Approov Mobile Security

Supply chain attacks are exploiting our assumptions Supply chain attacks exploit fundamental trust assumptions in modern software development, from typosquatting to compromised build pipelines, while new defensive tools are emerging to make these trust...

Supply chain attacks are exploiting our assumptions

blog.trailofbits.com/2025/09/24/s...

#supplychain #cybersecurity #devsecops #developer

Fraudsters are getting smarter. Are your defenses? Join @approov.bsky.social ’s George McGregor & Axionym's Maya Fudim on Nov 12 for a webinar on future-proofing your mobile app security. Don’t fight 2025 threats with 2015 tactics. #AppSec #MobileSecurity #ZeroTrust
approov.io/info/future-...

The Edge Advantage: Why Cloudflare and Approov Outpace Zscaler in API Security? Remote Attestation vs. RASP: Securing Mobile APIs at the Edge (Zscaler vs. Approov/Cloudflare) On this episode of Upwardly Mobile, we dive deep into the most critical architectural debate in mobile API security today: Does security enforcement belong on the client device (RASP) or off-device at the network edge (Remote Attestation)? We break down the philosophical and technical differences between the integrated Zscaler ZSDK approach, which bundles Runtime Application Self-Protection (RASP), and the specialized, edge-native partnership between Approov and Cloudflare. Discover why security experts argue that because the attacker ultimately controls the client environment, remote attestation is superior for defense against sophisticated, targeted attacks. Episode Highlights & Key Concepts The Philosophical Divide: RASP vs. Remote Attestation The core of the debate centers on where security decision logic is insulated. - RASP (Runtime Application Self-Protection): This approach implements security logic within the application code to detect threats locally during runtime, often used for real-time overlay fraud, app tampering, and emulator abuse detection. - The Risk: Any locally enforced logic provides a target for advanced adversaries. Attackers can potentially reverse-engineer RASP checks and bypass local controls to execute API requests from a tampered application instance. - Remote Attestation (Approov/Cloudflare): This specialized approach verifies that only a genuine, untampered app can access APIs, protecting backend systems from unauthorized or rogue applications. - Superior Resilience: Approov’s architecture minimizes local enforcement, ensuring attestation decisions are made entirely in the cloud service. This insulates the enforcement logic on the backend, offering superior resilience against sophisticated, targeted attacks. - Zero Feedback Loop: A key security advantage is that the attacker receives no feedback from the client on why the token validation failed at the edge, significantly raising the cost and complexity of a successful attack bypass. Architectural and Operational Advantages The comparison between the integrated Zscaler Zero Trust Exchange (ZTNA/SSE) model and the Approov/Cloudflare Edge-First (WAAP) model highlights major differences in deployment, performance, and operational cost. - Enforcement Location and TCO: The Approov/Cloudflare model focuses enforcement entirely at the Cloudflare edge using serverless functions (Workers or API Shield). This is described as a zero-operations deployment model that removes the need for customer-managed infrastructure components like Zscaler’s required App Connectors. The serverless model accelerates time-to-value and minimizes maintenance overhead. - API Key Protection: Approov provides a critical security layer by leveraging attestation guarantees to securely deliver secrets, such as API keys, just-in-time to the application only when the environment is verified as genuine and unmodified. This capability directly mitigates the risks associated with reverse engineering hard-coded keys. - Performance and Scale: The Cloudflare/Approov integration leverages Cloudflare’s global, high-performance network. Comparative tests show Cloudflare is significantly faster than Zscaler in various Zero Trust scenarios, a crucial factor for a smooth user experience and ensuring users don't bypass security controls. Furthermore, Approov offers a commercial attestation fabric built for scale, guaranteeing no quotas or throttling on attestation traffic for high-volume apps. - API Governance: Cloudflare API Shield enhances protection with rigorous positive security via OpenAPI schema validation at the edge. This preemptively guards against modern API security risks like Broken Object Level Authorization (BOLA) by ensuring that only traffic conforming to the documented API structure is accepted. Secure Your Mobile APIs with the Industry's Leading Attestation Solution This episode is proudly brought to you by Approov, the definitive solution for continuous and deterministic mobile app attestation. Approov ensures that only genuine, untampered instances of your mobile application can access your backend APIs, protecting against bot attacks, API abuse, and sophisticated tampering. Learn how to deploy mobile API security today: 🔗 https://approov.io/  Keywords: Mobile API Security, Remote Attestation, RASP, Approov, Cloudflare, Zscaler, API Integrity, Mobile App Protection, Zero Trust Architecture, Edge Security, API Abuse Prevention, Serverless Security, JWT Attestation, Mobile Bot Mitigation, Cloudflare Workers, App Attestation. 

