
August 11, 2025 13 mins
The Future of App Development with Vibe Coding and Approov

Description: In this episode of Upwardly Mobile, we delve into the exciting, fast-paced world of "vibe coding" and rapid app development, where concepts can transform into functional Minimum Viable Products (MVPs) in days, not weeks. We discuss how intuitive, AI-powered platforms like Lovable are enabling developers to build full-stack web applications using plain English, focusing on the "vibe" of the application rather than getting bogged down in traditional coding complexities.
However, this speed comes with significant security risks. We explore the critical case of the Tea dating app data breach: a women-only dating advice app that suffered an extensive hack exposing users' direct messages and photos, with a further 59,000 images and DMs among the exposed data. Experts like Ted Miracco, CEO at mobile security maker Approov, emphasized that Tea lacked adequate security protections and "rushed to market," exposing consumers. The breach highlighted a systemic problem: the real attack surface for mobile apps often lies in their backend APIs, which are not inherently secured by app store vetting processes like Apple's or Google's. Attackers were able to reverse-engineer the mobile client and access sensitive data through an insecure, unauthenticated API.
So, how can you build fast without sacrificing security? We introduce Approov, a security solution designed to ensure that only genuine instances of your app, running on safe devices, can access your APIs. Approov protects against various threats, including malicious bots, tampered apps, credential stuffing, and API abuse. Key defenses Approov offers include App Attestation, Ephemeral API Keys, Dynamic Certificate Pinning, RASP (Runtime Application Self-Protection), and Real-time Monitoring.
For early-stage startups, Approov has launched a "Founder-Friendly Tier," providing core security features at a price point and scale that makes sense for new ventures, helping to bridge the gap between rapid development and robust security. Making security a priority from day one offers a powerful advantage: it boosts investor confidence, builds user trust, and prevents costly, time-consuming security retrofits down the line. As the sources suggest, "secure APIs are the new uptime," and security should be seen as a differentiator, not a tax.

Key Takeaways:
• Vibe coding and platforms like Lovable enable incredibly fast app development, allowing quick market entry and iteration.
• Rapid development can introduce significant security vulnerabilities, especially at the API level, as demonstrated by the Tea app data breach.
• Approov provides essential mobile and API security solutions, including a new Founder-Friendly Tier, to protect apps from launch through scaling.
• Prioritizing security from the start enhances investor confidence and user trust, proving to be an "unfair advantage" in the competitive app market.

Relevant Links:
CBS News: Tea dating app disables direct messaging as it investigates data breach: https://www.cbsnews.com/news/tea-dating-app-data-breach-cbs-news/
VIBE Apps | Fast to Market, Risky to Deploy? The Security Debt in Rapid App Development: https://www.linkedin.com/pulse/vibe-apps-fast-market-risky-deploy-security-debt-rapid-approov-mobile-security
From Vibe to Venture: A Guide to Building and Securing Your App: https://approov.io/blog/from-vibe-to-venture 

Sponsor: This episode is brought to you by Approov Mobile Security. Learn more about securing your mobile app and APIs, including the new Founder-Friendly Tier, at approov.io.

Keywords: vibe coding, app development, mobile security, API security, data breach, Tea app, Lovable, Approov, startup security, founder-friendly tier, fast to market, app launch, investor confidence, user trust, cybersecurity, no-code, low-code, app protection, digital security

This content was created in partnership and with the help of Artificial Intelligence (AI).

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to Upwardly Mobile, your guide to navigating the complex
world of mobile app and API security. I'm Skymac and Tyre.

Speaker 2 (00:07):
I'm George McGregor.

Speaker 1 (00:08):
Great to be here today. We're looking into something vital
for anyone involved with mobile apps, whether you're building them,
using them, or investing in them. We're talking about security,
specifically the vulnerabilities that can hide beneath the surface.

Speaker 2 (00:23):
That's right, and we saw a really stark example of
this recently with the Tea dating app incident.

Speaker 1 (00:27):
Oh yeah, that one made headlines. It was what one
of Apple's most downloaded free apps at one point.

Speaker 2 (00:33):
Exactly hugely popular, yet it ended up exposing incredibly personal stuff,
direct messages, photos, all accessible when they shouldn't have been.

Speaker 1 (00:43):
It was definitely a shock for a lot of people.
I mean, you download something from the app store, you
sort of expect a certain level of safety, don't you? You

Speaker 2 (00:49):
do. And that Tea app breach, well, it wasn't just
a one-off mistake. It really highlights a bigger issue
in mobile development, which is it's this constant push and pull,
this tension between getting apps out fast, you know, innovation
and making sure they're actually secure.

