Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to Upwardly Mobile. Look, if you're relying on mobile
devices to handle, well, critical customer interactions, and let's face it,
who isn't today, then the security landscape under your app
is fundamentally shifting.
Speaker 2 (00:15):
It really is. Whether you're building for iOS, Android, maybe
even HarmonyOS, securing that back end API connection, that's probably
the single biggest challenge for developers right now.
Speaker 1 (00:25):
Absolutely. So today we're moving beyond just, you know, the
perimeter walls. We're focusing right on the source, the mobile
app itself.
Speaker 2 (00:32):
Exactly. We need to unpack this huge shift to mobile
first and really explore the advanced defenses needed. We're
talking about protecting that vital link between the app and
your back
Speaker 1 (00:42):
end APIs, especially against these newer threats, right, the ones
using AI, and also navigating all these regulatory changes happening. Precisely.
Speaker 2 (00:50):
The goal here is to look at the source material
we've gathered and try to map out this really
high-stakes environment.
Speaker 1 (00:55):
And the sheer scale of mobile use really drives home
why this is so critical. The stats are kind of mind blowing:
over sixty-four percent of all Internet traffic coming from mobile.
Speaker 2 (01:04):
Now, sixty-four percent, and it's not just a blip.
Your sources confirmed that's been climbing for eight straight quarters.
Speaker 1 (01:11):
Eight quarters.
Speaker 2 (01:12):
Wow.
Speaker 1 (01:12):
So mobile isn't just an option anymore. It's basically the
default way people interact online.
Speaker 2 (01:17):
It is the default, and that ubiquity, that reliance, it
makes the app, and particularly the API gateway it talks
to, the number one target for bad actors. Right.
Speaker 1 (01:28):
If someone wants to cause real damage.
Speaker 2 (01:30):
Yeah, like large-scale fraud or scraping really sensitive user data,
maybe credential stuffing attacks. Hitting the mobile app is often
the path of least resistance for them. It's the
direct entry point.
Speaker 1 (01:42):
Okay, let's ground this a bit more. When we talk
mobile dominance, it's not just browsing social media, is it.
Speaker 2 (01:47):
No, not at all. We're talking critical infrastructure, essentially. Think
about how glued people are to these devices. Yeah, the
data shows something like ninety-six point three percent of
Internet users worldwide get online using their phone. Almost everyone,
pretty much. Yeah, and they're spending what, nearly five hours
a day on them, four point eight hours on average.
That dependency naturally pulls the most sensitive stuff onto the device, and
Speaker 1 (02:09):
That's where the money is, right? The financial risk becomes
really clear. Your sources mentioned that by twenty twenty-five,
something like seventy-three percent of all e-commerce sales
Speaker 2 (02:18):
Seventy-three percent, yeah, expected to originate from mobile.
Speaker 1 (02:21):
That's huge, and banking too, nearly half of users.
Speaker 2 (02:25):
Forty-seven percent, yeah, accessing their bank via mobile. So yeah,
the mobile channel is basically holding the keys to the
digital kingdom, or at least the digital economy.
Speaker 1 (02:36):
Okay, so high value, high usage, which naturally leads to
high risk.
Speaker 2 (02:40):
And it exposes a fundamental gap in, let's call it,
the traditional security thinking. You know, developers who think, oh,
it's on the App Store, Google Play, it must be safe.
Speaker 1 (02:50):
Relying on Apple's or Google's or Huawei's built-in checks.
Speaker 2 (02:54):
Exactly. Those initial checks, they're important for vetting the app submission,
but they can't continuously guarantee cryptographically that the app making
an API request right now is the real deal and
hasn't been messed with.
Speaker 1 (03:06):
Hang on, explain that. If Apple approved it, why isn't
that enough? What changes between downloading it and, say, making
a purchase later?
Speaker 2 (03:13):
Well, once that app is downloaded, it leaves the relatively
safe walled garden of the official store and lands in, frankly,
a potentially hostile environment on the user's device. Okay, it
could be analyzed, decompiled, modified. Attackers have tools for this.
They use automated bots that look like real users. They
clone legitimate apps, they repackage them with malware.
Speaker 1 (03:36):
And to the back end system, these fake apps might
look legitimate.