📣 New Podcast! "The Edge Advantage: Why Cloudflare and Approov Outpace Zscaler in API Security?" on @Spreaker #apiprotection #appintegrity #approov #cloudflare #cybersecurity #edgesecurity #mobileappdev #mobilesecurity #rasp #remoteattestation #zerotrust #zscaler #zsdk

SonicWall Confirms State-Sponsored Hackers Behind September Cloud Backup Breach SonicWall confirms a state-sponsored breach of its cloud backups, exposing under 5% of users’ firewall data.

SonicWall confirms a breach by state-sponsored actors in September, exploiting a cloud backup API to access firewall configuration files.

thehackernews.com/2025/11/soni...

#apisecurity #cloudsecurity #sonicwall

Multiple Django Vulnerabilities Enable SQL injection and DoS Attack

Multiple Django Vulnerabilities Enable SQL injection and DoS Attack

CMA confirms Apple and Google have strategic market status in mobile platforms Following extensive consultation, the CMA confirms proposed decisions.

The Competition and Markets Authority (CMA) has confirmed that #Apple and #Google hold strategic market status in the UK mobile ecosystem - marking a major step in how digital markets will be regulated.

www.gov.uk/government/n...

#mobileappdevelopment #CMA

Google Play now allows Android apps to use other billing systems in the US Following a court ruling, Google has been forced to open up the Play Store in the US to allow Android...

Following a court ruling, #Google has been forced to open up the #PlayStore in the US to allow #Android apps to use other billing systems or direct users to alternate pricing options.

9to5google.com/2025/10/30/g...

#mobileappsecurity #appdev

Frida remains a top challenge for #MobileAppSecurity teams. See:

• How #Frida hooks & manipulates runtime
• Real-world attack examples
• How Approov’s cloud-based defenses (RASP, attestation, secret protection) neutralize it

approov.io/knowledge/wh...

#AppSec #APISecurity

Microsoft: OpenAI API moonlights as malware HQ : Redmond uncovers SesameOp, a backdoor hiding its tracks by using OpenAI’s Assistants API as a command channel

Redmond uncovers SesameOp, a backdoor hiding its tracks by using OpenAI’s Assistants API as a command channel

www.theregister.com/2025/11/04/o... via @theregister.com

#openai #apisecurity #sesameop

Telecom provider Ribbon Communications reports nation-state hack Cyberattack on the telecom supply chain compared to May 2021 Colonial pipeline attack.

Supply-chain vendors are increasingly the backyard of stealthy attacks. "Both attacks featured an exceptionally long period of unauthorized access” - @tedmiracco.bsky.social on the Ribbon Communications suspected #NationStateAttack.

www.scworld.com/news/telecom...

#CyberSecurity

App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath) Upwardly Mobile: Episode Notes Episode Title: App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath) Summary: In this episode of Upwardly Mobile, we break down the monumental shift in the Android ecosystem following the Supreme Court’s refusal to hear Google's final appeal. Google has finally opened its Google Play app store to third-party payment options for U.S. developers, settling a multi-year legal battle initiated by Epic Games. We discuss what this means for developers seeking to maximize revenue, the new freedom to direct users to cheaper external payment options, and the resulting challenges in maintaining app integrity and security now that developers are operating outside Google Play Billing exclusivity. Plus, we explore crucial security solutions, like Approov, that can help developers protect their apps when relying less on Google Mobile Services (GMS) for integrity checks. Key Takeaways - Policy Shift: Following years of legal challenges, Google is now required to allow U.S. app developers to use alternative payment methods and link users directly to external payment sources. This means developers can process payments outside of Google’s ecosystem and inform users about alternative pricing. - End of Exclusivity: Previously, Google generally mandated the use of Google Play Billing and collected a commission on nearly every in-app purchase. Now, developers can provide direct links to external checkout pages and offer options like PayPal or their own payment systems. - Timeline and Scope: This change became effective immediately as of October 29, 2025. However, the new rules currently apply only in the U.S. and the District Court order is set to expire on November 1, 2027. - Security Challenges: While developers gain freedom and potential revenue maximization by avoiding Play Store commissions, distributing and processing payments externally requires implementing their own robust security, update, and analytics systems, as Play services like integrity verification may not be available. - App Attestation Alternative: For developers building non-GMS Android apps or those seeking customizable security outside of Google’s structure, Approov provides a solution. Approov is a runtime application self-protection (RASP) tool that offers app attestation—verifying the integrity and authenticity of an app and the device it runs on—without relying on Google PlayIntegrity or SafetyNet. Sponsored by Approov Protect your app and APIs regardless of your payment processing choices. Approov offers comprehensive runtime application self-protection (RASP) and serves as a reliable, GMS-independent alternative to Google PlayIntegrity for robust app attestation and real-time threat detection. Learn more or start a free trial today: https://notebooklm.google.com/notebook/approov.io Relevant Links & Resources - Google Opens App Store to Third-Party Payment Systems (PaymentsJournal): https://www.paymentsjournal.com/google-opens-app-store-to-third-party-payment-systems/ - Google Play now allows Android apps to use other billing systems in the US (9to5Google): https://9to5google.com/2025/10/30/google-play-now-allows-android-apps-to-use-other-billing-systems-in-the-us/ - How Organizations Can Chart the Course to Agentic Commerce (Must Read): [Relevant link to PaymentsJournal content on commerce] (October 31, 2025) Keywords Google Play, third-party payments, Epic Games, app store, commission, app security, app attestation, Approov, U.S. court ruling, Google Play Billing, non-GMS apps, developer revenue, digital payments, emerging payments, API security.            

