
Upwardly Mobile - API & App Security News


By: Approov Limited

Dive into the high-stakes world of mobile app development and API security with Upwardly Mobile, your ultimate guide to defending apps in today’s volatile digital landscape. Hosted by Skye Macintyre and George McGregor, and proudly sponsored by Approov, the gold standard in mobile app attestation and API security, this podcast unpacks the evolving AI-enabled threats and innovative solutions shaping mobile cybersecurity. Explore why the built-in protection from Apple, Google, Samsung and Huawei often falls short, leaving sensitive data vulnerable. Learn how advanced techniques, like runtime attestation and dynamic API security, thwart attackers and secure your app ecosystem. Each episode delivers insights into major data breaches, emerging trends, and actionable strategies to fortify your apps and APIs against ever-advancing cyber threats. From development best practices to navigating compliance and regulation, Upwardly Mobile equips iOS, Android and HarmonyOS mobile developers, security professionals, and tech enthusiasts with the knowledge to safeguard their creations. Stay informed, stay secure, and stay ahead with expert guidance on the future of mobile cybersecurity. Subscribe now on Spotify and Apple Podcasts, and elevate your security game!

2025 Approov Limited
Episodes
  • Smart Home Security: Navigating IoT Risks with Advanced Mobile App Protection
    Jul 14 2025
    In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.

    Key Discussion Points:

    The Alarming State of IoT Security:
      • A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.
      • A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.
      • The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.
      • IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai.
      • The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.
      • Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.
      • Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.
      • A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.
      • Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.

    The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:
      • Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.
      • This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.
      • Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API keys hardcoded in the app, and static TLS certificate pins.
      • Threats extend beyond simple data breaches to more severe outcomes like device hijacking, Man-in-the-Middle (MitM) attacks, ransomware, and botnet creation, allowing malicious actors to manipulate physical devices or launch large-scale attacks.
      • Even smart water shutoff systems like Phyn, Moen Flo, and Flo-Logic, while protecting against water damage, introduce data privacy implications (e.g., detailed water usage patterns revealing intimate household routines) and the risk of unauthorized remote control by malicious actors who could repeatedly toggle the water supply, causing disruption or damage. Moen's privacy statement explicitly notes its business model includes "monetizing data".

    Building a Secure Foundation: Solutions and Best Practices:
      • Adapting OAuth2 for IoT: The OAuth2 open authorization standard, popular on the web, is being adapted to help secure access to IoT devices. This involves the authorization grant flow, where a client obtains an access token to delegate access to server resources. Modifications are necessary for constrained IoT environments, such as dynamically securing the channel between a client and resource server (e.g., Alice's phone and a door lock) by using a possession key shared via the authorization server. Another example is a medical device scenario where the authorization server encrypts the possession key into the access token claims using a pre-provisioned key pair.
      • Beyond Static Secrets: A more secure approach involves removing static client secrets from mobile apps and leveraging remote attestation services. A dynamic attestation service can verify an app's authenticity at runtime, returning an authenticating, time-limited client integrity token.
      • Zero Trust Security Model: Smart home platforms should adopt a Zero Trust security model, which inherently trusts nothing by default. Instead, each and every API request must cryptographically prove it originates from a legitimate, unmodified mobile app at runtime. This involves per-request attestation using ...
    14 mins
  • Unlocking Zero Trust for Mobile Apps: Bridging the Security Gap
    Jul 11 2025
    In this insightful episode of "Upwardly Mobile," we look into the critical importance of extending Zero Trust principles to consumer-facing mobile applications. Despite the widespread adoption of the "never trust, always verify" security model across enterprises, mobile apps often remain a significant blind spot, operating in uncontrolled and untrusted environments. This oversight exposes organizations to sophisticated attacks, directly impacting customer trust, regulatory compliance, and revenue.

    We examine why mobile is the weakest link in today's Zero Trust architecture, and how modern threats like silent escalation, runtime tampering, and reverse engineering specifically target the post-installation, runtime environment of mobile apps. With over 33 million mobile cyberattacks recorded globally in 2024, the urgency to act is clear.

    Learn about the strategic roadmap for closing this mobile security gap by embedding Zero Trust at the app runtime layer. We discuss how established frameworks such as NIST SP 800-207, the CISA Zero Trust Maturity Model, OWASP MASVS, and the MITRE ATT&CK Mobile Matrix can be adapted to secure mobile applications, focusing on continuous monitoring, verification, and protection.

    Key takeaways include:
      • The "Never Trust, Always Verify" Principle for Mobile: Every interaction, from the mobile app to backend APIs, must adhere to strict verification protocols, treating all mobile devices as potentially untrusted.
      • The Criticality of Runtime Protection: Traditional pre-deployment checks are insufficient, as attackers manipulate apps after installation. Continuous monitoring of app integrity and behavior is essential.
      • Key Components for Mobile Zero Trust: This includes strong Authentication and Authorization (including MFA), Mobile App Attestation to verify app and device integrity, robust API Security, and Secure Communication (e.g., TLS with certificate pinning).
      • Dynamic Secrets Management: Avoid hardcoding secrets. Instead, manage and deliver them dynamically from the cloud, ensuring sensitive data is never exposed client-side.
      • Operationalizing Zero Trust Frameworks: Implementing a runtime-centric approach where security decisions are made inside the app, feeding app-level insights into enterprise security operations.
      • The Business Impact: Proactive mobile app protection reduces breach risks, streamlines compliance (PSD2, GDPR, HIPAA), accelerates secure product delivery, and builds user trust, demonstrating measurable ROI.

