
Approov Mobile Security

@approov.bsky.social

Zero-Trust for Mobile Apps and APIs - Cross Platform Mobile Attestation for Android, HarmonyOS and iOS Visit us at https://approov.io

32 Followers  |  84 Following  |  197 Posts  |  Joined: 19.11.2024  |  1.8594

Latest posts by approov.bsky.social on Bluesky


The Triangle of Trust: Mastering Mobile App Attestation & Zero Trust API Security

Welcome to another episode of Upwardly Mobile! In this episode, we take a deep dive into the evolution of runtime security for mobile API access. Traditional methods like API keys are easily stolen because they are static and stored directly inside the user's app. To combat this vulnerability, we explore the groundbreaking "Triangle of Trust" architecture developed by CriticalBlue, the company behind the Approov mobile security service. We unpack the technical details of US Patent 11,163,858 B2, titled "Client Software Attestation," which establishes a Zero Trust proof of software integrity for apps operating on the public internet. This episode breaks down how the patented system calculates a cryptographic hash fingerprint of an executing code image to detect tampering in real-time, ensuring that malicious actors cannot spoof access. We also discuss how Approov's platform-agnostic approach provides a significant competitive advantage over OS-native solutions like Google Play Integrity and Apple App Attest, especially in global markets featuring Huawei's HarmonyOS NEXT and non-GMS Android devices.

Key Takeaways from this Episode:
- The Triangle of Trust: A tripartite architecture separating the security check from the access itself, involving an Issuer (Approov Cloud Attestation Server), a Holder (the Mobile Client Device), and a Verifier (the Backend Server Device).
- Dynamic Code Fingerprinting: How client applications calculate a cryptographic hash of their own executing code image to prove integrity, ensuring no sensitive "master keys" are ever stored on the device where they could be extracted.
- Protection Against Advanced Threats: The system's ability to thwart "living-off-the-land" attacks (like memory hooking with Frida) and Man-in-the-Middle (MITM) attacks by verifying code dynamically in memory, rather than just checking the static OS state.
- Superiority Over OS-Native Tools: Why a unified, cross-platform attestation approach is critical for the global market, bypassing the latency, platform restrictions, and hardware dependencies of Google Play Integrity and Apple App Attest.
- A Defensible Security Moat: An analysis of why CriticalBlue's patent is highly defensible and has been cited over 60 times as prior art, acting as a major technical blocker for competitors in the cybersecurity industry.

Sponsor: This episode is brought to you by Approov. Stop relying on static API keys and secure your mobile business with deterministic, zero-trust software integrity. With global reach across iOS, GMS Android, non-GMS Android, and HarmonyOS, Approov ensures your backend APIs are shielded from malicious bots and tampered apps. Visit https://approov.com/ to learn more and secure your mobile ecosystem today.

Source Materials & Relevant Links:
- US Patent 11,163,858 B2: Client Software Attestation by Richard Michael Taylor / Critical Blue Ltd. (Filed 2015, Granted Nov 2, 2021).
- Whitepaper Excerpt: Attestation: The Triangle of Trust.
- Approov Official Website: https://approov.com/

SEO Keywords: Mobile API security, Zero Trust architecture, App attestation, Approov, CriticalBlue, Cryptographic hash fingerprint, Google Play Integrity alternative, Apple App Attest alternative, Man-in-the-Middle protection, US Patent 11163858, Mobile app tampering, Cybersecurity podcast.

📣 New Podcast! "The Triangle of Trust: Mastering Mobile App Attestation & Zero Trust API Security" on @Spreaker #apiprotection #appattestation #approov #criticalblue #cybersecurity #devsecops #mobilesecurity #upwardlymobilepodcast #zerotrust

23.02.2026 13:07 — 👍 0    🔁 0    💬 0    📌 0

We're delighted to be named a finalist for the Scottish Cyber Awards 2026 - Cybersecurity Company of the Year 🏆

Congrats to our fellow finalists and a huge thank you to our amazing team, partners, and investors for making this possible.

#CyberSecurity #ScottishCyberAwards #MobileSecurity

19.02.2026 11:29 — 👍 1    🔁 0    💬 0    📌 0
Why SOC 2 Compliance Matters for Mobile App and API Security Ensure your mobile apps & APIs align with SOC 2 compliance to protect sensitive data, gain enterprise trust, & reduce risk, even in less regulated sectors.

If you’re pursuing #SOC2 compliance, don’t overlook your mobile apps & APIs.

Mobile clients, SDKs, and security vendors are part of your trust boundary - and attackers know it

🔒 Secure the full mobile supply chain

approov.io/blog/why-soc...

#mobilesecurity #apiprotection #appsec

12.02.2026 13:17 — 👍 0    🔁 0    💬 0    📌 0
The "Rootless" Revolution: Inside the Dopamine Jailbreak & The EBT Security Crisis

🎧 Episode Summary
In this episode of Upwardly Mobile, we dive into two critical stories reshaping the mobile security landscape. First, we unpack the architecture of Dopamine, the modern "rootless" jailbreak that has cracked iOS 15 and iOS 16 without touching the system partition. We explore how it bypasses Apple’s Signed System Volume (SSV) and what this means for app developers trying to detect compromised devices. Then, we shift gears to a systemic failure in government fintech: why the "Lock Card" feature in EBT mobile apps is failing to stop fraud. We break down how attackers are bypassing mobile controls using legacy magstripe rails and bot attacks.

🚀 Key Topics Discussed
- The Dopamine Architecture: Understanding the shift from "rootful" to "rootless" jailbreaking.
- How it Works: The exploit chain, including PAC and PPL bypasses, and the creation of the fake root environment in /var/jb.
- Detection Challenges: Why traditional jailbreak detection methods struggle against rootless environments and the reliance on finding tweak injection libraries like ElleKit.
- The EBT Mobile Failure: Why locking your EBT card in the mobile app doesn't actually stop thieves at the register.
- API Abuse: How botnets are hammering IVR and app APIs to time their theft perfectly.

🔗 Resources & Links
Dopamine Jailbreak:
- Official Project: https://github.com/opa334/Dopamine
- Installation Guide: https://ios.cfw.guide/installing-dopamine/
- Technical Insight: https://ellekit.space/dopamine/
EBT & Mobile Fraud Analysis:
- The Mechanics of Theft: https://www.propel.app/ebt-theft/how-are-ebt-benefits-being-stolen/
- Systemic Vulnerabilities: https://www.pa.gov/agencies/osig/what-we-do/bureau-of-fraud-prevention-and-prosecution/snap-skimming

🛡️ Sponsor
This episode is brought to you by Approov. Is your mobile app running on a jailbroken device? Are bots scraping your API endpoints? Approov provides a comprehensive mobile security solution that ensures only genuine mobile app instances, running on safe mobile environments, can access your backend APIs. 👉 Learn more at: https://approov.com/

🔍 SEO Keywords
Dopamine Jailbreak, Rootless Jailbreak, iOS 15 Jailbreak, iOS 16 Security, Mobile App Security, EBT Fraud, Skimming, API Security, Sideloading, TrollStore, Magstripe Vulnerabilities, App Attestation.

📣 New Podcast! "The "Rootless" Revolution: Inside the Dopamine Jailbreak & The EBT Security Crisis" on @Spreaker #approov #appsec #cybersecurity #dopamine #fintechsecurity #infosec #jailbreak #mobilesecurity #upwardlymobile

06.02.2026 02:30 — 👍 0    🔁 0    💬 0    📌 0
The rise of Moltbook suggests viral AI prompts may be the next big security threat We don't need self-replicating AI models to have problems, just self-replicating prompts.

Viral AI prompts are the new malware. Moltbook proves you don’t need rogue AI - just prompts that spread faster than security can react.

arstechnica.com/ai/2026/02/t...

#malware #aithreat #cybersecurity #moltbook

04.02.2026 14:44 — 👍 0    🔁 1    💬 0    📌 0
Mobile App API Scraping: The Market Signal Your Competitors Can Buy Mobile app API scraping is increasingly used for competitive intelligence, monitoring pricing, availability, routes, and promotions in real time.

Your mobile app is broadcasting your strategy.

#Mobileapp APIs expose pricing, availability, routes, and promos & that data is being scraped and sold as competitive intelligence.

Traditional bot blocking won’t stop it.

approov.io/blog/mobile-...

#apisecurity #appsec #scraping

04.02.2026 13:31 — 👍 0    🔁 0    💬 0    📌 0
No-Code Mobile App Security: Myths, Realities, and Best Practices Explore the myths of no-code mobile app security and discover why minimal-code solutions like Approov offer superior, tamper-resistant app attestation.

There’s always code in mobile security.

What matters is where it runs, who controls it, and how resilient it is to tampering.

“No-code” app attestation is a myth — architecture is what really counts.

approov.io/blog/no-code...

#mobileappsecurity #appattestation

02.02.2026 15:01 — 👍 0    🔁 0    💬 0    📌 0
Beyond the Hardware: Why Key Attestation Is Just a Receipt, Not a Security Strategy

In this episode of Upwardly Mobile, we dive deep into the often-misunderstood world of mobile app security to debunk the myth that hardware-backed key attestation is a "silver bullet." Drawing from expert analysis by Approov, Oasis, and community discussions, we explore why relying solely on Apple’s App Attest or Google’s Play Integrity can leave your APIs vulnerable to sophisticated attacks like device farming and runtime instrumentation. We explain why attestation is merely a "snapshot" in time and how to implement a true defense-in-depth strategy.

Key Takeaways:
- The Hardware Myth: Companies like Google and Apple promote hardware-backed key attestation (using TEEs or Secure Elements) as a primary security measure, but this approach has critical limitations when used in isolation. While it proves a cryptographic key is stored in secure hardware, it does not guarantee the integrity of the app calling that key or the user operating it.
- The "Receipt" Analogy: Remote attestation is effectively just a receipt proving that a specific binary ran on specific hardware at a specific moment. It fails to prove that the state hasn't been rolled back, that the operator isn't malicious, or that the inputs haven't been manipulated since that snapshot was taken.
- The Threat of Device Farms: Attackers can physically amass legitimate iPhones in "Device Farms" to generate valid App Attest tokens. These tokens are then sold via APIs to bots, allowing scripts to impersonate genuine devices and bypass standard hardware checks.
- Runtime Manipulation: Tools like Frida and Magisk allow hackers to hook into API calls and forge attestation results or manipulate the application's behavior after the boot process. Without Runtime Application Self Protection (RASP), a validly attested device can still run a compromised app.
- The Solution is Multi-Layered: Effective security requires moving verification off the device to the cloud and implementing dynamic checks. A robust strategy includes RASP, dynamic certificate pinning, and cloud-based mobile attestation that verifies the app's integrity continuously, not just at boot.

Featured Resources & Source Material:
- Article: https://approov.io/blog/limitations-of-hardware-backed-key-attestation-in-mobile-security – An analysis of why verification must always occur off-device.
- Article: https://approov.io/blog/how-to-defeat-apple-devicecheck-and-appattest – A technical look at how hackers bypass iOS security using instrumentation and device farms.
- Community Insight: https://dev.to/adityasingh_32/tee-attestation-isnt-trust-its-just-a-receipt-2m3k – A breakdown of why attestation does not equal trust.
- Deep Dive: https://oasis.net/blog/tee-attestation-is-not-enough – Exploring the nuances of remote attestation within trust systems.
- Definition: https://en.wikipedia.org/wiki/Trusted_execution_environment – Understanding the history and hardware behind TEEs.

Sponsored By: This episode is brought to you by Approov. Approov Mobile Security provides a comprehensive solution that goes beyond simple attestation. By combining RASP, dynamic certificate pinning, and cloud-based verification, Approov ensures that only genuine, untampered instances of your app can access your APIs.
- Website: https://approov.io/
- Talk to an Expert: https://approov.io/product/demo
- Check Your Security: https://approov.io/product/assessment

Keywords: Mobile Security, API Security, App Attestation, RASP, Device Farms, Man-in-the-Middle Attacks, Jailbreak Detection, Apple App Attest, Google Play Integrity, Approov, Cybersecurity, Trusted Execution Environment (TEE).

📣 New Podcast! "Beyond the Hardware: Why Key Attestation Is Just a Receipt, Not a Security Strategy" on @Spreaker #androiddev #apisecurity #approov #appsec #iosdevelopment #mobilesecurity

30.01.2026 02:33 — 👍 1    🔁 0    💬 0    📌 0
AI Showdown: Machines Clash in Cyber Trenches Artificial intelligence turns cybersecurity into machine duels, as Chinese hackers wield Claude for espionage and militaries deploy counters. 2026 forecasts autonomous agents dominating attacks, urgin...

“Expect more of the same, but much faster with machine-speed warfare.” — @tedmiracco.bsky.social on why traditional defenses struggle against AI-driven cyber threats.

Read more: www.webpronews.com/ai-showdown-...

#aisecurity #cybersecurity

29.01.2026 12:24 — 👍 0    🔁 0    💬 0    📌 0
Stop AI Scraping on Marketplace Apps with App Attestation Learn how app attestation can protect your resale and marketplace apps from AI-driven scraping, ensuring data security and integrity.

If you run a resale or eCommerce marketplace, your mobile app exposes pricing, listings, inventory, and demand signals.

AI scraping targets these because it’s cheap and automated. Login and rate limits aren’t enough — app attestation proves requests come from your app.

approov.io/blog/stop-ai...

28.01.2026 15:22 — 👍 0    🔁 0    💬 0    📌 0
Seven Mobile Security Disruptions That Could Blindside You in 2026 Explore 2026 mobile security trends, including AI's impact on reverse engineering, API vulnerabilities, and more. Stay ahead with actionable strategies.

Mobile security’s biggest risk in 2026 isn’t new attacks — it’s outdated assumptions.

AI is breaking #obfuscation, APIs are the real target, and #ZeroTrust is coming to mobile (for the better).

Read more > approov.io/blog/seven-m...

#APISecurity #mobilesecurity #appsec

21.01.2026 15:19 — 👍 0    🔁 0    💬 0    📌 0
AI-Driven Mobile API Abuse: How Travel Apps are Being Bypassed Learn how mobile API risks in travel apps can compromise data security and business integrity, and why app attestation is essential in an AI-driven world.

Attackers don't just scrape travel websites - they impersonate mobile apps to bypass APIs & harvest real-time data. Learn why today’s defenses fail and how #AppAttestation is essential in an AI-driven world.

approov.io/blog/ai-driv...

#MobileSecurity #APIAbuse #AIAttack

19.01.2026 10:50 — 👍 1    🔁 0    💬 0    📌 0
SNAP | Why Mobile Apps Are Failing to Stop Food Stamp Fraud?

Episode Summary
In this episode of Upwardly Mobile, we investigate a growing financial crisis affecting the nation’s most vulnerable families. The USDA now estimates that up to $12 billion is stolen annually from the Supplemental Nutrition Assistance Program (SNAP). We explore how transnational criminal rings are using sophisticated technology—from physical skimmers to brute-force cyberattacks—to drain EBT cards in seconds. We also break down why the government’s latest solution—mobile apps that allow users to "lock" their cards—is failing to stop the theft. We analyze the technical vulnerabilities of the legacy magstripe system and explain why app-based controls are often bypassed by backend fraud and race conditions.

This episode is sponsored by https://www.google.com/url?sa=E&q=https%3A%2F%2Fapproov.io%2F. Mobile apps are now the front door to critical services, but as we discuss in this episode, they are only as strong as the security frameworks behind them. Approov provides comprehensive mobile app protection, ensuring that the requests hitting your API are from genuine apps running on untampered devices.

Key Topics & Takeaways:
• The Scale of the Problem: Federal investigators estimate that SNAP fraud has hit all-time highs, potentially reaching $12 billion annually. Georgia alone reported nearly $23 million stolen in just the first quarter of 2025.
• How the Fraud Works: Criminals are utilizing advanced skimming technology and "brute force" software that can guess a four-digit PIN in less than a second. The Secret Service notes that these are often transnational organized crime groups capable of working easily across borders.
• The "Lock" Feature Failure: Many states, including Georgia, encouraged users to download apps like ConnectEBT to "lock" their cards. However, users like Sheria Robertson report having funds stolen mere minutes after unlocking the app to make a purchase.
• The Technical Vulnerability: The core issue is that EBT cards still rely on legacy magnetic stripe technology rather than secure chips (EMV). Because the backend system relies on static track data and a PIN, the mobile app’s "lock" feature is often bypassed by race conditions or bot attacks on IVR systems.
• Bot Attacks: Cybercriminals are using bots to hammer IVR systems to check balances and time their withdrawals the moment funds are deposited.

Featured Stories & Data:
• Victim Spotlight: Sheria Robertson, a single mother who lost her Thanksgiving food budget to thieves in Brooklyn, NY, despite being in Georgia and using the app's security features.
• Investigator Insight: Mark Haskins from the USDA Food and Nutrition Service explains that criminals are "taking it to the next level" with cyber and brute force attacks.
• State Data: Top states for reported fraud include Georgia, New York, and California.

Relevant Links & Resources:
• USDA SNAP Replacement of Stolen Benefits Dashboard
• Report Fraud: USDA Office of Inspector General Hotline [(800) 424-9121]
• Technical Deep Dive: https://www.google.com/url?sa=E&q=https%3A%2F%2Fbreached.company%2Febt-cyberattacks-multi-state-crisis-threatens-food-security-for-millions%2F
• News Coverage: https://www.google.com/url?sa=E&q=https%3A%2F%2Fwww.wsbtv.com%2Fnews%2Flocal%2Fatlanta%2Fgeorgia-officials-say-state-snap-system-subject-cyberattack%2FCRX6VB4INZH2VJNVJ3DPWY3DBQ%2F
• Propel App Resource: https://www.google.com/url?sa=E&q=https%3A%2F%2Fwww.propel.app%2Febt-theft%2Fhow-are-ebt-benefits-being-stolen%2F

Keywords: SNAP fraud, EBT skimming, food stamp theft, mobile app security, Approov, ConnectEBT, cybercrime, magnetic stripe vulnerability, USDA, social safety net, financial fraud, IVR bot attacks.

📣 New Podcast! "SNAP | Why Mobile Apps Are Failing to Stop Food Stamp Fraud?" on @Spreaker #approov #cybersecurity #ebt #fintech #infosec #mobilesecurity #snapfraud #upwardlymobile

17.01.2026 07:46 — 👍 0    🔁 0    💬 0    📌 0
AI Scraping in Mobile Apps: How It Works and How to Stop It Learn how AI-scraping targets mobile app APIs, why Android apps are vulnerable, and how app attestation and zero-trust API access stop data harvesting.

#AIscraping is becoming a major threat to #mobileapps — but there are ways to detect & stop it before it impacts your business. Bind API access to verified, untampered app instances to improve your app integrity >

approov.io/blog/ai-scra...

#appsec #apiprotection #mobilesecurity

15.01.2026 18:38 — 👍 0    🔁 0    💬 0    📌 1
The Punkt MC03: Can You De-Google Without the Headache?

In this episode, we explore the landscape of "privacy-first" smartphones, focusing on the newly unveiled Punkt MC03. We break down whether this Swiss-designed, German-made device can finally offer a viable alternative to the data-harvesting giants of the mobile world. We discuss the trade-offs of leaving the Google ecosystem, the unique "subscription-based" operating system model, and whether the return of the removable battery signals a shift in hardware trends.

Key Topics & Timestamps:
- The "De-Googled" Promise: The Punkt MC03 runs AphyOS, a custom version of Android that strips out Google Mobile Services to minimize background tracking and profiling.
- AphyOS & The Subscription Model: Unlike standard Android phones, the MC03 relies on a subscription model (approx. $10/month after the first year) to fund security updates and infrastructure rather than selling user data to ad networks.
- Security Architecture: The device splits the user experience into a secure "Vault" for vetted apps (like Proton and Signal) and a "Wild Web" environment for general Android apps, allowing users to isolate risky applications.
- Hardware Highlights: The phone features a 6.67" OLED screen, IP68 rating, and a 5,200 mAh removable battery—a design choice driven by upcoming EU regulations regarding repairability.
- Overcoming Past Failures: We discuss how the MC03 improves upon the "difficult-to-recommend" MC02 with a smoother onboarding process, an improved 64MP camera, and the option to install the Play Store for users who can't go fully cold-turkey.
- The Competition: How the MC03 stacks up against other privacy-focused devices like the Murena Fairphone and other non-GMS ROMs like GrapheneOS.

Sponsor: This episode is brought to you by Approov. Protect your mobile APIs from scripts, bots, and modified apps. Ensure that the requests you receive are from the genuine mobile app you released.
- Visit https://approov.com/ to learn more about comprehensive mobile app security.

Relevant Links & Source Materials:
- ZDNET Review: https://www.zdnet.com/article/punkt-mc03-phone-ces-2026/ – Coverage of the US launch, pricing, and removable battery features.
- Android Police Coverage: https://www.androidauthority.com/punkt-mc03-hands-on-ces-2026-3630101/ – An in-depth look at the onboarding improvements and specs.
- Punkt Official Site: https://www.punkt.ch/products/mc03-premium-secure-smartphone – Direct specs and philosophy from the manufacturer.
- Murena / /e/OS: https://thisgetthoughts.bearblog.dev/fairphone-5-murena-eos-review-part-2-the-os/ – Context on the competitor mentioned in the episode.

Keywords: Punkt MC03, AphyOS, Non-GMS, De-Google, Mobile Privacy, Data Sovereignty, Removable Battery, Android Security, Fairphone, Murena, Apostrophy OS, Mobile Security.

Disclaimer: Information regarding pricing ($699 device / $10 monthly sub) and release dates (Spring 2026 for US) is based on reports from ZDNET and Android Police coverage of CES 2026.

📣 New Podcast! "The Punkt MC03: Can You De-Google Without the Headache?" on @Spreaker #android #approov #cybersecurity #degoogle #mobileprivacy #punktmc03 #righttorepair #technews #upwardlymobile

13.01.2026 09:55 — 👍 1    🔁 0    💬 0    📌 0
Unmasking "Wonderland" – The New Wave of Android Droppers & SMS Stealers

In this episode of Upwardly Mobile, we dive deep into the evolving landscape of Android malware. We break down the emergence of Wonderland (formerly WretchedCat), a sophisticated SMS stealer targeting users in Uzbekistan through legitimate-looking "dropper" applications. We explore how threat actors, specifically the "TrickyWonders" group, are leveraging Telegram and malicious ad campaigns to bypass security checks and hijack devices. We also discuss the broader trend of Malware-as-a-Service (MaaS), including new threats like Cellik, Frogblight, and NexusRoute that are lowering the barrier to entry for cybercriminals globally. From real-time screen streaming to bypassing Google Play protections, we analyze the tactics defining modern mobile security threats.

Key Topics Discussed:
- The Rise of Droppers: How malware operators are shifting from "pure" Trojans to "droppers" (like MidnightDat and RoundRift) that appear harmless to evade detection before deploying payloads.
- Wonderland's Capabilities: How this malware establishes bidirectional communication to intercept OTPs, steal contacts, and execute USSD requests.
- The MaaS Economy: A look at the "Cellik" RAT, which offers one-click APK building to bundle malware inside legitimate apps, and "Frogblight," which targets users via fake court documents.
- Government Impersonation: How "NexusRoute" is targeting users in India by mimicking government service portals to steal financial data and UPI PINs.
- Defense Strategies: The importance of blocking unknown source installations and monitoring for suspicious SMS/USSD patterns.

Sponsored By: This episode is brought to you by Approov. Stop mobile app abuse and API misuse. Ensure that the requests your API handles are from the genuine mobile app running on a safe mobile device. 👉 Visit our sponsor: https://approov.io/

Relevant Links & Source Materials:
- The Hacker News: https://thehackernews.com/2025/12/android-malware-operations-merge.html
- SC Media: https://www.scworld.com/brief/android-malware-wonderland-evolves-with-dropper-apps-targeting-uzbekistan
- Cypro: https://www.cypro.se/2025/12/22/android-malware-operations-merge-droppers-sms-theft-and-rat-capabilities-at-scale/

Keywords: Android Malware, Wonderland, SMS Stealer, Dropper Apps, Mobile Security, Remote Access Trojan (RAT), TrickyWonders, Cybersecurity, One-Time Password (OTP) Theft, Malware-as-a-Service, Approov.

📣 New Podcast! "Unmasking "Wonderland" – The New Wave of Android Droppers & SMS Stealers" on @Spreaker #androidmalware #approov #appsecurity #cybersecurity #infosec #mobilesecurity #technews #upwardlymobile #wonderlandmalware

06.01.2026 18:48 — 👍 0    🔁 0    💬 0    📌 0
How to Secure Mobile Health App Success in 2026 Ensure the success of your mobile health app in 2026 by implementing advanced security measures to protect patient data & comply with evolving regulations.

In 2026, #mHealth security is foundational - not optional.

API abuse, AI-driven attacks, and outdated trust models put patient data at risk.

approov.io/blog/how-to-...

#APISecurity #CyberSecurity #DigitalHealth #AppSec

06.01.2026 09:28 — 👍 1    🔁 0    💬 0    📌 0
2026 Mobile API and AI Security Predictions

Episode Summary: In this episode of Upwardly Mobile, we audit the accuracy of Approov’s 2025 cybersecurity forecast. Of the seven trends predicted, four proved to be "absolutely correct." We break down these key hits: the dual-use of AI by attackers and defenders, the undeniable dominance of cross-platform development, the crackdown on open-source supply chain risks, and the heavy impact of new global breach reporting mandates.

The 4 Mobile Security Trends That Defined the Year

Key Topics — The 4 Correct Predictions:
• 1. AI’s Double-Edged Sword: We discuss how 2025 wasn't just about AI hype—it was about operational impact. Attackers utilized LLMs to lower the bar for API abuse and generate scripts to bypass WAFs, while defenders leaned on AI for anomaly detection and scan interpretation to speed up code reviews.
• 2. Cross-Platform is King: The prediction that cross-platform development would be "the way forward" held true. We analyze how Flutter and React Native maintained dominance in 2025, becoming the norm for enterprise and fintech apps, though Huawei’s HarmonyOS remained a regional outlier.
• 3. The Open Source Crackdown: Scrutiny on open-source software (OSS) intensified as predicted. With attackers targeting ecosystems like npm and PyPI, and regulations like the EU CRA enforcing SBOMs, organizations were forced to verify their supply chains and adopt runtime protection to catch tampering.
• 4. The Breach Reporting Crunch: Approov correctly forecasted that breach reporting would demand massive investment. With the EU NIS2 Directive and PCI DSS 4.0 coming into full effect, the focus shifted from simple disclosure to operational resilience—requiring companies to report incidents in hours, not days.

Featured Resources & Links:
• Approov Report: https://www.google.com/url?sa=E&q=https%3A%2F%2Fapproov.io%2Fblog%2Fapproov-predicted-7-mobile-cybersecurity-trends-for-2025-did-they-happen – The full retrospective on which predictions hit the mark and which were too optimistic (like the adoption of certificate pinning).
• Expert Insights: https://www.google.com/url?sa=E&q=https%3A%2F%2Fwww.lastwatchdog.com%2Flw-roundtable-part-2-mandates-surge-guardrails-lag-intel-from-the-messy-middle%2F – Further reading on the friction between compliance mandates and security realities.

Sponsor: This episode is brought to you by Approov. Don’t let your mobile app be the weak link. Approov provides comprehensive runtime security, ensuring that only your genuine app communicates with your API.
• Visit: https://www.google.com/url?sa=E&q=https%3A%2F%2Fapproov.io
• Solutions: https://www.google.com/url?sa=E&q=https%3A%2F%2Fapproov.io%2Fproduct%2Fruntime-secrets-protection and https://www.google.com/url?sa=E&q=https%3A%2F%2Fapproov.io%2Fproduct%2Fapi-security.

Keywords: Mobile Security, Cybersecurity Predictions, AI Threats, Flutter, ReactNative, Open Source Security, SBOM, NIS2 Compliance, Supply Chain Attacks, Approov, API Security.

📣 New Podcast! "2026 Mobile API and AI Security Predictions" on @Spreaker #ai #apisecurity #approov #compliance #cybersecurity2025 #mobileappsecurity #opensource #upwardlymobile

29.12.2025 01:55 — 👍 1    🔁 0    💬 0    📌 0
The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

Episode Summary: In this episode, we break down a massive vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data from roughly 3.5 billion WhatsApp accounts globally. We explore how a lack of rate limiting on the specific GetDeviceList API endpoint turned a benign contact discovery feature into a massive "enumeration oracle," allowing a single university server to query over 100 million numbers per hour. We discuss the types of data exposed—including active status, device types, public encryption keys, and millions of profile photos—and the implications for user privacy, particularly in regions where WhatsApp is banned like China and Iran. Finally, we cover Meta’s response to the disclosure and why industry experts are calling this a "masterclass in negligence" regarding API security.

Key Topics Discussed:
- The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
- The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
- The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
- The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.

Sponsor: This episode is supported by Approov. When mobile app security is an afterthought, user privacy becomes collateral damage. Approov ensures that only genuine mobile app instances, running on safe mobile devices, can access your backend APIs.
- Visit the Sponsor: https://approov.io/

Featured Sources & Further Reading:
- BleepingComputer: https://www.bleepingcomputer.com/ – Detailing the mechanics of the GetDeviceList abuse and the global scope of the data scrape.
- Malwarebytes: https://www.malwarebytes.com/ – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
- Privacy Guides: https://www.privacyguides.org/ – Discussing the patch and how alternative messengers handle contact discovery.

Keywords: WhatsApp, API Security, Rate Limiting, Data Scraping, Mobile Security, Cybersecurity, Meta, Privacy, Enum, GetDeviceList, Infosec, Approov.

📣 New Podcast! "The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?" on @Spreaker #apisecurity #approov #cybersecurity #dataprivacy #mobileappsecurity #upwardlymobile #whatsapp

22.12.2025 08:15 — 👍 0    🔁 0    💬 0    📌 0
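The rate-limiting and behavioral-monitoring lesson from this episode, as an added example that is not part of the original post and not WhatsApp or Meta code: a per-client sliding-window limiter for a hypothetical "does this number exist?" lookup endpoint that also flags clients whose lookups are mostly misses, the signature of an enumeration scan. The thresholds, client keys and log lines are constructed assumptions.

```python
"""Sliding-window rate limiting plus enumeration detection for a
"does this number exist?" lookup endpoint (the episode's security lesson).
Added example, not code from the podcast, WhatsApp or Meta; thresholds,
client keys and log lines are constructed assumptions."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60           # sliding window length (assumption)
MAX_LOOKUPS_PER_WINDOW = 200  # volume cap per client per window (assumption)
MIN_SAMPLE_FOR_RATIO = 50     # judge the miss ratio only on enough lookups
MAX_MISS_RATIO = 0.5          # more misses than this looks like scanning


class LookupGuard:
    """Per-client limiter. A real address-book sync mostly hits numbers that
    exist; an enumeration scan is a steady stream where most do not. State
    is keyed by the calling client (device/session id), not the number."""

    def __init__(self):
        self._events = defaultdict(deque)  # client -> deque of (ts, found)

    def check(self, client, now, found):
        """Record one lookup; return 'allow', 'rate_limited' or 'enumeration'."""
        q = self._events[client]
        while q and now - q[0][0] >= WINDOW_SECONDS:  # drop expired events
            q.popleft()
        q.append((now, found))
        if len(q) > MAX_LOOKUPS_PER_WINDOW:
            return "rate_limited"
        if len(q) >= MIN_SAMPLE_FOR_RATIO:
            misses = sum(1 for _, hit in q if not hit)
            if misses / len(q) > MAX_MISS_RATIO:
                return "enumeration"
        return "allow"


def replay(log_lines):
    """Replay constructed log lines ('<ts> <client> <found 0|1>') and return
    the first blocking verdict reached for each client."""
    guard, verdicts = LookupGuard(), {}
    for line in log_lines:
        ts, client, found = line.split()
        verdict = guard.check(client, float(ts), found == "1")
        if verdict != "allow":
            verdicts.setdefault(client, verdict)
    return verdicts


# Constructed traffic: a normal sync (40 lookups, 80% hits), a scanner
# (100 lookups in 10 s, ~95% misses) and a bulk client (210 hits in 30 s).
SAMPLE_LOG = [f"{i * 0.5:.1f} phone-A {1 if i % 5 else 0}" for i in range(40)]
SAMPLE_LOG += [f"{i * 0.1:.1f} scanner-B {1 if i % 20 == 0 else 0}" for i in range(100)]
SAMPLE_LOG += [f"{i * 0.14:.2f} bulk-C 1" for i in range(210)]
```

Replaying SAMPLE_LOG blocks the scanner on the miss ratio long before it hits the volume cap, while the bulk client is stopped by the cap alone and the normal sync passes; the verdict is what a monitoring pipeline would alert on or feed back to the edge.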
Is an AI hacker targeting old DeFi projects in $5M spree?
Old Ribbon Finance, Yearn Finance and Rari Capital contracts were hacked. Are attackers using AI to scan for missed opportunities in DeFi?

Suspicions in the crypto community point to AI-supported hackers carrying out a concentrated campaign to steal around $5 million in old and sometimes abandoned DeFi projects.

Is an AI hacker targeting old DeFi projects in $5M spree?

protos.com/is-an-ai-hac...

19.12.2025 12:35 — 👍 4    🔁 2    💬 1    📌 0
A Cybersecurity Playbook for AI Adoption
AI adds real value to cybersecurity today, but it cannot yet serve as a single security guardian. Here's how organizations can safely combine AI-driven analysis with deterministic rules and proven security practices.

A Cybersecurity Playbook for AI Adoption

19.12.2025 14:16 — 👍 2    🔁 1    💬 0    📌 0

Warning: #Amazon Confirms 5-Year-Long Russian #Cyberattack

www.forbes.com/sites/daveyw...

#AWS #CloudSecurity

19.12.2025 14:13 — 👍 0    🔁 0    💬 0    📌 0
7 Mobile Cybersecurity Trends Approov Forecast for 2025 — And the Results Are In
Approov reviews its 2025 mobile cybersecurity predictions. See which trends—AI threats, API security, open-source risks, breach rules—actually happened.

Did our 2025 mobile cybersecurity predictions come true? A look back at 7 key trends. From AI-powered attacks & defences to new app distribution models and beyond — it’s clear the threat landscape is accelerating.

approov.io/blog/approov...

#MobileSecurity #AppSec #Cybersecurity #AI

16.12.2025 11:57 — 👍 0    🔁 0    💬 0    📌 0
Are Your Mobile APIs The New Weak Link? What Zscaler Just Exposed
Learn how to address mobile app and API security gaps in consumer apps, with insights from the Zscaler ThreatLabz report & practical solutions from Approov

Mobile APIs are becoming a bigger threat vector than many realise. @zscalerinc.bsky.social's latest report exposes risky assumptions in traditional #security models — and what teams really need to protect #mobile APIs.

Read more 👉 approov.io/blog/are-you...

#APIsecurity

15.12.2025 17:24 — 👍 0    🔁 0    💬 0    📌 0
Apple's DMA Non-Compliance: An Open Letter

In this episode of *Upwardly Mobile*, we break down the seismic shift in the mobile app landscape following the European Commission’s decision to formally fine Apple €500 million for breaching the Digital Markets Act (DMA). We explore why regulators view Apple’s recent changes not as genuine adherence to the law, but as "malicious compliance"—a deliberate attempt to technically meet requirements while maintaining control and fees. We also discuss the December 2025 Open Letter sent by app developers to EU President Ursula von der Leyen, which argues that Apple’s new 20% commission on external transactions continues to violate the law and stifle fair competition. Finally, we contrast the situation in Europe with recent US court rulings involving Epic Games, where judges have ordered Apple to stop charging for services it doesn't provide, raising the question: Why are European developers getting a worse deal?

Key Topics Discussed:
*   **The €500M Fine:** The European Commission found Apple in breach of "anti-steering" obligations, restricting developers from directing users to cheaper offers outside the App Store.
*   **"Malicious Compliance":** An analysis of how Apple’s fee structures and "scare screens" are viewed by critics and regulators as structural impediments to the DMA’s goals.
*   **The Meta Connection:** A look at the parallel €200M fine imposed on Meta regarding their "pay or consent" model.
*   **The Developer Pushback:** Insights from the "CleanV2" Open Letter, where developers demand the removal of new commission fees that range up to 20%.
*   **Transatlantic Tensions:** How the US Ninth Circuit Court of Appeals ruling regarding Epic Games highlights disparities in global enforcement.

**Sponsor:** This episode is brought to you by **Approov**. Securing mobile apps is hard; Approov makes it easy. Ensure your APIs are only accessed by genuine instances of your mobile app and block scripts, bots, and modified apps. **Visit: [https://approov.io](https://approov.io)**

**Resources & Source Materials:**
*   **European Commission Press Release:** Details on the April 2025 fine regarding Apple’s anti-steering practices.
*   **Kluwer Competition Law Blog:** "The DMA's Teeth: Meta and Apple Fined by the European Commission" by Alba Ribera Martínez.
*   **Clean App Foundation Open Letter:** The December 2025 appeal to the European Commission regarding Apple's persistent non-compliance.
*   **Analysis of US Rulings:** Context on the Epic Games vs. Apple court case and fee limitations.

Digital Markets Act, DMA, Apple Fine, App Store Fees, Anti-Steering, Malicious Compliance, European Commission, Margrethe Vestager, Sideloading, Epic Games, Mobile App Security, Tech Policy, Antitrust.

📣 New Podcast! "Apple's DMA Non-Compliance: An Open Letter" on @Spreaker #antitrust #apple #approov #appstore #digitalmarketsact #dma #eu #mobiledev #upwardlymobile

15.12.2025 16:23 — 👍 0    🔁 0    💬 0    📌 0
React2Shell lands on CISA’s KEV list: patch right away!
10.0 RSC flaw actively exploited in the wild by China-based threat groups within hours of public disclosure leads the pack for December's Patch Tuesday.

CISA added #React2Shell to the KEV list after confirmed exploitation. @tedmiracco.bsky.social warns it’s a “100% reliable, fileless attack” and a perfect storm for enterprise risk. Security experts urge immediate patching.

www.scworld.com/news/react2s...

11.12.2025 15:26 — 👍 0    🔁 0    💬 0    📌 0
Ted Miracco, CEO of Approov (Full Interview)
YouTube video by TAG Infosphere

“Don’t trust an app just because it’s in the app store.”

Our CEO, @tedmiracco.bsky.social , joined TAG Cyber's Ed Amoroso to talk about the rise of mobile traffic, why #APIsecurity > device security, and how #AI is boosting attacks

Watch now 🎥 youtu.be/L-fIrz6Utgk

#mobilesecurity

10.12.2025 11:00 — 👍 2    🔁 0    💬 0    📌 0
Chinese Hackers & the React2Shell Crisis

This week, we dive deep into the critical, maximum-severity security flaw known as React2Shell (tracked as CVE-2025-55182). This vulnerability, which impacts React, the widely-used open-source JavaScript library, allows for unauthenticated remote code execution (RCE) through specially crafted HTTP requests on affected servers.

The episode explores the immediate aftermath of the disclosure. Exploitation attempts began quickly, with Amazon Web Services (AWS) reporting that multiple China-linked threat groups, specifically Earth Lamia and Jackpot Panda, were exploiting the flaw within hours of its public availability. These actors are using both automated tools and individual exploits, and some are even actively debugging and refining their techniques against live targets. Earth Lamia has been active since at least 2023, targeting various industries in Latin America, the Middle East, and Southeast Asia, while Jackpot Panda focuses on cyberespionage operations in Asia.

We also discuss the significant collateral damage caused by the urgent need to patch this flaw. Internet infrastructure giant Cloudflare experienced a widespread global outage, returning "500 Internal Server Error" messages worldwide, and attributed the incident to an emergency patch deployed to mitigate the industry-wide React2Shell vulnerability. This change was related to how Cloudflare’s Web Application Firewall parsed requests.

Finally, we clarify the scope of the vulnerability: React2Shell primarily impacts server-side components. Specifically, it affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, particularly instances using a relatively new server feature. Standard React Native mobile apps are generally safe, but any backend built using Next.js (App Router) or React 19 Server Components that communicates with the mobile app is at critical risk. Furthermore, developers need to be aware of a separate, but timely, vulnerability (CVE-2025-11953) affecting the local React Native CLI development server.

Key Concepts and Takeaways
- Vulnerability: React2Shell, CVE-2025-55182, is a critical vulnerability allowing unauthenticated remote code execution on affected servers.
- Scope: Impacts the React open-source JavaScript library, particularly React version 19 and dependent React frameworks such as Next.js (App Router). Cloud security giant Wiz reported that 39% of cloud environments contain vulnerable React instances.
- Threat Actors: Exploitation is linked to China-linked threat groups, including Earth Lamia and Jackpot Panda.
- Major Impact: An emergency mitigation patch designed to address React2Shell caused a widespread global outage at Cloudflare.
- Fix: Patches were available shortly after disclosure, reported to Meta on November 29 and patched on December 3. Users must upgrade affected dependencies like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to version 19.0.1 or higher.

Resources and Links
- SecurityWeek (Source Context): (Note: Specific articles discussed are embedded within the episode content.)
- Expo Changelog: For specific SDK patch instructions.
- Sponsor Link: Protecting mobile app integrity against security threats is vital: https://approov.io/podcast

Keywords (Optimized for SEO): React2Shell, Remote Code Execution (RCE), China-linked hackers, Earth Lamia, Jackpot Panda, React Server Components (RSC), Next.js vulnerability, React 19 security, web security, patch management, cyber espionage, critical vulnerability, application security

📣 New Podcast! "Chinese Hackers & the React2Shell Crisis" on @Spreaker #cve_2025_55182 #cve202555182 #cybersecurity #earthlamia #jackpotpanda #nextjs #react2shell #upwardlymobile #websecurity

08.12.2025 22:40 — 👍 2    🔁 0    💬 0    📌 0
Approov Opens New Headquarters in Edinburgh's New Town | Approov
Approov has officially opened its new headquarters in Edinburgh, marking a major milestone after a year of strong growth, investment, and global expansion.

Thrilled to announce that we are opening our new headquarters in Edinburgh’s New Town! This step reflects our growth and commitment to strengthening mobile app & API security from the heart of Scotland.

approov.io/news/approov...

#cybersecurity #Edinburgh #TechNews #MobileSecurity

04.12.2025 14:13 — 👍 0    🔁 0    💬 0    📌 0
Sanchar Saathi | The Mobile App Triggering India's Surveillance Firestorm

Sanchar Saathi: The Mandatory Cyber Safety App Triggering India's Surveillance Firestorm

In this critical episode of "Upwardly Mobile," we dive into the escalating controversy surrounding India's Sanchar Saathi app, a government-mandated digital tool that is fueling a nationwide debate over state surveillance and digital privacy. Designed as a citizen-centric safety tool to combat telecom fraud and track lost or stolen devices using their unique IMEI, the app has been lauded by the government for its success in blocking millions of fraudulent connections and stolen phones. However, a recent directive mandating its pre-installation on all new smartphones sold in India has drawn fierce criticism from privacy advocates, opposition politicians, and major tech firms.

What You Will Learn in This Episode:

The Core Conflict: Safety vs. Snooping
- The Mandate: The Indian telecom ministry privately ordered all smartphone manufacturers to preload Sanchar Saathi on new devices within 90 days, requiring the app to be "visible, functional, and enabled" upon first setup. This directive could eventually roll out the app to more than 735 million existing phone users via software updates.
- Government Defense: Officials state the app is strictly for cyber security and curbing the "serious endangerment" caused by IMEI tampering, promising adequate security for personal information. They also claim the app is optional and does not read private messages.
- Surveillance Fears: Privacy experts and the political opposition argue the mandate is unconstitutional and creates a massive surveillance surface area. Opposition leaders have even compared the move to 'Pegasus'.

Technical Deep Dive into Privacy Risks
- The Sanchar Saathi app requests a range of "dangerous" or "high-risk" permissions.
- The app has the capability to read call logs and all incoming SMS, technically allowing it to parse bank transaction alerts, 2FA codes, and map a user's social graph.
- It accesses device identifiers, binding a user's identity to the hardware IMEI, which breaks standard rules for resettable identifiers and aids tracking.
- If pre-installed as a system-level application (the proposed state), experts warn that permissions could be auto-granted without user consent, the app could run continuous background services, and it would be virtually impossible for 99% of users to uninstall.
- The privacy policy is weak, lacking explicit mechanisms for data deletion, correction, or a clear opt-out feature.

Industry Resistance
- Tech giants were given 90 days to comply with the pre-installation mandate.
- Apple has specifically resisted the mandate, citing concerns over privacy and system security, as iPhones require explicit user confirmation for permissions and prevent automatic background registration.
- The mandate is technically easier to implement on Android devices, which make up over 95% of the Indian smartphone market.

Keywords: Sanchar Saathi, India digital privacy, state surveillance, government mandate, telecom fraud, cyber safety app, IMEI tracking, pre-installation controversy, Android security, iOS privacy, Apple resistance, call log permissions, data deletion rights, digital rights, Indian politics.

Digital Autonomy and the Sanchar Saathi App
- Link 1: https://indianexpress.com/article/explained/explained-sci-tech/telecom-scindia-sanchar-saathi-optional-key-concerns-10397728/
- Link 2: https://www.ndtv.com/india-news/sanchar-saathi-communications-ministry-jyotiraditya-scindia-big-brother-or-cybersafety-boost-deep-dive-into-sanchar-saathi-app-9735477
- Link 3: https://indianexpress.com/article/technology/tech-news-technology/sanchar-saathi-app-preinstalled-android-ios-privacy-security-concerns-10397922/
- Link 4: https://www.bbc.com/news/articles/cedxyvx74p4o
- Link 5: https://www.reuters.com/sustainability/boards-policy-regulation/what-is-indias-politically-contentious-sanchar-saathi-cyber-safety-app-2025-12-02/

Sponsor: This episode is brought to you by https://approov.io/podcast, helping developers secure their mobile APIs and prevent reverse engineering and unauthorized data access.
- Sponsor Website: approov.io

📣 New Podcast! "Sanchar Saathi |The Mobile App Triggering India's Surveillance Firestorm" on @Spreaker #android #apple #approov #bigbrother #cybersafety #digitalprivacy #indiatech #samsung #sancharsaathi #statesurveillance #telecomfraud #upwardlymobile #xiaomi

02.12.2025 20:14 — 👍 0    🔁 0    💬 0    📌 0