📣 New Podcast! "App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath)" on @Spreaker #approov #appsecurity #appstore #developerfreedom #digitalbanking #emergingpayments #epicgames #fintech #googleplay #mobilepayments #thirdpartypayments

NPM Nightmare: & Cloudflare AI That Secured End Users From 2 Billion Weekly Malicious Downloads The Billion-Download Backdoor: Defending Client-Side Supply Chains Against Crypto-Draining NPM Attacks -------------------------------------------------------------------------------- Episode Notes In early September 2025, the open-source software ecosystem faced a massive supply chain attack when attackers compromised trusted maintainer accounts on npm using targeted phishing emails. This security breach led to the injection of malicious code into 18 widely used npm packages—such as chalk, debug, and ansi-styles—which together account for more than 2 billion downloads per week. This episode dives into the mechanics of the attack, the threat posed by the complex malware deployed, and the role of advanced AI-powered defenses in preventing client-side disaster. Key Takeaways The Threat Landscape The attackers' primary goal was crypto-stealing or wallet draining. The compromised packages contained obfuscated JavaScript, which, when included in end-user applications (including web projects and mobile apps built with frameworks like React Native or Ionic), was activated at the browser level. This malware would intercept network traffic and API requests, ultimately swapping legitimate cryptocurrency addresses (including Bitcoin, Ethereum, and Solana) with the attackers' wallets. The attack leveraged the human factor, as maintainers were tricked by phishing emails urging them to update two-factor authentication credentials via a fake domain, npmjs[.]help. The Evolution of Malware: Shai-Hulud Beyond crypto-hijacking, researchers detected a complex self-replicating worm dubbed Shai-Hulud. This advanced payload targets development and CI/CD environments: • Autonomous Propagation: Shai-Hulud uses existing trust relationships to automatically infect additional NPM packages and projects. • Credential Theft: Using stolen GitHub access tokens, the worm lists and clones private repositories to attacker-controlled accounts. • Secret Harvesting: It downloads and utilizes the secret-scanning tool TruffleHog to harvest secrets, keys, and high-entropy strings from the compromised environment. • Malicious Workflows: Shai-Hulud establishes persistence by injecting malicious GitHub Actions workflows into repositories, enabling automated secret exfiltration. Automated Defense with AI Security Cloudflare’s client-side security offering, Page Shield, proved critical in mitigating this threat. Page Shield assesses 3.5 billion scripts per day (40,000 scripts per second) using machine learning (ML) based malicious script detection. • Page Shield utilizes a message-passing graph convolutional network (MPGCN). This graph-based model learns hacker patterns purely from the structure (e.g., function calling) and syntax of the code, making it resilient against advanced techniques like code obfuscation used in the npm compromise. • Cloudflare verified that Page Shield would have successfully detected all 18 compromised npm packages as malicious, despite the attack being novel and not present in the initial training data. • While patches were released quickly (in 2 hours or less), Page Shield was already equipped to detect and block this threat, helping users "dodge the proverbial bullet". Security Recommendations To protect against fast-moving supply chain attacks, organizations must maintain vigilance and implement automated defenses: 1. Audit Dependencies: Review your dependency tree, checking for versions published around early–mid September 2025. Developers should pin dependencies to known-good versions. 2. Rotate Credentials: Immediately revoke and reissue any exposed CI/CD tokens, cloud credentials, or service keys that might have been used in the build pipeline. 3. Enforce MFA: Tighten access policies and enforce multi-factor authentication (MFA) on all developer and CI/CD access points. 4. Proactive Monitoring: Monitor build logs and environments for signs of suspicious scanning activity, such as the use of TruffleHog. -------------------------------------------------------------------------------- 🔗 Relevant Links and Resources • Cloudflare: https://blog.cloudflare.com/how-cloudflares-client-side-security-made-the-npm-supply-chain-attack-a-non/     ◦ Cloudflare Page Shield Script detection • Trend Micro Research: What We Know About the NPM Supply Chain Attack • Kaspersky Blog: Popular npm packages compromised 🛡️ Sponsor This episode of Upwardly Mobile is brought to you by our friends at https://approov.io/mobile-app-security/rasp/. -------------------------------------------------------------------------------- Keywords: NPM supply chain attack, Cloudflare Page Shield, Shai-Hulud worm, Cryptohijacker, crypto-stealing malware, client-side security, JavaScript obfuscation, open-source security, dependency audit, CI/CD security, phishing attack, MPGCN, machine learning security, developer accounts compromise, npm packages, software security.          