Speaker 1 (01:05):
Ah, the speed versus security dilemma.

Speaker 2 (01:07):
Precisely. The way many apps are built today, speed often
wins out and security diligence can get, well, overlooked. The
Tea incident is really a symptom of that broader trend.

Speaker 1 (01:17):
Okay, So that's what we're going to unpack today. We
want to explore why apps that seem fine on the
surface can be vulnerable, figure out where the real risks
lie the attack surfaces, and most importantly, talk about what
developers and businesses need to do to secure their apps,
especially now with AI adding new layers to the threat landscape.

Speaker 2 (01:36):
Yeah, what are the must dos in today's environment. We'll
be drawing on various reports and expert insights to explore this.

Speaker 1 (01:42):
Let's start with that tension you mentioned, George, this rapid
development cycle. We hear terms like vibe coding, building fast,
almost on instinct, and you've got these amazing cross-platform
tools like Flutter, React Native: build once, run on iOS, Android,
even HarmonyOS super.

Speaker 2 (01:59):
Efficient, absolutely and now AI platforms like Lovable are taking
it even further. You can describe an app idea and
AI helps generate the code, sometimes a whole functional stack,
incredibly quickly.

Speaker 1 (02:10):
It's mind blowing. Really turning ideas into MVPs, minimum viable
products in just days. It feels like pure acceleration.

Speaker 2 (02:18):
It is.

Speaker 1 (02:19):
It's fantastic for innovation, but there's always a but, isn't there?
What's the hidden cost here? What are we potentially
giving up when we move that fast?

Speaker 2 (02:27):
Well, that's where we circle back to the Tea app.
It's a perfect, if unfortunate example of what we call
security debt.

Speaker 1 (02:34):
Security debt like technical debt, but specifically for security measures
that get skipped exactly.

Speaker 2 (02:39):
You defer security work to hit a deadline, and that
risk accumulates. With Tea, the weak spot wasn't the app's interface,
the part users interact with. That looks fine, right? The
problem's deeper. It was in the back end APIs, the
application programming interfaces. Think of them as the communication lines
between the app on your phone and the servers where the

(03:00):
data lives.

Speaker 1 (03:00):
Okay, the digital messengers kind of yeah.

Speaker 2 (03:03):
So attackers didn't need to break into the app itself. Instead,
they reverse engineered the mobile.

Speaker 1 (03:09):
Client, meaning they took the app apart to see how
it worked.

Speaker 2 (03:12):
Essentially, yes, they figured out how the app talked to
the servers. Once they understood that communication protocol, they could
just mimic it, pretend to be a legitimate.

Speaker 1 (03:21):
App, and the servers just believed them.

Speaker 2 (03:23):
That was the critical failure. The backend API was insecure.
It wasn't properly authenticated. It didn't rigorously check who was
making the request. Wow, so the attackers could just ask
for user data and the server handed it over no
real verification. That's how those fifty nine thousand images and
messages got exposed.

Speaker 1 (03:43):
Just hand it over. That's chilling. It really raises the
question: why are APIs the weak link so often? It
feels like the front door is locked, but the back
door is wide open.

Speaker 2 (03:52):
That's a good analogy. Often the focus is heavily on
the user facing features, getting the app to look good
and work smoothly. The underlying plumbing the APIs might not
get the same level of security scrutiny during that rapid
build phase. They become that forgotten back door, which.

Speaker 1 (04:08):
Leads to this really interesting point about app stores. Most
of us probably think it's on the Apple App Store,
it's on Google Play, it must be safe. We trust
the platform. But Ted Miracco, who's the CEO at Approov,
they specialize in mobile security, he basically said that's
the first mistake people make, assuming app store approval equals security.

Speaker 2 (04:28):
He's absolutely right to point that out. It's a common, understandable,
but technically flawed assumption.

Speaker 1 (04:33):
Why is it flawed? I mean Apple and Google, and
Samsung, Huawei too. They have strong security on their operating systems,
right? Sandboxing and all that. They do.

Speaker 2 (04:42):
The OS level protections are robust. They protect the device,
and they keep apps running in their own isolated spaces,
their sandboxes, so they can't interfere with each other or
the system. That's great for on-device security. Yes, but
those protections stop at the edge of the device OS.
They don't and really can't secure the communication channel between

(05:03):
your app and its back end server out on the
Internet that happens outside the sandbox.