Speaker 2 (03:39):
If you're not checking carefully at the API gateway. Yes,
they can look identical to the real thing, giving them
a free pass to steal data or commit fraud.
Speaker 1 (03:47):
Okay, so the issue isn't the download, it's the runtime,
securing every single API call.
Speaker 2 (03:52):
Got it. Yeah. So if that's the baseline risk, what's
turning up the heat? You mentioned AI and regulation?
Speaker 1 (03:58):
Yeah, the sophistication of attacks has just exploded, and AI
is a big driver. These automated bots, they're getting scarily
good at mimicking
Speaker 2 (04:05):
human behavior. Harder to detect, much harder.
Speaker 1 (04:08):
And AI tools make it almost trivial for attackers to
reverse engineer apps, clone them, and launch attacks at massive scale,
scraping huge amounts of data incredibly fast. And then there's
the regulatory side, things like the EU's Digital Markets Act,
the DMA. How does that fit into this picture?
Speaker 2 (04:24):
The DMA is a really crucial piece here. It basically
mandates that the big platform gatekeepers, Apple, Google, have to
support third-party app
Speaker 1 (04:34):
stores, right, sideloading, alternative
Speaker 2 (04:37):
stores, exactly, which for a developer instantly evaporates that single
source of trust they might have leaned on. Distribution gets fragmented.
Speaker 1 (04:45):
Which sounds like it massively increases the attack surface, doesn't it?
If apps can come from anywhere, the risk of a
fake one hitting your API must go way
Speaker 2 (04:53):
up, way up. It forces businesses really to verify app
integrity completely independently of where the app came
Speaker 1 (05:00):
So the API has to be the checkpoint.
Speaker 2 (05:02):
It has to be. You need to guarantee that only genuine,
untampered app instances can talk to your back end, no
matter the source. And this is critical because attackers are
getting bolder. We're seeing them actively try to scrape valuable
stuff directly from the device's memory while the app is running,
things like user credentials, session tokens, even proprietary algorithms or
(05:24):
model weights, what your sources called AI secrets.
Speaker 1 (05:27):
Wow. Okay, so they're trying to steal the secret sauce right
Speaker 2 (05:29):
off the device, precisely, while it's executing.
Speaker 1 (05:32):
All right, So app store security isn't enough. Regulations are
opening things up. AI is powering smarter attacks. What does
the solution look like? How do you build that digital
gatekeeper for the API?
Speaker 2 (05:46):
You need something that can cryptographically prove, for every request,
that it's coming from the real app, running securely, and
hasn't been tampered with. This whole process is generally called
attestation, API attestation. Okay, yeah. Essentially, it's a
challenge-response where the app proves its identity and
integrity to the API before it gets access. It's like
the app saying, hey, it's really me, the genuine article,
(06:07):
running safely on a real device.
Speaker 1 (06:09):
And how does that actually work? What are the techniques involved,
especially against these modern threats?
Speaker 2 (06:14):
Well, modern platforms use a whole suite of advanced methods.
It goes way beyond simple checks.
Speaker 1 (06:18):
Okay, let's unpack some of those. Android is obviously huge,
but also known for being easier to root or modify.
How do you stop someone from just stealing the app's
identity credentials?
Speaker 2 (06:29):
Good question. That's where hardware-backed security comes in. Most
modern Android phones have these secure, isolated hardware areas, sometimes
called a secure enclave or hardware vault. Right, like a
separate chip? Sorta, yeah. Yeah, the key is, the cryptographic
keys that represent the app's unique identity are generated and
stored inside this secure hardware, and they never leave it. Never
Speaker 1 (06:53):
leave, even if the main OS is compromised.
Speaker 2 (06:56):
Correct. Even with root access, an attacker can't extract that
private key because it's physically isolated and protected by the hardware.
It makes actually cloning the app's core identity virtually impossible.
Speaker 1 (07:07):
Okay, that locks down the identity key. But what if
the attacker doesn't steal the key but just changes the
app's code, adds some malicious logic, repackages it?
Speaker 2 (07:17):
That's handled by what's often called an immutable app signature
or integrity check. When the genuine app is first installed
and run, the security system creates a unique cryptographic fingerprint
of the entire application package, the baseline. A baseline, exactly.
And then, critically, this fingerprint is checked continuously at
runtime against that known good
Speaker 1 (07:37):
state. Continuously, not just at startup?