📣 New Podcast! "NPM Nightmare: & Cloudflare AI That Secured End Users From 2 Billion Weekly Malicious Downloads" on @Spreaker #aiinsecurity #approov #clientsidesecurity #cloudflarepageshield #cryptostealing #cybersecurity #devsecops #javascriptsecurity #npmsecurity #shaihulud #supplychainattack

The Unseen Storm: Securing APIs and Protecting Against Key Exposure The Unseen Storm: Securing APIs and Protecting Against Key Exposure This week on Upwardly Mobile, we delve into the hidden dangers lurking within seemingly simple applications and the advanced solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes—like exposing sensitive API keys and neglecting input validation—create catastrophic security vulnerabilities, potentially leading to data breaches, financial loss, and system compromise. The Problem: Client-Side Secrets and Architectural Flaws The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, leading to critical architectural failures. We discuss how exposed API keys embedded in client-side JavaScript are considered "low-hanging fruit" for attackers. Key Takeaways from the Security Analysis: - Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, potentially exceeding quotas and incurring costs. - Interception: Tools like Burp Suite enable attackers to intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters. - Injection Attacks: Poor input sanitization on server-side search functionalities is a primary attack vector. We examine verified command snippets used to test for command injection (e.g., appending cat /etc/passwd) and NoSQL Injection (e.g., using MongoDB operator syntax). - Lateral Movement: An exposed API key is often just the beginning. If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, check for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover. Defensive Fundamentals for Developers: To combat these threats, security must be shifted left—integrated into the earliest stages of development. We review critical defensive measures: - Environment Variable Security: API keys must never be exposed to the client; they should reside in secure server-side environment variables. The client should request data from your secure server endpoint, which then internally fetches the data from the third-party API using the hidden key. - Rate Limiting: To protect backend APIs from abuse and "Denial-of-Wage" attacks (attacks that incur cost), rate limiting middleware (like express-rate-limit) is essential. This blocks automated scripts by limiting each IP to a set number of requests within a time window. - Cloud Hardening: Security extends to infrastructure. Developers must audit cloud resources, checking S3 bucket policies for leaks and ensuring EC2 security groups only allow necessary web traffic (ports 80 and 443). Closing the Mobile API Security Trust Gap with Positive Authentication While these fundamentals are crucial, mobile app security introduces unique challenges, creating a concerning "trust gap". Traditional security measures like TLS, mutual TLS, embedded API keys, and signature-based approaches are often insufficient, as they are vulnerable to reverse engineering, MitM attacks, and spoofing. We discuss Approov, a solution designed for the mobile world that uses a positive trust model to authenticate the app instance itself, rather than just the user or the connection. - App Attestation: https://approov.io/ uses a challenge-response cryptographic protocol to dynamically measure the integrity of the runtime app image. - Tokens (JWT): Only genuine, untampered apps are granted a short-lived JSON Web Token (JWT). Requests without a valid token are immediately rejected by the backend API. - Protection against Reverse Engineering: Because the system does not rely on static secrets embedded in the app, traditional reverse engineering techniques are ineffective. Approov also provides a runtime secrets protection capability, allowing developers to remove third-party API keys from the app package entirely, substituting them only just in time for the API call after the app has passed attestation. - Benefits: This positive authentication model blocks sophisticated bots, automated scraping systems, and repackaged apps, ensuring that only registered, authentic versions of your application can access your valuable digital assets. Links & Resources Source Material Reference: - Excerpts from "https://undercodetesting.com/the-unseen-storm-how-a-simple-weather-app-exposes-critical-api-security-flaws/" - Excerpts from "https://approov.io/addressing-the-security-trust-gap-in-a-mobile-world" Sponsor: - Learn how Approov protects your revenue and business data by deploying Mobile Security: https://www.approov.io/ Keywords API security, mobile security, API key protection, reverse engineering, input validation, client-side vulnerabilities, app attestation, JWT, zero-trust architectures, rate limiting, cloud security, Denial-of-Wage, Man-in-the-Middle (MitM), Burp Suite, Approov. 

📣 New Podcast! "The Unseen Storm: Securing APIs and Protecting Against Key Exposure" on @Spreaker #apikeys #apisecurity #appauthentication #approov #cybersecurity #devsecops #infosec #mobilesecurity #websecurity #zerotrust

Securing Mobile API with Approov & Cloudflare: A Powerful Integration Secure your mobile app APIs with Approov and Cloudflare integration, ensuring only genuine apps on uncompromised devices can access backend infrastructure.