Speaker 1 (05:08):
Ah okay, so the journey that data takes off the
phone isn't covered by the phone's own security.

Speaker 2 (05:12):
Precisely, and critically, the app store review process doesn't vet
the security of the developer's back end API infrastructure that's
outside their scope. They check the app code for malware,
guideline compliance, performance, but not the cloud services it connects to.

Speaker 1 (05:29):
So the app itself might be clean, but the API
it relies on could be completely exposed.

Speaker 2 (05:35):
Exactly, which means for many mobile apps today, the real
attack surface, the place attackers are targeting, isn't the app
sitting safely in the OS sandbox. It's the APIs out
in the cloud that the app needs to function. That's
often where the vulnerabilities lie.

Speaker 1 (05:49):
Okay, that paints a clear picture. We've got this pressure
for speed leading to potential security debt and this common
misconception about app store safety hiding the real risks in
the APIs. But what do we do about it? For
all the developers listening, iOS, Android, HarmonyOS, Flutter, React Native
developers and the security folks, what are the essential defenses?
What are the non negotiables?

Speaker 2 (06:10):
Right? We need to move beyond just identifying the problem.
We need concrete, advanced techniques. Let's talk about some key ones.
First up, something called app attestation. This is fundamental. Think
of it as giving your app a unique, verifiable identity.

Speaker 1 (06:25):
Like a digital passport for the app.

Speaker 2 (06:27):
Sort of. Yeah. It cryptographically verifies that the requests hitting
your back end API are actually coming from a genuine,
untampered instance of your specific app running on a device
that hasn't been compromised.

Speaker 1 (06:40):
How does that help.

Speaker 2 (06:41):
It blocks automated bots, it stops fake or repackaged apps
from accessing your API, and it makes it much much
harder for attackers who've reverse engineered your app to successfully
impersonate it. Without attestation, your server is basically guessing if
the request is legitimate.

Speaker 1 (06:56):
Got it, so verifying the source of the request is
the real app.

Speaker 2 (06:59):
What else? Next: ephemeral API keys. A huge mistake is
hard coding API keys or other secrets directly into the app's code, like.

Speaker 1 (07:07):
Putting the password in plain sight.

Speaker 2 (07:09):
Pretty much. If someone decompiles your app, they find
the keys and then they can potentially use them forever.
Ephemeral keys solve this. They aren't stored in the app.
They're delivered securely, just in time, when the app needs them.
They expire quickly, maybe after one use or a short
time window.

Speaker 1 (07:25):
So even if an attacker intercepts one, its value is
very limited.

Speaker 2 (07:30):
Exactly. It drastically reduces the window of opportunity and the
potential damage from a leaked key. Makes sense.

Speaker 1 (07:36):
What's next?

Speaker 2 (07:37):
Dynamic certificate pinning. This is crucial for preventing man in
the middle.

Speaker 1 (07:41):
Attacks, where someone intercepts the communication between the app and server.

Speaker 2 (07:46):
Yes, potentially reading or even changing the data in transit.
Certificate pinning basically tells the app only trust this specific
server certificate or certificates signed by this specific authority. Dynamic
pinning is an improvement because it allows you to
update the pinned certificates without having to release a whole
new version of your app, which avoids deployment delays and
keeps security agile.

Speaker 1 (08:07):
Okay. So attestation verifies the app, ephemeral keys protect secrets,
Pinning secures the connection. What about protecting the app while
it's running.

Speaker 2 (08:16):
That's where RASP comes in. Runtime application self protection. Think
of it as building security into the app itself, giving
it the ability to defend itself while it's executing.

Speaker 1 (08:26):
How does it do that?

Speaker 2 (08:27):
RASP can detect threatening conditions in the environment where the
app is running, like: is this a jailbroken or
rooted device where the OS security is disabled? Are there
debugging or instrumentation tools attached to the app trying to
analyze or tamper with it?

Speaker 1 (08:42):
Things attackers use?

Speaker 2 (08:43):
Exactly. If RASP detects these things, the app can react,
maybe shut itself down, alert the user, notify the security team,
refuse to perform sensitive operations. It's about self defense in
real time.

Speaker 1 (08:56):
That sounds powerful. Is there one more key piece?

Speaker 2 (08:59):
Yes, real-time monitoring. You absolutely need visibility into how your
APIs are being used. This isn't just about logging after
the fact. It's about actively monitoring traffic, looking for anomalies,
spotting patterns of abuse as they happen.

Speaker 1 (09:12):
So you can react quickly, block malicious actors. Precisely.