    Sponsored by Approov: Approov provides a comprehensive solution for implementing Zero Trust security in mobile applications and their APIs. Their features include Positive App Authentication, Man-in-the-Middle Attack Protection, Dynamic Secrets Management, and Comprehensive Environment Checks to detect compromised devices and malicious instrumentation. Approov ensures that every call to an API from the mobile app is from a genuine, unmodified app running in a safe environment, with policies updated in real-time.

    Relevant Links & Resources:
      • Approov Mobile Security Knowledge Base
      • How to Implement Zero Trust for Mobile Apps (Approov)
      • Why Is Zero Trust Not Systematically Applied to Mobile App Security? (Approov)
      • Promon SHIELD® for Mobile & More: Products
      • A guide to Zero Trust for your mobile apps (Promon): Bringing Zero Trust to mobile applications
      • OWASP Zero Trust Architecture Cheat Sheet
      • OWASP Mobile App Security Verification Standard (MASVS): What is the OWASP MASVS?
      • Promon Mobile App Security Library: All Resources
    12 mins
  • Qantas Under Siege: Unpacking the Third-Party Data Breach & Scattered Spider's Threat
    Jul 7 2025
    In this episode of "Upwardly Mobile," we dive deep into the recent cyberattack on Qantas, Australia’s leading airline, which confirmed on July 2, 2025, that it experienced a cyberattack on a third-party customer service platform in one of its call centers. This incident raised significant alarms, especially just before the busy July 4th travel season in the United States.

    Key Takeaways from the Breach:
      • Significant Data Compromise: Qantas reported that approximately 6 million customers have service records in the affected platform, and a significant proportion of this data is believed to have been stolen.
      • Stolen Information: The data confirmed to be compromised includes customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
      • Unaffected Data: Importantly, Qantas stated that credit card details, personal financial information, and passport details were not held in the affected system and thus were not compromised. Frequent flyer accounts themselves were also not compromised, with passwords, PIN numbers, and login details remaining secure.
      • The Threat Actor: While Qantas has not officially confirmed the perpetrator, security professionals strongly suspect the ransomware group Scattered Spider (also known as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra). This group is notorious for targeting global organizations, including recent attacks on Hawaiian Airlines and Canada’s WestJet Airlines.
      • Scattered Spider's Tactics: Scattered Spider is known for its social engineering and identity-based attacks, often employing phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials. They typically steal legitimate login credentials to access systems where critical security protections might not be enabled by default. The WestJet breach, for instance, involved exploiting a self-service password reset.
      • Vulnerabilities Highlighted: The Qantas attack, alongside other recent aviation breaches, underscores systemic vulnerabilities in mobile apps and third-party supply chain systems, as well as a prevalent lack of social-engineering defenses and robust incident response protocols. This incident further emphasizes that third parties must adhere to the same stringent data protection standards as internal systems.

    Industry Recommendations & Solutions:
      • Experts like Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, advise global airline organizations to be on high alert for social-engineering attacks and to increase identity verification rigor for their help desks.
      • Ted Miracco, CEO of Approov, stressed the need for the aviation industry to move beyond traditional multi-factor authentication (MFA) and adopt a comprehensive zero-trust approach to API security. Approov Mobile Security offers solutions for Positive App Authentication and API Security, safeguarding backend APIs from abuse and enabling the removal of hardcoded API keys and secrets from apps.
      • Organizations are urged to gain complete visibility across their infrastructure, identity systems, and critical management services, focusing on securing self-service password reset platforms, help desks, and third-party identity vendors.

    Qantas's Response: Qantas detected unusual activity, took immediate steps to contain the system, and confirmed that all Qantas systems remain secure. They notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. However, the airline faced criticism for its public relations approach, as CEO Vanessa Hudson was on leave, and neither the acting CEO nor other executives made public appearances, relying instead on personalized emails to customers.

    Learn more about the incident from the articles that informed this episode:
      • "Qantas confirms cyberattack on third-party call center app | SC Media"
      • "Qantas discloses cyberattack amid Scattered Spider aviation breaches"
      • "Qantas executives nowhere to be seen after data breach affecting up to 6 million customers - ABC News"

    Sponsor Shoutout: Our episode today is brought to you by Approov. As highlighted in this episode, securing backend APIs and mobile applications is paramount in today's threat landscape. Approov provides robust solutions for mobile app security and API protection, ensuring the authenticity of your apps and devices, and safeguarding your data against sophisticated attacks. Learn more about their comprehensive zero-trust approach to API security at approov.io.

    Keywords: Qantas cyberattack, data breach, Scattered Spider, aviation security, third-party risk, supply chain attack, social engineering, API security, mobile security, data privacy, frequent flyer data, cybersecurity, Qantas, zero-trust, identity verification, call center breach, corporate response.
    13 mins