Cloudflare now integrates Approov into its #Bot Management & #API Shield solutions. While #Cloudflare protects at the perimeter, Approov verifies what’s really making the request - crucial in mobile-first environments where fake requests abound. #security

approov.io/blog/securin...

The GitHub API Key Gold Rush: How Exposed Credentials Are Fueling The Next Wave Of Cyber Attacks - Undercode Testing The GitHub API Key Gold Rush: How Exposed Credentials Are Fueling the Next Wave of Cyber Attacks - "Undercode Testing": Monitor hackers like a pro. Get

The #GitHub #APIKey Gold Rush: How Exposed Credentials Are Fueling the Next Wave of #CyberAttacks

undercodetesting.com/the-github-a...

#APISecurity #Cybersecurity

UK Competition and Markets Authority (CMA) designate Apple and Google with Strategic Market Status UK CMA Declares Apple & Google Have Strategic Market Status (SMS): The Future of Mobile Competition and Security In this pivotal episode of "Upwardly Mobile," we break down the monumental decision by the UK Competition and Markets Authority (CMA) to officially designate Apple and Google with Strategic Market Status (SMS) in their respective mobile platforms. This move is set to reshape digital markets across the UK and has massive implications for app developers, businesses, and mobile security worldwide. Key Takeaways from the CMA's Decision (Published 22 October 2025): The CMA launched its investigations in January 2025 under the Digital Markets, Competition and Consumers Act 2024 (DMCCA), aiming to address the "unprecedented market power" held by a few large digital firms. - SMS Designation Confirmed: Following consultation with over 150 stakeholders, the CMA confirmed that both Apple and Google meet the legal tests for having Substantial and Entrenched Market Power (SEMP) and a Position of Strategic Significance (POSS) in their mobile platforms. - Scope of Mobile Platforms: The designation applies to the holistic Mobile Platform provided by each company, grouping together highly interconnected digital activities: - Apple: Smartphone Operating System (iOS), Tablet Operating System (iPadOS), Native App Distribution (App Store), and Mobile Browser and Browser Engine (Safari and WebKit). - Google: Mobile Operating System (Android), Native App Distribution (Play Store), and Mobile Browser and Browser Engine (Chrome and Blink). - Market Dominance: CMA findings confirmed that almost all UK mobile device holders use either Apple or Google's platform. Users are unlikely to switch between them, reinforcing their dominance. Furthermore, to reach both user bases, businesses must distribute their content through both platforms, effectively making them "must-have" channels. - Market Entrenchment: The CMA concluded that competitive constraints are currently limited. Despite the rapid deployment of technologies like Artificial Intelligence (AI), these developments are deemed unlikely to eliminate Apple or Google’s market power over the five-year designation period. - Economic Impact: The designation acknowledges the crucial role of these platforms, noting that the UK app economy generates an estimated 1.5% of the UK’s GDP and supports about 400,000 jobs, encompassing sectors like FinTech and mobile gaming. What Happens Next? The SMS designation itself is not a finding of wrongdoing and does not introduce immediate new requirements. However, it acts as the gateway for the CMA to introduce targeted and proportionate interventions, such as Conduct Requirements or Pro-Competition Interventions, designed to ensure open choices, fair dealing, and trust and transparency within these vital digital activities. This action mirrors regulatory efforts globally, including the EU’s Digital Markets Act (DMA) and legal actions in the US and Japan. 🎧 Sponsored by Approov We are entering a "pivotal era for mobile technology" where regulatory interventions like the CMA’s SMS designation and the EU's DMA are weakening the centralized control over app distribution held by Apple and Google. This shift "opens the floodgates for alternative app stores, sideloading, and direct-to-consumer models". As mobile security risks move beyond platform constraints, secure your applications and APIs with a truly cross-platform, developer-centric solution. Visit approov.io for more information on how to implement modern app and API protection. 🔗 Useful Links & Resources - https://assets.publishing.service.gov.uk/media/68f8c09325d7d8af156dc294/Final_decision_report.pdf (22 October 2025): [www.gov.uk/cma] - https://assets.publishing.service.gov.uk/media/68f8bf4780cf98c6e8ed8f83/Final_decision_report.pdf (22 October 2025): [www.gov.uk/cma] - https://www.gov.uk/government/news/cma-confirms-apple-and-google-have-strategic-market-status-in-mobile-platforms: [www.gov.uk/cma] 💡 Keywords CMA, Strategic Market Status (SMS), Digital Markets Competition and Consumers Act 2024 (DMCCA), Apple Mobile Platform, Google Mobile Platform, mobile platform, app distribution, mobile browser, mobile security, iOS, Android, App Store, Play Store, WebKit, Blink, API protection, sideloading, app economy, tech regulation. 