Speaker 2 (09:16):
You need to see attacks forming or underway to
adapt your defenses dynamically. And the good news is you
don't have to build all this from scratch. Modern tools
like those from Approov, for instance, provide these capabilities: attestation,
dynamic keys, threat detection, often integrating smoothly and ensuring you
stay compliant with privacy laws like GDPR or CCPA.

Speaker 1 (09:38):
That's a really solid technical toolkit. It's clear that proper
security involves multiple layers. Let's shift gears slightly though. We've
talked technical defenses, but what about the business side. Security
often gets seen as a cost center, a tax on development.
How do we frame it as a strategic advantage? How
does doing this right actually benefit a company, whether it's

(09:58):
a startup or a big player.

Speaker 2 (10:00):
Oh, it's hugely strategic. Yeah, far from being just a cost,
security is a massive asset. Think about a startup seeking investment.
If you can walk into a VC pitch and demonstrate
that you've built security in from day one, that your
APIs are protected, that you're using advanced techniques like attestation,
that sends a powerful message. What message is that? It
says you're serious, you're thinking long term. You're building a sustainable,

(10:22):
trustworthy business, not just a flashy feature that could collapse
under attack. Being able to say our app uses enterprise
grade security like Approov's protection, that really resonates with investors.
It signals maturity and reduces perceived risk.

Speaker 1 (10:37):
So investor confidence is one big benefit. What else?

Speaker 2 (10:40):
User trust? This is becoming paramount. We live in an
age where data breaches are constantly in the news. Users
are more aware, more concerned about their privacy and data
security than ever before. Definitely, protecting their data isn't just
a compliance checkbox. It's fundamental to building and keeping their loyalty.
If users trust your app, they're more likely to

(11:01):
use it, recommend it, and stick with it. Lose that
trust and it's incredibly hard to win back.

Speaker 1 (11:06):
True and practically speaking, for the development teams fewer.

Speaker 2 (11:09):
Fires to fight. Integrating security early, making it part of
the process, DevSecOps, is far less costly and disruptive than
trying to bolt it on later after a breach or a
vulnerability scan forces your hand. Retrofitting security is painful and expensive.
Building it in allows teams to focus on innovation, on growth,
on delivering value instead of constantly reacting to security crises.

(11:33):
It actually enables that speed we talked about, but makes
it sustainable and safe.

Speaker 1 (11:37):
So it's not really speed versus security anymore. It's about
finding ways to have both. You can use rapid development tools,
embrace that vibe coding energy, but pair it with strong integrated
security from.

Speaker 2 (11:49):
The start exactly. That's the modern paradigm. Speed and security.
They enable each other when done right, and.

Speaker 1 (11:55):
We're seeing solutions tailored for this. You mentioned Approov. I
know they recently introduced something like a founder friendly tier right,
aimed at helping startups get that enterprise level security early
on without breaking the bank.

Speaker 2 (12:07):
Yeah. Initiatives like that show the industry is recognizing the
need to make strong security accessible from day one, not
just an expensive add on for large enterprises. It allows
startups to scale securely.

Speaker 1 (12:18):
It feels like the whole mindset is shifting.

Speaker 2 (12:21):
I think it has to, which brings me to a
final thought, maybe something to leave our listeners with. There's
a phrase catching on secure APIs are the new uptime.

Speaker 1 (12:29):
Secure APIs are the new uptime. What does that mean exactly?

Speaker 2 (12:33):
It means that just having your service available, just being
up isn't enough anymore. If your APIs are insecure, if
they're leaking data or allowing unauthorized actions, your service is
effectively broken. It might be technically running, but it's compromised.

Speaker 1 (12:48):
So API security is as fundamental as basic availability.

Speaker 2 (12:51):
Absolutely. For any modern digital business, securing those APIs is
non negotiable. It's foundational to trust, reputation, and viability.

Speaker 1 (13:00):
That really drives the point home. The old choice between
moving fast and being secure, it's a false dichotomy. Now,
with the right approach, the right tools, and viewing security
as an enabler not a blocker, you really can achieve both.
It's something for everyone in this space to think about.
How can you embed proactive security into your workflow to
protect your apps, your business, and ultimately your users. Well said,

(13:22):
that brings us to the end of this discussion on
upwardly mobile. Thanks for joining us. Just a note, this
exploration was put together using expert human insights and sources,
with assistance from AI to ensure we covered the key
aspects thoroughly.

Speaker 2 (13:34):
Thanks for listening. Stay secure out there.