, and monitoring app permissions [3, 4].
- The Role of Social Engineering: Recognising how social engineering remains a primary method for distributing malware and how to avoid falling victim to these attacks [10].
- Real-World Impact: Understanding the potential financial losses and the importance of staying informed about emerging cyber threats [10].
- C2 (Command and Control) Strategies: Understanding the dynamic C2 strategies used by TgToxic, including domain generation algorithms (DGA) and dead drop locations [7, 15].
Sponsor: This episode is brought to you by Approov (https://www.approov.io/). Approov helps protect your mobile apps from abuse and fraud. Learn more about their runtime application self-protection (RASP) and device attestation solutions [7].
Relevant Links:

- Avoiding Social Engineering and Phishing Attacks: https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks [16]
- Android Banking Trojan ToxicPanda Targets Europe: https://www.securityweek.com/android-banking-trojan-toxicpanda-targets-europe/ [16]
- ToxicPanda: a new banking trojan from Asia hits Europe and LATAM: https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam [16]
- TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users: https://www.trendmicro.com/en_us/research/23/b/tgtoxic-malware-targets-southeast-asia-android-users.html [16]
- Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users: https://thehackernews.com/2023/02/enigma-ve

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>923</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64589391]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8175304417.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Quokka: Mobile App Security Intelligence for Risk-Based Decisions</title>
      <link>https://player.megaphone.fm/NPTNI5652900585</link>
      <description>In this episode, we explore how Quokka and Approov provide complete protection for mobile apps and APIs throughout the Software Development Lifecycle (SDLC). Learn how to scan your app using Quokka to quickly identify vulnerabilities and inject security into the development process. Discover how Approov adds Zero Trust protections against runtime attacks and gains continuous visibility to new threats.

Key Discussion Points:
• The mobile threat landscape: Mobile apps are critical for businesses, but they are vulnerable to analysis, cloning, and hacking, which can lead to financial transaction interception, credential theft, and API targeting. Current security approaches are insufficient, leaving gaps for attackers to exploit.
• Quokka's Mobile App Security Testing (MAST) Capabilities:
◦ Offers comprehensive app analysis including static (SAST), dynamic (DAST), interactive (IAST), and forced-path execution app analysis.
◦ Scans apps quickly, even without source code, and works with the latest OS versions.
◦ Reports vulnerabilities to specific library versions using SBOMs.
◦ Validates apps against security and privacy standards like NIAP, NIST, and MASVS.
• Approov's Runtime App and API Security (RASP) Capabilities:
◦ Provides defence against runtime threats by validating each API request and checking for app modifications.
◦ Offers dynamic protection and delivery of API keys and secrets at runtime.
◦ Protects against fake and modified apps with runtime app attestation and authentication.
◦ Detects runtime tampering, including jailbroken/rooted devices.
◦ Blocks bots and fake apps from accessing APIs.
• Eliminating API Keys and Secrets:
◦ Quokka scans can identify exposed API keys or secrets in code.
◦ Approov can remove these API keys from the code by delivering them just in time to verified apps and devices.
◦ This "easy win" radically improves your security profile.
• Continuous Feedback Loop: Quokka and Approov create a dynamic feedback loop between testing and runtime validation, protecting applications throughout their lifecycle. Approov provides real-time intelligence on device, app, and man-in-the-middle attacks, which can be fed back into the SDLC.
Actionable Insights:
• Perform an initial Quokka scan to identify vulnerabilities.
• Implement Approov to remove exposed API keys and provide runtime protection.
• Use the insights from Approov to improve security in earlier stages of development.
• Integrate Quokka into CI/CD and DevSecOps tools.
Keywords:
Mobile app security, API security, runtime protection, MAST, RASP, Quokka, Approov, zero-day vulnerabilities, SDLC, DevSecOps, API keys, secrets management, mobile threat landscape, app attestation, runtime tampering, SBOM, security standards, data privacy.

Relevant Links:
• Quokka Solutions: https://www.quokka.io/solutions/mobile-app-security
• Approov: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 23 Feb 2025 08:50:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this episode, we explore how Quokka and Approov provide complete protection for mobile apps and APIs throughout the Software Development Lifecycle (SDLC). Learn how to scan your app using Quokka to quickly identify vulnerabilities and inject security into the development process. Discover how Approov adds Zero Trust protections against runtime attacks and gains continuous visibility to new threats.

Key Discussion Points:
• The mobile threat landscape: Mobile apps are critical for businesses, but they are vulnerable to analysis, cloning, and hacking, which can lead to financial transaction interception, credential theft, and API targeting. Current security approaches are insufficient, leaving gaps for attackers to exploit.
• Quokka's Mobile App Security Testing (MAST) Capabilities:
◦ Offers comprehensive app analysis including static (SAST), dynamic (DAST), interactive (IAST), and forced-path execution app analysis.
◦ Scans apps quickly, even without source code, and works with the latest OS versions.
◦ Reports vulnerabilities to specific library versions using SBOMs.
◦ Validates apps against security and privacy standards like NIAP, NIST, and MASVS.
• Approov's Runtime App and API Security (RASP) Capabilities:
◦ Provides defence against runtime threats by validating each API request and checking for app modifications.
◦ Offers dynamic protection and delivery of API keys and secrets at runtime.
◦ Protects against fake and modified apps with runtime app attestation and authentication.
◦ Detects runtime tampering, including jailbroken/rooted devices.
◦ Blocks bots and fake apps from accessing APIs.
• Eliminating API Keys and Secrets:
◦ Quokka scans can identify exposed API keys or secrets in code.
◦ Approov can remove these API keys from the code by delivering them just in time to verified apps and devices.
◦ This "easy win" radically improves your security profile.
• Continuous Feedback Loop: Quokka and Approov create a dynamic feedback loop between testing and runtime validation, protecting applications throughout their lifecycle. Approov provides real-time intelligence on device, app, and man-in-the-middle attacks, which can be fed back into the SDLC.
Actionable Insights:
• Perform an initial Quokka scan to identify vulnerabilities.
• Implement Approov to remove exposed API keys and provide runtime protection.
• Use the insights from Approov to improve security in earlier stages of development.
• Integrate Quokka into CI/CD and DevSecOps tools.
Keywords:
Mobile app security, API security, runtime protection, MAST, RASP, Quokka, Approov, zero-day vulnerabilities, SDLC, DevSecOps, API keys, secrets management, mobile threat landscape, app attestation, runtime tampering, SBOM, security standards, data privacy.

Relevant Links:
• Quokka Solutions: https://www.quokka.io/solutions/mobile-app-security
• Approov: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode, we explore how Quokka and Approov provide complete protection for mobile apps and APIs throughout the Software Development Lifecycle (SDLC). Learn how to scan your app using Quokka to quickly identify vulnerabilities and inject security into the development process. Discover how Approov adds Zero Trust protections against runtime attacks and gains continuous visibility to new threats.

Key Discussion Points:
• The mobile threat landscape: Mobile apps are critical for businesses, but they are vulnerable to analysis, cloning, and hacking, which can lead to financial transaction interception, credential theft, and API targeting. Current security approaches are insufficient, leaving gaps for attackers to exploit.
• Quokka's Mobile App Security Testing (MAST) Capabilities:
◦ Offers comprehensive app analysis including static (SAST), dynamic (DAST), interactive (IAST), and forced-path execution app analysis.
◦ Scans apps quickly, even without source code, and works with the latest OS versions.
◦ Reports vulnerabilities to specific library versions using SBOMs.
◦ Validates apps against security and privacy standards like NIAP, NIST, and MASVS.
• Approov's Runtime App and API Security (RASP) Capabilities:
◦ Provides defence against runtime threats by validating each API request and checking for app modifications.
◦ Offers dynamic protection and delivery of API keys and secrets at runtime.
◦ Protects against fake and modified apps with runtime app attestation and authentication.
◦ Detects runtime tampering, including jailbroken/rooted devices.
◦ Blocks bots and fake apps from accessing APIs.
• Eliminating API Keys and Secrets:
◦ Quokka scans can identify exposed API keys or secrets in code.
◦ Approov can remove these API keys from the code by delivering them just in time to verified apps and devices.
◦ This "easy win" radically improves your security profile.
• Continuous Feedback Loop: Quokka and Approov create a dynamic feedback loop between testing and runtime validation, protecting applications throughout their lifecycle. Approov provides real-time intelligence on device, app, and man-in-the-middle attacks, which can be fed back into the SDLC.
Actionable Insights:
• Perform an initial Quokka scan to identify vulnerabilities.
• Implement Approov to remove exposed API keys and provide runtime protection.
• Use the insights from Approov to improve security in earlier stages of development.
• Integrate Quokka into CI/CD and DevSecOps tools.
Keywords:
Mobile app security, API security, runtime protection, MAST, RASP, Quokka, Approov, zero-day vulnerabilities, SDLC, DevSecOps, API keys, secrets management, mobile threat landscape, app attestation, runtime tampering, SBOM, security standards, data privacy.

Relevant Links:
• Quokka Solutions: https://www.quokka.io/solutions/mobile-app-security
• Approov: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>730</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64518970]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5652900585.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Zero Trust for Mobile Healthcare: Protecting ePHI on Personal Devices</title>
      <link>https://player.megaphone.fm/NPTNI8581454364</link>
      <description>Zero Trust for Mobile Healthcare: Protecting ePHI on Personal Devices

The proposed updates to the HIPAA Security Rule aim to address specific cybersecurity threats related to mobile devices and applications that access electronic protected health information (ePHI).

These threats include:
• Cloned/modified apps: Addressing the risk of fake apps that can download malware, viruses, or steal credentials to access backend systems. App attestation is suggested as a way to verify that apps accessing ePHI are genuine and unmodified.
• Device manipulation: Providing run time protection against device manipulation, where hackers can jailbreak or root devices and use tools to steal data or modify app operations. The proposal suggests continuous scanning for problematic software and real-time reporting of device environment states, with the ability to block requests from compromised devices.
• Man-in-the-middle attacks: Protecting against the interception and manipulation of mobile device communications to steal sensitive information. The proposal suggests the implementation of dynamic pinning on all communication channels used by healthcare apps, including to third-party APIs, as well as blocking tools that enable trust store manipulation or MitM attacks.
• API secret protection: Preventing hackers from using weaponized mobile apps to scale up attacks on critical APIs by stealing API keys. The proposal suggests that API keys for accessing ePHI APIs should never be stored in mobile app code, but delivered only as needed to verified apps via attestation.
• Identity exploits: Protecting against identity theft and credential stuffing attacks by using app and device attestation at run time for zero-trust protection. The proposal suggests tracking signs of identity abuse as a requirement for run time security monitoring.
• Breach readiness and service continuity: Encouraging organisations to prepare for potential security incidents with protocols for addressing breaches, such as revoking access, quarantining affected systems and conducting investigations. It suggests that Incident Response plans should extend to third-party breaches and highlight the management of API Keys and certificates.

Relevant links for the podcast:
• Approov Limited:
◦ Website: http://www.approov.io
• OWASP MASVS (Mobile Application Security Verification Standard): Provides guidelines for mobile app security
• NIST (National Institute of Standards and Technology): Cited in the context of incident response plans
• HHS 405(d) Program: Offers health industry cybersecurity practices
• Federal Trade Commission (FTC): Provides a guide for business security
• Department of Health and Human Services (HHS): Offers Cybersecurity Performance Goals (CPGs)
• ONC Health IT Certification Program: Maintained by the Assistant Secretary for Technology Policy and Office of the National Coordinator for

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 19 Feb 2025 17:15:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Zero Trust for Mobile Healthcare: Protecting ePHI on Personal Devices

The proposed updates to the HIPAA Security Rule aim to address specific cybersecurity threats related to mobile devices and applications that access electronic protected health information (ePHI).

These threats include:
• Cloned/modified apps: Addressing the risk of fake apps that can download malware, viruses, or steal credentials to access backend systems. App attestation is suggested as a way to verify that apps accessing ePHI are genuine and unmodified.
• Device manipulation: Providing run time protection against device manipulation, where hackers can jailbreak or root devices and use tools to steal data or modify app operations. The proposal suggests continuous scanning for problematic software and real-time reporting of device environment states, with the ability to block requests from compromised devices.
• Man-in-the-middle attacks: Protecting against the interception and manipulation of mobile device communications to steal sensitive information. The proposal suggests the implementation of dynamic pinning on all communication channels used by healthcare apps, including to third-party APIs, as well as blocking tools that enable trust store manipulation or MitM attacks.
• API secret protection: Preventing hackers from using weaponized mobile apps to scale up attacks on critical APIs by stealing API keys. The proposal suggests that API keys for accessing ePHI APIs should never be stored in mobile app code, but delivered only as needed to verified apps via attestation.
• Identity exploits: Protecting against identity theft and credential stuffing attacks by using app and device attestation at run time for zero-trust protection. The proposal suggests tracking signs of identity abuse as a requirement for run time security monitoring.
• Breach readiness and service continuity: Encouraging organisations to prepare for potential security incidents with protocols for addressing breaches, such as revoking access, quarantining affected systems and conducting investigations. It suggests that Incident Response plans should extend to third-party breaches and highlight the management of API Keys and certificates.

Relevant links for the podcast:
• Approov Limited:
◦ Website: http://www.approov.io
• OWASP MASVS (Mobile Application Security Verification Standard): Provides guidelines for mobile app security
• NIST (National Institute of Standards and Technology): Cited in the context of incident response plans
• HHS 405(d) Program: Offers health industry cybersecurity practices
• Federal Trade Commission (FTC): Provides a guide for business security
• Department of Health and Human Services (HHS): Offers Cybersecurity Performance Goals (CPGs)
• ONC Health IT Certification Program: Maintained by the Assistant Secretary for Technology Policy and Office of the National Coordinator for

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Zero Trust for Mobile Healthcare: Protecting ePHI on Personal Devices

The proposed updates to the HIPAA Security Rule aim to address specific cybersecurity threats related to mobile devices and applications that access electronic protected health information (ePHI).

These threats include:
• Cloned/modified apps: Addressing the risk of fake apps that can download malware, viruses, or steal credentials to access backend systems. App attestation is suggested as a way to verify that apps accessing ePHI are genuine and unmodified.
• Device manipulation: Providing run time protection against device manipulation, where hackers can jailbreak or root devices and use tools to steal data or modify app operations. The proposal suggests continuous scanning for problematic software and real-time reporting of device environment states, with the ability to block requests from compromised devices.
• Man-in-the-middle attacks: Protecting against the interception and manipulation of mobile device communications to steal sensitive information. The proposal suggests the implementation of dynamic pinning on all communication channels used by healthcare apps, including to third-party APIs, as well as blocking tools that enable trust store manipulation or MitM attacks.
• API secret protection: Preventing hackers from using weaponized mobile apps to scale up attacks on critical APIs by stealing API keys. The proposal suggests that API keys for accessing ePHI APIs should never be stored in mobile app code, but delivered only as needed to verified apps via attestation.
• Identity exploits: Protecting against identity theft and credential stuffing attacks by using app and device attestation at run time for zero-trust protection. The proposal suggests tracking signs of identity abuse as a requirement for run time security monitoring.
• Breach readiness and service continuity: Encouraging organisations to prepare for potential security incidents with protocols for addressing breaches, such as revoking access, quarantining affected systems and conducting investigations. It suggests that Incident Response plans should extend to third-party breaches and highlight the management of API Keys and certificates.

Relevant links for the podcast:
• Approov Limited:
◦ Website: http://www.approov.io
• OWASP MASVS (Mobile Application Security Verification Standard): Provides guidelines for mobile app security
• NIST (National Institute of Standards and Technology): Cited in the context of incident response plans
• HHS 405(d) Program: Offers health industry cybersecurity practices
• Federal Trade Commission (FTC): Provides a guide for business security
• Department of Health and Human Services (HHS): Offers Cybersecurity Performance Goals (CPGs)
• ONC Health IT Certification Program: Maintained by the Assistant Secretary for Technology Policy and Office of the National Coordinator for

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>763</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64393834]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8581454364.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>HarmonyOS Next: A True Android Alternative?</title>
      <link>https://player.megaphone.fm/NPTNI5457011788</link>
      <description>Here are episode notes, SEO keywords, and hashtags, along with links to the source materials: Episode Notes: This episode explores Huawei's HarmonyOS, including the distinctions between traditional HarmonyOS and HarmonyOS NEXT. We discuss system architecture, performance enhancements, user experience, and security features. The episode further examines HarmonyOS in comparison to GMS Android and Non-GMS Android, focusing on compatibility and security issues. We also investigate the limitations of Huawei's HarmonyOS Safety Detect and compare it with mobile app security solutions like Approov.
- We define GMS Android as devices with pre-installed Google Mobile Services, offering access to the Google Play Store and a vast app ecosystem.
- Non-GMS Android devices lack Google services and rely on alternative app stores.
- HarmonyOS is Huawei's operating system designed for a unified experience across devices.
- HarmonyOS Next features a microkernel architecture, emphasizing performance and security.
- HarmonyOS Safety Detect provides security features for app developers within the Huawei ecosystem.
The episode also covers:
- Performance enhancements in HarmonyOS NEXT, including a 30% increase in device fluency and a 10.7% boost in native performance.
- The Star Shield architecture in HarmonyOS NEXT, which provides system-level protection against vulnerabilities.
- Limitations of HarmonyOS Safety Detect, including its focus on the Huawei ecosystem and the need for broader security measures.
Source Materials:
- Comparing HarmonyOS NEXT to Traditional HarmonyOS: Features and Performance
- Comparison of Mobile Operating Systems: GMS Android, Non-GMS Android, HarmonyOS, and HarmonyOS Next
- Limitations of Huawei HarmonyOS Safety Detect

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 16 Feb 2025 08:25:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Here are episode notes, SEO keywords, and hashtags, along with links to the source materials: Episode Notes: This episode explores Huawei's HarmonyOS, including the distinctions between traditional HarmonyOS and HarmonyOS NEXT. We discuss system architecture, performance enhancements, user experience, and security features. The episode further examines HarmonyOS in comparison to GMS Android and Non-GMS Android, focusing on compatibility and security issues. We also investigate the limitations of Huawei's HarmonyOS Safety Detect and compare it with mobile app security solutions like Approov.
- We define GMS Android as devices with pre-installed Google Mobile Services, offering access to the Google Play Store and a vast app ecosystem.
- Non-GMS Android devices lack Google services and rely on alternative app stores.
- HarmonyOS is Huawei's operating system designed for a unified experience across devices.
- HarmonyOS Next features a microkernel architecture, emphasizing performance and security.
- HarmonyOS Safety Detect provides security features for app developers within the Huawei ecosystem.
The episode also covers:
- Performance enhancements in HarmonyOS NEXT, including a 30% increase in device fluency and a 10.7% boost in native performance.
- The Star Shield architecture in HarmonyOS NEXT, which provides system-level protection against vulnerabilities.
- Limitations of HarmonyOS Safety Detect, including its focus on the Huawei ecosystem and the need for broader security measures.
Source Materials:
- Comparing HarmonyOS NEXT to Traditional HarmonyOS: Features and Performance
- Comparison of Mobile Operating Systems: GMS Android, Non-GMS Android, HarmonyOS, and HarmonyOS Next
- Limitations of Huawei HarmonyOS Safety Detect

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Here are episode notes, SEO keywords, and hashtags, along with links to the source materials: Episode Notes: This episode explores Huawei's HarmonyOS, including the distinctions between traditional HarmonyOS and HarmonyOS NEXT. We discuss system architecture, performance enhancements, user experience, and security features. The episode further examines HarmonyOS in comparison to GMS Android and Non-GMS Android, focusing on compatibility and security issues. We also investigate the limitations of Huawei's HarmonyOS Safety Detect and compare it with mobile app security solutions like Approov.
- We define GMS Android as devices with pre-installed Google Mobile Services, offering access to the Google Play Store and a vast app ecosystem.
- Non-GMS Android devices lack Google services and rely on alternative app stores.
- HarmonyOS is Huawei's operating system designed for a unified experience across devices.
- HarmonyOS Next features a microkernel architecture, emphasizing performance and security.
- HarmonyOS Safety Detect provides security features for app developers within the Huawei ecosystem.
The episode also covers:
- Performance enhancements in HarmonyOS NEXT, including a 30% increase in device fluency and a 10.7% boost in native performance.
- The Star Shield architecture in HarmonyOS NEXT, which provides system-level protection against vulnerabilities.
- Limitations of HarmonyOS Safety Detect, including its focus on the Huawei ecosystem and the need for broader security measures.
Source Materials:
- Comparing HarmonyOS NEXT to Traditional HarmonyOS: Features and Performance
- Comparison of Mobile Operating Systems: GMS Android, Non-GMS Android, HarmonyOS, and HarmonyOS Next
- Limitations of Huawei HarmonyOS Safety Detect

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1217</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63727126]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5457011788.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple App Store Security Fail: The Fake LastPass Story</title>
      <link>https://player.megaphone.fm/NPTNI3900784664</link>
      <description>Fake LastPass App on Apple App Store: How to Protect Your Credentials 
 
This episode discusses the recent discovery of a fake LastPass application, named "LassPass Password Manager", on the Apple App Store. The fraudulent app mimicked the branding and user interface of the real LastPass app. We'll explore how this fake app bypassed Apple's security review process, what you can do to avoid falling victim to similar scams, and the importance of app attestation.
What Happened?
- A fake password management app called "LassPass Password Manager" appeared on the Apple App Store.
- The app was created by a developer named Parvati Patel.
- It imitated the original LastPass logo and user interface.
- The purpose of the app was likely to steal credentials, including ID numbers, passwords, and crypto seed phrases.
- The fake app was removed from the Apple App Store on February 8.
How Did This Happen?
- The fake app used a similar name and logo to the real LastPass app, with only minor differences that may have been enough to evade automated detection.
- The developer account appeared legitimate at first glance, but may have been compromised or used intentionally for malicious purposes.
- Manual review oversight: Misspellings and a mismatched developer name were overlooked.
- The app included a "PRO" subscription model.
How to Avoid Typosquatting and Fake Apps:
- Click the app URL on the original author’s website. LastPass has links to the original app on their website.
- Pay more attention to social proof. Look at metrics like date added, number of downloads, version history, and reviews.
- Check the app details. Look for typos, incomplete app descriptions, grammatical blunders, and the use of a business name as the app developer.
App Attestation as a Solution:
- App attestation validates the integrity and authenticity of individual applications.
- It verifies that the app's runtime environment hasn't been tampered with.
- Solutions like Approov issue cryptographic tokens to verified apps, ensuring only genuine apps can interact with backend APIs.
- App attestation offers a proactive approach to enhance mobile app security and protect APIs from being exploited by fraudulent apps.
- It can be integrated with platform-specific tools like iOS App Attest and Google Play Integrity.
Links:
- Galactic Advisors: https://www.galacticadvisors.com/
- Fraudulent App: https://apps.apple.com/us/app/lasspass-password-manager/id6473945355
- Legitimate LastPass App: https://apps.apple.com/us/app/lastpass-password-manager/id324613447
- Approov: https://approov.io/
Keywords: LastPass, fake app, Apple App Store, LassPass, password manager, security, typosquatting, phishing, app attestation, Approov, Parvati Patel, malware, mobile security, data theft, cyber security, credentials, API security.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 16 Feb 2025 01:45:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Fake LastPass App on Apple App Store: How to Protect Your Credentials 
 
This episode discusses the recent discovery of a fake LastPass application, named "LassPass Password Manager", on the Apple App Store. The fraudulent app mimicked the branding and user interface of the real LastPass app. We'll explore how this fake app bypassed Apple's security review process, what you can do to avoid falling victim to similar scams, and the importance of app attestation.
What Happened?
- A fake password management app called "LassPass Password Manager" appeared on the Apple App Store.
- The app was created by a developer named Parvati Patel.
- It imitated the original LastPass logo and user interface.
- The purpose of the app was likely to steal credentials, including ID numbers, passwords, and crypto seed phrases.
- The fake app was removed from the Apple App Store on February 8.
How Did This Happen?
- The fake app used a similar name and logo to the real LastPass app, with only minor differences that may have been enough to evade automated detection.
- The developer account appeared legitimate at first glance, but may have been compromised or used intentionally for malicious purposes.
- Manual review oversight: Misspellings and a mismatched developer name were overlooked.
- The app included a "PRO" subscription model.
How to Avoid Typosquatting and Fake Apps:
- Click the app URL on the original author’s website. LastPass has links to the original app on their website.
- Pay more attention to social proof. Look at metrics like date added, number of downloads, version history, and reviews.
- Check the app details. Look for typos, incomplete app descriptions, grammatical blunders, and the use of a business name as the app developer.
App Attestation as a Solution:
- App attestation validates the integrity and authenticity of individual applications.
- It verifies that the app's runtime environment hasn't been tampered with.
- Solutions like Approov issue cryptographic tokens to verified apps, ensuring only genuine apps can interact with backend APIs.
- App attestation offers a proactive approach to enhance mobile app security and protect APIs from being exploited by fraudulent apps.
- It can be integrated with platform-specific tools like iOS App Attest and Google Play Integrity.
Links:
- Galactic Advisors: https://www.galacticadvisors.com/
- Fraudulent App: https://apps.apple.com/us/app/lasspass-password-manager/id6473945355
- Legitimate LastPass App: https://apps.apple.com/us/app/lastpass-password-manager/id324613447
- Approov: https://approov.io/
Keywords: LastPass, fake app, Apple App Store, LassPass, password manager, security, typosquatting, phishing, app attestation, Approov, Parvati Patel, malware, mobile security, data theft, cyber security, credentials, API security.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Fake LastPass App on Apple App Store: How to Protect Your Credentials 
 
This episode discusses the recent discovery of a fake LastPass application, named "LassPass Password Manager", on the Apple App Store. The fraudulent app mimicked the branding and user interface of the real LastPass app. We'll explore how this fake app bypassed Apple's security review process, what you can do to avoid falling victim to similar scams, and the importance of app attestation.
What Happened?
- A fake password management app called "LassPass Password Manager" appeared on the Apple App Store.
- The app was created by a developer named Parvati Patel.
- It imitated the original LastPass logo and user interface.
- The purpose of the app was likely to steal credentials, including ID numbers, passwords, and crypto seed phrases.
- The fake app was removed from the Apple App Store on February 8.
How Did This Happen?
- The fake app used a similar name and logo to the real LastPass app, with only minor differences that may have been enough to evade automated detection.
- The developer account appeared legitimate at first glance, but may have been compromised or used intentionally for malicious purposes.
- Manual review oversight: Misspellings and a mismatched developer name were overlooked.
- The app included a "PRO" subscription model.
How to Avoid Typosquatting and Fake Apps:
- Click the app URL on the original author’s website. LastPass has links to the original app on their website.
- Pay more attention to social proof. Look at metrics like date added, number of downloads, version history, and reviews.
- Check the app details. Look for typos, incomplete app descriptions, grammatical blunders, and the use of a business name as the app developer.
App Attestation as a Solution:
- App attestation validates the integrity and authenticity of individual applications.
- It verifies that the app's runtime environment hasn't been tampered with.
- Solutions like Approov issue cryptographic tokens to verified apps, ensuring only genuine apps can interact with backend APIs.
- App attestation offers a proactive approach to enhance mobile app security and protect APIs from being exploited by fraudulent apps.
- It can be integrated with platform-specific tools like iOS App Attest and Google Play Integrity.
Links:
- Galactic Advisors: https://www.galacticadvisors.com/
- Fraudulent App: https://apps.apple.com/us/app/lasspass-password-manager/id6473945355
- Legitimate LastPass App: https://apps.apple.com/us/app/lastpass-password-manager/id324613447
- Approov: https://approov.io/
Keywords: LastPass, fake app, Apple App Store, LassPass, password manager, security, typosquatting, phishing, app attestation, Approov, Parvati Patel, malware, mobile security, data theft, cyber security, credentials, API security.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1101</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64395660]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3900784664.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Mobile Money, Mobile Risk: Securing Africa's Fintech Future</title>
      <link>https://player.megaphone.fm/NPTNI4799952339</link>
      <description>Exposed: Fintech Secrets in Africa Episode Summary:

In this episode of Upwardly Mobile, we delve into the concerning state of mobile application security across the African continent, with a specific focus on financial technology (fintech) apps. Recent research reveals that a staggering 95% of popular banking and financial apps in Africa have easily exploitable security flaws. We discuss the potential impact of these vulnerabilities on consumers and financial institutions, and explore what can be done to mitigate these risks and build trust in the digital financial ecosystem. We will also explore the broader landscape of cybersecurity in Africa and what measures countries are taking to improve their cybersecurity readiness.
Key Discussion Points:

- The Approov Report Findings: We discuss the key findings of the Approov-sponsored survey of 224 Android fintech apps across Africa, highlighting the widespread exposure of sensitive data and secrets.
    - 95% of apps expose valuable secrets that could be exploited.
    - 18% of apps revealed high severity secrets that could lead to unauthorized access and data breaches.
    - 272 million downloads are of apps that inadvertently reveal high-risk secret keys.
    - Crypto apps are particularly vulnerable, with 33% exposing high severity secrets.
- Types of Exposed Secrets: We detail the kinds of sensitive information being exposed, including encryption keys, authentication tokens, database credentials, and payment gateway secrets.
- Regional Variations: The study indicates that apps in West Africa are the most exposed in terms of high severity secret exposure (20%), while Southern Africa is the least exposed (6%).
- The Global Cybersecurity Index (GCI) 2024: We explore insights from the Global Cybersecurity Index (GCI) 2024, with a focus on Africa's cybersecurity development, noting that many African nations remain below the global average.
- Tiered Performance: We explain the tiered model used in the GCI, from "Building" (Tier 5) to "Role-modelling" (Tier 1), and discuss how African countries perform across these tiers.
    - Countries like Egypt, Mauritius, Ghana, Tanzania, Kenya, Rwanda, and Morocco are leading the way in cybersecurity commitment in Africa, achieving "Role-modelling" status.
    - Most countries are at the "Evolving" and "Establishing" stages, highlighting a need for improvement.
    - Central Africa is generally at the earliest stages of cybersecurity development.
- Progress and Challenges: We look at the progress made by some countries, like Eswatini, Togo, and the Democratic Republic of Congo, while also noting those with negative growth, like Tunisia, Guinea-Bissau and Nigeria.
- E-Government and Cybersecurity: The podcast will explore the relationship between e-government development and cybersecurity commitments, emphasising that a strong commitment to cybersecurity is crucial to protect digital infrastructure and data as African nations embrace digital transformation.
- Role

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 11 Feb 2025 08:40:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Exposed: Fintech Secrets in Africa Episode Summary:

In this episode of Upwardly Mobile, we delve into the concerning state of mobile application security across the African continent, with a specific focus on financial technology (fintech) apps. Recent research reveals that a staggering 95% of popular banking and financial apps in Africa have easily exploitable security flaws. We discuss the potential impact of these vulnerabilities on consumers and financial institutions, and explore what can be done to mitigate these risks and build trust in the digital financial ecosystem. We will also explore the broader landscape of cybersecurity in Africa and what measures countries are taking to improve their cybersecurity readiness.
Key Discussion Points:

- The Approov Report Findings: We discuss the key findings of the Approov-sponsored survey of 224 Android fintech apps across Africa, highlighting the widespread exposure of sensitive data and secrets.
    - 95% of apps expose valuable secrets that could be exploited.
    - 18% of apps revealed high severity secrets that could lead to unauthorized access and data breaches.
    - 272 million downloads are of apps that inadvertently reveal high-risk secret keys.
    - Crypto apps are particularly vulnerable, with 33% exposing high severity secrets.
- Types of Exposed Secrets: We detail the kinds of sensitive information being exposed, including encryption keys, authentication tokens, database credentials, and payment gateway secrets.
- Regional Variations: The study indicates that apps in West Africa are the most exposed in terms of high severity secret exposure (20%), while Southern Africa is the least exposed (6%).
- The Global Cybersecurity Index (GCI) 2024: We explore insights from the Global Cybersecurity Index (GCI) 2024, with a focus on Africa's cybersecurity development, noting that many African nations remain below the global average.
- Tiered Performance: We explain the tiered model used in the GCI, from "Building" (Tier 5) to "Role-modelling" (Tier 1), and discuss how African countries perform across these tiers.
    - Countries like Egypt, Mauritius, Ghana, Tanzania, Kenya, Rwanda, and Morocco are leading the way in cybersecurity commitment in Africa, achieving "Role-modelling" status.
    - Most countries are at the "Evolving" and "Establishing" stages, highlighting a need for improvement.
    - Central Africa is generally at the earliest stages of cybersecurity development.
- Progress and Challenges: We look at the progress made by some countries, like Eswatini, Togo, and the Democratic Republic of Congo, while also noting those with negative growth, like Tunisia, Guinea-Bissau and Nigeria.
- E-Government and Cybersecurity: The podcast will explore the relationship between e-government development and cybersecurity commitments, emphasising that a strong commitment to cybersecurity is crucial to protect digital infrastructure and data as African nations embrace digital transformation.
- Role

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Exposed: Fintech Secrets in Africa Episode Summary:

In this episode of Upwardly Mobile, we delve into the concerning state of mobile application security across the African continent, with a specific focus on financial technology (fintech) apps. Recent research reveals that a staggering 95% of popular banking and financial apps in Africa have easily exploitable security flaws. We discuss the potential impact of these vulnerabilities on consumers and financial institutions, and explore what can be done to mitigate these risks and build trust in the digital financial ecosystem. We will also explore the broader landscape of cybersecurity in Africa and what measures countries are taking to improve their cybersecurity readiness.
Key Discussion Points:

- The Approov Report Findings: We discuss the key findings of the Approov-sponsored survey of 224 Android fintech apps across Africa, highlighting the widespread exposure of sensitive data and secrets.
    - 95% of apps expose valuable secrets that could be exploited.
    - 18% of apps revealed high severity secrets that could lead to unauthorized access and data breaches.
    - 272 million downloads are of apps that inadvertently reveal high-risk secret keys.
    - Crypto apps are particularly vulnerable, with 33% exposing high severity secrets.
- Types of Exposed Secrets: We detail the kinds of sensitive information being exposed, including encryption keys, authentication tokens, database credentials, and payment gateway secrets.
- Regional Variations: The study indicates that apps in West Africa are the most exposed in terms of high severity secret exposure (20%), while Southern Africa is the least exposed (6%).
- The Global Cybersecurity Index (GCI) 2024: We explore insights from the Global Cybersecurity Index (GCI) 2024, with a focus on Africa's cybersecurity development, noting that many African nations remain below the global average.
- Tiered Performance: We explain the tiered model used in the GCI, from "Building" (Tier 5) to "Role-modelling" (Tier 1), and discuss how African countries perform across these tiers.
    - Countries like Egypt, Mauritius, Ghana, Tanzania, Kenya, Rwanda, and Morocco are leading the way in cybersecurity commitment in Africa, achieving "Role-modelling" status.
    - Most countries are at the "Evolving" and "Establishing" stages, highlighting a need for improvement.
    - Central Africa is generally at the earliest stages of cybersecurity development.
- Progress and Challenges: We look at the progress made by some countries, like Eswatini, Togo, and the Democratic Republic of Congo, while also noting those with negative growth, like Tunisia, Guinea-Bissau and Nigeria.
- E-Government and Cybersecurity: The podcast will explore the relationship between e-government development and cybersecurity commitments, emphasising that a strong commitment to cybersecurity is crucial to protect digital infrastructure and data as African nations embrace digital transformation.
- Role

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1017</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64195853]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4799952339.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Is DeepSeek Safe? Navigating the Risks of the Chinese AI Model</title>
      <link>https://player.megaphone.fm/NPTNI3272690538</link>
      <description>Episode Summary: In this episode, we delve into the rapidly growing popularity of DeepSeek, a Chinese AI model, and uncover the potential security and privacy risks it poses. From data transmission vulnerabilities to troubling terms of service, we explore the reasons why caution is key when considering this innovative AI tool.
Episode Notes:
• Introduction:
◦ DeepSeek's rapid rise to prominence and its potential impact on the AI landscape.
◦ Initial praise for its efficiency and advanced AI capabilities.
• Data Privacy Concerns:
◦ DeepSeek's data storage in China raises concerns about state surveillance and compliance with global privacy standards.
◦ Collection of extensive user data, including device details, IP addresses, and usage patterns.
• Terms of Service Red Flags:
◦ Troubling aspects of DeepSeek's ToS, allowing data collection on usage, prompting, device, network, and personal activity.
◦ Comparison to data collection practices of companies like Google, Apple, and Microsoft, but with the added concern of data handling in China.
• Security Vulnerabilities:
◦ Unencrypted data transmission: The DeepSeek iOS app transmits sensitive user and device data without encryption, exposing it to interception and manipulation attacks.
◦ Weak encryption practices: Use of outdated encryption algorithms like 3DES with hard-coded keys, making it vulnerable to cryptographic attacks.
◦ Database exposure: Publicly accessible database linked to DeepSeek exposed chat histories, API secrets, and backend operational details.
◦ Cyberattack target: DeepSeek has already suffered significant cyberattacks, making it an attractive target for malicious actors.
• Global Response:
◦ Bans and warnings issued by various countries and organizations, including the U.S. Navy, NASA, and government agencies in Italy and Taiwan.
◦ U.S. lawmakers' efforts to restrict DeepSeek's use on government devices.
• Mitigation Strategies:
◦ Guidance to avoid inputting sensitive information into any LLMs that aren't self-hosted.
◦ Running open-source models locally to reduce risks, while being mindful of potential vulnerabilities.
◦ Using network monitoring tools like Wireshark to observe data transmission.
◦ Implementing robust mobile security solutions like Approov to ensure only legitimate app instances communicate with backend services.
• Expert Perspectives:
◦ Discussion of DeepSeek's potential for misuse, including the generation of ransomware development scripts.
◦ Analysis of the balance between security, privacy, and the benefits of AI innovation.
• Practical Advice:
◦ Researching and understanding the terms of service before using any new app.
◦ Being cautious about free apps, recognizing that "if it's free, you're the product".
◦ Staying informed about the latest cybersecurity risks and data privacy concerns.
Sponsor Message: This episode is brought to you by Approov (https://www.google.com/url?sa=E&amp;

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 09 Feb 2025 00:12:49 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Summary: In this episode, we delve into the rapidly growing popularity of DeepSeek, a Chinese AI model, and uncover the potential security and privacy risks it poses. From data transmission vulnerabilities to troubling terms of service, we explore the reasons why caution is key when considering this innovative AI tool.
Episode Notes:
• Introduction:
◦ DeepSeek's rapid rise to prominence and its potential impact on the AI landscape.
◦ Initial praise for its efficiency and advanced AI capabilities.
• Data Privacy Concerns:
◦ DeepSeek's data storage in China raises concerns about state surveillance and compliance with global privacy standards.
◦ Collection of extensive user data, including device details, IP addresses, and usage patterns.
• Terms of Service Red Flags:
◦ Troubling aspects of DeepSeek's ToS, allowing data collection on usage, prompting, device, network, and personal activity.
◦ Comparison to data collection practices of companies like Google, Apple, and Microsoft, but with the added concern of data handling in China.
• Security Vulnerabilities:
◦ Unencrypted data transmission: The DeepSeek iOS app transmits sensitive user and device data without encryption, exposing it to interception and manipulation attacks.
◦ Weak encryption practices: Use of outdated encryption algorithms like 3DES with hard-coded keys, making it vulnerable to cryptographic attacks.
◦ Database exposure: Publicly accessible database linked to DeepSeek exposed chat histories, API secrets, and backend operational details.
◦ Cyberattack target: DeepSeek has already suffered significant cyberattacks, making it an attractive target for malicious actors.
• Global Response:
◦ Bans and warnings issued by various countries and organizations, including the U.S. Navy, NASA, and government agencies in Italy and Taiwan.
◦ U.S. lawmakers' efforts to restrict DeepSeek's use on government devices.
• Mitigation Strategies:
◦ Guidance to avoid inputting sensitive information into any LLMs that aren't self-hosted.
◦ Running open-source models locally to reduce risks, while being mindful of potential vulnerabilities.
◦ Using network monitoring tools like Wireshark to observe data transmission.
◦ Implementing robust mobile security solutions like Approov to ensure only legitimate app instances communicate with backend services.
• Expert Perspectives:
◦ Discussion of DeepSeek's potential for misuse, including the generation of ransomware development scripts.
◦ Analysis of the balance between security, privacy, and the benefits of AI innovation.
• Practical Advice:
◦ Researching and understanding the terms of service before using any new app.
◦ Being cautious about free apps, recognizing that "if it's free, you're the product".
◦ Staying informed about the latest cybersecurity risks and data privacy concerns.
Sponsor Message: This episode is brought to you by Approov (https://www.google.com/url?sa=E&amp;

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Summary: In this episode, we delve into the rapidly growing popularity of DeepSeek, a Chinese AI model, and uncover the potential security and privacy risks it poses. From data transmission vulnerabilities to troubling terms of service, we explore the reasons why caution is key when considering this innovative AI tool.
Episode Notes:
• Introduction:
◦ DeepSeek's rapid rise to prominence and its potential impact on the AI landscape.
◦ Initial praise for its efficiency and advanced AI capabilities.
• Data Privacy Concerns:
◦ DeepSeek's data storage in China raises concerns about state surveillance and compliance with global privacy standards.
◦ Collection of extensive user data, including device details, IP addresses, and usage patterns.
• Terms of Service Red Flags:
◦ Troubling aspects of DeepSeek's ToS, allowing data collection on usage, prompting, device, network, and personal activity.
◦ Comparison to data collection practices of companies like Google, Apple, and Microsoft, but with the added concern of data handling in China.
• Security Vulnerabilities:
◦ Unencrypted data transmission: The DeepSeek iOS app transmits sensitive user and device data without encryption, exposing it to interception and manipulation attacks.
◦ Weak encryption practices: Use of outdated encryption algorithms like 3DES with hard-coded keys, making it vulnerable to cryptographic attacks.
◦ Database exposure: Publicly accessible database linked to DeepSeek exposed chat histories, API secrets, and backend operational details.
◦ Cyberattack target: DeepSeek has already suffered significant cyberattacks, making it an attractive target for malicious actors.
• Global Response:
◦ Bans and warnings issued by various countries and organizations, including the U.S. Navy, NASA, and government agencies in Italy and Taiwan.
◦ U.S. lawmakers' efforts to restrict DeepSeek's use on government devices.
• Mitigation Strategies:
◦ Guidance to avoid inputting sensitive information into any LLMs that aren't self-hosted.
◦ Running open-source models locally to reduce risks, while being mindful of potential vulnerabilities.
◦ Using network monitoring tools like Wireshark to observe data transmission.
◦ Implementing robust mobile security solutions like Approov to ensure only legitimate app instances communicate with backend services.
• Expert Perspectives:
◦ Discussion of DeepSeek's potential for misuse, including the generation of ransomware development scripts.
◦ Analysis of the balance between security, privacy, and the benefits of AI innovation.
• Practical Advice:
◦ Researching and understanding the terms of service before using any new app.
◦ Being cautious about free apps, recognizing that "if it's free, you're the product".
◦ Staying informed about the latest cybersecurity risks and data privacy concerns.
Sponsor Message: This episode is brought to you by Approov (https://www.google.com/url?sa=E&amp;

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>765</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64276152]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3272690538.mp3?updated=1778666128" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Frida: Friend or Foe? Protecting Your Mobile Apps from Dynamic Instrumentation</title>
      <link>https://player.megaphone.fm/NPTNI8514608023</link>
      <description>Podcast Title: Upwardly Mobile
Episode Title: Frida: Friend or Foe? Protecting Your Mobile Apps from Dynamic Instrumentation
Episode Description:
In this episode of Upwardly Mobile, we delve into the world of Frida, a powerful dynamic instrumentation toolkit. While invaluable for developers and security researchers, Frida also poses significant risks to mobile applications, particularly in sectors like fintech, healthcare, and mobile gaming. Join us as we explore how Frida works, the threats it presents, and the essential strategies for protecting your apps against it. We'll discuss techniques from code obfuscation and certificate pinning to real-time RASP solutions. Learn how to stay ahead of sophisticated Frida-based attacks and safeguard your users and data.
Key Discussion Points:
• What is Frida?
◦ Frida is a dynamic instrumentation framework that allows real-time inspection and modification of running processes.
◦ It's used for debugging, performance tuning, and security testing.
◦ However, malicious actors can use it to hook into apps, manipulate code, and exfiltrate sensitive data.
• How Frida is used by attackers:
◦ Hooking: Intercepting function calls to alter inputs or outputs.
◦ Tampering: Bypassing logic checks or unlocking premium features without payment.
◦ Data Exfiltration: Capturing sensitive data like tokens and encryption keys.
◦ Code Injection: Injecting custom code to modify app behavior, bypass security, or steal data.
◦ SSL Pinning Bypass: Bypassing SSL/TLS pinning by replacing legitimate certificates.
◦ Function Hooking: Modifying behavior of specific functions to tamper with logic or extract data.
◦ API Abuse: Calling privileged APIs without proper authentication to scrape data or access sensitive user data.
◦ Pirating Apps: Bypassing licensing checks or injecting cheats for premium functionality.
• Why Frida is a Growing Threat:
◦ Frida bypasses conventional security measures by accessing the app’s runtime environment.
◦ It allows interception and manipulation of payment flows in fintech, theft of PHI in healthcare, and cheating in gaming.
◦ Even secure backend APIs can be compromised by a hooked mobile app, leaking tokens and causing unauthorized transactions.
• Key Security Risks:
◦ Hooking &amp; API Call Interception: Attackers can intercept and modify API calls, potentially exposing private APIs.
◦ Business Logic Tampering: Bypassing logic checks, leading to revenue loss.
◦ Data Exfiltration: Stealing API keys or cryptographic material, causing fraud.
◦ Regulatory Non-Compliance: Data breaches can lead to serious penalties in regulated industries.
• How to Detect and Protect Against Frida:
◦ Detection Mechanisms:
▪ Library and Process Scans: Monitoring for Frida signatures.
▪ Dynamic Integrity Checks: Verifying app memory to detect hooking.
▪ Behavioral Monitoring: Flagging unusual function calls.
◦ Code Obfuscation and Anti-Tamper:
▪ Obfuscation: Using string encryption and code virtual

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 08 Feb 2025 08:30:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Podcast Title: Upwardly Mobile
Episode Title: Frida: Friend or Foe? Protecting Your Mobile Apps from Dynamic Instrumentation
Episode Description:
In this episode of Upwardly Mobile, we delve into the world of Frida, a powerful dynamic instrumentation toolkit. While invaluable for developers and security researchers, Frida also poses significant risks to mobile applications, particularly in sectors like fintech, healthcare, and mobile gaming. Join us as we explore how Frida works, the threats it presents, and the essential strategies for protecting your apps against it. We'll discuss techniques from code obfuscation and certificate pinning to real-time RASP solutions. Learn how to stay ahead of sophisticated Frida-based attacks and safeguard your users and data.
Key Discussion Points:
• What is Frida?
◦ Frida is a dynamic instrumentation framework that allows real-time inspection and modification of running processes.
◦ It's used for debugging, performance tuning, and security testing.
◦ However, malicious actors can use it to hook into apps, manipulate code, and exfiltrate sensitive data.
• How Frida is used by attackers:
◦ Hooking: Intercepting function calls to alter inputs or outputs.
◦ Tampering: Bypassing logic checks or unlocking premium features without payment.
◦ Data Exfiltration: Capturing sensitive data like tokens and encryption keys.
◦ Code Injection: Injecting custom code to modify app behavior, bypass security, or steal data.
◦ SSL Pinning Bypass: Bypassing SSL/TLS pinning by replacing legitimate certificates.
◦ Function Hooking: Modifying behavior of specific functions to tamper with logic or extract data.
◦ API Abuse: Calling privileged APIs without proper authentication to scrape data or access sensitive user data.
◦ Pirating Apps: Bypassing licensing checks or injecting cheats for premium functionality.
• Why Frida is a Growing Threat:
◦ Frida bypasses conventional security measures by accessing the app’s runtime environment.
◦ It allows interception and manipulation of payment flows in fintech, theft of PHI in healthcare, and cheating in gaming.
◦ Even secure backend APIs can be compromised by a hooked mobile app, leaking tokens and causing unauthorized transactions.
• Key Security Risks:
◦ Hooking &amp; API Call Interception: Attackers can intercept and modify API calls, potentially exposing private APIs.
◦ Business Logic Tampering: Bypassing logic checks, leading to revenue loss.
◦ Data Exfiltration: Stealing API keys or cryptographic material, causing fraud.
◦ Regulatory Non-Compliance: Data breaches can lead to serious penalties in regulated industries.
• How to Detect and Protect Against Frida:
◦ Detection Mechanisms:
▪ Library and Process Scans: Monitoring for Frida signatures.
▪ Dynamic Integrity Checks: Verifying app memory to detect hooking.
▪ Behavioral Monitoring: Flagging unusual function calls.
◦ Code Obfuscation and Anti-Tamper:
▪ Obfuscation: Using string encryption and code virtual

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Podcast Title: Upwardly Mobile
Episode Title: Frida: Friend or Foe? Protecting Your Mobile Apps from Dynamic Instrumentation
Episode Description:
In this episode of Upwardly Mobile, we delve into the world of Frida, a powerful dynamic instrumentation toolkit. While invaluable for developers and security researchers, Frida also poses significant risks to mobile applications, particularly in sectors like fintech, healthcare, and mobile gaming. Join us as we explore how Frida works, the threats it presents, and the essential strategies for protecting your apps against it. We'll discuss techniques from code obfuscation and certificate pinning to real-time RASP solutions. Learn how to stay ahead of sophisticated Frida-based attacks and safeguard your users and data.
Key Discussion Points:
• What is Frida?
◦ Frida is a dynamic instrumentation framework that allows real-time inspection and modification of running processes.
◦ It's used for debugging, performance tuning, and security testing.
◦ However, malicious actors can use it to hook into apps, manipulate code, and exfiltrate sensitive data.
• How Frida is used by attackers:
◦ Hooking: Intercepting function calls to alter inputs or outputs.
◦ Tampering: Bypassing logic checks or unlocking premium features without payment.
◦ Data Exfiltration: Capturing sensitive data like tokens and encryption keys.
◦ Code Injection: Injecting custom code to modify app behavior, bypass security, or steal data.
◦ SSL Pinning Bypass: Bypassing SSL/TLS pinning by replacing legitimate certificates.
◦ Function Hooking: Modifying behavior of specific functions to tamper with logic or extract data.
◦ API Abuse: Calling privileged APIs without proper authentication to scrape data or access sensitive user data.
◦ Pirating Apps: Bypassing licensing checks or injecting cheats for premium functionality.
• Why Frida is a Growing Threat:
◦ Frida bypasses conventional security measures by accessing the app’s runtime environment.
◦ It allows interception and manipulation of payment flows in fintech, theft of PHI in healthcare, and cheating in gaming.
◦ Even secure backend APIs can be compromised by a hooked mobile app, leaking tokens and causing unauthorized transactions.
• Key Security Risks:
◦ Hooking &amp; API Call Interception: Attackers can intercept and modify API calls, potentially exposing private APIs.
◦ Business Logic Tampering: Bypassing logic checks, leading to revenue loss.
◦ Data Exfiltration: Stealing API keys or cryptographic material, causing fraud.
◦ Regulatory Non-Compliance: Data breaches can lead to serious penalties in regulated industries.
• How to Detect and Protect Against Frida:
◦ Detection Mechanisms:
▪ Library and Process Scans: Monitoring for Frida signatures.
▪ Dynamic Integrity Checks: Verifying app memory to detect hooking.
▪ Behavioral Monitoring: Flagging unusual function calls.
◦ Code Obfuscation and Anti-Tamper:
▪ Obfuscation: Using string encryption and code virtual

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>780</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63831459]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8514608023.mp3?updated=1778666091" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>China Challenges Apple: App Store Fees and Developer Freedom</title>
      <link>https://player.megaphone.fm/NPTNI4656982827</link>
      <description>China Challenges Apple: App Store Fees and Developer Freedom

China's Antitrust Concerns: The State Administration for Market Regulation (SAMR) is examining Apple's App Store policies. This investigation may be a response to U.S. tariffs and reflects growing concerns over the dominance of major tech companies.
Impact on App Developers: This probe could significantly affect mobile app developers.

Potential benefits include:
• Reduced App Store fees: Regulatory intervention might force Apple to lower commissions.
• Increased competition: Developers may gain more freedom to distribute apps through alternative stores.
• Enhanced market access: Changes could create more opportunities in the massive Chinese mobile app market.
Global Antitrust Trends: China's actions align with a global trend of antitrust scrutiny against Apple and Google. Key actions in other regions include:
• European Union: Digital Markets Act (DMA) promotes fair competition.
• United Kingdom: Digital Markets, Competition and Consumers (DMCC) Bill grants powers to investigate tech firms.
• Brazil: CADE antitrust inquiry scrutinizing anti-competitive practices.
• Japan: Proposed smartphone legislation to open app ecosystems.
• United States: FTC and DOJ actions reviewing anti-steering rules and Google's dominance.
• Epic Games vs. Apple and Google: Lawsuits challenging app store control, leading to potential policy changes.

• Monitor global antitrust developments.
• Explore alternative payment solutions.
• Consider multi-platform distribution strategies.

Conclusion: The app store landscape could be on the verge of significant changes. Staying informed is crucial as these investigations could reshape app distribution and monetization.

Links to Source Materials:
• Bloomberg News Report: China Considers Probe into Apple's App Store Fees
• Reuters Coverage: China's Antitrust Regulator Eyes Apple
Additional Resources: (Link to relevant articles, reports, and legal documents related to antitrust actions against Apple and Google here.)

Keywords: Apple, App Store, antitrust, China, SAMR, mobile app developers, Digital Markets Act, DMA, DMCC, Epic Games, Google, app distribution, commissions, in-app purchases, regulatory scrutiny.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 07 Feb 2025 01:09:52 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>China Challenges Apple: App Store Fees and Developer Freedom

China's Antitrust Concerns: The State Administration for Market Regulation (SAMR) is examining Apple's App Store policies. This investigation may be a response to U.S. tariffs and reflects growing concerns over the dominance of major tech companies.
Impact on App Developers: This probe could significantly affect mobile app developers.

Potential benefits include:
• Reduced App Store fees: Regulatory intervention might force Apple to lower commissions.
• Increased competition: Developers may gain more freedom to distribute apps through alternative stores.
• Enhanced market access: Changes could create more opportunities in the massive Chinese mobile app market.
Global Antitrust Trends: China's actions align with a global trend of antitrust scrutiny against Apple and Google. Key actions in other regions include:
• European Union: Digital Markets Act (DMA) promotes fair competition.
• United Kingdom: Digital Markets, Competition and Consumers (DMCC) Bill grants powers to investigate tech firms.
• Brazil: CADE antitrust inquiry scrutinizing anti-competitive practices.
• Japan: Proposed smartphone legislation to open app ecosystems.
• United States: FTC and DOJ actions reviewing anti-steering rules and Google's dominance.
• Epic Games vs. Apple and Google: Lawsuits challenging app store control, leading to potential policy changes.

• Monitor global antitrust developments.
• Explore alternative payment solutions.
• Consider multi-platform distribution strategies.

Conclusion: The app store landscape could be on the verge of significant changes. Staying informed is crucial as these investigations could reshape app distribution and monetization.

Links to Source Materials:
• Bloomberg News Report: China Considers Probe into Apple's App Store Fees
• Reuters Coverage: China's Antitrust Regulator Eyes Apple
Additional Resources: (Link to relevant articles, reports, and legal documents related to antitrust actions against Apple and Google here.)

Keywords: Apple, App Store, antitrust, China, SAMR, mobile app developers, Digital Markets Act, DMA, DMCC, Epic Games, Google, app distribution, commissions, in-app purchases, regulatory scrutiny.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[China Challenges Apple: App Store Fees and Developer Freedom

China's Antitrust Concerns: The State Administration for Market Regulation (SAMR) is examining Apple's App Store policies. This investigation may be a response to U.S. tariffs and reflects growing concerns over the dominance of major tech companies.
Impact on App Developers: This probe could significantly affect mobile app developers.

Potential benefits include:
• Reduced App Store fees: Regulatory intervention might force Apple to lower commissions.
• Increased competition: Developers may gain more freedom to distribute apps through alternative stores.
• Enhanced market access: Changes could create more opportunities in the massive Chinese mobile app market.
Global Antitrust Trends: China's actions align with a global trend of antitrust scrutiny against Apple and Google. Key actions in other regions include:
• European Union: Digital Markets Act (DMA) promotes fair competition.
• United Kingdom: Digital Markets, Competition and Consumers (DMCC) Bill grants powers to investigate tech firms.
• Brazil: CADE antitrust inquiry scrutinizing anti-competitive practices.
• Japan: Proposed smartphone legislation to open app ecosystems.
• United States: FTC and DOJ actions reviewing anti-steering rules and Google's dominance.
• Epic Games vs. Apple and Google: Lawsuits challenging app store control, leading to potential policy changes.

• Monitor global antitrust developments.
• Explore alternative payment solutions.
• Consider multi-platform distribution strategies.

Conclusion: The app store landscape could be on the verge of significant changes. Staying informed is crucial as these investigations could reshape app distribution and monetization.

Links to Source Materials:
• Bloomberg News Report: China Considers Probe into Apple's App Store Fees
• Reuters Coverage: China's Antitrust Regulator Eyes Apple
Additional Resources: (Link to relevant articles, reports, and legal documents related to antitrust actions against Apple and Google here.)

Keywords: Apple, App Store, antitrust, China, SAMR, mobile app developers, Digital Markets Act, DMA, DMCC, Epic Games, Google, app distribution, commissions, in-app purchases, regulatory scrutiny.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1056</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64238280]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4656982827.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Who's Tracking You? The Shocking Gravy Analytics Data Breach</title>
      <link>https://player.megaphone.fm/NPTNI5214677841</link>
      <description>Massive Location Data Breach at Gravy Analytics: Millions at Risk
Episode Summary: This episode discusses the recent data breach at Gravy Analytics, a major player in the location data industry. Hackers claim to have stolen a large amount of sensitive data, including customer lists, industry information, and precise location data harvested from smartphones. This breach has potentially exposed the private information of millions of people worldwide. The implications of this breach are significant, raising concerns about deanonymization risks, tracking, and the potential sale of bulk location data on underground markets.

Discussion Points:
• The Hack: Gravy Analytics, the parent company of Venntel, which sells smartphone location data to the U.S. government, was reportedly compromised by hackers.
• Data Stolen: The stolen data includes customer lists, industry information, and precise location data from smartphones.
• Potential Harms: The breach could lead to the deanonymization of individuals, increased tracking, and the sale of sensitive data on underground markets.
• Government Use: Gravy Analytics and Venntel have been accused of illegally collecting and selling Americans' location data, with some tracked individuals monitored near sensitive locations such as government buildings and health clinics.
• Ransom and Cover-Up: Hackers posted a gigabyte of data on a Russian-language cybercrime forum and threatened to release more unless a ransom was paid. The removal of the post has led to suspicions that Gravy Analytics may have complied with the ransom demand.
• Lack of Transparency: Unacast, Gravy Analytics' parent company, has not publicly acknowledged the breach in America but has disclosed it to data protection authorities in Norway.
• In-App Data Collection: A single app installed on a phone was observed sending numerous requests, some to Unity, including geolocation data even when location services were disabled for all apps.
• Data Sharing: Location, IP address, and other data points are shared with third parties like Unity, Moloco Ads, and Facebook, even without explicit user consent.
• Data Broker Marketplaces: Data marketplaces like Datarade offer access to vast amounts of location data, including possibilities to acquire personal info.
Links to Sources:
• 404 Media: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2F404media.co%2Fhackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data%2F
• Straight Arrow News: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.straightarrownews.com%2Finternational%2F8121889%2Fmillions-of-americans-location-data-compromised-in-apparent-hack
• Tracking Myself Down Through In-App Ads: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Ftimsh.org%2Feveryone-knows-your-location-tracking-myself-down-through-in-app-ads

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 06 Feb 2025 16:17:01 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Massive Location Data Breach at Gravy Analytics: Millions at Risk
Episode Summary: This episode discusses the recent data breach at Gravy Analytics, a major player in the location data industry. Hackers claim to have stolen a large amount of sensitive data, including customer lists, industry information, and precise location data harvested from smartphones. This breach has potentially exposed the private information of millions of people worldwide. The implications of this breach are significant, raising concerns about deanonymization risks, tracking, and the potential sale of bulk location data on underground markets.

Discussion Points:
• The Hack: Gravy Analytics, the parent company of Venntel, which sells smartphone location data to the U.S. government, was reportedly compromised by hackers.
• Data Stolen: The stolen data includes customer lists, industry information, and precise location data from smartphones.
• Potential Harms: The breach could lead to the deanonymization of individuals, increased tracking, and the sale of sensitive data on underground markets.
• Government Use: Gravy Analytics and Venntel have been accused of illegally collecting and selling Americans' location data, with some tracked individuals monitored near sensitive locations such as government buildings and health clinics.
• Ransom and Cover-Up: Hackers posted a gigabyte of data on a Russian-language cybercrime forum and threatened to release more unless a ransom was paid. The removal of the post has led to suspicions that Gravy Analytics may have complied with the ransom demand.
• Lack of Transparency: Unacast, Gravy Analytics' parent company, has not publicly acknowledged the breach in America but has disclosed it to data protection authorities in Norway.
• In-App Data Collection: A single app installed on a phone was observed sending numerous requests, some to Unity, including geolocation data even when location services were disabled for all apps.
• Data Sharing: Location, IP address, and other data points are shared with third parties like Unity, Moloco Ads, and Facebook, even without explicit user consent.
• Data Broker Marketplaces: Data marketplaces like Datarade offer access to vast amounts of location data, including possibilities to acquire personal info.
Links to Sources:
• 404 Media: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2F404media.co%2Fhackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data%2F
• Straight Arrow News: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.straightarrownews.com%2Finternational%2F8121889%2Fmillions-of-americans-location-data-compromised-in-apparent-hack
• Tracking Myself Down Through In-App Ads: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Ftimsh.org%2Feveryone-knows-your-location-tracking-myself-down-through-in-app-ads

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Massive Location Data Breach at Gravy Analytics: Millions at Risk
Episode Summary: This episode discusses the recent data breach at Gravy Analytics, a major player in the location data industry. Hackers claim to have stolen a large amount of sensitive data, including customer lists, industry information, and precise location data harvested from smartphones. This breach has potentially exposed the private information of millions of people worldwide. The implications of this breach are significant, raising concerns about deanonymization risks, tracking, and the potential sale of bulk location data on underground markets.

Discussion Points:
• The Hack: Gravy Analytics, the parent company of Venntel, which sells smartphone location data to the U.S. government, was reportedly compromised by hackers.
• Data Stolen: The stolen data includes customer lists, industry information, and precise location data from smartphones.
• Potential Harms: The breach could lead to the deanonymization of individuals, increased tracking, and the sale of sensitive data on underground markets.
• Government Use: Gravy Analytics and Venntel have been accused of illegally collecting and selling Americans' location data, with some tracked individuals monitored near sensitive locations such as government buildings and health clinics.
• Ransom and Cover-Up: Hackers posted a gigabyte of data on a Russian-language cybercrime forum and threatened to release more unless a ransom was paid. The removal of the post has led to suspicions that Gravy Analytics may have complied with the ransom demand.
• Lack of Transparency: Unacast, Gravy Analytics' parent company, has not publicly acknowledged the breach in America but has disclosed it to data protection authorities in Norway.
• In-App Data Collection: A single app installed on a phone was observed sending numerous requests, some to Unity, including geolocation data even when location services were disabled for all apps.
• Data Sharing: Location, IP address, and other data points are shared with third parties like Unity, Moloco Ads, and Facebook, even without explicit user consent.
• Data Broker Marketplaces: Data marketplaces like Datarade offer access to vast amounts of location data, including possibilities to acquire personal info.
Links to Sources:
• 404 Media: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2F404media.co%2Fhackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data%2F
• Straight Arrow News: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fwww.straightarrownews.com%2Finternational%2F8121889%2Fmillions-of-americans-location-data-compromised-in-apparent-hack
• Tracking Myself Down Through In-App Ads: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Ftimsh.org%2Feveryone-knows-your-location-tracking-myself-down-through-in-app-ads

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>678</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/64231433]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5214677841.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Mapping Africa's Cybersecurity Development</title>
      <link>https://player.megaphone.fm/NPTNI3982003029</link>
      <description>Upwardly Mobile Podcast
Episode Title: Are Your Financial Apps Safe? Cybersecurity Risks in Africa

Exposed Secrets
- Host: What kinds of secrets are exposed? Researchers found a range of easily accessible items in the apps' code, including:
    - Encryption keys for securing sensitive data.
    - Authentication keys for accessing services.
    - Database credentials.
    - Payment gateway secrets.
    - OAuth client secrets.
    - Push notification keys.
    - Google Cloud API keys, found in 86% of the examined applications.
    - Facebook authentication tokens, found in approximately 15.3% of the apps.
- Host: 18% of the investigated apps revealed high severity secrets, which could lead to unauthorized access, data breaches and compromised user privacy.
- Host: Cryptocurrency apps were the most vulnerable, with 33% exposing high-severity secrets. West Africa is the most exposed region, with 20% of apps having high-severity issues, compared to only 6% in Southern Africa.
    - SEO Keywords: API Security, Encryption Keys, Authentication Tokens, Data Protection, Mobile Security, Crypto Security
The Global Cybersecurity Index (GCI) and Africa's Progress
A separate report, "Mapping Africa's Cybersecurity Development," using the ITU's Global Cybersecurity Index (GCI) 2024, provides some context.

- Host: The GCI measures a country's commitment to cybersecurity across five pillars: legal, technical, organisational, capacity development, and cooperation.
- Host: The report reveals that more than half of African nations remain below the global average in cybersecurity, despite progress in government-led cybersecurity measures.
- Host: However, there are leading countries in Africa, like Egypt, Mauritius, Ghana, Tanzania, Kenya, Rwanda, and Morocco, that have achieved "Role-modelling" status in their cybersecurity commitments.
- Host: Most countries are in the "Evolving" or "Establishing" stages of cybersecurity commitment.
- Host: The report also shows that countries that perform well on the E-Government Development Index (EGDI) tend to have higher GCI scores, demonstrating the interconnectedness of digital development and cybersecurity.
    - SEO Keywords: Global Cybersecurity Index, GCI, African Cybersecurity, E-Government Development, Digital Transformation, Cybercrime Legislation, Cybersecurity Strategies
Recommendations and User Advice
- Host: What actions can be taken to improve cybersecurity and protect users in Africa?
- Host: The GCI report highlights the need for countries to strengthen legal frameworks, build cybersecurity capacity, develop a skilled workforce, and increase regional and international collaboration, as well as participate in cybersecurity treaties.
- Host: For users, it's crucial to be vigilant about the apps you use. Check for updates, use strong passwords, and report any suspicious activity.
    - SEO Keywords: Cybersecurity Collaboration, Data Protection Laws, Cybersecurity Education, Incident Response, Cyber Resilience, Di

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 02 Feb 2025 21:40:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile Podcast
Episode Title: Are Your Financial Apps Safe? Cybersecurity Risks in Africa

Exposed Secrets
- Host: What kinds of secrets are exposed? Researchers found a range of easily accessible items in the apps' code, including:
    - Encryption keys for securing sensitive data.
    - Authentication keys for accessing services.
    - Database credentials.
    - Payment gateway secrets.
    - OAuth client secrets.
    - Push notification keys.
    - Google Cloud API keys, found in 86% of the examined applications.
    - Facebook authentication tokens, found in approximately 15.3% of the apps.
- Host: 18% of the investigated apps revealed high-severity secrets, which could lead to unauthorized access, data breaches and compromised user privacy.
- Host: Cryptocurrency apps were the most vulnerable, with 33% exposing high-severity secrets. West Africa is the most exposed region, with 20% of apps having high-severity issues, compared to only 6% in Southern Africa.
    - SEO Keywords: API Security, Encryption Keys, Authentication Tokens, Data Protection, Mobile Security, Crypto Security
The Global Cybersecurity Index (GCI) and Africa's Progress
A separate report, "Mapping Africa's Cybersecurity Development," using the ITU's Global Cybersecurity Index (GCI) 2024, provides some context.

- Host: The GCI measures a country's commitment to cybersecurity across five pillars: legal, technical, organisational, capacity development, and cooperation.
- Host: The report reveals that more than half of African nations remain below the global average in cybersecurity, despite progress in government-led cybersecurity measures.
- Host: However, there are leading countries in Africa, like Egypt, Mauritius, Ghana, Tanzania, Kenya, Rwanda, and Morocco, that have achieved "Role-modelling" status in their cybersecurity commitments.
- Host: Most countries are in the "Evolving" or "Establishing" stages of cybersecurity commitment.
- Host: The report also shows that countries that perform well on the E-Government Development Index (EGDI) tend to have higher GCI scores, demonstrating the interconnectedness of digital development and cybersecurity.
    - SEO Keywords: Global Cybersecurity Index, GCI, African Cybersecurity, E-Government Development, Digital Transformation, Cybercrime Legislation, Cybersecurity Strategies
Recommendations and User Advice
- Host: What actions can be taken to improve cybersecurity and protect users in Africa?
- Host: The GCI report highlights the need for countries to strengthen legal frameworks, build cybersecurity capacity, develop a skilled workforce, and increase regional and international collaboration, as well as participate in cybersecurity treaties.
- Host: For users, it's crucial to be vigilant about the apps you use. Check for updates, use strong passwords, and report any suspicious activity.
    - SEO Keywords: Cybersecurity Collaboration, Data Protection Laws, Cybersecurity Education, Incident Response, Cyber Resilience, Di

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile Podcast
Episode Title: Are Your Financial Apps Safe? Cybersecurity Risks in Africa

Exposed Secrets
- Host: What kinds of secrets are exposed? Researchers found a range of easily accessible items in the apps' code, including:
    - Encryption keys for securing sensitive data.
    - Authentication keys for accessing services.
    - Database credentials.
    - Payment gateway secrets.
    - OAuth client secrets.
    - Push notification keys.
    - Google Cloud API keys, found in 86% of the examined applications.
    - Facebook authentication tokens, found in approximately 15.3% of the apps.
- Host: 18% of the investigated apps revealed high-severity secrets, which could lead to unauthorized access, data breaches and compromised user privacy.
- Host: Cryptocurrency apps were the most vulnerable, with 33% exposing high-severity secrets. West Africa is the most exposed region, with 20% of apps having high-severity issues, compared to only 6% in Southern Africa.
    - SEO Keywords: API Security, Encryption Keys, Authentication Tokens, Data Protection, Mobile Security, Crypto Security
The Global Cybersecurity Index (GCI) and Africa's Progress
A separate report, "Mapping Africa's Cybersecurity Development," using the ITU's Global Cybersecurity Index (GCI) 2024, provides some context.

- Host: The GCI measures a country's commitment to cybersecurity across five pillars: legal, technical, organisational, capacity development, and cooperation.
- Host: The report reveals that more than half of African nations remain below the global average in cybersecurity, despite progress in government-led cybersecurity measures.
- Host: However, there are leading countries in Africa, like Egypt, Mauritius, Ghana, Tanzania, Kenya, Rwanda, and Morocco, that have achieved "Role-modelling" status in their cybersecurity commitments.
- Host: Most countries are in the "Evolving" or "Establishing" stages of cybersecurity commitment.
- Host: The report also shows that countries that perform well on the E-Government Development Index (EGDI) tend to have higher GCI scores, demonstrating the interconnectedness of digital development and cybersecurity.
    - SEO Keywords: Global Cybersecurity Index, GCI, African Cybersecurity, E-Government Development, Digital Transformation, Cybercrime Legislation, Cybersecurity Strategies
Recommendations and User Advice
- Host: What actions can be taken to improve cybersecurity and protect users in Africa?
- Host: The GCI report highlights the need for countries to strengthen legal frameworks, build cybersecurity capacity, develop a skilled workforce, and increase regional and international collaboration, as well as participate in cybersecurity treaties.
- Host: For users, it's crucial to be vigilant about the apps you use. Check for updates, use strong passwords, and report any suspicious activity.
    - SEO Keywords: Cybersecurity Collaboration, Data Protection Laws, Cybersecurity Education, Incident Response, Cyber Resilience, Di

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1592</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63500671]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3982003029.mp3?updated=1778665991" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>UK Watchdog Targets Apple and Google: Mobile Ecosystems Under Scrutiny for Stifling Innovation</title>
      <link>https://player.megaphone.fm/NPTNI8937963707</link>
      <description>In this episode of Upwardly Mobile, we delve into the critical issue of mobile app security and explore the argument that Apple and Google's monopolistic practices are hindering innovation and increasing long-term cyber risks for consumers. We examine how the dominance of these two tech giants in the mobile app ecosystem may be inadvertently creating vulnerabilities and limiting the potential for more robust security solutions. We also discuss potential alternative approaches to mobile app security.
Key Discussion Points:
• Monopolistic Behavior: We discuss how Apple and Google control the mobile app ecosystem, restricting competition and innovation. This control extends to app stores, operating systems and browsers.
• Impact on Security: The episode will explain how the lack of competition in mobile app security could lead to a monoculture that is vulnerable to attack. The podcast highlights that while Apple and Google currently provide reasonable cybersecurity, their dominance stifles innovation from third-party vendors.
• The Offense-Defense Imbalance: We explore the concept that in cybersecurity, attackers have an inherent advantage over defenders. It's much easier to attack than defend.
• Lack of Vendor Diversity: We highlight the absence of major cybersecurity vendors in the mobile app security space, unlike the cloud security sector, which has a thriving ecosystem of vendors such as Wiz and Palo Alto Networks.
• Google Mobile Services (GMS): The episode examines how GMS locks down the Android mobile app environment, potentially hindering external mobile app security vendors. Alternatives exist, but the dominance of GMS is a barrier.
• Alternative Ecosystems: We discuss non-GMS mobile phone manufacturers, primarily from China, such as Transsion, Huawei, Xiaomi, and Oppo. These manufacturers offer alternatives but raise geopolitical concerns.
• The UK's CMA Investigation: We examine the Competition and Markets Authority (CMA) investigation into Apple and Google's mobile ecosystems, which aims to determine if these companies have "strategic market status" and are stifling innovation and competition. The CMA is assessing the level of competition and barriers to entry within these ecosystems, and whether Apple and Google are favouring their own apps and services. The investigation will also explore whether app developers are required to sign up to unfair terms and conditions.
• Proposed Solutions: The podcast delves into recommendations such as:
◦ Apple and Google facilitating the use of third-party mobile app security vendors.
◦ Incentivising developers to use third-party security solutions through reduced commission rates.
◦ Adopting open standards for mobile app security evaluations, such as those developed by the Open Web Application Security Project (OWASP).
• The Bigger Picture: We discuss how greater competition and open standards can improve mobile app security and potentially enhance user trust in mobile techn

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 30 Jan 2025 08:25:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this episode of Upwardly Mobile, we delve into the critical issue of mobile app security and explore the argument that Apple and Google's monopolistic practices are hindering innovation and increasing long-term cyber risks for consumers. We examine how the dominance of these two tech giants in the mobile app ecosystem may be inadvertently creating vulnerabilities and limiting the potential for more robust security solutions. We also discuss potential alternative approaches to mobile app security.
Key Discussion Points:
• Monopolistic Behavior: We discuss how Apple and Google control the mobile app ecosystem, restricting competition and innovation. This control extends to app stores, operating systems and browsers.
• Impact on Security: The episode will explain how the lack of competition in mobile app security could lead to a monoculture that is vulnerable to attack. The podcast highlights that while Apple and Google currently provide reasonable cybersecurity, their dominance stifles innovation from third-party vendors.
• The Offense-Defense Imbalance: We explore the concept that in cybersecurity, attackers have an inherent advantage over defenders. It's much easier to attack than defend.
• Lack of Vendor Diversity: We highlight the absence of major cybersecurity vendors in the mobile app security space, unlike the cloud security sector, which has a thriving ecosystem of vendors such as Wiz and Palo Alto Networks.
• Google Mobile Services (GMS): The episode examines how GMS locks down the Android mobile app environment, potentially hindering external mobile app security vendors. Alternatives exist, but the dominance of GMS is a barrier.
• Alternative Ecosystems: We discuss non-GMS mobile phone manufacturers, primarily from China, such as Transsion, Huawei, Xiaomi, and Oppo. These manufacturers offer alternatives but raise geopolitical concerns.
• The UK's CMA Investigation: We examine the Competition and Markets Authority (CMA) investigation into Apple and Google's mobile ecosystems, which aims to determine if these companies have "strategic market status" and are stifling innovation and competition. The CMA is assessing the level of competition and barriers to entry within these ecosystems, and whether Apple and Google are favouring their own apps and services. The investigation will also explore whether app developers are required to sign up to unfair terms and conditions.
• Proposed Solutions: The podcast delves into recommendations such as:
◦ Apple and Google facilitating the use of third-party mobile app security vendors.
◦ Incentivising developers to use third-party security solutions through reduced commission rates.
◦ Adopting open standards for mobile app security evaluations, such as those developed by the Open Web Application Security Project (OWASP).
• The Bigger Picture: We discuss how greater competition and open standards can improve mobile app security and potentially enhance user trust in mobile techn

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode of Upwardly Mobile, we delve into the critical issue of mobile app security and explore the argument that Apple and Google's monopolistic practices are hindering innovation and increasing long-term cyber risks for consumers. We examine how the dominance of these two tech giants in the mobile app ecosystem may be inadvertently creating vulnerabilities and limiting the potential for more robust security solutions. We also discuss potential alternative approaches to mobile app security.
Key Discussion Points:
• Monopolistic Behavior: We discuss how Apple and Google control the mobile app ecosystem, restricting competition and innovation. This control extends to app stores, operating systems and browsers.
• Impact on Security: The episode will explain how the lack of competition in mobile app security could lead to a monoculture that is vulnerable to attack. The podcast highlights that while Apple and Google currently provide reasonable cybersecurity, their dominance stifles innovation from third-party vendors.
• The Offense-Defense Imbalance: We explore the concept that in cybersecurity, attackers have an inherent advantage over defenders. It's much easier to attack than defend.
• Lack of Vendor Diversity: We highlight the absence of major cybersecurity vendors in the mobile app security space, unlike the cloud security sector, which has a thriving ecosystem of vendors such as Wiz and Palo Alto Networks.
• Google Mobile Services (GMS): The episode examines how GMS locks down the Android mobile app environment, potentially hindering external mobile app security vendors. Alternatives exist, but the dominance of GMS is a barrier.
• Alternative Ecosystems: We discuss non-GMS mobile phone manufacturers, primarily from China, such as Transsion, Huawei, Xiaomi, and Oppo. These manufacturers offer alternatives but raise geopolitical concerns.
• The UK's CMA Investigation: We examine the Competition and Markets Authority (CMA) investigation into Apple and Google's mobile ecosystems, which aims to determine if these companies have "strategic market status" and are stifling innovation and competition. The CMA is assessing the level of competition and barriers to entry within these ecosystems, and whether Apple and Google are favouring their own apps and services. The investigation will also explore whether app developers are required to sign up to unfair terms and conditions.
• Proposed Solutions: The podcast delves into recommendations such as:
◦ Apple and Google facilitating the use of third-party mobile app security vendors.
◦ Incentivising developers to use third-party security solutions through reduced commission rates.
◦ Adopting open standards for mobile app security evaluations, such as those developed by the Open Web Application Security Project (OWASP).
• The Bigger Picture: We discuss how greater competition and open standards can improve mobile app security and potentially enhance user trust in mobile techn

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1123</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63864404]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8937963707.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Digital Markets Act Under Scrutiny: Fair Competition or Tech Giant Tussle?</title>
      <link>https://player.megaphone.fm/NPTNI7085757032</link>
      <description>Episode: "Digital Markets Act Under Scrutiny: Fair Competition or Tech Giant Tussle?"
Episode Summary:
In this episode of Upwardly Mobile, we delve into the complexities surrounding the EU's Digital Markets Act (DMA) and its impact on the tech industry. We explore the ongoing debate about whether the DMA is achieving its goals of fostering fair competition and innovation or if it is facing challenges from powerful tech gatekeepers. We also examine how the DMA may be affecting app security.
Key Talking Points:
• The Digital Markets Act (DMA): We discuss the DMA's objectives to curb the power of dominant tech platforms and create a level playing field for smaller businesses. The DMA is intended to promote innovation and provide greater consumer choice in online markets.
• Non-Compliance and Enforcement: Several sources highlight concerns that some gatekeepers are circumventing the DMA through "sham compliance strategies". There is an urgent call for the European Commission to take "swift and decisive action" against non-compliant companies, including concluding ongoing investigations and imposing fines.
• Impact on European Competitiveness: The episode considers the potential consequences of failing to enforce the DMA. It is argued that the lack of enforcement could threaten Europe's position as a leader in innovation, competitiveness, and digital fairness. Effective enforcement of the DMA is seen as crucial for creating a digital market where European businesses can thrive.
• Reassessment of Tech Probes: The European Commission is reevaluating its probes into tech giants such as Apple, Google, and Meta, which have been launched since March 2024 under the DMA. This review is occurring partly due to the implications of the incoming Trump presidency. All decisions and potential fines are paused while the review is completed.
• Third-Party App Security: We examine how the DMA, by allowing alternative app stores, could increase security risks for end-users, who will face a wider range of threats. App vendors also face risks such as reverse engineering and API abuse, which is a key concern.
• App Attestation Solutions: The importance of app attestation solutions, such as Approov, is highlighted in light of increased security risks. These solutions ensure that only official apps from the original vendor can access backend APIs. Approov offers a more comprehensive cross-platform attestation solution that has a lower integration burden than the Apple alternative, and also provides runtime secrets to further protect API keys.
• EUTA's Stance: The European Tech Alliance (EUTA), representing leading European tech companies, is also urging the European Commission to enforce the DMA and ensure fair competition. EUTA stresses that a competitive digital ecosystem is essential for European businesses and consumers.
Relevant Links:
• Coalition for App Fairness: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fcoalitionf

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 28 Jan 2025 18:00:10 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode: "Digital Markets Act Under Scrutiny: Fair Competition or Tech Giant Tussle?"
Episode Summary:
In this episode of Upwardly Mobile, we delve into the complexities surrounding the EU's Digital Markets Act (DMA) and its impact on the tech industry. We explore the ongoing debate about whether the DMA is achieving its goals of fostering fair competition and innovation or if it is facing challenges from powerful tech gatekeepers. We also examine how the DMA may be affecting app security.
Key Talking Points:
• The Digital Markets Act (DMA): We discuss the DMA's objectives to curb the power of dominant tech platforms and create a level playing field for smaller businesses. The DMA is intended to promote innovation and provide greater consumer choice in online markets.
• Non-Compliance and Enforcement: Several sources highlight concerns that some gatekeepers are circumventing the DMA through "sham compliance strategies". There is an urgent call for the European Commission to take "swift and decisive action" against non-compliant companies, including concluding ongoing investigations and imposing fines.
• Impact on European Competitiveness: The episode considers the potential consequences of failing to enforce the DMA. It is argued that the lack of enforcement could threaten Europe's position as a leader in innovation, competitiveness, and digital fairness. Effective enforcement of the DMA is seen as crucial for creating a digital market where European businesses can thrive.
• Reassessment of Tech Probes: The European Commission is reevaluating its probes into tech giants such as Apple, Google, and Meta, which have been launched since March 2024 under the DMA. This review is occurring partly due to the implications of the incoming Trump presidency. All decisions and potential fines are paused while the review is completed.
• Third-Party App Security: We examine how the DMA, by allowing alternative app stores, could increase security risks for end-users, who will face a wider range of threats. App vendors also face risks such as reverse engineering and API abuse, which is a key concern.
• App Attestation Solutions: The importance of app attestation solutions, such as Approov, is highlighted in light of increased security risks. These solutions ensure that only official apps from the original vendor can access backend APIs. Approov offers a more comprehensive cross-platform attestation solution that has a lower integration burden than the Apple alternative, and also provides runtime secrets to further protect API keys.
• EUTA's Stance: The European Tech Alliance (EUTA), representing leading European tech companies, is also urging the European Commission to enforce the DMA and ensure fair competition. EUTA stresses that a competitive digital ecosystem is essential for European businesses and consumers.
Relevant Links:
• Coalition for App Fairness: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fcoalitionf

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode: "Digital Markets Act Under Scrutiny: Fair Competition or Tech Giant Tussle?"
Episode Summary:
In this episode of Upwardly Mobile, we delve into the complexities surrounding the EU's Digital Markets Act (DMA) and its impact on the tech industry. We explore the ongoing debate about whether the DMA is achieving its goals of fostering fair competition and innovation or if it is facing challenges from powerful tech gatekeepers. We also examine how the DMA may be affecting app security.
Key Talking Points:
• The Digital Markets Act (DMA): We discuss the DMA's objectives to curb the power of dominant tech platforms and create a level playing field for smaller businesses. The DMA is intended to promote innovation and provide greater consumer choice in online markets.
• Non-Compliance and Enforcement: Several sources highlight concerns that some gatekeepers are circumventing the DMA through "sham compliance strategies". There is an urgent call for the European Commission to take "swift and decisive action" against non-compliant companies, including concluding ongoing investigations and imposing fines.
• Impact on European Competitiveness: The episode considers the potential consequences of failing to enforce the DMA. It is argued that the lack of enforcement could threaten Europe's position as a leader in innovation, competitiveness, and digital fairness. Effective enforcement of the DMA is seen as crucial for creating a digital market where European businesses can thrive.
• Reassessment of Tech Probes: The European Commission is reevaluating its probes into tech giants such as Apple, Google, and Meta, which have been launched since March 2024 under the DMA. This review is occurring partly due to the implications of the incoming Trump presidency. All decisions and potential fines are paused while the review is completed.
• Third-Party App Security: We examine how the DMA, by allowing alternative app stores, could increase security risks for end-users, who will face a wider range of threats. App vendors also face risks such as reverse engineering and API abuse, which is a key concern.
• App Attestation Solutions: The importance of app attestation solutions, such as Approov, is highlighted in light of increased security risks. These solutions ensure that only official apps from the original vendor can access backend APIs. Approov offers a more comprehensive cross-platform attestation solution that has a lower integration burden than the Apple alternative, and also provides runtime secrets to further protect API keys.
• EUTA's Stance: The European Tech Alliance (EUTA), representing leading European tech companies, is also urging the European Commission to enforce the DMA and ensure fair competition. EUTA stresses that a competitive digital ecosystem is essential for European businesses and consumers.
Relevant Links:
• Coalition for App Fairness: https://www.google.com/url?sa=E&amp;q=https%3A%2F%2Fcoalitionf

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1053</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63968258]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7085757032.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Data Gold Mine | How Car Manufacturers are Monetizing Your Driving Habits</title>
      <link>https://player.megaphone.fm/NPTNI2483181270</link>
      <description>Episode Summary:
In this episode of Upwardly Mobile, we delve into the fascinating, and sometimes concerning, world of automotive data monetisation. Your car is no longer just a mode of transport; it's a data-generating machine, and manufacturers are increasingly looking to leverage this information for profit. We explore how the vast amounts of data collected from connected vehicles are being used, the potential benefits for consumers, and the challenges surrounding privacy and data security. From personalised insurance rates to predictive maintenance, we uncover the various ways car data is being monetised, and what this means for you as a driver.

Key Discussion Points:
• What is Automotive Data Monetisation? We define what automotive data monetisation means and how car manufacturers are generating revenue from vehicle data. An average car can generate around 25 gigabytes of data per hour.
• The Growing Market: The automotive data monetisation market is projected to grow from USD 0.55 billion in 2025 to USD 3.09 billion by 2030, at a compound annual growth rate (CAGR) of 41.16%. Some estimates suggest the market could reach over $20 billion by 2030.
• Key Drivers of Data Monetisation: We explore the main drivers behind this trend, including:
◦ Connected Services: How automakers are using data to enhance customer experiences through features like remote diagnostics and predictive maintenance.
◦ Insurance and Risk Management: The increasing value of driving data for insurance companies to tailor premiums based on individual driving habits, including pay-as-you-drive (PAYD) and pay-how-you-drive (PHYD) models.
◦ Strategic Partnerships: Collaborations between manufacturers and tech companies to utilise vehicle data for traffic analytics and predictive maintenance.
◦ Emerging Business Models: The rise of Data-as-a-Service (DaaS) and usage-based insurance.
• The Customer Experience: We look at how connectivity is a key factor for consumers, with a significant percentage of consumers willing to switch brands for improved connectivity. The McKinsey Connected Car Customer Experience (C3X) framework is described.
• Data Privacy Concerns: The challenges around customer hesitancy to share data due to privacy concerns and lack of awareness, as well as the need for incentives to share.
• OEM Challenges: We discuss the challenges faced by automotive OEMs in monetising data, including hesitancy to share data, lack of industry standards, and lack of necessary infrastructure.
• Service Provider Issues: The problems faced by service providers, such as the cost and risk of sharing data, and restricted data sharing by OEMs.
• BMW's Approach: How BMW handles data collection, anonymization, and customer transparency.
• The GM Data Privacy Settlement: We discuss the recent settlement with the FTC, which prohibits GM from selling customer driving data without explicit consent.
• Future Opportunities: The potential of OTA upda

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 27 Jan 2025 08:30:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Summary:
In this episode of Upwardly Mobile, we delve into the fascinating, and sometimes concerning, world of automotive data monetisation. Your car is no longer just a mode of transport; it's a data-generating machine, and manufacturers are increasingly looking to leverage this information for profit. We explore how the vast amounts of data collected from connected vehicles are being used, the potential benefits for consumers, and the challenges surrounding privacy and data security. From personalised insurance rates to predictive maintenance, we uncover the various ways car data is being monetised, and what this means for you as a driver.

Key Discussion Points:
• What is Automotive Data Monetisation? We define what automotive data monetisation means and how car manufacturers are generating revenue from vehicle data. An average car can generate around 25 gigabytes of data per hour.
• The Growing Market: The automotive data monetisation market is projected to grow from USD 0.55 billion in 2025 to USD 3.09 billion by 2030, at a compound annual growth rate (CAGR) of 41.16%. Some estimates suggest the market could reach over $20 billion by 2030.
• Key Drivers of Data Monetisation: We explore the main drivers behind this trend, including:
◦ Connected Services: How automakers are using data to enhance customer experiences through features like remote diagnostics and predictive maintenance.
◦ Insurance and Risk Management: The increasing value of driving data for insurance companies to tailor premiums based on individual driving habits, including pay-as-you-drive (PAYD) and pay-how-you-drive (PHYD) models.
◦ Strategic Partnerships: Collaborations between manufacturers and tech companies to utilise vehicle data for traffic analytics and predictive maintenance.
◦ Emerging Business Models: The rise of Data-as-a-Service (DaaS) and usage-based insurance.
• The Customer Experience: We look at how connectivity is a key factor for consumers, with a significant percentage of consumers willing to switch brands for improved connectivity. The McKinsey Connected Car Customer Experience (C3X) framework is described.
• Data Privacy Concerns: The challenges around customer hesitancy to share data due to privacy concerns and lack of awareness, as well as the need for incentives to share.
• OEM Challenges: We discuss the challenges faced by automotive OEMs in monetising data, including hesitancy to share data, lack of industry standards, and lack of necessary infrastructure.
• Service Provider Issues: The problems faced by service providers, such as the cost and risk of sharing data, and restricted data sharing by OEMs.
• BMW's Approach: How BMW handles data collection, anonymisation, and customer transparency.
• The GM Data Privacy Settlement: We discuss the recent settlement with the FTC, which prohibits GM from selling customer driving data without explicit consent.
• Future Opportunities: The potential of OTA upda

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Summary:
In this episode of Upwardly Mobile, we delve into the fascinating, and sometimes concerning, world of automotive data monetisation. Your car is no longer just a mode of transport; it's a data-generating machine, and manufacturers are increasingly looking to leverage this information for profit. We explore how the vast amounts of data collected from connected vehicles are being used, the potential benefits for consumers, and the challenges surrounding privacy and data security. From personalised insurance rates to predictive maintenance, we uncover the various ways car data is being monetised, and what this means for you as a driver.

Key Discussion Points:
• What is Automotive Data Monetisation? We define what automotive data monetisation means and how car manufacturers are generating revenue from vehicle data. An average car can generate around 25 gigabytes of data per hour.
• The Growing Market: The automotive data monetisation market is projected to grow from USD 0.55 billion in 2025 to USD 3.09 billion by 2030, at a compound annual growth rate (CAGR) of 41.16%. Some estimates suggest the market could reach over $20 billion by 2030.
• Key Drivers of Data Monetisation: We explore the main drivers behind this trend, including:
◦ Connected Services: How automakers are using data to enhance customer experiences through features like remote diagnostics and predictive maintenance.
◦ Insurance and Risk Management: The increasing value of driving data for insurance companies to tailor premiums based on individual driving habits, including pay-as-you-drive (PAYD) and pay-how-you-drive (PHYD) models.
◦ Strategic Partnerships: Collaborations between manufacturers and tech companies to utilise vehicle data for traffic analytics and predictive maintenance.
◦ Emerging Business Models: The rise of Data-as-a-Service (DaaS) and usage-based insurance.
• The Customer Experience: We look at how connectivity is a key factor for consumers, with a significant percentage of consumers willing to switch brands for improved connectivity. The McKinsey Connected Car Customer Experience (C3X) framework is described.
• Data Privacy Concerns: The challenges around customer hesitancy to share data due to privacy concerns and lack of awareness, as well as the need for incentives to share.
• OEM Challenges: We discuss the challenges faced by automotive OEMs in monetising data, including hesitancy to share data, lack of industry standards, and lack of necessary infrastructure.
• Service Provider Issues: The problems faced by service providers, such as the cost and risk of sharing data, and restricted data sharing by OEMs.
• BMW's Approach: How BMW handles data collection, anonymisation, and customer transparency.
• The GM Data Privacy Settlement: We discuss the recent settlement with the FTC, which prohibits GM from selling customer driving data without explicit consent.
• Future Opportunities: The potential of OTA upda

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1119</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63792596]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2483181270.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Is Code Obfuscation Still Effective in the Age of AI?</title>
      <link>https://player.megaphone.fm/NPTNI7388485943</link>
      <description>Code Obfuscation in the Age of AI: Key Mobile App Security Concerns

- Evolving Threat Landscape: Mobile apps face a constantly changing environment with increasingly diverse cyberattacks. This requires organisations to be proactive in their security measures.
- Compliance: There is growing emphasis on adhering to strict security regulations from financial and other regulatory bodies, including the need for malware detection and prevention of sideloading.
- User Privacy: Operating systems are introducing enhanced privacy features, such as granular app permissions and real-time data access alerts, which developers must consider.
- Proactive Security: Traditional security approaches are often inadequate, necessitating proactive strategies with real-time monitoring and incident response capabilities.
- Security Operations: Organisations are moving towards holistic security operations solutions rather than standalone products. This includes centralised management, proactive threat detection, and compliance adherence.
- Expanded Stakeholders: Compliance, fraud prevention, and business teams are now vital in shaping mobile app security strategies.

Code Obfuscation

- Definition: Code obfuscation is the practice of making an app's logic difficult to understand or reverse engineer, while maintaining its functionality. It is used to protect intellectual property and sensitive data.
- Techniques: Code obfuscation can be applied to source code or app binaries, and common techniques include:
    - Aggregation Obfuscation: Removes structure from binaries by disassembling and reassembling code without symbolic information.
    - Arithmetic Obfuscation: Replaces simple arithmetic operations with more complex expressions.
    - Call Hiding: Obscures function calls by renaming, using indirect calls, dynamic resolution, and control flow manipulation.
    - Code and Resource Encryption: Encrypts code and resources to make them unreadable without decryption keys.
    - Code Transposition: Rearranges the order of functions and instructions to hide the app’s logic.
    - Renaming Obfuscation: Replaces meaningful names with confusing ones.
    - Storage Obfuscation: Manipulates data storage to make it harder to understand.
    - String Encryption: Encrypts sensitive strings like API keys.
    - Data Transformation: Changes the form of data to make it less readable.
    - Code Flow Obfuscation: Alters the control flow of the code to make it less understandable.
    - Address Obfuscation: Randomizes memory addresses.
    - Metadata Obfuscation: Encrypts sensitive information such as names of categories, classes, methods and protocols.
- Assembly Code Obfuscation: Transforms assembly code to make it harder to reverse engineer.
- Obfuscating Debug Information: Changes or removes debug data to block unauthorized access and debugging.
- Binary vs Traditional: Binary obfuscation operates on the compiled binary, while traditional obfuscation modifies source code or bytecode. B

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 25 Jan 2025 08:50:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Code Obfuscation in the Age of AI: Key Mobile App Security Concerns

- Evolving Threat Landscape: Mobile apps face a constantly changing environment with increasingly diverse cyberattacks. This requires organisations to be proactive in their security measures.
- Compliance: There is growing emphasis on adhering to strict security regulations from financial and other regulatory bodies, including the need for malware detection and prevention of sideloading.
- User Privacy: Operating systems are introducing enhanced privacy features, such as granular app permissions and real-time data access alerts, which developers must consider.
- Proactive Security: Traditional security approaches are often inadequate, necessitating proactive strategies with real-time monitoring and incident response capabilities.
- Security Operations: Organisations are moving towards holistic security operations solutions rather than standalone products. This includes centralised management, proactive threat detection, and compliance adherence.
- Expanded Stakeholders: Compliance, fraud prevention, and business teams are now vital in shaping mobile app security strategies.

Code Obfuscation

- Definition: Code obfuscation is the practice of making an app's logic difficult to understand or reverse engineer, while maintaining its functionality. It is used to protect intellectual property and sensitive data.
- Techniques: Code obfuscation can be applied to source code or app binaries, and common techniques include:
    - Aggregation Obfuscation: Removes structure from binaries by disassembling and reassembling code without symbolic information.
    - Arithmetic Obfuscation: Replaces simple arithmetic operations with more complex expressions.
    - Call Hiding: Obscures function calls by renaming, using indirect calls, dynamic resolution, and control flow manipulation.
    - Code and Resource Encryption: Encrypts code and resources to make them unreadable without decryption keys.
    - Code Transposition: Rearranges the order of functions and instructions to hide the app’s logic.
    - Renaming Obfuscation: Replaces meaningful names with confusing ones.
    - Storage Obfuscation: Manipulates data storage to make it harder to understand.
    - String Encryption: Encrypts sensitive strings like API keys.
    - Data Transformation: Changes the form of data to make it less readable.
    - Code Flow Obfuscation: Alters the control flow of the code to make it less understandable.
    - Address Obfuscation: Randomizes memory addresses.
    - Metadata Obfuscation: Encrypts sensitive information such as names of categories, classes, methods and protocols.
- Assembly Code Obfuscation: Transforms assembly code to make it harder to reverse engineer.
- Obfuscating Debug Information: Changes or removes debug data to block unauthorized access and debugging.
- Binary vs Traditional: Binary obfuscation operates on the compiled binary, while traditional obfuscation modifies source code or bytecode. B

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Code Obfuscation in the Age of AI: Key Mobile App Security Concerns

- Evolving Threat Landscape: Mobile apps face a constantly changing environment with increasingly diverse cyberattacks. This requires organisations to be proactive in their security measures.
- Compliance: There is growing emphasis on adhering to strict security regulations from financial and other regulatory bodies, including the need for malware detection and prevention of sideloading.
- User Privacy: Operating systems are introducing enhanced privacy features, such as granular app permissions and real-time data access alerts, which developers must consider.
- Proactive Security: Traditional security approaches are often inadequate, necessitating proactive strategies with real-time monitoring and incident response capabilities.
- Security Operations: Organisations are moving towards holistic security operations solutions rather than standalone products. This includes centralised management, proactive threat detection, and compliance adherence.
- Expanded Stakeholders: Compliance, fraud prevention, and business teams are now vital in shaping mobile app security strategies.

Code Obfuscation

- Definition: Code obfuscation is the practice of making an app's logic difficult to understand or reverse engineer, while maintaining its functionality. It is used to protect intellectual property and sensitive data.
- Techniques: Code obfuscation can be applied to source code or app binaries, and common techniques include:
    - Aggregation Obfuscation: Removes structure from binaries by disassembling and reassembling code without symbolic information.
    - Arithmetic Obfuscation: Replaces simple arithmetic operations with more complex expressions.
    - Call Hiding: Obscures function calls by renaming, using indirect calls, dynamic resolution, and control flow manipulation.
    - Code and Resource Encryption: Encrypts code and resources to make them unreadable without decryption keys.
    - Code Transposition: Rearranges the order of functions and instructions to hide the app’s logic.
    - Renaming Obfuscation: Replaces meaningful names with confusing ones.
    - Storage Obfuscation: Manipulates data storage to make it harder to understand.
    - String Encryption: Encrypts sensitive strings like API keys.
    - Data Transformation: Changes the form of data to make it less readable.
    - Code Flow Obfuscation: Alters the control flow of the code to make it less understandable.
    - Address Obfuscation: Randomizes memory addresses.
    - Metadata Obfuscation: Encrypts sensitive information such as names of categories, classes, methods and protocols.
- Assembly Code Obfuscation: Transforms assembly code to make it harder to reverse engineer.
- Obfuscating Debug Information: Changes or removes debug data to block unauthorized access and debugging.
- Binary vs Traditional: Binary obfuscation operates on the compiled binary, while traditional obfuscation modifies source code or bytecode. B

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1135</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63518307]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7388485943.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>India's App Store Showdown: Will Apple and Google Bend to Government Demands?</title>
      <link>https://player.megaphone.fm/NPTNI1615142828</link>
      <description>India's App Store Showdown: Will Apple and Google Bend to Government Demands?

Episode Description: In this episode of Upwardly Mobile, we delve into the escalating conflict between the Indian government and tech giants Apple and Google. India, a rapidly growing smartphone market, is pushing for greater control over its digital landscape, demanding that Apple and Google include a state-backed app store, GOV.in, on their platforms. We explore the potential implications of this move, from cybersecurity to market dominance, and discuss whether these tech giants will concede to government pressure. Will India's push set a new precedent for tech regulation globally? Tune in to find out!

Key Talking Points:
• The Indian Government's Demands: India’s Ministry of Electronics and Information Technology (MeitY) has requested Apple and Google to feature a government-backed app store (GOV.in) within their respective app marketplaces.
◦ The government wants direct access for Indian users to its suite of apps.
◦ They aim to have the app suite pre-installed on devices and available for download without "untrusted source" warnings.
◦ The goal is to expand the distribution of public welfare services via technology.
• Apple and Google's Resistance: Both companies are reportedly pushing back against the request.
◦ Apple traditionally does not allow third-party app stores within its App Store.
◦ Google's Android accounts for over 90% of the smartphone market in India and is also resisting the initiative.
• Precedents and Possible Actions:
◦ Apple previously complied with similar regulations in Russia by offering users an option to install government-suggested apps during setup.
◦ India may consider policy mandates or legal measures if Apple and Google do not comply.
• Cybersecurity and App Revenue:
◦ The Indian government believes that a state-backed app store could improve cybercrime statistics.
◦ Apple and Google currently manage app development to reduce exposure to viruses and cyber threats.
◦ Apple and Google take a 30% cut of app revenue from their app stores, giving them significant control over smartphones globally.
• India's Tech Regulation History:
◦ India has a history of imposing strict regulations on global tech companies.
◦ This includes banning TikTok in 2020 and demanding access to encrypted WhatsApp messages.
◦ India's tech policies often influence other countries.
• Market Implications:
◦ India is a crucial growth market for smartphones, including for Apple and Google.
◦ Apple suppliers are increasing their manufacturing presence in India.
◦ Google also plans to invest billions in India for smartphone assembly and services.
Keywords: India, Apple, Google, App Store, GOV.in, state-backed apps, smartphone market, technology regulation, cybersecurity, digital services, public welfare, mobile apps, iOS, Android, MeitY, government apps, cybercrime, India tech policy
 
Relevant L

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 23 Jan 2025 19:13:30 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>India's App Store Showdown: Will Apple and Google Bend to Government Demands?

Episode Description: In this episode of Upwardly Mobile, we delve into the escalating conflict between the Indian government and tech giants Apple and Google. India, a rapidly growing smartphone market, is pushing for greater control over its digital landscape, demanding that Apple and Google include a state-backed app store, GOV.in, on their platforms. We explore the potential implications of this move, from cybersecurity to market dominance, and discuss whether these tech giants will concede to government pressure. Will India's push set a new precedent for tech regulation globally? Tune in to find out!

Key Talking Points:
• The Indian Government's Demands: India’s Ministry of Electronics and Information Technology (MeitY) has requested Apple and Google to feature a government-backed app store (GOV.in) within their respective app marketplaces.
◦ The government wants direct access for Indian users to its suite of apps.
◦ They aim to have the app suite pre-installed on devices and available for download without "untrusted source" warnings.
◦ The goal is to expand the distribution of public welfare services via technology.
• Apple and Google's Resistance: Both companies are reportedly pushing back against the request.
◦ Apple traditionally does not allow third-party app stores within its App Store.
◦ Google's Android accounts for over 90% of the smartphone market in India and is also resisting the initiative.
• Precedents and Possible Actions:
◦ Apple previously complied with similar regulations in Russia by offering users an option to install government-suggested apps during setup.
◦ India may consider policy mandates or legal measures if Apple and Google do not comply.
• Cybersecurity and App Revenue:
◦ The Indian government believes that a state-backed app store could improve cybercrime statistics.
◦ Apple and Google currently manage app development to reduce exposure to viruses and cyber threats.
◦ Apple and Google take a 30% cut of app revenue from their app stores, giving them significant control over smartphones globally.
• India's Tech Regulation History:
◦ India has a history of imposing strict regulations on global tech companies.
◦ This includes banning TikTok in 2020 and demanding access to encrypted WhatsApp messages.
◦ India's tech policies often influence other countries.
• Market Implications:
◦ India is a crucial growth market for smartphones, including for Apple and Google.
◦ Apple suppliers are increasing their manufacturing presence in India.
◦ Google also plans to invest billions in India for smartphone assembly and services.
Keywords: India, Apple, Google, App Store, GOV.in, state-backed apps, smartphone market, technology regulation, cybersecurity, digital services, public welfare, mobile apps, iOS, Android, MeitY, government apps, cybercrime, India tech policy
 
Relevant L

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[India's App Store Showdown: Will Apple and Google Bend to Government Demands?

Episode Description: In this episode of Upwardly Mobile, we delve into the escalating conflict between the Indian government and tech giants Apple and Google. India, a rapidly growing smartphone market, is pushing for greater control over its digital landscape, demanding that Apple and Google include a state-backed app store, GOV.in, on their platforms. We explore the potential implications of this move, from cybersecurity to market dominance, and discuss whether these tech giants will concede to government pressure. Will India's push set a new precedent for tech regulation globally? Tune in to find out!

Key Talking Points:
• The Indian Government's Demands: India’s Ministry of Electronics and Information Technology (MeitY) has requested Apple and Google to feature a government-backed app store (GOV.in) within their respective app marketplaces.
◦ The government wants direct access for Indian users to its suite of apps.
◦ They aim to have the app suite pre-installed on devices and available for download without "untrusted source" warnings.
◦ The goal is to expand the distribution of public welfare services via technology.
• Apple and Google's Resistance: Both companies are reportedly pushing back against the request.
◦ Apple traditionally does not allow third-party app stores within its App Store.
◦ Google's Android accounts for over 90% of the smartphone market in India and is also resisting the initiative.
• Precedents and Possible Actions:
◦ Apple previously complied with similar regulations in Russia by offering users an option to install government-suggested apps during setup.
◦ India may consider policy mandates or legal measures if Apple and Google do not comply.
• Cybersecurity and App Revenue:
◦ The Indian government believes that a state-backed app store could improve cybercrime statistics.
◦ Apple and Google currently manage app development to reduce exposure to viruses and cyber threats.
◦ Apple and Google take a 30% cut of app revenue from their app stores, giving them significant control over smartphones globally.
• India's Tech Regulation History:
◦ India has a history of imposing strict regulations on global tech companies.
◦ This includes banning TikTok in 2020 and demanding access to encrypted WhatsApp messages.
◦ India's tech policies often influence other countries.
• Market Implications:
◦ India is a crucial growth market for smartphones, including for Apple and Google.
◦ Apple suppliers are increasing their manufacturing presence in India.
◦ Google also plans to invest billions in India for smartphone assembly and services.
Keywords: India, Apple, Google, App Store, GOV.in, state-backed apps, smartphone market, technology regulation, cybersecurity, digital services, public welfare, mobile apps, iOS, Android, MeitY, government apps, cybercrime, India tech policy
 
Relevant L

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>730</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63858124]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1615142828.mp3?updated=1778665565" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Open Mobile Hub - Revolutionizing Mobile App Development</title>
      <link>https://player.megaphone.fm/NPTNI3094549609</link>
      <description>Upwardly Mobile Podcast -  
Episode Title: Open Mobile Hub - Revolutionizing Mobile App Development

Episode Description: This week we delve into the evolving landscape of mobile app development, exploring how new regulations and open-source initiatives are challenging the dominance of closed ecosystems. We'll discuss the implications of Japan's new law forcing Apple and Google to open their mobile platforms, and the impact of the Linux Foundation's new Open Mobile Hub. We will also explore how developers can secure their apps in open environments, using solutions like Approov.

Key Discussion Points:
● Japan's New Law:
○ Japan's parliament has passed a law requiring Apple and Google to allow third-party app stores and payment providers on their mobile devices.
○ This law aims to foster a more innovative and open smartphone market by addressing the current oligopoly.
○ The law also mandates that users be able to change default settings and that developers have access to the same level of performance as the designated providers.
○ Fines for non-compliance could reach 20% of relevant turnover.
○ This is similar to the EU's Digital Markets Act (DMA).

● The Linux Foundation's Open Mobile Hub (OMH):
○ The Linux Foundation Europe has launched the Open Mobile Hub, an open-source framework for cross-platform mobile development.
○ The OMH aims to reduce complexity and accelerate app development with a unified suite of SDKs and tools.
○ Key features include SDKs for Login &amp; Authentication, Maps &amp; Location, and Storage.
○ The OMH also features extensible plugins, allowing third-party services to be integrated, such as mapping services.
○ Founding organizations include Futurewei, Squid, Meetkai, BharOS, and Amaze.

● Security in Open Ecosystems:
○ Non-GMS (Google Mobile Services) apps face unique security challenges, including a lack of Google's security services and increased risk of malware.
○ App attestation is crucial for verifying the integrity of apps and devices, protecting against tampering.
○ Approov offers an alternative to Google's Play Integrity and SafetyNet for app attestation, especially for non-GMS apps.
○ Approov provides real-time threat detection, customizable policies, and continuous monitoring.
○ Open ecosystems can be as secure as closed ones and can offer increased flexibility and adaptability.
○ Openness fosters innovation, collaboration, and better standards.

Links Mentioned:
● The Register Article: https://www.theregister.com/2024/06/13/japan_dma_law/
● Linux Foundation Europe: https://linuxfoundation.eu/
● Open Mobile Hub: https://openmobilehub.org/
● Approov: https://www.approov.io/
● Approov Blog post on Enhancing Android App Security: https://www.approov.io/blog/enhancing-android-app-security-approovs-role-with-non-gms-apps/
● Japan Fair Trade Commission (JFTC) Act Outline [PDF]: (This PDF needs to be located and linked)

Keywords:
● Mobile app development
● Open ecosystems
● Third-party app

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 20 Jan 2025 08:05:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile Podcast -  
Episode Title: Open Mobile Hub - Revolutionizing Mobile App Development

Episode Description: This week we delve into the evolving landscape of mobile app development, exploring how new regulations and open-source initiatives are challenging the dominance of closed ecosystems. We'll discuss the implications of Japan's new law forcing Apple and Google to open their mobile platforms, and the impact of the Linux Foundation's new Open Mobile Hub. We will also explore how developers can secure their apps in open environments, using solutions like Approov.

Key Discussion Points:
●
Japan's New Law:
○ Japan's parliament has passed a law requiring Apple and Google to allow third-party app stores and payment providers on their mobile devices.
○ This law aims to foster a more innovative and open smartphone market by addressing the current oligopoly.
○ The law also mandates that users be able to change default settings and that developers have access to the same level of performance as the designated providers4.
○ Fines for non-compliance could reach 20% of relevant turnover5.
○ This is similar to the EU's Digital Markets Act (DMA)6.

● The Linux Foundation's Open Mobile Hub (OMH):
○ The Linux Foundation Europe has launched the Open Mobile Hub, an open-source framework for cross-platform mobile development.
○ The OMH aims to reduce complexity and accelerate app development with a unified suite of SDKs and tools.
○ Key features include SDKs for Login &amp; Authentication, Maps &amp; Location, and Storage.
○ The OMH also features extensible plugins, allowing third-party services such as mapping providers to be integrated.
○ Founding organizations include Futurewei, Squid, Meetkai, BharOS, and Amaze.

● Security in Open Ecosystems:
○ Non-GMS (Google Mobile Services) apps face unique security challenges: Google's security services, such as Play Protect and the Play Integrity API, are unavailable, and the risk of malware from sideloaded or third-party-store installs is higher.
○ App attestation is crucial for verifying the integrity of the app and the device it runs on, so that the backend API only serves genuine, untampered clients.
○ Approov offers an alternative to Google's Play Integrity and SafetyNet for app attestation, especially for non-GMS apps (SafetyNet Attestation is deprecated in favour of Play Integrity, and neither works without Google Play services).
○ Approov provides real-time threat detection, customizable policies, and continuous monitoring.
○ Open ecosystems can be as secure as closed ones and can offer increased flexibility and adaptability.
○ Openness fosters innovation, collaboration, and better standards.

Links Mentioned:
● The Register Article: https://www.theregister.com/2024/06/13/japan_dma_law/
● Linux Foundation Europe: https://linuxfoundation.eu/
● Open Mobile Hub: https://openmobilehub.org/
● Approov: https://www.approov.io/
● Approov Blog post on Enhancing Android App Security: https://www.approov.io/blog/enhancing-android-app-security-approovs-role-with-non-gms-apps/
● Japan Fair Trade Commission (JFTC) Act Outline [PDF]: (This PDF needs to be located and linked)

Keywords:
● Mobile app development
● Open ecosystems
● Third-party app

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile Podcast -  
Episode Title: Open Mobile Hub - Revolutionizing Mobile App Development

Episode Description: This week we delve into the evolving landscape of mobile app development, exploring how new regulations and open-source initiatives are challenging the dominance of closed ecosystems. We'll discuss the implications of Japan's new law forcing Apple and Google to open their mobile platforms, and the impact of the Linux Foundation's new Open Mobile Hub. We will also explore how developers can secure their apps in open environments, using solutions like Approov.

Key Discussion Points:
● Japan's New Law:
○ Japan's parliament has passed a law requiring Apple and Google to allow third-party app stores and payment providers on their mobile devices.
○ This law aims to foster a more innovative and open smartphone market by addressing the current oligopoly.
○ The law also mandates that users be able to change default settings and that developers have access to the same level of performance as the designated providers.
○ Fines for non-compliance could reach 20% of relevant turnover.
○ This is similar to the EU's Digital Markets Act (DMA).

● The Linux Foundation's Open Mobile Hub (OMH):
○ The Linux Foundation Europe has launched the Open Mobile Hub, an open-source framework for cross-platform mobile development.
○ The OMH aims to reduce complexity and accelerate app development with a unified suite of SDKs and tools.
○ Key features include SDKs for Login & Authentication, Maps & Location, and Storage.
○ The OMH also features extensible plugins, allowing third-party services such as mapping providers to be integrated.
○ Founding organizations include Futurewei, Squid, Meetkai, BharOS, and Amaze.

● Security in Open Ecosystems:
○ Non-GMS (Google Mobile Services) apps face unique security challenges: Google's security services, such as Play Protect and the Play Integrity API, are unavailable, and the risk of malware from sideloaded or third-party-store installs is higher.
○ App attestation is crucial for verifying the integrity of the app and the device it runs on, so that the backend API only serves genuine, untampered clients.
○ Approov offers an alternative to Google's Play Integrity and SafetyNet for app attestation, especially for non-GMS apps (SafetyNet Attestation is deprecated in favour of Play Integrity, and neither works without Google Play services).
○ Approov provides real-time threat detection, customizable policies, and continuous monitoring.
○ Open ecosystems can be as secure as closed ones and can offer increased flexibility and adaptability.
○ Openness fosters innovation, collaboration, and better standards.
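
Added example (not from the episode, Approov or Google): the backend half of the attestation pattern discussed above. The app obtains a short-lived signed token from an attestation service once the app and device pass its checks, sends it with every API call, and the API rejects any request whose token does not verify. This Python illustration uses only the standard library; the shared secret, the claim names (exp, pay) and the binding of the token to a hash of the client's API key are assumptions made for the demo, not Approov's or Play Integrity's actual token format.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret (assumption). In a real deployment this is a
# high-entropy key shared only by the attestation service and the API backend.
ATTESTATION_SECRET = b"demo-secret-do-not-use-in-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def binding_hash(value: str) -> str:
    """Hash of something the backend can recompute per request (here the API key),
    so a token issued to one client is useless when replayed by another."""
    return b64url_encode(hashlib.sha256(value.encode()).digest())


def mint_token(secret: bytes, exp: int, binding: Optional[str] = None) -> str:
    """What the attestation service hands a genuine app: a short-lived HS256 JWT.
    Claim names are assumptions for this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"exp": exp}
    if binding is not None:
        payload["pay"] = binding
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes, expected_binding: Optional[str] = None,
                 now: Optional[int] = None, leeway: int = 0) -> Tuple[bool, str]:
    """Backend-side gate run before any API handler. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # Pin the algorithm server-side; never trust the token's own "alg"
    # (blocks alg=none and HMAC/RSA key-confusion tricks).
    if header.get("alg") != "HS256":
        return False, "bad alg"
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    # A short expiry is what limits replay of a stolen token.
    exp = payload.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool) or now > exp + leeway:
        return False, "expired"
    if expected_binding is not None:
        pay = payload.get("pay")
        if not isinstance(pay, str) or not hmac.compare_digest(pay, expected_binding):
            return False, "binding mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    api_key_hash = binding_hash("client-api-key-123")  # constructed sample key
    good = mint_token(ATTESTATION_SECRET, now + 300, api_key_hash)
    print(verify_token(good, ATTESTATION_SECRET, api_key_hash, now=now))        # (True, 'ok')
    print(verify_token(good, ATTESTATION_SECRET, api_key_hash, now=now + 600))  # (False, 'expired')
    print(verify_token(good, b"wrong-secret", api_key_hash, now=now))           # (False, 'bad signature')
```

The two choices that matter in practice are pinning the algorithm on the server rather than reading it from the token, and binding the token to something the backend can recompute per request; without the binding, a token lifted from one device by a repackaged app works from anywhere until it expires.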

Links Mentioned:
● The Register Article: https://www.theregister.com/2024/06/13/japan_dma_law/
● Linux Foundation Europe: https://linuxfoundation.eu/
● Open Mobile Hub: https://openmobilehub.org/
● Approov: https://www.approov.io/
● Approov Blog post on Enhancing Android App Security: https://www.approov.io/blog/enhancing-android-app-security-approovs-role-with-non-gms-apps/
● Japan Fair Trade Commission (JFTC) Act Outline [PDF]: (This PDF needs to be located and linked)

Keywords:
● Mobile app development
● Open ecosystems
● Third-party app

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>913</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63499298]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3094549609.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Little Red Book, Big Data Risk: The REDnote Security Threat</title>
      <link>https://player.megaphone.fm/NPTNI4867011345</link>
      <description>Little Red Book, Big Data Risk: The REDnote Security Threat

In this episode of Upwardly Mobile, we dive into the complex and concerning rise of REDnote, the Chinese social media app gaining traction in the US after the TikTok ban. Is it just a new platform for social media users or a significant threat to data security and national security? We explore the reasons why millions of Americans are migrating to this app, the potential dangers it poses, and what it means for the future of social media regulation. Join us as we unpack the paradox of users flocking to a platform with even greater potential risks than the one they left behind.

Audio Summary/Episode Notes:
• Introduction: The US Supreme Court has upheld the ban on TikTok, causing a mass migration of users to the Chinese social media platform REDnote. This episode explores the security and privacy implications of this move.
• The Rise of REDnote: We discuss the rapid increase in REDnote users, with over 3 million Americans joining in a single day. The app is now at the top of the US App Store. This surge in popularity is driven by users seeking an alternative platform after the TikTok ban, with some jokingly saying they are willingly giving their data to China as payback for the ban.
• What is REDnote? REDnote, known as Xiaohongshu in China, is a lifestyle-focused platform combining features of Instagram, Pinterest, and TikTok. It has over 300 million monthly users globally. It is one of the few social media platforms that operate on both sides of the Great Firewall.
• The Cybersecurity Risks:
◦ Data Storage: Unlike TikTok, which has attempted to store some data on US servers, REDnote's servers are primarily located in China. This means user data is subject to Chinese cybersecurity laws, requiring companies to grant government access upon request.
◦ Terms of Service: REDnote's terms of service are written in Mandarin, making it difficult for US users to understand the implications of data usage.
◦ Government Access: Experts warn that the app could be used by the Chinese government for espionage and influence operations. It is easier for the Chinese government to spy on Americans and push propaganda through this platform.
◦ Lack of Vetting: REDnote has not been vetted as extensively as TikTok, making it potentially more dangerous.
• The Paradox of the Ban: The attempt to protect American users from Chinese data collection has led many to voluntarily join another Chinese-owned app, highlighting a paradox in digital platform regulation.
• Content Control: REDnote’s content moderation policies appear stricter than TikTok’s, with searches for terms like "Xi Jinping" and "Free Hong Kong" yielding no results.
• Potential Regulatory Scrutiny: Like TikTok, REDnote could face similar scrutiny under the Protecting Americans from Foreign Adversary Controlled Applications Act. However, the chances of a Chinese company like REDnote complying with US requirements seem s

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 19 Jan 2025 17:02:23 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Little Red Book, Big Data Risk: The REDnote Security Threat

In this episode of Upwardly Mobile, we dive into the complex and concerning rise of REDnote, the Chinese social media app gaining traction in the US after the TikTok ban. Is it just a new platform for social media users or a significant threat to data security and national security? We explore the reasons why millions of Americans are migrating to this app, the potential dangers it poses, and what it means for the future of social media regulation. Join us as we unpack the paradox of users flocking to a platform with even greater potential risks than the one they left behind.

Audio Summary/Episode Notes:
• Introduction: The US Supreme Court has upheld the ban on TikTok, causing a mass migration of users to the Chinese social media platform REDnote. This episode explores the security and privacy implications of this move.
• The Rise of REDnote: We discuss the rapid increase in REDnote users, with over 3 million Americans joining in a single day. The app is now at the top of the US App Store. This surge in popularity is driven by users seeking an alternative platform after the TikTok ban, with some jokingly saying they are willingly giving their data to China as payback for the ban.
• What is REDnote? REDnote, known as Xiaohongshu in China, is a lifestyle-focused platform combining features of Instagram, Pinterest, and TikTok. It has over 300 million monthly users globally. It is one of the few social media platforms that operate on both sides of the Great Firewall.
• The Cybersecurity Risks:
◦ Data Storage: Unlike TikTok, which has attempted to store some data on US servers, REDnote's servers are primarily located in China. This means user data is subject to Chinese cybersecurity laws, requiring companies to grant government access upon request.
◦ Terms of Service: REDnote's terms of service are written in Mandarin, making it difficult for US users to understand the implications of data usage.
◦ Government Access: Experts warn that the app could be used by the Chinese government for espionage and influence operations. It is easier for the Chinese government to spy on Americans and push propaganda through this platform.
◦ Lack of Vetting: REDnote has not been vetted as extensively as TikTok, making it potentially more dangerous.
• The Paradox of the Ban: The attempt to protect American users from Chinese data collection has led many to voluntarily join another Chinese-owned app, highlighting a paradox in digital platform regulation.
• Content Control: REDnote’s content moderation policies appear stricter than TikTok’s, with searches for terms like "Xi Jinping" and "Free Hong Kong" yielding no results.
• Potential Regulatory Scrutiny: Like TikTok, REDnote could face similar scrutiny under the Protecting Americans from Foreign Adversary Controlled Applications Act. However, the chances of a Chinese company like REDnote complying with US requirements seem s

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Little Red Book, Big Data Risk: The REDnote Security Threat

In this episode of Upwardly Mobile, we dive into the complex and concerning rise of REDnote, the Chinese social media app gaining traction in the US after the TikTok ban. Is it just a new platform for social media users or a significant threat to data security and national security? We explore the reasons why millions of Americans are migrating to this app, the potential dangers it poses, and what it means for the future of social media regulation. Join us as we unpack the paradox of users flocking to a platform with even greater potential risks than the one they left behind.

Audio Summary/Episode Notes:
• Introduction: The US Supreme Court has upheld the ban on TikTok, causing a mass migration of users to the Chinese social media platform REDnote. This episode explores the security and privacy implications of this move.
• The Rise of REDnote: We discuss the rapid increase in REDnote users, with over 3 million Americans joining in a single day. The app is now at the top of the US App Store. This surge in popularity is driven by users seeking an alternative platform after the TikTok ban, with some jokingly saying they are willingly giving their data to China as payback for the ban.
• What is REDnote? REDnote, known as Xiaohongshu in China, is a lifestyle-focused platform combining features of Instagram, Pinterest, and TikTok. It has over 300 million monthly users globally. It is one of the few social media platforms that operate on both sides of the Great Firewall.
• The Cybersecurity Risks:
◦ Data Storage: Unlike TikTok, which has attempted to store some data on US servers, REDnote's servers are primarily located in China. This means user data is subject to Chinese cybersecurity laws, requiring companies to grant government access upon request.
◦ Terms of Service: REDnote's terms of service are written in Mandarin, making it difficult for US users to understand the implications of data usage.
◦ Government Access: Experts warn that the app could be used by the Chinese government for espionage and influence operations. It is easier for the Chinese government to spy on Americans and push propaganda through this platform.
◦ Lack of Vetting: REDnote has not been vetted as extensively as TikTok, making it potentially more dangerous.
• The Paradox of the Ban: The attempt to protect American users from Chinese data collection has led many to voluntarily join another Chinese-owned app, highlighting a paradox in digital platform regulation.
• Content Control: REDnote’s content moderation policies appear stricter than TikTok’s, with searches for terms like "Xi Jinping" and "Free Hong Kong" yielding no results.
• Potential Regulatory Scrutiny: Like TikTok, REDnote could face similar scrutiny under the Protecting Americans from Foreign Adversary Controlled Applications Act. However, the chances of a Chinese company like REDnote complying with US requirements seem s

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>760</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63752993]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4867011345.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Coalition for App Fairness - Japan's SSCPA Law</title>
      <link>https://player.megaphone.fm/NPTNI6071673566</link>
      <description>Episode Title: The Coalition for App Fairness:

- Welcome to today's discussion on the app store ecosystem and the challenges of anti-competitive policies imposed by tech giants like Apple and Google.
- We will explore how these companies' practices affect developers and consumers.
The Problem: A Broken Marketplace

- Apple and Google charge up to 30% on most in-app purchases, which is significantly higher than transaction fees in any other industry.
- This "app tax" impacts consumer spending power and significantly reduces developer revenue.
- This fee creates an unfair competitive advantage for Apple's own apps that compete with third party apps, as they do not have to pay this tax.
- Some developers have been forced out of business due to these fees, with one developer describing it as a "nuclear bomb".
    - Example: Treehouse's reading app, iFlow Reader.
- SEO Keywords: app tax, in-app purchases, revenue, developer, competitive disadvantage
Lack of Consumer Freedom

- The Apple App Store and Google Play Store act as "prisons" for consumers and developers, limiting options and competition.
- Unlike personal computer software, mobile apps are restricted to their respective app stores.
- Consumers cannot freely install software from any source they choose.
- App developers are not allowed to inform customers about less expensive options outside the app store.
    - Example: Fortnite upgrades cost less when purchased directly from Epic.
- This is akin to a store preventing a brand from offering coupons.
- SEO Keywords: consumer choice, app store restrictions, monopolistic behavior, software distribution
Anti-Competitive Policies

- Apple and Google use their operating system control to favour their own products and limit options for consumers.
- They force developers to sell via their app stores and may steal ideas from competitors.
- The Coalition for App Fairness believes all developers are entitled to compete in a fair marketplace.
Coalition for App Fairness Vision

- The Coalition for App Fairness advocates for the following principles for app stores:
    - Developers should not be required to use an app store exclusively or use the app store's ancillary services.
    - Developers should not be discriminated against or blocked from the platform.
    - Developers should have access to the same information and interoperability interfaces as the app store owners.
    - Developers should always have access to app stores as long as they meet fair standards.
    - A developer's data should not be used to compete with them.
    - Developers should have the right to communicate directly with their users.
    - App store owners should not favour their own apps or services.
    - Developers should not pay unfair fees or be forced to sell anything they do not wish to.
    - Third-party app stores should be allowed on the platform.
    - App store rules should be transparent.
- SEO Keywords: app store principles, fair marketplace, developer rights, plat

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 15 Jan 2025 08:15:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Title: The Coalition for App Fairness:

- Welcome to today's discussion on the app store ecosystem and the challenges of anti-competitive policies imposed by tech giants like Apple and Google.
- We will explore how these companies' practices affect developers and consumers.
The Problem: A Broken Marketplace

- Apple and Google charge up to 30% on most in-app purchases, which is significantly higher than transaction fees in any other industry.
- This "app tax" impacts consumer spending power and significantly reduces developer revenue.
- This fee creates an unfair competitive advantage for Apple's own apps that compete with third party apps, as they do not have to pay this tax.
- Some developers have been forced out of business due to these fees, with one developer describing it as a "nuclear bomb".
    - Example: Treehouse's reading app, iFlow Reader.
- SEO Keywords: app tax, in-app purchases, revenue, developer, competitive disadvantage
Lack of Consumer Freedom

- The Apple App Store and Google Play Store act as "prisons" for consumers and developers, limiting options and competition.
- Unlike personal computer software, mobile apps are restricted to their respective app stores.
- Consumers cannot freely install software from any source they choose.
- App developers are not allowed to inform customers about less expensive options outside the app store.
    - Example: Fortnite upgrades cost less when purchased directly from Epic.
- This is akin to a store preventing a brand from offering coupons.
- SEO Keywords: consumer choice, app store restrictions, monopolistic behavior, software distribution
Anti-Competitive Policies

- Apple and Google use their operating system control to favour their own products and limit options for consumers.
- They force developers to sell via their app stores and may steal ideas from competitors.
- The Coalition for App Fairness believes all developers are entitled to compete in a fair marketplace.
Coalition for App Fairness Vision

- The Coalition for App Fairness advocates for the following principles for app stores:
    - Developers should not be required to use an app store exclusively or use the app store's ancillary services.
    - Developers should not be discriminated against or blocked from the platform.
    - Developers should have access to the same information and interoperability interfaces as the app store owners.
    - Developers should always have access to app stores as long as they meet fair standards.
    - A developer's data should not be used to compete with them.
    - Developers should have the right to communicate directly with their users.
    - App store owners should not favour their own apps or services.
    - Developers should not pay unfair fees or be forced to sell anything they do not wish to.
    - Third-party app stores should be allowed on the platform.
    - App store rules should be transparent.
- SEO Keywords: app store principles, fair marketplace, developer rights, plat

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Title: The Coalition for App Fairness:

- Welcome to today's discussion on the app store ecosystem and the challenges of anti-competitive policies imposed by tech giants like Apple and Google.
- We will explore how these companies' practices affect developers and consumers.
The Problem: A Broken Marketplace

- Apple and Google charge up to 30% on most in-app purchases, which is significantly higher than transaction fees in any other industry.
- This "app tax" impacts consumer spending power and significantly reduces developer revenue.
- This fee creates an unfair competitive advantage for Apple's own apps that compete with third party apps, as they do not have to pay this tax.
- Some developers have been forced out of business due to these fees, with one developer describing it as a "nuclear bomb".
    - Example: Treehouse's reading app, iFlow Reader.
- SEO Keywords: app tax, in-app purchases, revenue, developer, competitive disadvantage
Lack of Consumer Freedom

- The Apple App Store and Google Play Store act as "prisons" for consumers and developers, limiting options and competition.
- Unlike personal computer software, mobile apps are restricted to their respective app stores.
- Consumers cannot freely install software from any source they choose.
- App developers are not allowed to inform customers about less expensive options outside the app store.
    - Example: Fortnite upgrades cost less when purchased directly from Epic.
- This is akin to a store preventing a brand from offering coupons.
- SEO Keywords: consumer choice, app store restrictions, monopolistic behavior, software distribution
Anti-Competitive Policies

- Apple and Google use their operating system control to favour their own products and limit options for consumers.
- They force developers to sell via their app stores and may steal ideas from competitors.
- The Coalition for App Fairness believes all developers are entitled to compete in a fair marketplace.
Coalition for App Fairness Vision

- The Coalition for App Fairness advocates for the following principles for app stores:
    - Developers should not be required to use an app store exclusively or use the app store's ancillary services.
    - Developers should not be discriminated against or blocked from the platform.
    - Developers should have access to the same information and interoperability interfaces as the app store owners.
    - Developers should always have access to app stores as long as they meet fair standards.
    - A developer's data should not be used to compete with them.
    - Developers should have the right to communicate directly with their users.
    - App store owners should not favour their own apps or services.
    - Developers should not pay unfair fees or be forced to sell anything they do not wish to.
    - Third-party app stores should be allowed on the platform.
    - App store rules should be transparent.
- SEO Keywords: app store principles, fair marketplace, developer rights, plat

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1254</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63517885]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6071673566.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple Under Fire: £1.5 Billion App Store Lawsuit</title>
      <link>https://player.megaphone.fm/NPTNI4878696954</link>
      <description>Upwardly Mobile: Apple Under Fire: £1.5 Billion App Store Lawsuit

Episode Summary: In this episode of Upwardly Mobile, we delve into the groundbreaking £1.5 billion class-action lawsuit that Apple is facing in the UK. We break down the complex legal battle, the arguments from both sides, and what it could mean for consumers and the tech industry as a whole. Is Apple abusing its dominant position in the app market, or is this just another example of opportunistic litigation? We'll explore the details of this landmark case. Key Discussion Points:
- The Lawsuit: A detailed look at the class action lawsuit filed against Apple, alleging anti-competitive practices related to its App Store. The case claims that Apple forces iOS users to download apps exclusively from its App Store while charging developers significant commissions.
- The Allegations: The claimants argue that Apple has established a monopoly by requiring developers to use its App Store and that the commissions, up to 30% on purchases, are excessive and unfairly passed on to consumers. These commissions are claimed to be much higher than if alternative platforms existed.
- Who's Involved?: We cover the key players, including Rachael Kent, the "class representative" from King’s College London, who is leading the case on behalf of 19.6 million UK iPhone and iPad users. The legal teams are led by Mark Hoskins KC and Tim Ward KC.
- Apple's Defence: Apple has dismissed the lawsuit as "meritless", arguing that its App Store commissions are comparable to other digital marketplaces. They claim that most apps are free and many developers qualify for a reduced 15% commission rate. Apple further argues that the market definition used by the claimants is too narrow.
- Market Dominance: The claimants argue Apple has entrenched market power in its "ecosystem" of devices and software. Apple disputes that they have a dominant position in the broader digital transaction and device market.
- The Legal Battle: This is the first case of its kind to reach trial in the UK. The seven-week trial at the UK's Competition Appeal Tribunal is being closely watched. The newly appointed CFO of Apple, Kevan Parekh, is expected to testify.
- Broader Context: This lawsuit is part of a wider trend of legal challenges against Big Tech companies. We also mention other legal actions against Apple, including a £785 million UK lawsuit related to developer fees and a €1.8 billion fine by the European Commission for breaching competition rules relating to music streaming services. There is also a class action lawsuit by Which? against Apple over an alleged iCloud monopoly.
- Implications: The outcome of this case could have significant implications for app developers, consumers, and other tech companies facing similar antitrust claims.
Relevant Links:
- Financial Times Article: https://www.ft.com/content/4781c5b9-c6cb-4c94-8e35-1a5676c0c660
- MacRumors Article: https://www.macrumors.com/2025/01/13/apple-1-5-billion-uk-lawsuit-app-sto

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 13 Jan 2025 22:19:45 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile: Apple Under Fire: £1.5 Billion App Store Lawsuit

Episode Summary: In this episode of Upwardly Mobile, we delve into the groundbreaking £1.5 billion class-action lawsuit that Apple is facing in the UK. We break down the complex legal battle, the arguments from both sides, and what it could mean for consumers and the tech industry as a whole. Is Apple abusing its dominant position in the app market, or is this just another example of opportunistic litigation? We'll explore the details of this landmark case. Key Discussion Points:
- The Lawsuit: A detailed look at the class action lawsuit filed against Apple, alleging anti-competitive practices related to its App Store. The case claims that Apple forces iOS users to download apps exclusively from its App Store while charging developers significant commissions.
- The Allegations: The claimants argue that Apple has established a monopoly by requiring developers to use its App Store and that the commissions, up to 30% on purchases, are excessive and unfairly passed on to consumers. These commissions are claimed to be much higher than if alternative platforms existed.
- Who's Involved?: We cover the key players, including Rachael Kent, the "class representative" from King’s College London, who is leading the case on behalf of 19.6 million UK iPhone and iPad users. The legal teams are led by Mark Hoskins KC and Tim Ward KC.
- Apple's Defence: Apple has dismissed the lawsuit as "meritless", arguing that its App Store commissions are comparable to other digital marketplaces. They claim that most apps are free and many developers qualify for a reduced 15% commission rate. Apple further argues that the market definition used by the claimants is too narrow.
- Market Dominance: The claimants argue Apple has entrenched market power in its "ecosystem" of devices and software. Apple disputes that they have a dominant position in the broader digital transaction and device market.
- The Legal Battle: This is the first case of its kind to reach trial in the UK. The seven-week trial at the UK's Competition Appeal Tribunal is being closely watched. The newly appointed CFO of Apple, Kevan Parekh, is expected to testify.
- Broader Context: This lawsuit is part of a wider trend of legal challenges against Big Tech companies. We also mention other legal actions against Apple, including a £785 million UK lawsuit related to developer fees and a €1.8 billion fine by the European Commission for breaching competition rules relating to music streaming services. There is also a class action lawsuit by Which? against Apple over an alleged iCloud monopoly.
- Implications: The outcome of this case could have significant implications for app developers, consumers, and other tech companies facing similar antitrust claims.
Relevant Links:
- Financial Times Article: https://www.ft.com/content/4781c5b9-c6cb-4c94-8e35-1a5676c0c660
- MacRumors Article: https://www.macrumors.com/2025/01/13/apple-1-5-billion-uk-lawsuit-app-sto

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile: Apple Under Fire: £1.5 Billion App Store Lawsuit

Episode Summary: In this episode of Upwardly Mobile, we delve into the groundbreaking £1.5 billion class-action lawsuit that Apple is facing in the UK. We break down the complex legal battle, the arguments from both sides, and what it could mean for consumers and the tech industry as a whole. Is Apple abusing its dominant position in the app market, or is this just another example of opportunistic litigation? We'll explore the details of this landmark case. Key Discussion Points:
- The Lawsuit: A detailed look at the class action lawsuit filed against Apple, alleging anti-competitive practices related to its App Store. The case claims that Apple forces iOS users to download apps exclusively from its App Store while charging developers significant commissions.
- The Allegations: The claimants argue that Apple has established a monopoly by requiring developers to use its App Store and that the commissions, up to 30% on purchases, are excessive and unfairly passed on to consumers. These commissions are claimed to be much higher than if alternative platforms existed.
- Who's Involved?: We cover the key players, including Rachael Kent, the "class representative" from King’s College London, who is leading the case on behalf of 19.6 million UK iPhone and iPad users. The legal teams are led by Mark Hoskins KC and Tim Ward KC.
- Apple's Defence: Apple has dismissed the lawsuit as "meritless", arguing that its App Store commissions are comparable to other digital marketplaces. They claim that most apps are free and many developers qualify for a reduced 15% commission rate. Apple further argues that the market definition used by the claimants is too narrow.
- Market Dominance: The claimants argue Apple has entrenched market power in its "ecosystem" of devices and software. Apple disputes that they have a dominant position in the broader digital transaction and device market.
- The Legal Battle: This is the first case of its kind to reach trial in the UK. The seven-week trial at the UK's Competition Appeal Tribunal is being closely watched. The newly appointed CFO of Apple, Kevan Parekh, is expected to testify.
- Broader Context: This lawsuit is part of a wider trend of legal challenges against Big Tech companies. We also mention other legal actions against Apple, including a £785 million UK lawsuit related to developer fees and a €500 million fine by the European Commission for breaching competition rules relating to music streaming services. There is also a class action lawsuit by Which? against Apple for alleged iCloud Monopoly.
- Implications: The outcome of this case could have significant implications for app developers, consumers, and other tech companies facing similar antitrust claims.
Relevant Links:
- Financial Times Article: https://www.ft.com/content/4781c5b9-c6cb-4c94-8e35-1a5676c0c660
- MacRumors Article: https://www.macrumors.com/2025/01/13/apple-1-5-billion-uk-lawsuit-app-sto

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1086</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63679956]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI4878696954.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Flexion | Level Up Your Revenue + How to Reduce App Store Fees &amp; Combat Cheating</title>
      <link>https://player.megaphone.fm/NPTNI7093561222</link>
      <description>Upwardly Mobile | Episode: Level Up Your Revenue: How to Reduce App Store Fees and Combat Cheating 

Episode Summary: Are you a mobile game developer struggling with the high costs of app store fees and the persistent threat of cheating? In this episode of Upwardly Mobile, we dive deep into strategies to maximise your revenue and protect your games. We'll explore how to navigate the complex landscape of app store fees charged by Apple and Google and introduce innovative solutions to help you keep more of your earnings. We'll also tackle the crucial topic of game security, with a focus on preventing exploits using tools like GameGuardian, which can damage your game's integrity and reputation.
Key Topics Discussed:
- The Financial Burden of App Store Fees: Apple and Google charge substantial fees for in-app purchases, ranging from 15% to 30%. These costs can severely impact a developer's profitability, particularly for smaller studios. We'll discuss how to minimise these costs.
- Flexion: An Alternative Approach: Learn how Flexion (NASDAQ: FLEXM) offers an alternative to traditional app distribution, allowing you to bypass some of the high fees imposed by major platforms. Flexion enables developers to distribute games across various alternative app stores, such as the Samsung Galaxy Store, Huawei AppGallery, Xiaomi GetApps, and Amazon Appstore. This approach not only broadens your audience reach but also reduces reliance on high-fee models.
- Benefits of Using Flexion:
    - Reduced Upfront Costs: Enter alternative markets with little to no upfront investment.
    - Enhanced Revenue: Games distributed through Flexion’s channels have seen an increase in revenue by approximately 10% compared to Google Play.
    - Simplified Integration: Flexion offers a streamlined onboarding process.
    - Expertise in User Acquisition: Flexion aids developers in user acquisition strategies tailored for alternative app stores.
- Monetisation Strategies: Explore alternative monetisation strategies beyond in-app purchases, such as subscription models, advertising and partnerships, to potentially lower the percentage of fees paid to platform holders. Structuring in-app purchases strategically can also help maximise revenue and minimise fees.
- GameGuardian and Cheating: The impact of cheating on a game’s reputation and the user experience will be discussed. GameGuardian, a tool that allows users to modify in-game values, is a significant threat.
- Approov Mobile Security: Discover how Approov Mobile Security can detect and prevent cheating attempts, including those using GameGuardian. Approov provides real-time protection with RASP (Runtime Application Self Protection) and customisable measures. Integrating the Approov SDK is straightforward and provides benefits like fair play, improved reputation, and increased user retention.
Links Mentioned in This Episode:
- Flexion: https://www.flexionmobile.com/
- Flexion and Digital Turbine Unlock Alternative App Distribution:

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sun, 12 Jan 2025 18:34:32 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile | Episode: Level Up Your Revenue: How to Reduce App Store Fees and Combat Cheating 

Episode Summary: Are you a mobile game developer struggling with the high costs of app store fees and the persistent threat of cheating? In this episode of Upwardly Mobile, we dive deep into strategies to maximise your revenue and protect your games. We'll explore how to navigate the complex landscape of app store fees charged by Apple and Google and introduce innovative solutions to help you keep more of your earnings. We'll also tackle the crucial topic of game security, with a focus on preventing exploits using tools like GameGuardian, which can damage your game's integrity and reputation.
Key Topics Discussed:
- The Financial Burden of App Store Fees: Apple and Google charge substantial fees for in-app purchases, ranging from 15% to 30%. These costs can severely impact a developer's profitability, particularly for smaller studios. We'll discuss how to minimise these costs.
- Flexion: An Alternative Approach: Learn how Flexion (NASDAQ: FLEXM) offers an alternative to traditional app distribution, allowing you to bypass some of the high fees imposed by major platforms. Flexion enables developers to distribute games across various alternative app stores, such as the Samsung Galaxy Store, Huawei AppGallery, Xiaomi GetApps, and Amazon Appstore. This approach not only broadens your audience reach but also reduces reliance on high-fee models.
- Benefits of Using Flexion:
    - Reduced Upfront Costs: Enter alternative markets with little to no upfront investment.
    - Enhanced Revenue: Games distributed through Flexion’s channels have seen an increase in revenue by approximately 10% compared to Google Play.
    - Simplified Integration: Flexion offers a streamlined onboarding process.
    - Expertise in User Acquisition: Flexion aids developers in user acquisition strategies tailored for alternative app stores.
- Monetisation Strategies: Explore alternative monetisation strategies beyond in-app purchases, such as subscription models, advertising and partnerships, to potentially lower the percentage of fees paid to platform holders. Structuring in-app purchases strategically can also help maximise revenue and minimise fees.
- GameGuardian and Cheating: The impact of cheating on a game’s reputation and the user experience will be discussed. GameGuardian, a tool that allows users to modify in-game values, is a significant threat.
- Approov Mobile Security: Discover how Approov Mobile Security can detect and prevent cheating attempts, including those using GameGuardian. Approov provides real-time protection with RASP (Runtime Application Self Protection) and customisable measures. Integrating the Approov SDK is straightforward and provides benefits like fair play, improved reputation, and increased user retention.
Links Mentioned in This Episode:
- Flexion: https://www.flexionmobile.com/
- Flexion and Digital Turbine Unlock Alternative App Distribution:

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile | Episode: Level Up Your Revenue: How to Reduce App Store Fees and Combat Cheating 

Episode Summary: Are you a mobile game developer struggling with the high costs of app store fees and the persistent threat of cheating? In this episode of Upwardly Mobile, we dive deep into strategies to maximise your revenue and protect your games. We'll explore how to navigate the complex landscape of app store fees charged by Apple and Google and introduce innovative solutions to help you keep more of your earnings. We'll also tackle the crucial topic of game security, with a focus on preventing exploits using tools like GameGuardian, which can damage your game's integrity and reputation.
Key Topics Discussed:
- The Financial Burden of App Store Fees: Apple and Google charge substantial fees for in-app purchases, ranging from 15% to 30%. These costs can severely impact a developer's profitability, particularly for smaller studios. We'll discuss how to minimise these costs.
- Flexion: An Alternative Approach: Learn how Flexion (NASDAQ: FLEXM) offers an alternative to traditional app distribution, allowing you to bypass some of the high fees imposed by major platforms. Flexion enables developers to distribute games across various alternative app stores, such as the Samsung Galaxy Store, Huawei AppGallery, Xiaomi GetApps, and Amazon Appstore. This approach not only broadens your audience reach but also reduces reliance on high-fee models.
- Benefits of Using Flexion:
    - Reduced Upfront Costs: Enter alternative markets with little to no upfront investment.
    - Enhanced Revenue: Games distributed through Flexion’s channels have seen an increase in revenue by approximately 10% compared to Google Play.
    - Simplified Integration: Flexion offers a streamlined onboarding process.
    - Expertise in User Acquisition: Flexion aids developers in user acquisition strategies tailored for alternative app stores.
- Monetisation Strategies: Explore alternative monetisation strategies beyond in-app purchases, such as subscription models, advertising and partnerships, to potentially lower the percentage of fees paid to platform holders. Structuring in-app purchases strategically can also help maximise revenue and minimise fees.
- GameGuardian and Cheating: The impact of cheating on a game’s reputation and the user experience will be discussed. GameGuardian, a tool that allows users to modify in-game values, is a significant threat.
- Approov Mobile Security: Discover how Approov Mobile Security can detect and prevent cheating attempts, including those using GameGuardian. Approov provides real-time protection with RASP (Runtime Application Self Protection) and customisable measures. Integrating the Approov SDK is straightforward and provides benefits like fair play, improved reputation, and increased user retention.
Links Mentioned in This Episode:
- Flexion: https://www.flexionmobile.com/
- Flexion and Digital Turbine Unlock Alternative App Distribution:

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>660</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63665540]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7093561222.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Mobile Security Threats to Connected Car Apps</title>
      <link>https://player.megaphone.fm/NPTNI2741138016</link>
      <description>This episode of Upwardly Mobile explores the security challenges in automotive mobile application development.
As cars become more connected, they also become prime targets for cyberattacks. Insecure mobile apps represent a significant attack vector in the connected car ecosystem, as they provide criminals with a gateway to access vehicle systems and sensitive data.
APIs, which are essential to the automotive data ecosystem, also introduce security risks. Hackers can exploit vulnerabilities in APIs to gain unauthorised access to or control over vehicle systems. Cases have already occurred where hackers accessed account credentials to launch remote attacks on vehicle APIs.
Connected car apps face various threats, such as unauthorised access, insecure data transmission, app vulnerabilities, malware, and physical security risks. These threats can endanger user safety, compromise data privacy, and disrupt vehicle functionality.
Traditional approaches to cybersecurity have relied on perimeter-based static defences. This approach is insufficient for the automotive industry due to the lack of a clear perimeter in connected vehicles and the dynamic nature of cyber threats. Zero trust is a security concept that assumes no implicit trust, regardless of whether the connection is external or internal.
Approov Mobile Security can enhance vehicle API security by allowing only authorised apps access, preventing API abuse and unauthorized data access. Approov's adaptable security policies enable a dynamic threat response, offering continuous protection for connected car systems against evolving cyber risks.
Learn more about Approov Mobile Security at https://www.approov.io/. Read the BMW case study here: https://www.approov.io/customers/bmw.
Please note that this podcast was created with the assistance of AI.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 10 Jan 2025 09:15:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>This episode of Upwardly Mobile explores the security challenges in automotive mobile application development.
As cars become more connected, they also become prime targets for cyberattacks. Insecure mobile apps represent a significant attack vector in the connected car ecosystem, as they provide criminals with a gateway to access vehicle systems and sensitive data.
APIs, which are essential to the automotive data ecosystem, also introduce security risks. Hackers can exploit vulnerabilities in APIs to gain unauthorised access to or control over vehicle systems. Cases have already occurred where hackers accessed account credentials to launch remote attacks on vehicle APIs.
Connected car apps face various threats, such as unauthorised access, insecure data transmission, app vulnerabilities, malware, and physical security risks. These threats can endanger user safety, compromise data privacy, and disrupt vehicle functionality.
Traditional approaches to cybersecurity have relied on perimeter-based static defences. This approach is insufficient for the automotive industry due to the lack of a clear perimeter in connected vehicles and the dynamic nature of cyber threats. Zero trust is a security concept that assumes no implicit trust, regardless of whether the connection is external or internal.
Approov Mobile Security can enhance vehicle API security by allowing only authorised apps access, preventing API abuse and unauthorized data access. Approov's adaptable security policies enable a dynamic threat response, offering continuous protection for connected car systems against evolving cyber risks.
Learn more about Approov Mobile Security at https://www.approov.io/. Read the BMW case study here: https://www.approov.io/customers/bmw.
Please note that this podcast was created with the assistance of AI.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[This episode of Upwardly Mobile explores the security challenges in automotive mobile application development.
As cars become more connected, they also become prime targets for cyberattacks. Insecure mobile apps represent a significant attack vector in the connected car ecosystem, as they provide criminals with a gateway to access vehicle systems and sensitive data.
APIs, which are essential to the automotive data ecosystem, also introduce security risks. Hackers can exploit vulnerabilities in APIs to gain unauthorised access to or control over vehicle systems. Cases have already occurred where hackers accessed account credentials to launch remote attacks on vehicle APIs.
Connected car apps face various threats, such as unauthorised access, insecure data transmission, app vulnerabilities, malware, and physical security risks. These threats can endanger user safety, compromise data privacy, and disrupt vehicle functionality.
Traditional approaches to cybersecurity have relied on perimeter-based static defences. This approach is insufficient for the automotive industry due to the lack of a clear perimeter in connected vehicles and the dynamic nature of cyber threats. Zero trust is a security concept that assumes no implicit trust, regardless of whether the connection is external or internal.
Approov Mobile Security can enhance vehicle API security by allowing only authorised apps access, preventing API abuse and unauthorized data access. Approov's adaptable security policies enable a dynamic threat response, offering continuous protection for connected car systems against evolving cyber risks.
Learn more about Approov Mobile Security at https://www.approov.io/. Read the BMW case study here: https://www.approov.io/customers/bmw.
Please note that this podcast was created with the assistance of AI.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1218</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63322214]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI2741138016.mp3?updated=1778663467" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>FireScam Android Malware: How Fake Telegram Premium Apps Exploit Firebase for Stealth Attacks</title>
      <link>https://player.megaphone.fm/NPTNI6875557670</link>
      <description>FireScam Android Malware: How Fake Telegram Premium Apps Exploit Firebase for Stealth Attacks

FireScam employs several techniques to evade detection and maintain persistence on a device.
- Disguise: The malware is distributed disguised as the "Telegram Premium" application, through a phishing website that mimics the legitimate RuStore application store. This disguise is intended to trick users into installing the malware, as they may believe they are installing a legitimate application.
- Dropper: A dropper named ‘ru.store.installer’ is used to install FireScam on devices running Android 8 and newer. The dropper requests several permissions, including the ability to query and list all installed applications, access and modify external storage, delete and install applications, and update applications without user consent. These permissions allow it to install FireScam and maintain control over it.
- Restricting App Updates: FireScam declares itself as the designated owner and restricts app updates to it, which prevents other installers from updating it, ensuring its persistence on the device. This prevents a user or another application from removing or replacing the malicious app with a legitimate version.
- Background activity: FireScam requests permissions that allow it to run in the background without restriction. This allows it to continue to function and collect data without the user being aware of it.
- Environment Checks: The malware checks process names at runtime, checks installed applications, and fingerprints the device to detect if it is running in a sandboxed or virtualized environment. This indicates that the malware is designed to avoid detection by security analysis tools.
- Firebase Cloud Messaging (FCM): FireScam registers a service to check for FCM notifications, enabling it to receive commands from its command-and-control (C&amp;C) server. It also defines permissions to control access to it, effectively creating a backdoor for communication between the malware and its components. This allows the malware to receive instructions and exfiltrate data without direct user interaction.
In summary, FireScam uses a combination of disguise, a dropper, persistence mechanisms, background activity, environment checks and a communication backdoor to evade detection and maintain its presence on an infected device.

● Approov Website: approov.io
● OWASP Mobile Security Project: https://owasp.org/www-project-mobile-security-testing-guide/ This link provides information about mobile security testing, app security, and API channel integrity.
○ OWASP Mobile Security Testing Guide: This is a key document from the OWASP Mobile Security Project, focusing on the development phase and identifying vulnerabilities in mobile app code.
○ Mobile App Sec Verification Standard (MASVS): This document provides a security checklist for when an app is ready to be released and acts as a baseline for penetration testing. It also defines security verification levels fo

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 09 Jan 2025 02:40:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>FireScam Android Malware: How Fake Telegram Premium Apps Exploit Firebase for Stealth Attacks

FireScam employs several techniques to evade detection and maintain persistence on a device.
- Disguise: The malware is distributed disguised as the "Telegram Premium" application, through a phishing website that mimics the legitimate RuStore application store. This disguise is intended to trick users into installing the malware, as they may believe they are installing a legitimate application.
- Dropper: A dropper named ‘ru.store.installer’ is used to install FireScam on devices running Android 8 and newer. The dropper requests several permissions, including the ability to query and list all installed applications, access and modify external storage, delete and install applications, and update applications without user consent. These permissions allow it to install FireScam and maintain control over it.
- Restricting App Updates: FireScam declares itself as the designated owner and restricts app updates to it, which prevents other installers from updating it, ensuring its persistence on the device. This prevents a user or another application from removing or replacing the malicious app with a legitimate version.
- Background activity: FireScam requests permissions that allow it to run in the background without restriction. This allows it to continue to function and collect data without the user being aware of it.
- Environment Checks: The malware checks process names at runtime, checks installed applications, and fingerprints the device to detect if it is running in a sandboxed or virtualized environment. This indicates that the malware is designed to avoid detection by security analysis tools.
- Firebase Cloud Messaging (FCM): FireScam registers a service to check for FCM notifications, enabling it to receive commands from its command-and-control (C&amp;C) server. It also defines permissions to control access to it, effectively creating a backdoor for communication between the malware and its components. This allows the malware to receive instructions and exfiltrate data without direct user interaction.
In summary, FireScam uses a combination of disguise, a dropper, persistence mechanisms, background activity, environment checks and a communication backdoor to evade detection and maintain its presence on an infected device.

● Approov Website: approov.io
● OWASP Mobile Security Project: https://owasp.org/www-project-mobile-security-testing-guide/ This link provides information about mobile security testing, app security, and API channel integrity.
○ OWASP Mobile Security Testing Guide: This is a key document from the OWASP Mobile Security Project, focusing on the development phase and identifying vulnerabilities in mobile app code.
○ Mobile App Sec Verification Standard (MASVS): This document provides a security checklist for when an app is ready to be released and acts as a baseline for penetration testing. It also defines security verification levels fo

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[FireScam Android Malware: How Fake Telegram Premium Apps Exploit Firebase for Stealth Attacks

FireScam employs several techniques to evade detection and maintain persistence on a device.
- Disguise: The malware is distributed disguised as the "Telegram Premium" application, through a phishing website that mimics the legitimate RuStore application store. This disguise is intended to trick users into installing the malware, as they may believe they are installing a legitimate application.
- Dropper: A dropper named ‘ru.store.installer’ is used to install FireScam on devices running Android 8 and newer. The dropper requests several permissions, including the ability to query and list all installed applications, access and modify external storage, delete and install applications, and update applications without user consent. These permissions allow it to install FireScam and maintain control over it.
- Restricting App Updates: FireScam declares itself as the designated owner and restricts app updates to it, which prevents other installers from updating it, ensuring its persistence on the device. This prevents a user or another application from removing or replacing the malicious app with a legitimate version.
- Background activity: FireScam requests permissions that allow it to run in the background without restriction. This allows it to continue to function and collect data without the user being aware of it.
- Environment Checks: The malware checks process names at runtime, checks installed applications, and fingerprints the device to detect if it is running in a sandboxed or virtualized environment. This indicates that the malware is designed to avoid detection by security analysis tools.
- Firebase Cloud Messaging (FCM): FireScam registers a service to check for FCM notifications, enabling it to receive commands from its command-and-control (C&amp;C) server. It also defines permissions to control access to it, effectively creating a backdoor for communication between the malware and its components. This allows the malware to receive instructions and exfiltrate data without direct user interaction.
In summary, FireScam uses a combination of disguise, a dropper, persistence mechanisms, background activity, environment checks and a communication backdoor to evade detection and maintain its presence on an infected device.

● Approov Website: approov.io
● OWASP Mobile Security Project: https://owasp.org/www-project-mobile-security-testing-guide/ This link provides information about mobile security testing, app security, and API channel integrity.
○ OWASP Mobile Security Testing Guide: This is a key document from the OWASP Mobile Security Project, focusing on the development phase and identifying vulnerabilities in mobile app code.
○ Mobile App Sec Verification Standard (MASVS): This document provides a security checklist for when an app is ready to be released and acts as a baseline for penetration testing. It also defines security verification levels fo

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1823</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63595414]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6875557670.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Epic Games Store Pre-loads Millions of Telefónica Android Devices</title>
      <link>https://player.megaphone.fm/NPTNI3300342483</link>
      <description>Upwardly Mobile API and App Security Podcast Show Notes
Episode Title: Epic Games Takes on the App Store Giants: A New Era of Mobile Gaming?
Episode Summary:
This week, George and Skye discuss the groundbreaking partnership between Epic Games and Telefónica and its potential to reshape the mobile gaming landscape. They'll delve into how this deal challenges the dominance of Google and Samsung in app distribution, explore the implications for developers and consumers, and analyze the future of mobile app security in a more competitive market.
Keywords: Epic Games, Telefónica, Google Play Store, Samsung Galaxy Store, mobile gaming, app distribution, app security, antitrust, competition, innovation, developers, consumers, Fortnite, RASP, App Attestation, OWASP MASVS, EU Digital Markets Act
Relevant Links:
● Epic Games announcement: https://www.epicgames.com/site/en-US/news/the-epic-games-store-launches-on-mobile
● Android Central article: https://www.androidcentral.com/software/apps/epic-games-store-will-be-preloaded-onto-millions-of-android-phones-in-new-partnership
● Approov blog post: https://approov.io/blog/can-epic-single-handedly-break-the-google-samsung-monopoly
● OWASP MASVS: https://owasp.org/www-project-mobile-security-testing-guide/
● EU Digital Markets Act: https://eur-lex.europa.eu/dac/summaries/en/2022/305117
Discussion Points:
● The Epic Games and Telefónica Partnership:
○ Telefónica will pre-install the Epic Games Store on all its new Android devices.
○ This move will give millions of users in Europe and Latin America access to the Epic Games Store.
○ The Epic Games Store offers a more developer-friendly revenue split (88/12) compared to Google Play Store (15-30%).
● Challenging the Status Quo:
○ The partnership directly challenges the existing dominance of Google and Samsung in the mobile app market.
○ It aims to circumvent the restrictions and high commissions imposed by the Google Play Store.
○ Epic Games has a history of challenging tech giants and advocating for a more open app ecosystem.
● Impact on Developers and Consumers:
○ Developers: The more favourable revenue split could attract more developers to the Epic Games Store.
○ Consumers: Increased competition could lead to lower app prices and a wider selection of games and apps.
○ The pre-installation of the Epic Games Store could expose consumers to alternative app marketplaces.
● Mobile App Security in a More Competitive Market:
○ The need for robust security measures like RASP, app attestation and notarization in a more fragmented app ecosystem.
○ The importance of open security standards like OWASP MASVS in ensuring app security across platforms.
○ The role of legislation like the EU Digital Markets Act in fostering a more competitive and secure mobile app market.
Call to Action:
● Encourage listeners to download the Epic Games Store and explore alternative app stores.
● Suggest that developers research and implement robust security m

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 07 Jan 2025 09:35:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile API and App Security Podcast Show Notes
Episode Title: Epic Games Takes on the App Store Giants: A New Era of Mobile Gaming?
Episode Summary:
This week, George and Skye discuss the groundbreaking partnership between Epic Games and Telefónica and its potential to reshape the mobile gaming landscape. They'll delve into how this deal challenges the dominance of Google and Samsung in app distribution, explore the implications for developers and consumers, and analyze the future of mobile app security in a more competitive market.
Keywords: Epic Games, Telefónica, Google Play Store, Samsung Galaxy Store, mobile gaming, app distribution, app security, antitrust, competition, innovation, developers, consumers, Fortnite, RASP, App Attestation, OWASP MASVS, EU Digital Markets Act
Relevant Links:
● Epic Games announcement: https://www.epicgames.com/site/en-US/news/the-epic-games-store-launches-on-mobile
● Android Central article: https://www.androidcentral.com/software/apps/epic-games-store-will-be-preloaded-onto-millions-of-android-phones-in-new-partnership
● Approov blog post: https://approov.io/blog/can-epic-single-handedly-break-the-google-samsung-monopoly
● OWASP MASVS: https://owasp.org/www-project-mobile-security-testing-guide/
● EU Digital Markets Act: https://eur-lex.europa.eu/dac/summaries/en/2022/305117
Discussion Points:
● The Epic Games and Telefónica Partnership:
    ○ Telefónica will pre-install the Epic Games Store on all its new Android devices.
    ○ This move will give millions of users in Europe and Latin America access to the Epic Games Store.
    ○ The Epic Games Store offers a more developer-friendly revenue split (88/12) compared to Google Play Store (15-30%).
● Challenging the Status Quo:
    ○ The partnership directly challenges the existing dominance of Google and Samsung in the mobile app market.
    ○ It aims to circumvent the restrictions and high commissions imposed by the Google Play Store.
    ○ Epic Games has a history of challenging tech giants and advocating for a more open app ecosystem.
● Impact on Developers and Consumers:
    ○ Developers: The more favourable revenue split could attract more developers to the Epic Games Store.
    ○ Consumers: Increased competition could lead to lower app prices and a wider selection of games and apps.
    ○ The pre-installation of the Epic Games Store could expose consumers to alternative app marketplaces.
● Mobile App Security in a More Competitive Market:
    ○ The need for robust security measures like RASP, app attestation and notarization in a more fragmented app ecosystem.
    ○ The importance of open security standards like OWASP MASVS in ensuring app security across platforms.
    ○ The role of legislation like the EU Digital Markets Act in fostering a more competitive and secure mobile app market.
Call to Action:
● Encourage listeners to download the Epic Games Store and explore alternative app stores.
● Suggest that developers research and implement robust security m

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile API and App Security Podcast Show Notes
Episode Title: Epic Games Takes on the App Store Giants: A New Era of Mobile Gaming?
Episode Summary:
This week, George and Skye discuss the groundbreaking partnership between Epic Games and Telefónica and its potential to reshape the mobile gaming landscape. They'll delve into how this deal challenges the dominance of Google and Samsung in app distribution, explore the implications for developers and consumers, and analyze the future of mobile app security in a more competitive market.
Keywords: Epic Games, Telefónica, Google Play Store, Samsung Galaxy Store, mobile gaming, app distribution, app security, antitrust, competition, innovation, developers, consumers, Fortnite, RASP, App Attestation, OWASP MASVS, EU Digital Markets Act
Relevant Links:
● Epic Games announcement: https://www.epicgames.com/site/en-US/news/the-epic-games-store-launches-on-mobile
● Android Central article: https://www.androidcentral.com/software/apps/epic-games-store-will-be-preloaded-onto-millions-of-android-phones-in-new-partnership
● Approov blog post: https://approov.io/blog/can-epic-single-handedly-break-the-google-samsung-monopoly
● OWASP MASVS: https://owasp.org/www-project-mobile-security-testing-guide/
● EU Digital Markets Act: https://eur-lex.europa.eu/dac/summaries/en/2022/305117
Discussion Points:
● The Epic Games and Telefónica Partnership:
    ○ Telefónica will pre-install the Epic Games Store on all its new Android devices.
    ○ This move will give millions of users in Europe and Latin America access to the Epic Games Store.
    ○ The Epic Games Store offers a more developer-friendly revenue split (88/12) compared to Google Play Store (15-30%).
● Challenging the Status Quo:
    ○ The partnership directly challenges the existing dominance of Google and Samsung in the mobile app market.
    ○ It aims to circumvent the restrictions and high commissions imposed by the Google Play Store.
    ○ Epic Games has a history of challenging tech giants and advocating for a more open app ecosystem.
● Impact on Developers and Consumers:
    ○ Developers: The more favourable revenue split could attract more developers to the Epic Games Store.
    ○ Consumers: Increased competition could lead to lower app prices and a wider selection of games and apps.
    ○ The pre-installation of the Epic Games Store could expose consumers to alternative app marketplaces.
● Mobile App Security in a More Competitive Market:
    ○ The need for robust security measures like RASP, app attestation and notarization in a more fragmented app ecosystem.
    ○ The importance of open security standards like OWASP MASVS in ensuring app security across platforms.
    ○ The role of legislation like the EU Digital Markets Act in fostering a more competitive and secure mobile app market.
Call to Action:
● Encourage listeners to download the Epic Games Store and explore alternative app stores.
● Suggest that developers research and implement robust security m

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1250</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63328555]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3300342483.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Pegasus Spyware! | Widespread Mobile Infections reported by iVerify</title>
      <link>https://player.megaphone.fm/NPTNI9387927122</link>
      <description>Upwardly Mobile - Episode Details
The Pegasus spyware has a wider reach and impact than previously understood, affecting not only high-profile targets but also a broader range of individuals. Here's a breakdown of its reach and impact based on the sources:
- Targeted individuals: While initially known for targeting journalists, political activists, and government officials, Pegasus has also been found on the devices of business leaders and people in government or commercial enterprises. The spyware can be used to surveil individuals who may not seem like likely targets.
- Infection rate: iVerify's investigation found an infection rate of 2.5 infected devices per 1,000 scans, which is significantly higher than previously reported. This suggests that mobile spyware, particularly Pegasus, may be more prevalent than security researchers had estimated.
- Affected devices: Pegasus infections have been found on both iOS and Android devices. The spyware has been found on various iOS versions, including 14, 15 and 16.6. Some infections date back to 2021 and 2022.
- Method of infection: Pegasus uses zero-click attacks, meaning it can compromise a device without any action from the user. Receiving an infected iMessage is enough to compromise an iPhone. It exploits operating system vulnerabilities to gain access.
- Data access: Once a device is infected, Pegasus allows attackers to access and extract messages, emails, media files, passwords, and detailed location information. It can silently monitor a device and compromise data without the owner’s knowledge.
- Detection challenges: Traditional endpoint security measures often fail to detect Pegasus, suggesting that mobile users need to be included in the detection process.
- Dissemination: The NSO Group, which developed Pegasus, sells it to governments who use it to target various individuals. iVerify refers to the NSO Group as "Rainbow Ronin".
In summary, Pegasus spyware has a wide-reaching impact, affecting not just high-profile individuals but also a broader range of people, with a higher infection rate than previously thought. It can silently monitor and extract data from both iOS and Android devices using zero-click attacks, making it difficult to detect with traditional security measures. These findings underscore the need for proactive measures, such as regular security scans, to protect against mobile spyware threats.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 06 Jan 2025 23:13:27 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile - Episode Details
The Pegasus spyware has a wider reach and impact than previously understood, affecting not only high-profile targets but also a broader range of individuals. Here's a breakdown of its reach and impact based on the sources:
- Targeted individuals: While initially known for targeting journalists, political activists, and government officials, Pegasus has also been found on the devices of business leaders and people in government or commercial enterprises. The spyware can be used to surveil individuals who may not seem like likely targets.
- Infection rate: iVerify's investigation found an infection rate of 2.5 infected devices per 1,000 scans, which is significantly higher than previously reported. This suggests that mobile spyware, particularly Pegasus, may be more prevalent than security researchers had estimated.
- Affected devices: Pegasus infections have been found on both iOS and Android devices. The spyware has been found on various iOS versions, including 14, 15 and 16.6. Some infections date back to 2021 and 2022.
- Method of infection: Pegasus uses zero-click attacks, meaning it can compromise a device without any action from the user. Receiving an infected iMessage is enough to compromise an iPhone. It exploits operating system vulnerabilities to gain access.
- Data access: Once a device is infected, Pegasus allows attackers to access and extract messages, emails, media files, passwords, and detailed location information. It can silently monitor a device and compromise data without the owner’s knowledge.
- Detection challenges: Traditional endpoint security measures often fail to detect Pegasus, suggesting that mobile users need to be included in the detection process.
- Dissemination: The NSO Group, which developed Pegasus, sells it to governments who use it to target various individuals. iVerify refers to the NSO Group as "Rainbow Ronin".
In summary, Pegasus spyware has a wide-reaching impact, affecting not just high-profile individuals but also a broader range of people, with a higher infection rate than previously thought. It can silently monitor and extract data from both iOS and Android devices using zero-click attacks, making it difficult to detect with traditional security measures. These findings underscore the need for proactive measures, such as regular security scans, to protect against mobile spyware threats.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile - Episode Details
The Pegasus spyware has a wider reach and impact than previously understood, affecting not only high-profile targets but also a broader range of individuals. Here's a breakdown of its reach and impact based on the sources:
- Targeted individuals: While initially known for targeting journalists, political activists, and government officials, Pegasus has also been found on the devices of business leaders and people in government or commercial enterprises. The spyware can be used to surveil individuals who may not seem like likely targets.
- Infection rate: iVerify's investigation found an infection rate of 2.5 infected devices per 1,000 scans, which is significantly higher than previously reported. This suggests that mobile spyware, particularly Pegasus, may be more prevalent than security researchers had estimated.
- Affected devices: Pegasus infections have been found on both iOS and Android devices. The spyware has been found on various iOS versions, including 14, 15 and 16.6. Some infections date back to 2021 and 2022.
- Method of infection: Pegasus uses zero-click attacks, meaning it can compromise a device without any action from the user. Receiving an infected iMessage is enough to compromise an iPhone. It exploits operating system vulnerabilities to gain access.
- Data access: Once a device is infected, Pegasus allows attackers to access and extract messages, emails, media files, passwords, and detailed location information. It can silently monitor a device and compromise data without the owner’s knowledge.
- Detection challenges: Traditional endpoint security measures often fail to detect Pegasus, suggesting that mobile users need to be included in the detection process.
- Dissemination: The NSO Group, which developed Pegasus, sells it to governments who use it to target various individuals. iVerify refers to the NSO Group as "Rainbow Ronin".
In summary, Pegasus spyware has a wide-reaching impact, affecting not just high-profile individuals but also a broader range of people, with a higher infection rate than previously thought. It can silently monitor and extract data from both iOS and Android devices using zero-click attacks, making it difficult to detect with traditional security measures. These findings underscore the need for proactive measures, such as regular security scans, to protect against mobile spyware threats.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>913</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63594198]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9387927122.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple's $95 Million Siri Privacy Settlement</title>
      <link>https://player.megaphone.fm/NPTNI3210774554</link>
      <description>Apple has agreed to a $95 million settlement in a class action lawsuit alleging that its Siri assistant recorded private conversations and shared them with third parties. The lawsuit claims that Siri's microphone was activated unintentionally, recording conversations without the user's knowledge, and that this audio data was shared with third-party marketers and advertisers. Here's a breakdown of the key points:
- Allegations: The lawsuit alleges that Apple violated the federal Wiretap Act and California's Invasion of Privacy Act by recording and sharing private conversations without user consent. Users reported being targeted with advertisements related to sensitive topics discussed in private when Siri had been accidentally activated.
- Settlement Terms:
    - Apple will create a $95 million non-reversionary fund to cover payments to class members, attorney fees, awards for class representatives, and administrative costs.
    - The settlement applies to U.S.-based current or former owners of Siri-enabled devices (iPhones, iPads, Macs, etc.) whose communications were obtained or shared without consent due to unintentional Siri activations between September 17, 2014, and December 31, 2024.
    - Class members can claim up to $20 per Siri-enabled device, for up to five devices.
    - Apple is required to permanently delete all Siri audio recordings obtained in violation of the laws within six months of the settlement's effective date.
    - Apple is expected to provide clear disclosures on how users can manage Siri settings to protect their data from unintentional disclosure.
- Class Action Details:
    - The lawsuit was filed in August 2019, after an article in The Guardian alleged that Siri's microphone was surreptitiously recording conversations.
    - The case was submitted by Fumiko Lopez, John Troy Pappas, and David Yacubian.
    - The proposed settlement still needs to be approved by a judge. A preliminary approval hearing is scheduled for February 14, 2025. If approved, the deadline for claims submission will be 135 days later, on June 29, 2025.
- The settlement class includes all individual current or former owners or purchasers of a Siri Device, who reside in the United States and its territories, whose confidential or private communications were obtained by Apple and/or were shared with third parties as a result of an unintended Siri activation between September 17, 2014 and December 31, 2024.
- Apple's Response: Apple denies any wrongdoing but chose to settle to avoid further legal costs and potential bad publicity.
- How to Disable Siri: Users can disable "Hey Siri" activation, restrict Siri usage from certain apps, and delete Siri and dictation history. Steps to disable Siri include turning off 'Listen for "Hey Siri"' in device settings, and turning off microphone access for individual apps in settings.
- Monetary Aspects: The settlement amount will be used to pay for costs of notice and administering the settlement, attorneys' fees,

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 04 Jan 2025 08:30:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Apple has agreed to a $95 million settlement in a class action lawsuit alleging that its Siri assistant recorded private conversations and shared them with third parties. The lawsuit claims that Siri's microphone was activated unintentionally, recording conversations without the user's knowledge, and that this audio data was shared with third-party marketers and advertisers. Here's a breakdown of the key points:
- Allegations: The lawsuit alleges that Apple violated the federal Wiretap Act and California's Invasion of Privacy Act by recording and sharing private conversations without user consent. Users reported being targeted with advertisements related to sensitive topics discussed in private when Siri had been accidentally activated.
- Settlement Terms:
    - Apple will create a $95 million non-reversionary fund to cover payments to class members, attorney fees, awards for class representatives, and administrative costs.
    - The settlement applies to U.S.-based current or former owners of Siri-enabled devices (iPhones, iPads, Macs, etc.) whose communications were obtained or shared without consent due to unintentional Siri activations between September 17, 2014, and December 31, 2024.
    - Class members can claim up to $20 per Siri-enabled device, for up to five devices.
    - Apple is required to permanently delete all Siri audio recordings obtained in violation of the laws within six months of the settlement's effective date.
    - Apple is expected to provide clear disclosures on how users can manage Siri settings to protect their data from unintentional disclosure.
- Class Action Details:
    - The lawsuit was filed in August 2019, after an article in The Guardian alleged that Siri's microphone was surreptitiously recording conversations.
    - The case was submitted by Fumiko Lopez, John Troy Pappas, and David Yacubian.
    - The proposed settlement still needs to be approved by a judge. A preliminary approval hearing is scheduled for February 14, 2025. If approved, the deadline for claims submission will be 135 days later, on June 29, 2025.
- The settlement class includes all individual current or former owners or purchasers of a Siri Device, who reside in the United States and its territories, whose confidential or private communications were obtained by Apple and/or were shared with third parties as a result of an unintended Siri activation between September 17, 2014 and December 31, 2024.
- Apple's Response: Apple denies any wrongdoing but chose to settle to avoid further legal costs and potential bad publicity.
- How to Disable Siri: Users can disable "Hey Siri" activation, restrict Siri usage from certain apps, and delete Siri and dictation history. Steps to disable Siri include turning off 'Listen for "Hey Siri"' in device settings, and turning off microphone access for individual apps in settings.
- Monetary Aspects: The settlement amount will be used to pay for costs of notice and administering the settlement, attorneys' fees,

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Apple has agreed to a $95 million settlement in a class action lawsuit alleging that its Siri assistant recorded private conversations and shared them with third parties. The lawsuit claims that Siri's microphone was activated unintentionally, recording conversations without the user's knowledge, and that this audio data was shared with third-party marketers and advertisers. Here's a breakdown of the key points:
- Allegations: The lawsuit alleges that Apple violated the federal Wiretap Act and California's Invasion of Privacy Act by recording and sharing private conversations without user consent. Users reported being targeted with advertisements related to sensitive topics discussed in private when Siri had been accidentally activated.
- Settlement Terms:
    - Apple will create a $95 million non-reversionary fund to cover payments to class members, attorney fees, awards for class representatives, and administrative costs.
    - The settlement applies to U.S.-based current or former owners of Siri-enabled devices (iPhones, iPads, Macs, etc.) whose communications were obtained or shared without consent due to unintentional Siri activations between September 17, 2014, and December 31, 2024.
    - Class members can claim up to $20 per Siri-enabled device, for up to five devices.
    - Apple is required to permanently delete all Siri audio recordings obtained in violation of the laws within six months of the settlement's effective date.
    - Apple is expected to provide clear disclosures on how users can manage Siri settings to protect their data from unintentional disclosure.
- Class Action Details:
    - The lawsuit was filed in August 2019, after an article in The Guardian alleged that Siri's microphone was surreptitiously recording conversations.
    - The case was submitted by Fumiko Lopez, John Troy Pappas, and David Yacubian.
    - The proposed settlement still needs to be approved by a judge. A preliminary approval hearing is scheduled for February 14, 2025. If approved, the deadline for claims submission will be 135 days later, on June 29, 2025.
- The settlement class includes all individual current or former owners or purchasers of a Siri Device, who reside in the United States and its territories, whose confidential or private communications were obtained by Apple and/or were shared with third parties as a result of an unintended Siri activation between September 17, 2014 and December 31, 2024.
- Apple's Response: Apple denies any wrongdoing but chose to settle to avoid further legal costs and potential bad publicity.
- How to Disable Siri: Users can disable "Hey Siri" activation, restrict Siri usage from certain apps, and delete Siri and dictation history. Steps to disable Siri include turning off 'Listen for "Hey Siri"' in device settings, and turning off microphone access for individual apps in settings.
- Monetary Aspects: The settlement amount will be used to pay for costs of notice and administering the settlement, attorneys' fees,

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>888</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63569883]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3210774554.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Dirty Secrets | Exposed API Key Vulnerabilities in Mobile Apps</title>
      <link>https://player.megaphone.fm/NPTNI6758201958</link>
      <description>This podcast episode explores the security vulnerabilities of the top financial apps in the US and Europe.
A staggering 92% of the top 650 finance apps scanned in Q1 2023 revealed valuable secrets, with 23% exposing high-value secrets such as API keys and other sensitive information. These findings, from the Approov Mobile Threat Lab Security Report, highlight a concerning trend in mobile app security.
The report analyses the attack surfaces that hackers target, including:
● Protecting Secrets at Rest: This involves securing sensitive information stored within the app's code.
● Protecting Secrets in Transit: Measures taken to prevent man-in-the-middle attacks, where attackers intercept data being transmitted between the app and the server.
● Device Integrity: Preventing attacks that exploit compromised devices.
The report reveals that only a tiny fraction of apps (4%) implemented robust security measures like Transport Layer Security (TLS) certificate pinning to protect against these attacks. This means hackers can easily exploit vulnerabilities, potentially leading to data breaches and financial losses.
A surprising finding was the difference in security practices between US and European apps. European apps demonstrated better security practices, likely due to stricter regulations like GDPR.
Key takeaways from this episode:
● The vast majority of finance apps are vulnerable to attacks.
● Hackers are actively targeting finance apps to steal sensitive data.
● Developers need to prioritize security measures to protect user data.
● Regulation like GDPR can positively impact app security.
For more information on the report and how to improve mobile app security, visit: approov.io.
For insights into the broader landscape of secrets sprawl and how AI can be leveraged for detection and remediation, check out the State of Secrets Sprawl report 2024 by GitGuardian: www.gitguardian.com.
Keywords: mobile app security, finance apps, API keys, data breaches, GDPR, TLS certificate pinning, secrets sprawl, AI-powered security.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 04 Jan 2025 05:10:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>This podcast episode explores the security vulnerabilities of the top financial apps in the US and Europe.
A staggering 92% of the top 650 finance apps scanned in Q1 2023 revealed valuable secrets, with 23% exposing high-value secrets such as API keys and other sensitive information. These findings, from the Approov Mobile Threat Lab Security Report, highlight a concerning trend in mobile app security.
The report analyses the attack surfaces that hackers target, including:
● Protecting Secrets at Rest: This involves securing sensitive information stored within the app's code.
● Protecting Secrets in Transit: Measures taken to prevent man-in-the-middle attacks, where attackers intercept data being transmitted between the app and the server.
● Device Integrity: Preventing attacks that exploit compromised devices.
The report reveals that only a tiny fraction of apps (4%) implemented robust security measures like Transport Layer Security (TLS) certificate pinning to protect against these attacks. This means hackers can easily exploit vulnerabilities, potentially leading to data breaches and financial losses.
A surprising finding was the difference in security practices between US and European apps. European apps demonstrated better security practices, likely due to stricter regulations like GDPR.
Key takeaways from this episode:
● The vast majority of finance apps are vulnerable to attacks.
● Hackers are actively targeting finance apps to steal sensitive data.
● Developers need to prioritize security measures to protect user data.
● Regulation like GDPR can positively impact app security.
For more information on the report and how to improve mobile app security, visit: approov.io.
For insights into the broader landscape of secrets sprawl and how AI can be leveraged for detection and remediation, check out the State of Secrets Sprawl report 2024 by GitGuardian: www.gitguardian.com.
Keywords: mobile app security, finance apps, API keys, data breaches, GDPR, TLS certificate pinning, secrets sprawl, AI-powered security.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[This podcast episode explores the security vulnerabilities of the top financial apps in the US and Europe.
A staggering 92% of the top 650 finance apps scanned in Q1 2023 revealed valuable secrets, with 23% exposing high-value secrets such as API keys and other sensitive information. These findings, from the Approov Mobile Threat Lab Security Report, highlight a concerning trend in mobile app security.
The report analyses the attack surfaces that hackers target, including:
● Protecting Secrets at Rest: This involves securing sensitive information stored within the app's code.
● Protecting Secrets in Transit: Measures taken to prevent man-in-the-middle attacks, where attackers intercept data being transmitted between the app and the server.
● Device Integrity: Preventing attacks that exploit compromised devices.
The report reveals that only a tiny fraction of apps (4%) implemented robust security measures like Transport Layer Security (TLS) certificate pinning to protect against these attacks. This means hackers can easily exploit vulnerabilities, potentially leading to data breaches and financial losses.
A surprising finding was the difference in security practices between US and European apps. European apps demonstrated better security practices, likely due to stricter regulations like GDPR.
Key takeaways from this episode:
● The vast majority of finance apps are vulnerable to attacks.
● Hackers are actively targeting finance apps to steal sensitive data.
● Developers need to prioritize security measures to protect user data.
● Regulation like GDPR can positively impact app security.
For more information on the report and how to improve mobile app security, visit: approov.io.
For insights into the broader landscape of secrets sprawl and how AI can be leveraged for detection and remediation, check out the State of Secrets Sprawl report 2024 by GitGuardian: www.gitguardian.com.
Keywords: mobile app security, finance apps, API keys, data breaches, GDPR, TLS certificate pinning, secrets sprawl, AI-powered security.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1611</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63322188]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI6758201958.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>HIPAA Security Rule Updates and Cybersecurity in Mobile Healthcare</title>
      <link>https://player.megaphone.fm/NPTNI9725818021</link>
      <description>The U.S. Department of Health and Human Services (HHS) is proposing updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to address increasing data breaches and cyberattacks in the healthcare sector, which have significant implications for mobile apps and APIs that handle electronic protected health information (ePHI). These updates aim to enhance the security of patient data by enforcing stricter cybersecurity measures.
Here's a summary of how the proposed HIPAA rules apply to mobile apps and APIs:
● Data Encryption: The proposed rules would mandate encryption of ePHI at rest and in transit, so that intercepted or stolen data remains unreadable to unauthorized parties. This is particularly important for mobile applications, which often operate over untrusted networks.
● Multifactor Authentication (MFA): The proposed rules require MFA, which demands more than one form of verification before granting access to sensitive systems. This is essential for limiting unauthorized access to mobile apps and APIs that manage patient data; adaptive MFA, which raises the requirement according to risk signals, can strengthen the layer further.
● Network Segmentation: Healthcare organizations would be required to segment their networks to contain breaches and limit lateral movement. Isolating the systems that hold ePHI in restricted segments reduces the blast radius of an incident, which matters for mobile apps that fan out to several backend services.
● Comprehensive Risk Analysis: Regular assessments would be mandated to identify vulnerabilities in healthcare IT infrastructure. Mobile app developers and healthcare providers both need this to stay compliant and to address emerging threats.
Implications for Mobile App Development:
● Compliance Requirements: Developers must ensure their applications meet the new HIPAA requirements, including robust encryption and MFA. Doing so builds user trust and reduces legal exposure from a breach.
● Design Considerations: Security must be built in from the design phase so that every part of the application is secure and compliant. This includes role-based access control (RBAC) and continuous monitoring for unusual access patterns.

Additional Key Points:
● The new rules would apply to all ePHI created, received, maintained, or transmitted by a covered entity or business associate.
● Regulated entities must also protect the electronic information systems that create, receive, maintain, or transmit ePHI and those that othe

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Thu, 02 Jan 2025 22:39:20 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>The U.S. Department of Health and Human Services (HHS) is proposing updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to address increasing data breaches and cyberattacks in the healthcare sector, which have significant implications for mobile apps and APIs that handle electronic protected health information (ePHI). These updates aim to enhance the security of patient data by enforcing stricter cybersecurity measures.
Here's a summary of how the proposed HIPAA rules apply to mobile apps and APIs:
● Data Encryption: The proposed rules would mandate encryption of ePHI at rest and in transit, so that intercepted or stolen data remains unreadable to unauthorized parties. This is particularly important for mobile applications, which often operate over untrusted networks.
● Multifactor Authentication (MFA): The proposed rules require MFA, which demands more than one form of verification before granting access to sensitive systems. This is essential for limiting unauthorized access to mobile apps and APIs that manage patient data; adaptive MFA, which raises the requirement according to risk signals, can strengthen the layer further.
● Network Segmentation: Healthcare organizations would be required to segment their networks to contain breaches and limit lateral movement. Isolating the systems that hold ePHI in restricted segments reduces the blast radius of an incident, which matters for mobile apps that fan out to several backend services.
● Comprehensive Risk Analysis: Regular assessments would be mandated to identify vulnerabilities in healthcare IT infrastructure. Mobile app developers and healthcare providers both need this to stay compliant and to address emerging threats.
Implications for Mobile App Development:
● Compliance Requirements: Developers must ensure their applications meet the new HIPAA requirements, including robust encryption and MFA. Doing so builds user trust and reduces legal exposure from a breach.
● Design Considerations: Security must be built in from the design phase so that every part of the application is secure and compliant. This includes role-based access control (RBAC) and continuous monitoring for unusual access patterns.

Additional Key Points:
● The new rules would apply to all ePHI created, received, maintained, or transmitted by a covered entity or business associate.
● Regulated entities must also protect the electronic information systems that create, receive, maintain, or transmit ePHI and those that othe

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[The U.S. Department of Health and Human Services (HHS) is proposing updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to address increasing data breaches and cyberattacks in the healthcare sector, which have significant implications for mobile apps and APIs that handle electronic protected health information (ePHI). These updates aim to enhance the security of patient data by enforcing stricter cybersecurity measures.
Here's a summary of how the proposed HIPAA rules apply to mobile apps and APIs:
● Data Encryption: The proposed rules would mandate encryption of ePHI at rest and in transit, so that intercepted or stolen data remains unreadable to unauthorized parties. This is particularly important for mobile applications, which often operate over untrusted networks.
● Multifactor Authentication (MFA): The proposed rules require MFA, which demands more than one form of verification before granting access to sensitive systems. This is essential for limiting unauthorized access to mobile apps and APIs that manage patient data; adaptive MFA, which raises the requirement according to risk signals, can strengthen the layer further.
● Network Segmentation: Healthcare organizations would be required to segment their networks to contain breaches and limit lateral movement. Isolating the systems that hold ePHI in restricted segments reduces the blast radius of an incident, which matters for mobile apps that fan out to several backend services.
● Comprehensive Risk Analysis: Regular assessments would be mandated to identify vulnerabilities in healthcare IT infrastructure. Mobile app developers and healthcare providers both need this to stay compliant and to address emerging threats.
Implications for Mobile App Development:
● Compliance Requirements: Developers must ensure their applications meet the new HIPAA requirements, including robust encryption and MFA. Doing so builds user trust and reduces legal exposure from a breach.
● Design Considerations: Security must be built in from the design phase so that every part of the application is secure and compliant. This includes role-based access control (RBAC) and continuous monitoring for unusual access patterns.

Additional Key Points:
● The new rules would apply to all ePHI created, received, maintained, or transmitted by a covered entity or business associate.
● Regulated entities must also protect the electronic information systems that create, receive, maintain, or transmit ePHI and those that othe

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1690</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63550233]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9725818021.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Exploring the OpenWallet Foundation (OWF) - Interoperable Digital Wallets</title>
      <link>https://player.megaphone.fm/NPTNI7585164440</link>
      <description>Podcast Episode Title: Exploring the OpenWallet Foundation and the EU Open Source Policy Summit 
- Welcome to Upwardly Mobile, where we explore the latest trends in technology and innovation. In this episode, we'll be discussing the importance of open source in shaping our digital future, with a particular focus on the OpenWallet Foundation (OWF) and the upcoming EU Open Source Policy Summit.
Part 1: The OpenWallet Foundation (OWF)
- What is the OWF? The OpenWallet Foundation, hosted at the Linux Foundation, aims to bring developers, standards development organisations, and academia together to facilitate global interoperability of verifiable credentials.
- Mission: The OWF's mission is to enable a trusted digital future through interoperability for a wide range of wallet use cases.
- Key Goals: The foundation seeks to establish best practices and collaboratively develop digital wallet technology, creating standards-based open-source (OSS) components for issuers and wallet providers. These components should preserve user choice, security and privacy.
- Recent Developments:
    - Animo and Lissi teams have made progress in the SPRIND Funke competition.
    - The OWF will hold its inaugural High-Level Panel Meeting in Davos on 22nd January, focusing on digital wallet interoperability.
    - The Government Consultative Committee (GCC) has 23 Member States and 9 intergovernmental organisations participating, with a leadership team to be confirmed on 28th January.
    - A Global Summit is scheduled for early July 2025 in Geneva, to facilitate dialogue between OWF developers and GCC members.
    - The Technical Advisory Council (TAC) meets bi-weekly, with the first meeting of 2025 scheduled for 8th January.
- Executive Director: Daniel Goldscheider, the OWF Executive Director, recently discussed the UN and OpenWallet Digital Public Infrastructure Collaboration and will be on a panel about public sector collaboration across Europe on 31st December.
- How to Get Involved: The OWF encourages collaboration to drive the adoption of open, secure and interoperable digital wallet solutions. You can explore OWF Projects, OWF Labs, and connect via LinkedIn, X (formerly Twitter), and Discord.
Part 2: The EU Open Source Policy Summit
- What is it? The EU Open Source Policy Summit is a premier event for high-level open source policy discussions. It provides a platform for the new EU administration to engage with the European open source community.
- When and Where: The summit is set for 31st January 2025 in Brussels, with online access.
- Purpose: The summit will explore how to use open source and global collaboration to create a competitive and sovereign digital environment.
- Key Topics:
    - The EU Digital Strategy
    - Open Source in the Manufacturing Industry
    - International Open Source Governance
    - Economic &amp; Social Value of Open Source
    - Public Sector Open Source Strategies
    - Digital Markets Regulation
    - EU Funding Priorities: Digita

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Wed, 01 Jan 2025 08:25:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Podcast Episode Title: Exploring the OpenWallet Foundation and the EU Open Source Policy Summit 
- Welcome to Upwardly Mobile, where we explore the latest trends in technology and innovation. In this episode, we'll be discussing the importance of open source in shaping our digital future, with a particular focus on the OpenWallet Foundation (OWF) and the upcoming EU Open Source Policy Summit.
Part 1: The OpenWallet Foundation (OWF)
- What is the OWF? The OpenWallet Foundation, hosted at the Linux Foundation, aims to bring developers, standards development organisations, and academia together to facilitate global interoperability of verifiable credentials.
- Mission: The OWF's mission is to enable a trusted digital future through interoperability for a wide range of wallet use cases.
- Key Goals: The foundation seeks to establish best practices and collaboratively develop digital wallet technology, creating standards-based open-source (OSS) components for issuers and wallet providers. These components should preserve user choice, security and privacy.
- Recent Developments:
    - Animo and Lissi teams have made progress in the SPRIND Funke competition.
    - The OWF will hold its inaugural High-Level Panel Meeting in Davos on 22nd January, focusing on digital wallet interoperability.
    - The Government Consultative Committee (GCC) has 23 Member States and 9 intergovernmental organisations participating, with a leadership team to be confirmed on 28th January.
    - A Global Summit is scheduled for early July 2025 in Geneva, to facilitate dialogue between OWF developers and GCC members.
    - The Technical Advisory Council (TAC) meets bi-weekly, with the first meeting of 2025 scheduled for 8th January.
- Executive Director: Daniel Goldscheider, the OWF Executive Director, recently discussed the UN and OpenWallet Digital Public Infrastructure Collaboration and will be on a panel about public sector collaboration across Europe on 31st December.
- How to Get Involved: The OWF encourages collaboration to drive the adoption of open, secure and interoperable digital wallet solutions. You can explore OWF Projects, OWF Labs, and connect via LinkedIn, X (formerly Twitter), and Discord.
Part 2: The EU Open Source Policy Summit
- What is it? The EU Open Source Policy Summit is a premier event for high-level open source policy discussions. It provides a platform for the new EU administration to engage with the European open source community.
- When and Where: The summit is set for 31st January 2025 in Brussels, with online access.
- Purpose: The summit will explore how to use open source and global collaboration to create a competitive and sovereign digital environment.
- Key Topics:
    - The EU Digital Strategy
    - Open Source in the Manufacturing Industry
    - International Open Source Governance
    - Economic &amp; Social Value of Open Source
    - Public Sector Open Source Strategies
    - Digital Markets Regulation
    - EU Funding Priorities: Digita

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Podcast Episode Title: Exploring the OpenWallet Foundation and the EU Open Source Policy Summit 
- Welcome to Upwardly Mobile, where we explore the latest trends in technology and innovation. In this episode, we'll be discussing the importance of open source in shaping our digital future, with a particular focus on the OpenWallet Foundation (OWF) and the upcoming EU Open Source Policy Summit.
Part 1: The OpenWallet Foundation (OWF)
- What is the OWF? The OpenWallet Foundation, hosted at the Linux Foundation, aims to bring developers, standards development organisations, and academia together to facilitate global interoperability of verifiable credentials.
- Mission: The OWF's mission is to enable a trusted digital future through interoperability for a wide range of wallet use cases.
- Key Goals: The foundation seeks to establish best practices and collaboratively develop digital wallet technology, creating standards-based open-source (OSS) components for issuers and wallet providers. These components should preserve user choice, security and privacy.
- Recent Developments:
    - Animo and Lissi teams have made progress in the SPRIND Funke competition.
    - The OWF will hold its inaugural High-Level Panel Meeting in Davos on 22nd January, focusing on digital wallet interoperability.
    - The Government Consultative Committee (GCC) has 23 Member States and 9 intergovernmental organisations participating, with a leadership team to be confirmed on 28th January.
    - A Global Summit is scheduled for early July 2025 in Geneva, to facilitate dialogue between OWF developers and GCC members.
    - The Technical Advisory Council (TAC) meets bi-weekly, with the first meeting of 2025 scheduled for 8th January.
- Executive Director: Daniel Goldscheider, the OWF Executive Director, recently discussed the UN and OpenWallet Digital Public Infrastructure Collaboration and will be on a panel about public sector collaboration across Europe on 31st December.
- How to Get Involved: The OWF encourages collaboration to drive the adoption of open, secure and interoperable digital wallet solutions. You can explore OWF Projects, OWF Labs, and connect via LinkedIn, X (formerly Twitter), and Discord.
Part 2: The EU Open Source Policy Summit
- What is it? The EU Open Source Policy Summit is a premier event for high-level open source policy discussions. It provides a platform for the new EU administration to engage with the European open source community.
- When and Where: The summit is set for 31st January 2025 in Brussels, with online access.
- Purpose: The summit will explore how to use open source and global collaboration to create a competitive and sovereign digital environment.
- Key Topics:
    - The EU Digital Strategy
    - Open Source in the Manufacturing Industry
    - International Open Source Governance
    - Economic &amp; Social Value of Open Source
    - Public Sector Open Source Strategies
    - Digital Markets Regulation
    - EU Funding Priorities: Digita

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>861</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63499383]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7585164440.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>US Treasury Department: Chinese Hackers Exploit API Vulnerability</title>
      <link>https://player.megaphone.fm/NPTNI1554649147</link>
      <description>Episode Title: US Treasury Department: Chinese Hackers Exploit API Vulnerability

Introduction:
- This episode examines the cyberattack on the U.S. Treasury Department, which was facilitated by a compromised API key from BeyondTrust's Remote Support SaaS platform.
- The breach is attributed to Chinese state-sponsored threat actors.
Key Events and Timeline:
- Compromised API Key: Attackers used a compromised BeyondTrust API key to gain initial access; how the key itself was obtained has not been disclosed.
- Detection: BeyondTrust detected suspicious activity on December 2, 2024.
- Key Revoked: The compromised API key was revoked on December 8 after the breach was confirmed.
- Zero-Day Exploitation: The attackers exploited two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686.
    - CVE-2024-12356 was a critical command injection flaw, allowing execution of arbitrary commands on the system. This flaw was due to improper input sanitization.
- Unauthorized Access: Attackers reset passwords and gained unauthorized access to several Treasury workstations.
- Data Exfiltration: The attackers were able to steal unclassified documents.
Technical Details:
- The attackers used a compromised API key to access BeyondTrust’s Remote Support SaaS platform.
- The exploitation of CVE-2024-12356 allowed attackers to execute arbitrary commands without authentication.
- This command injection vulnerability allowed the attackers to run commands on the operating system and enabled further attacks, such as resetting passwords.
- The use of zero-day vulnerabilities indicates the sophistication of the attack.
Impact:
- The U.S. Treasury Department was breached, resulting in the theft of unclassified documents.
- The incident is considered a major security breach involving a third-party provider.
- The attack highlights the risk of supply chain vulnerabilities where a breach of a third-party provider like BeyondTrust can lead to significant impacts on their customers.
Response and Remediation:
- BeyondTrust revoked the compromised API key.
- Patches were released to address the exploited vulnerabilities.
- The vulnerability CVE-2024-12356 was addressed with an urgent patch by BeyondTrust.
Attribution:
- The attack is attributed to Chinese state-sponsored threat actors.
- The specific APT (Advanced Persistent Threat) group involved was not named, but they are linked to the Chinese government.
Conclusion:
- The breach of the U.S. Treasury Department through the exploitation of a vulnerability in BeyondTrust's platform highlights the need for robust cybersecurity practices and vigilance regarding third-party risks.
- The incident emphasizes the importance of patching vulnerabilities promptly and monitoring for suspicious activities.
Additional Notes:
- How the attackers obtained the API key remains unclear.
- This incident underscores the potential damage from compromised third-party services and API keys.
- The incident involved the compromise of BeyondTrust's Remote Suppo

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Tue, 31 Dec 2024 15:17:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Title: US Treasury Department: Chinese Hackers Exploit API Vulnerability

Introduction:
- This episode examines the cyberattack on the U.S. Treasury Department, which was facilitated by a compromised API key from BeyondTrust's Remote Support SaaS platform.
- The breach is attributed to Chinese state-sponsored threat actors.
Key Events and Timeline:
- Compromised API Key: Attackers used a compromised BeyondTrust API key to gain initial access; how the key itself was obtained has not been disclosed.
- Detection: BeyondTrust detected suspicious activity on December 2, 2024.
- Key Revoked: The compromised API key was revoked on December 8 after the breach was confirmed.
- Zero-Day Exploitation: The attackers exploited two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686.
    - CVE-2024-12356 was a critical command injection flaw, allowing execution of arbitrary commands on the system. This flaw was due to improper input sanitization.
- Unauthorized Access: Attackers reset passwords and gained unauthorized access to several Treasury workstations.
- Data Exfiltration: The attackers were able to steal unclassified documents.
Technical Details:
- The attackers used a compromised API key to access BeyondTrust’s Remote Support SaaS platform.
- The exploitation of CVE-2024-12356 allowed attackers to execute arbitrary commands without authentication.
- This command injection vulnerability allowed the attackers to run commands on the operating system and enabled further attacks, such as resetting passwords.
- The use of zero-day vulnerabilities indicates the sophistication of the attack.
Impact:
- The U.S. Treasury Department was breached, resulting in the theft of unclassified documents.
- The incident is considered a major security breach involving a third-party provider.
- The attack highlights the risk of supply chain vulnerabilities where a breach of a third-party provider like BeyondTrust can lead to significant impacts on their customers.
Response and Remediation:
- BeyondTrust revoked the compromised API key.
- Patches were released to address the exploited vulnerabilities.
- The vulnerability CVE-2024-12356 was addressed with an urgent patch by BeyondTrust.
Attribution:
- The attack is attributed to Chinese state-sponsored threat actors.
- The specific APT (Advanced Persistent Threat) group involved was not named, but they are linked to the Chinese government.
Conclusion:
- The breach of the U.S. Treasury Department through the exploitation of a vulnerability in BeyondTrust's platform highlights the need for robust cybersecurity practices and vigilance regarding third-party risks.
- The incident emphasizes the importance of patching vulnerabilities promptly and monitoring for suspicious activities.
Additional Notes:
- How the attackers obtained the API key remains unclear.
- This incident underscores the potential damage from compromised third-party services and API keys.
- The incident involved the compromise of BeyondTrust's Remote Suppo

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Title: US Treasury Department: Chinese Hackers Exploit API Vulnerability

Introduction:
- This episode examines the cyberattack on the U.S. Treasury Department, which was facilitated by a compromised API key from BeyondTrust's Remote Support SaaS platform.
- The breach is attributed to Chinese state-sponsored threat actors.
Key Events and Timeline:
- Compromised API Key: Attackers used a compromised BeyondTrust API key to gain initial access; how the key itself was obtained has not been disclosed.
- Detection: BeyondTrust detected suspicious activity on December 2, 2024.
- Key Revoked: The compromised API key was revoked on December 8 after the breach was confirmed.
- Zero-Day Exploitation: The attackers exploited two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686.
    - CVE-2024-12356 was a critical command injection flaw, allowing execution of arbitrary commands on the system. This flaw was due to improper input sanitization.
- Unauthorized Access: Attackers reset passwords and gained unauthorized access to several Treasury workstations.
- Data Exfiltration: The attackers were able to steal unclassified documents.
Technical Details:
- The attackers used a compromised API key to access BeyondTrust’s Remote Support SaaS platform.
- The exploitation of CVE-2024-12356 allowed attackers to execute arbitrary commands without authentication.
- This command injection vulnerability allowed the attackers to run commands on the operating system and enabled further attacks, such as resetting passwords.
- The use of zero-day vulnerabilities indicates the sophistication of the attack.
Impact:
- The U.S. Treasury Department was breached, resulting in the theft of unclassified documents.
- The incident is considered a major security breach involving a third-party provider.
- The attack highlights the risk of supply chain vulnerabilities where a breach of a third-party provider like BeyondTrust can lead to significant impacts on their customers.
Response and Remediation:
- BeyondTrust revoked the compromised API key.
- Patches were released to address the exploited vulnerabilities.
- The vulnerability CVE-2024-12356 was addressed with an urgent patch by BeyondTrust.
Attribution:
- The attack is attributed to Chinese state-sponsored threat actors.
- The specific APT (Advanced Persistent Threat) group involved was not named, but they are linked to the Chinese government.
Conclusion:
- The breach of the U.S. Treasury Department through the exploitation of a vulnerability in BeyondTrust's platform highlights the need for robust cybersecurity practices and vigilance regarding third-party risks.
- The incident emphasizes the importance of patching vulnerabilities promptly and monitoring for suspicious activities.
Additional Notes:
- How the attackers obtained the API key remains unclear.
- This incident underscores the potential damage from compromised third-party services and API keys.
- The incident involved the compromise of BeyondTrust's Remote Suppo

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1066</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63526404]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1554649147.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The Prometheus Security Breach | 300K Instances Exposed!</title>
      <link>https://player.megaphone.fm/NPTNI5327909846</link>
      <description>Episode Notes: Prometheus Security Breach - Are Your Mobile Secrets Safe?
Headline: Hundreds of thousands of Prometheus servers and exporters found vulnerable to attacks, potentially leaking sensitive credentials and API keys.
Description: In this episode, we discuss the recently disclosed security exposure affecting Prometheus, a widely used open-source monitoring and alerting tool. We'll explore the weaknesses, the potential impact on organisations, and most importantly, the steps you can take to protect your systems.
Key Takeaways:
● Vulnerabilities: Internet-facing Prometheus servers and exporters that run without authentication expose their configuration and debugging endpoints to anyone who can reach them. In addition, some exporters reference abandoned or renamed GitHub repositories that an attacker could re-register (RepoJacking) to ship a malicious exporter.
● Impact: Attackers could obtain credentials and API keys from exposed configuration, potentially leading to data breaches and system compromise.
● Scale: The exposure affects a staggering number of endpoints: over 296,000 internet-facing exporters and 40,000 Prometheus servers.
● Mitigation: Because the problem is largely one of configuration rather than a single code defect, there is no patch to apply; mitigation means enabling authentication, limiting external exposure, and restricting access to debugging endpoints.
● Past Concerns: This isn't the first time Prometheus has faced scrutiny. Previous research highlighted data leakage concerns in 2021 and 2022, underscoring the need for robust security practices.
Call to Action:
● Update: Ensure your Prometheus instances and servers are updated to the latest version to patch any known vulnerabilities.
● Authentication: Implement robust authentication mechanisms to prevent unauthorised access.
Resources:
● Aqua Security Research: https://www.aquasec.com/
● Prometheus Official Website: https://prometheus.io/
● The Hacker News: https://thehackernews.com/
Keywords: #PrometheusSecurity, #DataBreach, #CyberSecurity, #APIKeys, #CredentialLeak, #RepoJacking, #OpenSourceSecurity, #Vulnerability, #CyberThreat

Upwardly Mobile is created by Human Sources with AI assistance.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 30 Dec 2024 09:25:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Notes: Prometheus Security Breach - Are Your Mobile Secrets Safe?
Headline: Hundreds of thousands of Prometheus servers and exporters found vulnerable to attacks, potentially leaking sensitive credentials and API keys.
Description: In this episode, we discuss the recent security breach impacting Prometheus, a widely used open-source monitoring and alerting tool. We'll explore the vulnerabilities, the potential impact on organisations, and most importantly, the steps you can take to protect your systems.
Key Takeaways:
● Vulnerability: The root of the issue lies in RepoJacking, where attackers exploit abandoned or renamed GitHub repositories to introduce malicious exporters.
● Impact: Hackers could gain access to sensitive information such as credentials and API keys, potentially leading to data breaches and system compromise.
● Scale: The breach affects a staggering number of endpoints – over 296,000 internet-facing exporters and 40,000 Prometheus servers.
● Mitigation: While patches aren't readily available, mitigation strategies involve implementing proper authentication, limiting external exposure, and securing debugging endpoints.
● Past Concerns: This isn't the first time Prometheus has faced scrutiny. Previous research highlighted data leakage concerns in 2021 and 2022, underscoring the need for robust security practices.
Call to Action:
● Update: Ensure your Prometheus instances and servers are updated to the latest version to patch any known vulnerabilities.
● Authentication: Implement robust authentication mechanisms to prevent unauthorised access.
Resources:
● Aqua Security Research: https://www.aquasec.com/
● Prometheus Official Website: https://prometheus.io/
● The Hacker News: https://thehackernews.com/
Keywords: #PrometheusSecurity, #DataBreach, #CyberSecurity, #APIKeys, #CredentialLeak, #RepoJacking, #OpenSourceSecurity, #Vulnerability, #CyberThreat

Upwardly Mobile is created by Human Sources with AI assistance.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Notes: Prometheus Security Breach - Are Your Mobile Secrets Safe?
Headline: Hundreds of thousands of Prometheus servers and exporters found vulnerable to attacks, potentially leaking sensitive credentials and API keys.
Description: In this episode, we discuss the recent security breach impacting Prometheus, a widely used open-source monitoring and alerting tool. We'll explore the vulnerabilities, the potential impact on organisations, and most importantly, the steps you can take to protect your systems.
Key Takeaways:
● Vulnerability: The root of the issue lies in RepoJacking, where attackers exploit abandoned or renamed GitHub repositories to introduce malicious exporters.
● Impact: Hackers could gain access to sensitive information such as credentials and API keys, potentially leading to data breaches and system compromise.
● Scale: The breach affects a staggering number of endpoints – over 296,000 internet-facing exporters and 40,000 Prometheus servers.
● Mitigation: While patches aren't readily available, mitigation strategies involve implementing proper authentication, limiting external exposure, and securing debugging endpoints.
● Past Concerns: This isn't the first time Prometheus has faced scrutiny. Previous research highlighted data leakage concerns in 2021 and 2022, underscoring the need for robust security practices.
Call to Action:
● Update: Ensure your Prometheus instances and servers are updated to the latest version to patch any known vulnerabilities.
● Authentication: Implement robust authentication mechanisms to prevent unauthorised access.
Resources:
● Aqua Security Research: https://www.aquasec.com/
● Prometheus Official Website: https://prometheus.io/
● The Hacker News: https://thehackernews.com/
Keywords: #PrometheusSecurity, #DataBreach, #CyberSecurity, #APIKeys, #CredentialLeak, #RepoJacking, #OpenSourceSecurity, #Vulnerability, #CyberThreat

Upwardly Mobile is created by Human Sources with AI assistance.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>998</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63347160]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5327909846.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Apple DeviceCheck and AppAttest Limitations</title>
      <link>https://player.megaphone.fm/NPTNI3758454306</link>
      <description>Here are some notes for an episode of the Upwardly Mobile podcast about Apple App Attest and Device Check:
What are Apple App Attest and Device Check?
● DeviceCheck is an iOS framework introduced in iOS 11. It allows developers to set and query two binary flags per device, helping them track information like whether a user has claimed a free offer.
● App Attest, added to DeviceCheck in iOS 14, verifies that an app is genuine and untampered. It uses cryptographic keys generated on the device and verified by Apple.
How do they work?
● DeviceCheck generates a unique token for each device, allowing developers to track basic information about the device.
● App Attest uses a challenge-response system. The server sends a challenge to the app, which generates a cryptographic key pair. A hash of the challenge and key identifier is sent to Apple for verification.
What are the limitations?
● iOS only: These solutions only work with iOS devices.
● Not all iOS devices are covered: App Attest is not compatible with all devices or most app extensions.
● Potential for circumvention: Sophisticated attackers could potentially bypass these checks.
● Limited client integrity checks: App Attest only verifies the app's integrity, not the device's. It doesn't detect jailbroken devices or runtime manipulation.
● Limited analytics: App Attest provides minimal usage data.
● Implementation challenges: App Attest can be difficult to implement.
● No API secret protection: App Attest doesn't prevent API secrets from being stolen.
● Doesn't prevent MitM attacks: App Attest doesn't stop Man-in-the-Middle attacks.
● Performance and rate limits: Apple may throttle requests, impacting app performance.
● Reliance on Apple's servers: App Attest relies on Apple's servers, which can experience downtime.
● Privacy concerns: Some users have concerns about Apple storing device data.
Why are these limitations important for developers?
● Developers need to be aware of the limitations to make informed decisions about their app's security.
● Relying solely on these tools could leave apps vulnerable to sophisticated attacks.
● Developers should consider implementing additional security measures, like those offered by Approov, to enhance protection.
Approov and Apple App Attest/Device Check
● Approov can complement Apple's solutions, mitigating some of their limitations.
● It provides comprehensive mobile app security that works across platforms, including iOS and Android.
Key takeaways for the episode:
● Apple App Attest and Device Check offer basic app and device attestation capabilities.
● However, they have limitations that developers should be aware of.
● To achieve robust mobile app security, developers should consider additional measures, such as Approov, to complement Apple's solutions.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 28 Dec 2024 04:55:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Here are some notes for an episode of the Upwardly Mobile podcast about Apple App Attest and Device Check:
What are Apple App Attest and Device Check?
● DeviceCheck is an iOS framework introduced in iOS 11. It allows developers to set and query two binary flags per device, helping them track information like whether a user has claimed a free offer.
● App Attest, added to DeviceCheck in iOS 14, verifies that an app is genuine and untampered. It uses cryptographic keys generated on the device and verified by Apple.
How do they work?
● DeviceCheck generates a unique token for each device, allowing developers to track basic information about the device.
● App Attest uses a challenge-response system. The server sends a challenge to the app, which generates a cryptographic key pair. A hash of the challenge and key identifier is sent to Apple for verification.
What are the limitations?
● iOS only: These solutions only work with iOS devices.
● Not all iOS devices are covered: App Attest is not compatible with all devices or most app extensions.
● Potential for circumvention: Sophisticated attackers could potentially bypass these checks.
● Limited client integrity checks: App Attest only verifies the app's integrity, not the device's. It doesn't detect jailbroken devices or runtime manipulation.
● Limited analytics: App Attest provides minimal usage data.
● Implementation challenges: App Attest can be difficult to implement.
● No API secret protection: App Attest doesn't prevent API secrets from being stolen.
● Doesn't prevent MitM attacks: App Attest doesn't stop Man-in-the-Middle attacks.
● Performance and rate limits: Apple may throttle requests, impacting app performance.
● Reliance on Apple's servers: App Attest relies on Apple's servers, which can experience downtime.
● Privacy concerns: Some users have concerns about Apple storing device data.
Why are these limitations important for developers?
● Developers need to be aware of the limitations to make informed decisions about their app's security.
● Relying solely on these tools could leave apps vulnerable to sophisticated attacks.
● Developers should consider implementing additional security measures, like those offered by Approov, to enhance protection.
Approov and Apple App Attest/Device Check
● Approov can complement Apple's solutions, mitigating some of their limitations.
● It provides comprehensive mobile app security that works across platforms, including iOS and Android.
Key takeaways for the episode:
● Apple App Attest and Device Check offer basic app and device attestation capabilities.
● However, they have limitations that developers should be aware of.
● To achieve robust mobile app security, developers should consider additional measures, such as Approov, to complement Apple's solutions.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Here are some notes for an episode of the Upwardly Mobile podcast about Apple App Attest and Device Check:
What are Apple App Attest and Device Check?
● DeviceCheck is an iOS framework introduced in iOS 11. It allows developers to set and query two binary flags per device, helping them track information like whether a user has claimed a free offer.
● App Attest, added to DeviceCheck in iOS 14, verifies that an app is genuine and untampered. It uses cryptographic keys generated on the device and verified by Apple.
How do they work?
● DeviceCheck generates a unique token for each device, allowing developers to track basic information about the device.
● App Attest uses a challenge-response system. The server sends a challenge to the app, which generates a cryptographic key pair. A hash of the challenge and key identifier is sent to Apple for verification.
What are the limitations?
● iOS only: These solutions only work with iOS devices.
● Not all iOS devices are covered: App Attest is not compatible with all devices or most app extensions.
● Potential for circumvention: Sophisticated attackers could potentially bypass these checks.
● Limited client integrity checks: App Attest only verifies the app's integrity, not the device's. It doesn't detect jailbroken devices or runtime manipulation.
● Limited analytics: App Attest provides minimal usage data.
● Implementation challenges: App Attest can be difficult to implement.
● No API secret protection: App Attest doesn't prevent API secrets from being stolen.
● Doesn't prevent MitM attacks: App Attest doesn't stop Man-in-the-Middle attacks.
● Performance and rate limits: Apple may throttle requests, impacting app performance.
● Reliance on Apple's servers: App Attest relies on Apple's servers, which can experience downtime.
● Privacy concerns: Some users have concerns about Apple storing device data.
Why are these limitations important for developers?
● Developers need to be aware of the limitations to make informed decisions about their app's security.
● Relying solely on these tools could leave apps vulnerable to sophisticated attacks.
● Developers should consider implementing additional security measures, like those offered by Approov, to enhance protection.
Approov and Apple App Attest/Device Check
● Approov can complement Apple's solutions, mitigating some of their limitations.
● It provides comprehensive mobile app security that works across platforms, including iOS and Android.
Key takeaways for the episode:
● Apple App Attest and Device Check offer basic app and device attestation capabilities.
● However, they have limitations that developers should be aware of.
● To achieve robust mobile app security, developers should consider additional measures, such as Approov, to complement Apple's solutions.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>939</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63322171]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3758454306.mp3?updated=1778661149" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Mobile API Security | Closing the Protection Gap with a Mobile SDK</title>
      <link>https://player.megaphone.fm/NPTNI5509076194</link>
      <description>Episode Notes: Closing the API Security Gap with a Mobile SDK
In this episode, we delve into the critical topic of mobile app API security and explore how a robust SDK solution like Approov can bridge the gap left by traditional security measures.
Key Discussion Points:
● The mobile security gap: Traditional application security vendors, while focusing on web application and API protection (WAAP), often neglect the specific vulnerabilities of mobile apps.
● Limitations of backend security: Solutions like WAFs and API gateways rely on observing traffic patterns at the backend. This approach can be ineffective against sophisticated bots mimicking legitimate mobile app behaviour and may lead to false positives, disrupting genuine users.
● The rise of mobile SDKs for enhanced protection: Embedding an SDK within a mobile app enables continuous verification of contextual information from the app and the device environment, providing more effective protection against mobile-originated threats.
● Two types of SDK approaches:
○ User-behaviour signals: This approach analyses user interactions within the app to identify bot activity, but it can be computationally intensive and prone to false positives and negatives.
○ Software-identity signals: This approach focuses on detecting problematic software or configurations on the device, offering a more deterministic and accurate method of bot detection.
● Approov's unique approach to mobile app security: Approov uses a software-identity signal approach to validate the authenticity of both the app and the device at runtime, ensuring that only legitimate requests reach backend servers.
● Benefits of Approov:
○ Accurate and deterministic bot detection
○ Enhanced API key security through just-in-time delivery
○ Seamless integration with existing backend security solutions
● How Approov enhances existing backend security: Approov complements traditional security measures by providing an additional layer of mobile-specific protection, closing the security gap and offering a comprehensive approach to safeguarding APIs.
Call to Action:
● Visit the Approov website to learn more about their mobile app security solutions: https://approov.io/
● Contact Approov to discuss your specific mobile app security needs: https://approov.io/
Keywords for SEO:
Mobile app security, API security, SDK, Approov, bot detection, WAAP, WAF, software-identity signals, user-behaviour signals, mobile threats, runtime protection, API key security.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 23 Dec 2024 09:00:07 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Episode Notes: Closing the API Security Gap with a Mobile SDK
In this episode, we delve into the critical topic of mobile app API security and explore how a robust SDK solution like Approov can bridge the gap left by traditional security measures.
Key Discussion Points:
● The mobile security gap: Traditional application security vendors, while focusing on web application and API protection (WAAP), often neglect the specific vulnerabilities of mobile apps.
● Limitations of backend security: Solutions like WAFs and API gateways rely on observing traffic patterns at the backend. This approach can be ineffective against sophisticated bots mimicking legitimate mobile app behaviour and may lead to false positives, disrupting genuine users.
● The rise of mobile SDKs for enhanced protection: Embedding an SDK within a mobile app enables continuous verification of contextual information from the app and the device environment, providing more effective protection against mobile-originated threats.
● Two types of SDK approaches:
○ User-behaviour signals: This approach analyses user interactions within the app to identify bot activity, but it can be computationally intensive and prone to false positives and negatives.
○ Software-identity signals: This approach focuses on detecting problematic software or configurations on the device, offering a more deterministic and accurate method of bot detection.
● Approov's unique approach to mobile app security: Approov uses a software-identity signal approach to validate the authenticity of both the app and the device at runtime, ensuring that only legitimate requests reach backend servers.
● Benefits of Approov:
○ Accurate and deterministic bot detection
○ Enhanced API key security through just-in-time delivery
○ Seamless integration with existing backend security solutions
● How Approov enhances existing backend security: Approov complements traditional security measures by providing an additional layer of mobile-specific protection, closing the security gap and offering a comprehensive approach to safeguarding APIs.
Call to Action:
● Visit the Approov website to learn more about their mobile app security solutions: https://approov.io/
● Contact Approov to discuss your specific mobile app security needs: https://approov.io/
Keywords for SEO:
Mobile app security, API security, SDK, Approov, bot detection, WAAP, WAF, software-identity signals, user-behaviour signals, mobile threats, runtime protection, API key security.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Episode Notes: Closing the API Security Gap with a Mobile SDK
In this episode, we delve into the critical topic of mobile app API security and explore how a robust SDK solution like Approov can bridge the gap left by traditional security measures.
Key Discussion Points:
● The mobile security gap: Traditional application security vendors, while focusing on web application and API protection (WAAP), often neglect the specific vulnerabilities of mobile apps.
● Limitations of backend security: Solutions like WAFs and API gateways rely on observing traffic patterns at the backend. This approach can be ineffective against sophisticated bots mimicking legitimate mobile app behaviour and may lead to false positives, disrupting genuine users.
● The rise of mobile SDKs for enhanced protection: Embedding an SDK within a mobile app enables continuous verification of contextual information from the app and the device environment, providing more effective protection against mobile-originated threats.
● Two types of SDK approaches:
○ User-behaviour signals: This approach analyses user interactions within the app to identify bot activity, but it can be computationally intensive and prone to false positives and negatives.
○ Software-identity signals: This approach focuses on detecting problematic software or configurations on the device, offering a more deterministic and accurate method of bot detection.
● Approov's unique approach to mobile app security: Approov uses a software-identity signal approach to validate the authenticity of both the app and the device at runtime, ensuring that only legitimate requests reach backend servers.
● Benefits of Approov:
○ Accurate and deterministic bot detection
○ Enhanced API key security through just-in-time delivery
○ Seamless integration with existing backend security solutions
● How Approov enhances existing backend security: Approov complements traditional security measures by providing an additional layer of mobile-specific protection, closing the security gap and offering a comprehensive approach to safeguarding APIs.
Call to Action:
● Visit the Approov website to learn more about their mobile app security solutions: https://approov.io/
● Contact Approov to discuss your specific mobile app security needs: https://approov.io/
Keywords for SEO:
Mobile app security, API security, SDK, Approov, bot detection, WAAP, WAF, software-identity signals, user-behaviour signals, mobile threats, runtime protection, API key security.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>875</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63346970]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI5509076194.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Zero Trust Mobile Security with Approov</title>
      <link>https://player.megaphone.fm/NPTNI1006255930</link>
      <description>Synopsis: In this episode, we explore the critical world of mobile app security and how the concept of zero trust is reshaping the way we protect sensitive data. We delve into the vulnerabilities inherent in traditional security models and discuss why a zero trust approach is essential for safeguarding your apps and your users. Guest: Dr. Edward Amoroso, Chief Executive Officer, TAG Infosphere
Key Discussion Points:

- The Mobile Threat Landscape: Discuss the evolving threats facing mobile apps, including API abuse, infrastructure-in-the-middle attacks, unauthorized usage, fake apps, bots, and data breaches. [1-5]
- Zero Trust Principles: Explain the core principles of zero trust and why it's particularly crucial for mobile environments where devices are often outside the traditional security perimeter.
- Approov's Role in Zero Trust Mobile Security: Demonstrate how Approov leverages runtime secrets protection, app attestation, and dynamic certificate pinning to establish a robust zero trust framework for mobile apps.
- Dynamic API Protection: Highlight the importance of dynamic API protection as a key component of a zero trust strategy and explore how Approov achieves this through real-time threat detection, over-the-air updates, and dynamic defenses. [5, 23, 25, 33, 36, 38, 41]
- The Future of Mobile App Security: Speculate on emerging trends and technologies that will shape the future of mobile app security in the context of zero trust and a rapidly evolving threat landscape.
Links:

- Approov Website: www.approov.io 
- Upwardly Mobile Podcast: https://open.spotify.com/show/3iYLhvcx8q1QwH0jc1QSld
- Approov Runtime Secrets Protection: https://approov.io/mobile-app-security/rasp/runtime-secrets/ 
- TAG Infosphere Website: https://tag-infosphere.com/

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 20 Dec 2024 10:05:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Synopsis: In this episode, we explore the critical world of mobile app security and how the concept of zero trust is reshaping the way we protect sensitive data. We delve into the vulnerabilities inherent in traditional security models and discuss why a zero trust approach is essential for safeguarding your apps and your users. Guest: Dr. Edward Amoroso, Chief Executive Officer, TAG Infosphere
Key Discussion Points:

- The Mobile Threat Landscape: Discuss the evolving threats facing mobile apps, including API abuse, infrastructure-in-the-middle attacks, unauthorized usage, fake apps, bots, and data breaches. [1-5]
- Zero Trust Principles: Explain the core principles of zero trust and why it's particularly crucial for mobile environments where devices are often outside the traditional security perimeter.
- Approov's Role in Zero Trust Mobile Security: Demonstrate how Approov leverages runtime secrets protection, app attestation, and dynamic certificate pinning to establish a robust zero trust framework for mobile apps.
- Dynamic API Protection: Highlight the importance of dynamic API protection as a key component of a zero trust strategy and explore how Approov achieves this through real-time threat detection, over-the-air updates, and dynamic defenses. [5, 23, 25, 33, 36, 38, 41]
- The Future of Mobile App Security: Speculate on emerging trends and technologies that will shape the future of mobile app security in the context of zero trust and a rapidly evolving threat landscape.
Links:

- Approov Website: www.approov.io 
- Upwardly Mobile Podcast: https://open.spotify.com/show/3iYLhvcx8q1QwH0jc1QSld
- Approov Runtime Secrets Protection: https://approov.io/mobile-app-security/rasp/runtime-secrets/ 
- TAG Infosphere Website: https://tag-infosphere.com/

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Synopsis: In this episode, we explore the critical world of mobile app security and how the concept of zero trust is reshaping the way we protect sensitive data. We delve into the vulnerabilities inherent in traditional security models and discuss why a zero trust approach is essential for safeguarding your apps and your users. Guest: Dr. Edward Amoroso, Chief Executive Officer, TAG Infosphere
Key Discussion Points:

- The Mobile Threat Landscape: Discuss the evolving threats facing mobile apps, including API abuse, infrastructure-in-the-middle attacks, unauthorized usage, fake apps, bots, and data breaches. [1-5]
- Zero Trust Principles: Explain the core principles of zero trust and why it's particularly crucial for mobile environments where devices are often outside the traditional security perimeter.
- Approov's Role in Zero Trust Mobile Security: Demonstrate how Approov leverages runtime secrets protection, app attestation, and dynamic certificate pinning to establish a robust zero trust framework for mobile apps.
- Dynamic API Protection: Highlight the importance of dynamic API protection as a key component of a zero trust strategy and explore how Approov achieves this through real-time threat detection, over-the-air updates, and dynamic defenses. [5, 23, 25, 33, 36, 38, 41]
- The Future of Mobile App Security: Speculate on emerging trends and technologies that will shape the future of mobile app security in the context of zero trust and a rapidly evolving threat landscape.
Links:

- Approov Website: www.approov.io 
- Upwardly Mobile Podcast: https://open.spotify.com/show/3iYLhvcx8q1QwH0jc1QSld
- Approov Runtime Secrets Protection: https://approov.io/mobile-app-security/rasp/runtime-secrets/ 
- TAG Infosphere Website: https://tag-infosphere.com/

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1134</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63318593]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI1006255930.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>TikTok Ban Upheld | A Legal Showdown</title>
      <link>https://player.megaphone.fm/NPTNI3250158809</link>
      <description>Podcast Notes: TikTok Ban, Data Privacy and the Future of Social Media
Keywords: TikTok, ban, data privacy, cybersecurity, free speech, social media, USA, China, Apple, Google, Meta, Amazon, algorithms, surveillance.
Links:
● https://www.forbes.com/sites/petersuciu/2024/12/06/tiktok-ban-upheld-by-appeals-court-clock-running-out-for-bytedance/
● https://www.forbes.com/sites/zakdoffman/2024/10/04/warningtiktok-posts-caught-stealing-iphone-android-user-passwords/
Introduction
● The US Court of Appeals has upheld the ban on TikTok, citing national security concerns over data sharing with China.
● This decision has ignited debates about free speech, data privacy, and the power of Big Tech.
The TikTok Ban: A Timeline
● President Trump initially attempted to ban TikTok, but the Biden administration overturned it.
● President Biden signed a new "sell-or-ban" law in April 2024, with bipartisan support.
● The law requires TikTok to be sold to a US company or face a complete ban by January 19, 2025.
The Security Debate
● US lawmakers argue that TikTok could share user data with the Chinese government, posing a national security risk.
● Critics point out that US companies like Meta and Amazon also collect vast amounts of user data and have faced privacy abuse allegations.
● They argue that the focus on TikTok is hypocritical and that a broader discussion about data privacy in the US is needed.
Data Privacy in the USA
● The USA lacks a federal data privacy framework, allowing companies like Apple and Google to set their own policies, which often lack transparency.
● This lack of regulation makes it difficult for users to understand how their data is collected and used.
The Impact on Users
● The ban could disrupt millions of TikTok users and creators who rely on the platform.
● Users may migrate to platforms like Instagram Reels or Bluesky.
● The ruling highlights the importance of data privacy and the need for greater transparency from social media companies.
Key Talking Points:
● Is the TikTok ban justified based on national security concerns, or is it a form of censorship?
● Does the ban adequately address the broader issue of data privacy in the US?
● What are the implications of the ban for users and the future of social media?
● How can governments balance national security with individual rights in the digital age?
This case is a microcosm of larger issues surrounding cybersecurity, data privacy, and the power of technology companies. It's crucial to have open discussions about these issues to protect user rights and ensure a safer online environment.

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Mon, 16 Dec 2024 08:35:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Podcast Notes: TikTok Ban, Data Privacy and the Future of Social Media
Keywords: TikTok, ban, data privacy, cybersecurity, free speech, social media, USA, China, Apple, Google, Meta, Amazon, algorithms, surveillance.
Links:
● https://www.forbes.com/sites/petersuciu/2024/12/06/tiktok-ban-upheld-by-appeals-court-clock-running-out-for-bytedance/
● https://www.forbes.com/sites/zakdoffman/2024/10/04/warningtiktok-posts-caught-stealing-iphone-android-user-passwords/
Introduction
● The US Court of Appeals has upheld the ban on TikTok, citing national security concerns over data sharing with China [1, 2].
● This decision has ignited debates about free speech, data privacy, and the power of Big Tech [3].
The TikTok Ban: A Timeline
● President Trump initially attempted to ban TikTok, but the Biden administration overturned it [4].
● President Biden signed a new "sell-or-ban" law in April 2024, with bipartisan support [3].
● The law requires TikTok to be sold to a US company or face a complete ban by January 19, 2025 [5].
The Security Debate
● US lawmakers argue that TikTok could share user data with the Chinese government, posing a national security risk [2, 6].
● Critics point out that US companies like Meta and Amazon also collect vast amounts of user data and have faced privacy abuse allegations [7].
● They argue that the focus on TikTok is hypocritical and that a broader discussion about data privacy in the US is needed [6, 7].
Data Privacy in the USA
● The USA lacks a federal data privacy framework, allowing companies like Apple and Google to set their own policies, which often lack transparency [6, 8].
● This lack of regulation makes it difficult for users to understand how their data is collected and used [6, 8].
The Impact on Users
● The ban could disrupt millions of TikTok users and creators who rely on the platform [9].
● Users may migrate to platforms like Instagram Reels or Bluesky [9].
● The ruling highlights the importance of data privacy and the need for greater transparency from social media companies [10].
Key Talking Points:
● Is the TikTok ban justified based on national security concerns, or is it a form of censorship?
● Does the ban adequately address the broader issue of data privacy in the US?
● What are the implications of the ban for users and the future of social media?
● How can governments balance national security with individual rights in the digital age?
This case is a microcosm of larger issues surrounding cybersecurity, data privacy, and the power of technology companies. It's crucial to have open discussions about these issues to protect user rights and ensure a safer online environment.

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Podcast Notes: TikTok Ban, Data Privacy and the Future of Social Media
Keywords: TikTok, ban, data privacy, cybersecurity, free speech, social media, USA, China, Apple, Google, Meta, Amazon, algorithms, surveillance.
Links:
● https://www.forbes.com/sites/petersuciu/2024/12/06/tiktok-ban-upheld-by-appeals-court-clock-running-out-for-bytedance/
● https://www.forbes.com/sites/zakdoffman/2024/10/04/warningtiktok-posts-caught-stealing-iphone-android-user-passwords/
Introduction
● The US Court of Appeals has upheld the ban on TikTok, citing national security concerns over data sharing with China [1, 2].
● This decision has ignited debates about free speech, data privacy, and the power of Big Tech [3].
The TikTok Ban: A Timeline
● President Trump initially attempted to ban TikTok, but the Biden administration overturned it [4].
● President Biden signed a new "sell-or-ban" law in April 2024, with bipartisan support [3].
● The law requires TikTok to be sold to a US company or face a complete ban by January 19, 2025 [5].
The Security Debate
● US lawmakers argue that TikTok could share user data with the Chinese government, posing a national security risk [2, 6].
● Critics point out that US companies like Meta and Amazon also collect vast amounts of user data and have faced privacy abuse allegations [7].
● They argue that the focus on TikTok is hypocritical and that a broader discussion about data privacy in the US is needed [6, 7].
Data Privacy in the USA
● The USA lacks a federal data privacy framework, allowing companies like Apple and Google to set their own policies, which often lack transparency [6, 8].
● This lack of regulation makes it difficult for users to understand how their data is collected and used [6, 8].
The Impact on Users
● The ban could disrupt millions of TikTok users and creators who rely on the platform [9].
● Users may migrate to platforms like Instagram Reels or Bluesky [9].
● The ruling highlights the importance of data privacy and the need for greater transparency from social media companies [10].
Key Talking Points:
● Is the TikTok ban justified based on national security concerns, or is it a form of censorship?
● Does the ban adequately address the broader issue of data privacy in the US?
● What are the implications of the ban for users and the future of social media?
● How can governments balance national security with individual rights in the digital age?
This case is a microcosm of larger issues surrounding cybersecurity, data privacy, and the power of technology companies. It's crucial to have open discussions about these issues to protect user rights and ensure a safer online environment.

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>661</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63328056]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI3250158809.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Over-the-Air Updates | Essential for Mobile App Security in the AI Age</title>
      <link>https://player.megaphone.fm/NPTNI8067672629</link>
      <description>Upwardly Mobile - App Security in the AI Age
Episode Overview: This episode dives into the critical importance of over-the-air (OTA) updates for securing mobile apps and APIs in today’s dynamic threat landscape.
Key Takeaways:
- AI is revolutionising cyberattacks, rendering traditional security methods like obfuscation and white-box cryptography obsolete. These static defenses cannot keep pace with AI’s pattern recognition capabilities and the rapid evolution of threats.
- OTA updates provide the agility and adaptability essential for effective app security. They enable real-time threat mitigation, dynamic API protection, enhanced resilience against AI threats, and improved user experience.
- Real-world examples illustrate how OTA updates can address pressing security challenges, including real-time policy updates, blocking malicious users and devices, dynamic secret management, updating third-party API dependencies, dynamic pinning of communication channels, and immediate integration of vendor security updates. [4-6]
- Leading fintech companies like GrowCredit and Metal Pay demonstrate the value of modern security solutions, including OTA updates and dynamic API shielding, in safeguarding platforms and sensitive data.
- Approov offers a unique, patented approach to securing mobile apps and APIs, empowering dynamic, over-the-air management of policies, secrets, certificates, and security product updates.
Keywords:
- Mobile App Security
- Over-The-Air Updates
- API Protection
- AI-Driven Cyber Threats
- Dynamic Security Solutions
- Obfuscation Alternatives
- White-Box Cryptography Limitations
- Advanced Mobile Security
- API Abuse Prevention
- Mobile Device Protection
- Real-Time Security Updates
- Runtime Application Self-Protection (RASP)
- Fintech App Security
- Mobile API Shielding
- Secure Mobile Applications
- Dynamic Defenses for Mobile Apps
- Cybersecurity for APIs
- AI-Driven Attacks on Mobile Apps
- Future-Proofing Mobile Apps
- Mobile Threat Mitigation Strategies [8]
Links:
- Approov: https://www.approov.io/ 
- OWASP Mobile Application Security Verification Standard (MASVS): https://owasp.org/www/project/mobile-security-testing-guide/

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 14 Dec 2024 21:50:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Upwardly Mobile - App Security in the AI Age
Episode Overview: This episode dives into the critical importance of over-the-air (OTA) updates for securing mobile apps and APIs in today’s dynamic threat landscape.
Key Takeaways:
- AI is revolutionising cyberattacks, rendering traditional security methods like obfuscation and white-box cryptography obsolete. These static defenses cannot keep pace with AI’s pattern recognition capabilities and the rapid evolution of threats.
- OTA updates provide the agility and adaptability essential for effective app security. They enable real-time threat mitigation, dynamic API protection, enhanced resilience against AI threats, and improved user experience.
- Real-world examples illustrate how OTA updates can address pressing security challenges, including real-time policy updates, blocking malicious users and devices, dynamic secret management, updating third-party API dependencies, dynamic pinning of communication channels, and immediate integration of vendor security updates. [4-6]
- Leading fintech companies like GrowCredit and Metal Pay demonstrate the value of modern security solutions, including OTA updates and dynamic API shielding, in safeguarding platforms and sensitive data.
- Approov offers a unique, patented approach to securing mobile apps and APIs, empowering dynamic, over-the-air management of policies, secrets, certificates, and security product updates.
Keywords:
- Mobile App Security
- Over-The-Air Updates
- API Protection
- AI-Driven Cyber Threats
- Dynamic Security Solutions
- Obfuscation Alternatives
- White-Box Cryptography Limitations
- Advanced Mobile Security
- API Abuse Prevention
- Mobile Device Protection
- Real-Time Security Updates
- Runtime Application Self-Protection (RASP)
- Fintech App Security
- Mobile API Shielding
- Secure Mobile Applications
- Dynamic Defenses for Mobile Apps
- Cybersecurity for APIs
- AI-Driven Attacks on Mobile Apps
- Future-Proofing Mobile Apps
- Mobile Threat Mitigation Strategies [8]
Links:
- Approov: https://www.approov.io/ 
- OWASP Mobile Application Security Verification Standard (MASVS): https://owasp.org/www/project/mobile-security-testing-guide/

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Upwardly Mobile - App Security in the AI Age
Episode Overview: This episode dives into the critical importance of over-the-air (OTA) updates for securing mobile apps and APIs in today’s dynamic threat landscape.
Key Takeaways:
- AI is revolutionising cyberattacks, rendering traditional security methods like obfuscation and white-box cryptography obsolete. These static defenses cannot keep pace with AI’s pattern recognition capabilities and the rapid evolution of threats.
- OTA updates provide the agility and adaptability essential for effective app security. They enable real-time threat mitigation, dynamic API protection, enhanced resilience against AI threats, and improved user experience.
- Real-world examples illustrate how OTA updates can address pressing security challenges, including real-time policy updates, blocking malicious users and devices, dynamic secret management, updating third-party API dependencies, dynamic pinning of communication channels, and immediate integration of vendor security updates. [4-6]
- Leading fintech companies like GrowCredit and Metal Pay demonstrate the value of modern security solutions, including OTA updates and dynamic API shielding, in safeguarding platforms and sensitive data.
- Approov offers a unique, patented approach to securing mobile apps and APIs, empowering dynamic, over-the-air management of policies, secrets, certificates, and security product updates.
Keywords:
- Mobile App Security
- Over-The-Air Updates
- API Protection
- AI-Driven Cyber Threats
- Dynamic Security Solutions
- Obfuscation Alternatives
- White-Box Cryptography Limitations
- Advanced Mobile Security
- API Abuse Prevention
- Mobile Device Protection
- Real-Time Security Updates
- Runtime Application Self-Protection (RASP)
- Fintech App Security
- Mobile API Shielding
- Secure Mobile Applications
- Dynamic Defenses for Mobile Apps
- Cybersecurity for APIs
- AI-Driven Attacks on Mobile Apps
- Future-Proofing Mobile Apps
- Mobile Threat Mitigation Strategies [8]
Links:
- Approov: https://www.approov.io/ 
- OWASP Mobile Application Security Verification Standard (MASVS): https://owasp.org/www/project/mobile-security-testing-guide/

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1099</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63318864]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI8067672629.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Atrium Health Data Breach Impacts 585,000</title>
      <link>https://player.megaphone.fm/NPTNI9192497631</link>
      <description>In this episode, we delve into the significant implications of the recent Atrium Health data breach, where over 585,000 individuals' information was potentially exposed through online tracking tools. This breach underscores the urgent need for robust API security in mobile applications, particularly in healthcare. We explore the key vulnerabilities in API implementations, the risks of insufficient security measures, and how attackers exploit gaps in app ecosystems. Learn about best practices for securing mobile APIs, including implementing app attestation, runtime protection, and API threat management, to safeguard sensitive user data and maintain compliance with evolving privacy laws. This episode is proudly sponsored by https://approov.io, a leading provider of runtime app and API security solutions. Visit the Approov page to discover tools and strategies for protecting your mobile app and API ecosystem. Tune in to stay ahead in the ever-changing landscape of mobile app security!

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Sat, 14 Dec 2024 01:46:55 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>In this episode, we delve into the significant implications of the recent Atrium Health data breach, where over 585,000 individuals' information was potentially exposed through online tracking tools. This breach underscores the urgent need for robust API security in mobile applications, particularly in healthcare. We explore the key vulnerabilities in API implementations, the risks of insufficient security measures, and how attackers exploit gaps in app ecosystems. Learn about best practices for securing mobile APIs, including implementing app attestation, runtime protection, and API threat management, to safeguard sensitive user data and maintain compliance with evolving privacy laws. This episode is proudly sponsored by https://approov.io, a leading provider of runtime app and API security solutions. Visit the Approov page to discover tools and strategies for protecting your mobile app and API ecosystem. Tune in to stay ahead in the ever-changing landscape of mobile app security!

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[In this episode, we delve into the significant implications of the recent Atrium Health data breach, where over 585,000 individuals' information was potentially exposed through online tracking tools. This breach underscores the urgent need for robust API security in mobile applications, particularly in healthcare. We explore the key vulnerabilities in API implementations, the risks of insufficient security measures, and how attackers exploit gaps in app ecosystems. Learn about best practices for securing mobile APIs, including implementing app attestation, runtime protection, and API threat management, to safeguard sensitive user data and maintain compliance with evolving privacy laws. This episode is proudly sponsored by https://approov.io, a leading provider of runtime app and API security solutions. Visit the Approov page to discover tools and strategies for protecting your mobile app and API ecosystem. Tune in to stay ahead in the ever-changing landscape of mobile app security!

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>853</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63311539]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI9192497631.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Is Direct-to-Consumer the Future of Mobile Apps Distribution?</title>
      <link>https://player.megaphone.fm/NPTNI7639382369</link>
      <description>Podcast Episode Title: "Upwardly Mobile: The Shift to Direct-to-Consumer (DTC) Distribution"

- Mobile applications and their APIs are vital for accessing data and services, but they are also major targets for security breaches.
- Bad actors exploit vulnerabilities to steal data, disrupt services, and hijack devices.
- The mobile app security landscape is challenging because app code is easily available and can be reverse-engineered.
- A key challenge is determining if an app or its environment has been tampered with.
- Client software attestation is important for verifying the authenticity of a mobile client before granting server access.
The Shift to Direct-to-Consumer (DTC) Distribution

- Mobile app developers are exploring direct-to-consumer (DTC) distribution methods due to the limitations imposed by traditional app stores.
- DTC offers advantages such as increased revenue, enhanced user relationships, and greater flexibility and control.
- Legislation such as the EU's Digital Markets Act (DMA) is promoting open app ecosystems.
- Alternative app stores like the Epic Games Store, Amazon Appstore and Samsung Galaxy Store are gaining traction.

The Mobile Threat Model:

- There are five key attack surfaces in the mobile ecosystem:
    - User Credentials
    - App Integrity
    - Device Integrity
    - API Channel Integrity
    - API and Service Vulnerabilities
- Attackers often explore these surfaces to extract information to set up automated attacks on APIs.
- User credentials can be stolen through phishing, spoofing, and data breaches.
- Attackers may also target the app itself to extract information or transform it into a tool for attacks.
- Device integrity can be compromised via rooting or jailbreaking, allowing attackers to bypass security mechanisms.
- API channels are vulnerable to man-in-the-middle (MitM) attacks, even when using HTTPS.
- APIs can be attacked through credential stuffing, data theft, and denial-of-service (DoS) attacks.
Approov's Solution:

- Approov provides a client software attestation solution that validates the identity and genuineness of the mobile client.
- Approov-enabled servers can determine the integrity of software applications running on client devices.
- The client software creates a special code (cryptographic hash) to prove it hasn’t been tampered with.
- This code is sent to an attestation service, which checks its validity.
- Approov's checks include code signing, detection of jailbroken/rooted devices, and checks on the device's OS and key files.
- A device is denied access to the server if it fails to meet these standards.
- Approov can be integrated into the Software Development Lifecycle (SDLC).
- Approov provides enhanced security, helps ensure regulatory compliance, and offers a cost-effective solution.
- Approov's patented technology strengthens server-client interactions by validating client software.
- It ensures app originality, detects compromised devices, and verifies device integrity.
How

This content was created in partnership and with the help of Artificial Intelligence AI.</description>
      <pubDate>Fri, 13 Dec 2024 19:22:06 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:author>Skye MacIntyre</itunes:author>
      <itunes:subtitle/>
      <itunes:summary>Podcast Episode Title: "Upwardly Mobile: The Shift to Direct-to-Consumer (DTC) Distribution"

- Mobile applications and their APIs are vital for accessing data and services, but they are also major targets for security breaches.
- Bad actors exploit vulnerabilities to steal data, disrupt services, and hijack devices.
- The mobile app security landscape is challenging because app code is easily available and can be reverse-engineered.
- A key challenge is determining if an app or its environment has been tampered with.
- Client software attestation is important for verifying the authenticity of a mobile client before granting server access.
The Shift to Direct-to-Consumer (DTC) Distribution

- Mobile app developers are exploring direct-to-consumer (DTC) distribution methods due to the limitations imposed by traditional app stores.
- DTC offers advantages such as increased revenue, enhanced user relationships, and greater flexibility and control.
- Legislation such as the EU's Digital Markets Act (DMA) is promoting open app ecosystems.
- Alternative app stores like the Epic Games Store, Amazon Appstore and Samsung Galaxy Store are gaining traction.

The Mobile Threat Model:

- There are five key attack surfaces in the mobile ecosystem:
    - User Credentials
    - App Integrity
    - Device Integrity
    - API Channel Integrity
    - API and Service Vulnerabilities
- Attackers often explore these surfaces to extract information to set up automated attacks on APIs.
- User credentials can be stolen through phishing, spoofing, and data breaches.
- Attackers may also target the app itself to extract information or transform it into a tool for attacks.
- Device integrity can be compromised via rooting or jailbreaking, allowing attackers to bypass security mechanisms.
- API channels are vulnerable to man-in-the-middle (MitM) attacks, even when using HTTPS.
- APIs can be attacked through credential stuffing, data theft, and denial-of-service (DoS) attacks.
Approov's Solution:

- Approov provides a client software attestation solution that validates the identity and genuineness of the mobile client.
- Approov-enabled servers can determine the integrity of software applications running on client devices.
- The client software creates a special code (cryptographic hash) to prove it hasn’t been tampered with.
- This code is sent to an attestation service, which checks its validity.
- Approov's checks include code signing, detection of jailbroken/rooted devices, and checks on the device's OS and key files.
- A device is denied access to the server if it fails to meet these standards.
- Approov can be integrated into the Software Development Lifecycle (SDLC).
- Approov provides enhanced security, helps ensure regulatory compliance, and offers a cost-effective solution.
- Approov's patented technology strengthens server-client interactions by validating client software.
- It ensures app originality, detects compromised devices, and verifies device integrity.
How

This content was created in partnership and with the help of Artificial Intelligence AI.</itunes:summary>
      <content:encoded>
        <![CDATA[Podcast Episode Title: "Upwardly Mobile: The Shift to Direct-to-Consumer (DTC) Distribution"

- Mobile applications and their APIs are vital for accessing data and services, but they are also major targets for security breaches.
- Bad actors exploit vulnerabilities to steal data, disrupt services, and hijack devices.
- The mobile app security landscape is challenging because app code is easily available and can be reverse-engineered.
- A key challenge is determining if an app or its environment has been tampered with.
- Client software attestation is important for verifying the authenticity of a mobile client before granting server access.
The Shift to Direct-to-Consumer (DTC) Distribution

- Mobile app developers are exploring direct-to-consumer (DTC) distribution methods due to the limitations imposed by traditional app stores.
- DTC offers advantages such as increased revenue, enhanced user relationships, and greater flexibility and control.
- Legislation such as the EU's Digital Markets Act (DMA) is promoting open app ecosystems.
- Alternative app stores like the Epic Games Store, Amazon Appstore and Samsung Galaxy Store are gaining traction.

The Mobile Threat Model:

- There are five key attack surfaces in the mobile ecosystem:
    - User Credentials
    - App Integrity
    - Device Integrity
    - API Channel Integrity
    - API and Service Vulnerabilities
- Attackers often explore these surfaces to extract information to set up automated attacks on APIs.
- User credentials can be stolen through phishing, spoofing, and data breaches.
- Attackers may also target the app itself to extract information or transform it into a tool for attacks.
- Device integrity can be compromised via rooting or jailbreaking, allowing attackers to bypass security mechanisms.
- API channels are vulnerable to man-in-the-middle (MitM) attacks, even when using HTTPS.
- APIs can be attacked through credential stuffing, data theft, and denial-of-service (DoS) attacks.
Approov's Solution:

- Approov provides a client software attestation solution that validates the identity and genuineness of the mobile client.
- Approov-enabled servers can determine the integrity of software applications running on client devices.
- The client software creates a special code (cryptographic hash) to prove it hasn’t been tampered with.
- This code is sent to an attestation service, which checks its validity.
- Approov's checks include code signing, detection of jailbroken/rooted devices, and checks on the device's OS and key files.
- A device is denied access to the server if it fails to meet these standards.
- Approov can be integrated into the Software Development Lifecycle (SDLC).
- Approov provides enhanced security, helps ensure regulatory compliance, and offers a cost-effective solution.
- Approov's patented technology strengthens server-client interactions by validating client software.
- It ensures app originality, detects compromised devices, and verifies device integrity.
How

This content was created in partnership and with the help of Artificial Intelligence AI.]]>
      </content:encoded>
      <itunes:duration>1204</itunes:duration>
      <guid isPermaLink="false"><![CDATA[https://api.spreaker.com/episode/63306233]]></guid>
      <enclosure url="https://traffic.megaphone.fm/NPTNI7639382369.mp3" length="0" type="audio/mpeg"/>
    </item>
  </channel>
</rss>