📣 New Podcast! "UK Competition and Markets Authority (CMA) designate Apple and Google with Strategic Market Status" on @Spreaker #apiprotection #appdistribution #appeconomy #apple #approov #cma #digitalmarkets #dmcc #google #mobilecompetition #sms #strategicmarketstatus

Approov at Cloudflare Connect: Shaping the Future of Mobile Security Approov's participation at Cloudflare Connect 2025 highlighted key insights on API security, strategic partnerships, and the future of secure connectivity.

A fantastic few days at #CloudflareConnect - thanks to #Cloudflare for an amazing event! Great discussions on securing mobile APIs and the future of app protection.

Read more: approov.io/blog/approov...

#APISecurity #mobileappsecurity #appsec

U.S. #cybersecurity firm #F5 Networks was reportedly breached by state-backed hackers from #China. Officials say a “nation-state cyber threat actor” is exploiting F5 product flaws to target federal networks.
CISA warns of risks to any org using this tech.
www.reuters.com/technology/b...

F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps & APIs API Security Under Fire: F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps The F5 BIG-IP Breach and What It Means for Developers This week on Upwardly Mobile, we dive into the fallout from the catastrophic security breach at F5 Networks, where a sophisticated nation-state adversary compromised the integrity of the critical BIG-IP product line. We discuss why this incident poses an imminent and unacceptable risk to organizations—especially mobile app developers who rely on F5 devices for critical API security infrastructure like load balancing and firewalling. The Compromise: Source Code, Credentials, and Zero-Day Roadmaps The threat actor maintained long-term, persistent access to F5’s internal systems, specifically the BIG-IP product development environment and engineering knowledge platforms. This sophisticated attack led to the theft of crucial materials: - Proprietary Source Code: Portions of the proprietary source code for the flagship BIG-IP product line were exfiltrated. While F5 confirmed the actor did not inject malicious code, possessing the source code allows adversaries to analyze it for vulnerabilities or backdoor opportunities. - Vulnerability Roadmap: Attackers gained access to internal documentation detailing undisclosed (zero-day) vulnerabilities that F5 engineers were investigating or fixing. This provides the adversaries with a virtual roadmap, enabling them to rapidly develop exploits for unpatched flaws. - Customer Configuration Data: A small portion of customer-specific data was stolen, including network topologies, device configurations, or deployment details. For developers managing mobile APIs, this stolen information increases the risk that sensitive credentials can be abused and attackers can target specific deployment setups. Urgent Action Required: The CISA Emergency Directive The severity of the incident prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive for federal agencies, underscoring the potential for widespread exploitation. Developers and organizations using F5 devices must take immediate action: - Patch Immediately: Install the latest security updates, particularly the Quarterly Security Notification F5 released simultaneously, which addressed 44 new vulnerabilities. - Isolate Management Interfaces: Identify all F5 resources and critically, isolate management interfaces from the internet to prevent initial access and investigate any exposure. - Adopt Zero Trust: Implement a zero trust architecture to reduce the attack surface and block lateral movement. Prioritize connecting users directly to applications, not the underlying network. - Change Credentials: Change all default credentials immediately. Sponsor Segment Securing mobile APIs from threats that target application logic and device integrity is paramount. To fortify your defenses against sophisticated adversaries like the one in the F5 breach, explore https://approov.io/mobile-app-security/rasp/api-security/. Approov provides crucial mobile app and API protection by verifying the authenticity of mobile apps and ensuring only legitimate, untampered clients can access your APIs. Relevant Links - https://my.f5.com/manage/s/article/K000156572:  - https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices:  - Sponsor Website: https://approov.io/ Keywords: F5, BIG-IP, API Security, Mobile App Security, Zero-Day Vulnerability, Source Code Theft, Nation-State Hacking, CISA, Emergency Directive, Zero Trust, Load Balancer, Firewall, Patching, UNC5221, BRICKSTORM, Cybersecurity, Network Topology, Credential Abuse, Upwardly Mobile

📣 New Podcast! "F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps & APIs" on @Spreaker #apisecurity #appsec #bigip #cisa #f5breach #mobileappdev #nationstatehacker #upwardlymobile #zeroday #zerotrust

Approov Turbocharges Global Security: #Cloudflare Argo Smart Routing halves latency for next-gen mobile attestation.

- 30%+ faster connections
- 27% fewer errors
- Stronger API protection for the AI era

www.businesswire.com/news/home/20...

#apisecurity #mobilesecurity #zerotrust

California sets global standards with new landmark AI and data privacy laws UK highly significant cyberattacks jumped by 50% over the past year, Australian cyber incidents rose 11% over the past year, Ofcom fined 4chan under new online safety regime, Researchers eavesdropped ...

Life is short, so check out today's Metacurity for a concise rundown of the most critical infosec developments you should know, including

--California sets global standards with new landmark AI and data privacy laws, 1/4
www.metacurity.com/california-s...