Speaker 2 (07:39):
Continuously or at key moments. If any part of the
app's code has been tampered with, repackaged, or resigned by
someone else, the check fails and the API request is blocked.
Speaker 1 (07:49):
That sounds pretty intensive. Does doing all this checking, hardware,
verifying signatures constantly, slow the app down? Does it create
friction for the user? That's always a concern.
Speaker 2 (07:59):
It's then certain, usually, but the advanced platforms have really
cracked this. They're designed to be cross-platform, working smoothly
across iOS, Android, HarmonyOS, and that initial attestation, the
startup check, it's often an order of magnitude faster than
the basic checks the platforms themselves provide. Optimization, smarter protocols,
focusing only on the necessary security checks without unnecessary overhead.
(08:23):
The goal is negligible impact on performance. Security shouldn't mean slow.
Speaker 1 (08:28):
That's a huge selling point, especially for apps where speed
is everything. Now, going back to that memory scraping threat
you mentioned, stealing tokens or AI secrets while the app runs.
How do you stop that?
Speaker 2 (08:40):
Right. That needs active runtime protection. This often comes in
the form of memory dump detection or anti-tampering, specifically
focused on the runtime environment.
Speaker 1 (08:49):
So it's watching the app as it runs. Exactly.
Speaker 2 (08:51):
It actively monitors the app's memory space and its interactions.
If it sees suspicious behavior, like debugging tools attaching, or
external processes trying to read sensitive memory areas where
things like session tokens or proprietary data live, it can
actively block those attempts.
Speaker 1 (09:07):
Prevent the data leak in real time.
Speaker 2 (09:09):
Yes, prevent the compromise before it happens.
Speaker 1 (09:12):
Okay, this all sounds powerful, but threats evolve constantly. If
a security team spots a brand new AI bot attack
starting up, they can't wait weeks for Apple or Google
to approve an app update.
Speaker 2 (09:23):
Right, absolutely not. Speed of response is paramount. That's why
real-time threat analytics and over-the-air, OTA, updates
are essential.
Speaker 1 (09:31):
OTA updates for security policies.
Speaker 2 (09:34):
Yes, the security platform needs to be cloud-connected, giving
the security team a live view of attack patterns hitting
their apps across the
Speaker 1 (09:42):
globe, so they can see threats emerging and react instantly.
Speaker 2 (09:45):
They can then push out new security rules or policies
over the air directly to the apps running in the
wild to block that specific new threat immediately.
Speaker 1 (09:54):
Without needing a full app store update cycle.
Speaker 2 (09:57):
Exactly. It changes security from being reactive and slow to
being dynamic and adaptive. A shield that can change shape
as the attacks change.
Speaker 1 (10:05):
Okay, let's try and synthesize this. Based on the source material,
it seems clear mobile is now the main stage for
digital interaction, handling incredibly sensitive stuff, and the old ways
of securing it, just relying on the OS or app
store checks,
Speaker 2 (10:17):
they're just not enough anymore, not against today's threats now.
Speaker 1 (10:20):
So specialized API security, things like cryptographic attestation, runtime
integrity checks, these are now basically table stakes for any
serious mobile development team, regardless of platform.
Speaker 2 (10:32):
It's become a core requirement, yes, non-negotiable if you
want to effectively protect your APIs and your users' data
from these AI-powered attacks and navigate the changing regulatory scene.
Speaker 1 (10:42):
Which brings us to a final thought, something for you,
the listener, to consider. We know 5G adoption is
booming, potentially over a billion connections worldwide by the end
of twenty twenty-five.
Speaker 2 (10:53):
Yeah, the speed increase is significant, up to ten times
faster than 4G in some cases.
Speaker 1 (10:58):
So think about that. Ten times. The speed enables much
richer real-time experiences, hi-fi VR, massive data streams.
How is that going to expand the attack surface even further?
And what kind of speed and dynamic response will API
defenses need then, just to keep up?
Speaker 2 (11:13):
It's a fascinating question. The pace of connectivity demands an
equally fast pace in security evolution.
Speaker 1 (11:18):
Indeed, a challenge for the future. Thanks for walking us
through that analysis, and we want to let you, the listener,
know that this discussion was based on human source material
and was assisted by AI to help synthesize the key
insights we covered today.