Cloudflare Connect 2025 is underway! We’re here at Booth #9 at the ARIA, Las Vegas. Stop by to chat about API protection done right 🔐

📅 Or book a meeting: meetings.hubspot.com/ted-miracco/...

#CloudflareConnect #LasVegas #APISecurity #Approov #ZeroTrust

Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters In this episode of "Upwardly Mobile," we dive into the world of high-stakes corporate extortion, focusing on the sophisticated cybercriminal group ShinyHunters (also tracked as UNC6040) and the subsequent takedown of their infamous platform, BreachForums. The sources detail how the FBI, in collaboration with French law enforcement authorities, seized the Breachforums.hn domain, which the Scattered Lapsus$ Hunters (a gang linked to ShinyHunters, Scattered Spider, and Lapsus$) were using as a data leak and extortion site. This action involved switching the domain’s nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. ShinyHunters confirmed the seizure, noting that law enforcement gained access to BreachForums database backups dating back to 2023 and escrow databases since the latest reboot, effectively declaring that "the era of forums is over". Despite the clearnet site takedown, the threat actors maintained that their Tor dark web site was still accessible and that the seizure would not affect their campaign. The Massive Salesforce Extortion Campaign The core focus of the Scattered Lapsus$ Hunters’ recent activity was an extensive Salesforce extortion campaign. This campaign originated in May 2025 when ShinyHunters launched a social engineering campaign using voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The hackers claimed to have stolen more than one billion records containing customer information. The long list of affected companies included major corporations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, and Chanel. Salesforce has publicly stated that they will not engage, negotiate with, or pay any extortion demand. Beyond Salesforce: Discord and Red Hat The criminal group also claimed responsibility for other significant intrusions: - https://www.bleepingcomputer.com/news/security/red-hat-confirms-security-incident-after-hackers-breach-gitlab-instance/: The Scattered Lapsus$ Hunters took credit for compromising a Red Hat GitLab server, stealing more than 28,000 Git code repositories and sensitive internal documents, including customer secrets and infrastructure details. - https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service: ShinyHunters claimed responsibility for an incident affecting Discord users. Discord confirmed that an unauthorized party compromised a third-party customer service provider (5CA), impacting a limited number of users who had contacted Customer Support or Trust & Safety teams. Critically, the unauthorized party gained access to a small number of government-ID images submitted for age verification appeals, as well as usernames, emails, limited billing info, and IP addresses. Tactics and Targets The group employs sophisticated tactics, including exploiting zero-day vulnerabilities, such as a critical flaw in Oracle’s E-Business Suite software (CVE-2025-61882). Furthermore, members of the group have been known to distribute malware—specifically the commercially available ASYNCRAT backdoor—disguised as a Windows screensaver file (.scr) via menacing, targeted emails. This highlights the constant pressure faced by security professionals, often from threat actors derisively called "Advanced Persistent Teenagers" (APTs). Links & Resources - Law Enforcement Takedown: Nameservers used in the FBI seizure: ns1.fbi.seized.gov and ns2.fbi.seized.gov. - Publications Cited: https://www.bleepingcomputer.com/news/security/fbi-takes-down-breachforums-portal-used-for-salesforce-extortion/. - Discord Security Incident: Discord confirmed they would contact impacted users via noreply@discord.com. - Security Validation: Join the Picus BAS Summit to experience the future of security validation. - ASYNCRAT Analysis: Virustotal analysis on the ASYNCRAT malware provided via link. 🛡️ Sponsor: https://approov.io/ To ensure your mobile and web applications are secure against sophisticated attacks, trust the experts. Learn more about enhanced security measures and API protection at approov.io. Keywords ShinyHunters, BreachForums, Salesforce Extortion, FBI Takedown, Scattered Lapsus$ Hunters, Data Breach, Red Hat, Discord Hack, Voice Phishing, Cybercrime, Hacking Forum, ASYNCRAT, UNC6040, CVE-2025-61882, Security Validation. Relevant 

📣 New Podcast! "Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters" on @Spreaker #breachforums #cybersecurity #discord #fbi #hackerforum #redhat #salesforce #shinyhunters #voicephishing

Approov ensures AI endpoints are only accessible to verified mobile apps - using pinned, short-lived, scoped tokens. It blocks cost fraud, data leaks, model theft & injection abuse, all without hurting user experience. #AppSec #GenAI #LLM

Is Your Mobile App & API Security Ready to Handle AI? Ensure your AI-powered mobile app is secure from new threats by implementing robust security measures. Learn how to protect your app and API with insights.

#GenAI is transforming mobile apps. But it also expands the attack surface. Securing GenAI isn’t just about your servers - it’s about verifying every request from app to #LLM and back.

How Approov protects AI-enable apps & APIs →
approov.io/blog/is-your...

#MobileSecurity #AppSec

Next Generation Attestation to Secure Mobile Apps Against Threats from AI Mobile is officially the digital default. In this episode of Upwardly Mobile, we explore the staggering statistics showing mobile devices dominating global internet usage and discuss the critical security challenges that arise from this mobile-first environment. We then delve into the cutting-edge solution offered by our sponsor, Approov, and their latest platform update, https://www.businesswire.com/news/home/20251007833296/en/Approov-Launches-Next-Generation-Attestation-to-Secure-Mobile-Apps-Against-Threats-from-AI-and-Meet-New-EU-Regulations, including AI-driven attacks and new regulatory pressures. The Mobile Tipping Point: 64% and Rising The mobile landscape is at an inflection point. As of 2025, over 64% of all website traffic comes from mobile devices. This dominance is driven by the fact that nearly 96.3% of internet users access the internet using a mobile phone. • This shift is not just a trend; it is the new normal. • Mobile traffic reached 64.1% in Q2 2025, marking eight consecutive quarters of growth. • Developing regions are leading the surge, with Africa having the highest proportion of mobile internet traffic at 69.13%, and Asia seeing 72.3% of all web traffic coming from smartphones. • The most common activities performed on smartphones include playing a game (68%), listening to music (67%), and using social media (63%). The Security Gap in a Mobile-First World The widespread adoption of mobile creates significant security vulnerabilities. Automated threats make it easier for bad actors to clone legitimate apps, steal data, and commit fraud, which can cause irreparable damage to a brand's reputation and financially devastate users. Furthermore, new security gaps are emerging due to regulations like the EU’s Digital Markets Act (DMA), which mandates support for third-party app stores, increasing the risk of fraudulent apps. Approov 3.5: Protecting the Critical Connection Approov, the leader in mobile API security, addresses these threats by acting as a digital gatekeeper. Approov protects the critical connection between a mobile app and a company's backend servers (APIs). It ensures that only genuine, untampered apps running in a secure environment can access sensitive services, blocking automated bots, modified apps, and cloned apps before they can compromise data. The latest platform update, Approov 3.5, delivers next-generation attestation: • Ready for the DMA and Open App Stores: Approov’s cloud-based verification ensures only genuine app instances—regardless of their distribution source—can access a company’s APIs. • Hardware-Backed Security (Android): Cryptographic keys are stored in a secure, isolated “vault” on the device’s hardware, making cloning an app’s identity virtually impossible. • Defense Against AI-Powered Attacks: The platform provides real-time threat analytics, allowing security teams to dynamically issue over-the-air (OTA) updates to block emerging AI threats without requiring an app update. • Immutable App Signature: This feature creates a unique fingerprint upon installation, continuously verifying the app’s integrity against tampering or repackaging with malware. • Memory Dump Detection: A new defense actively blocks attackers attempting to scrape sensitive information, such as AI secrets or user credentials, directly from the device’s memory. Approov has proven that robust security can be achieved without compromising user experience, offering fast and responsive cross-platform security checks for iOS, Android, and HarmonyOS. By verifying API requests, Approov reduces API attacks by over 95%. -------------------------------------------------------------------------------- Keywords Mobile traffic, API security, Approov 3.5, mobile app security, Digital Markets Act (DMA), hardware-backed security, 64% web traffic, AI-powered attacks, mobile-first, app cloning, fraud prevention, mobile API. Sponsor Link For more information on securing your mobile application and APIs, please visit our sponsor: https://approov.io/.

📣 New Podcast! "Next Generation Attestation to Secure Mobile Apps Against Threats from AI" on @Spreaker #apisecurity #approov #approov35 #cybersecurity #digitalmarketsact #dma #fraudprevention #mobilefirst #mobilesecurity #webtraffic

We’re excited to announce Approov 3.5 - delivering hardware-backed security and advanced threat analytics to protect brands & consumers in an era of AI-driven attacks and new EU #DMA regulations.

Learn more > www.businesswire.com/news/home/20...

#MobileSecurity #APISecurity #AI #AppSec

👀👀👀👀🫣🫣

Approov - proud Gold Sponsor of #CloudflareConnect 2025!

Whether you want to dive into API and mobile app security or just catch up, we’re looking forward to some great conversations.

Stop by Booth 9 or book a meeting: meetings.hubspot.com/ted-miracco/...

#APISecurity #MobileAppSecurity

"Scattered LAPSUS$ Hunters" claims theft of 1 billion Salesforce records Game engine developer Unity urges users to patch severe flaw, Hackers stole some Discord user data after a third-party compromise, US immigration dramatically expands its spying ability, Asahi reverts...

No such thing as a quiet weekend in cybersecurity, so check out today's Metacurity for the infosec developments you might have missed since Friday, including

--Scattered LAPSUS$ Hunters claims theft of 1 billion Salesforce records, 1/5

www.metacurity.com/scattered-la...