Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome everyone to Upwardly Mobile. We're diving straight into the, well,
the really critical and fast moving world of mobile app
development and API security today.
Speaker 2 (00:10):
Absolutely, it feels like the landscape changes almost daily, doesn't it?
Speaker 1 (00:14):
It really does. And our goal here is to unpack
some of these evolving threats, maybe even AI driven ones,
and look at the solutions developers need to be aware of.
We've been looking at recent incidents and analyses that frankly
shine a pretty harsh light on current vulnerabilities.
Speaker 2 (00:29):
Yeah, and some surprising attack methods are popping up.
Speaker 1 (00:32):
And nothing makes this feel more urgent than that recent
Qantas cyber attack, right, happening just before a major travel holiday.
Speaker 2 (00:40):
A definite wake up call. It just hammers home that
advanced security isn't a nice to have anymore, it's absolutely essential, exactly.
Speaker 1 (00:48):
And this conversation about mobile app and API security is
brought to you by Approov Mobile Security, known for their
work in mobile app attestation and API security.
Speaker 2 (00:56):
So the Qantas incident, let's start there.
Speaker 1 (00:58):
Okay. So what are the key details? What exactly
went down?
Speaker 2 (01:01):
Well, on July second, twenty twenty five, Qantas confirmed the attack.
But the really crucial part, the detail that flags a
major systemic issue is where it happened. It wasn't a
direct hit on Qantas's main systems. Oh no, it was
via a third party customer service platform, one they used
in an outsourced call center.
Speaker 1 (01:21):
Ah, okay, the supply chain vulnerability. Precisely.
Speaker 2 (01:24):
It just shows how interconnected everything is. A vulnerability somewhere
else in your chain, even with a partner, can put
your data at risk.
Speaker 1 (01:31):
That ripple effect is always worrying. So what specific data
was compromised? What did the attackers get?
Speaker 2 (01:37):
The initial findings confirmed theft of customer names, email addresses,
phone numbers, birth dates, and importantly, frequent flyer numbers. They
estimate up to six million customers were affected.
Speaker 1 (01:47):
Six million, wow.
Speaker 2 (01:48):
Yeah. Now it's important to stress what wasn't taken. No
credit card details, financial info, passport details, account passwords, PINs,
or login details for the frequent flyer accounts themselves.
Speaker 1 (01:59):
Okay, so the most immediately damaging financial data, but still names, emails,
birth dates, frequent flyer numbers. That sounds like a recipe
for trouble.
Speaker 2 (02:07):
It absolutely is, and this is where things get, well,
potentially more sophisticated, especially thinking about AI. Even these seemingly
simple details, they're gold for attackers.
Speaker 1 (02:18):
How so? What's the big risk there?
Speaker 2 (02:20):
Think about feeding that data into large language models. You
could generate incredibly convincing personalized phishing emails or maybe even
deepfake voice calls.
Speaker 1 (02:30):
Right, not just generic spam anymore.
Speaker 2 (02:33):
Exactly, it's hyperrealistic stuff that looks and sounds like it
came directly from Qantas, referencing your frequent flyer number, maybe
your recent travel patterns inferred from that. It uses details
that suggest legitimacy because they came from a breach. That's
the next level of identity theft.
Speaker 1 (02:48):
We're facing scary stuff. It really changes how you evaluate
potential threats. So do we know who is behind this
specific attack? Is there a signature?
Speaker 2 (02:57):
The methods used, the focus on identity theft, it all points
very strongly to a group known as Scattered Spider.
Speaker 1 (03:03):
Scattered Spider. I've heard other names for them too.
Speaker 2 (03:05):
You have. They're tracked under several names like 0ktapus,
UNC3944, Muddled Libra.
It gets confusing, but the tactics are consistent.
Speaker 1 (03:16):
And their playbook is usually social engineering, right? Identity based attacks,
that's their specialty.
Speaker 2 (03:21):
They focus on stealing legitimate login credentials. Often they operate
from Western countries, which helps them blend in, you know,
bypass basic geographic or IP address filters.
Speaker 1 (03:31):
So it's less about brute force hacking and more about manipulation, things
like phishing, SIM swapping.
Speaker 2 (03:38):
Mm hmm, and MFA bombing. Just flooding users with authentication
requests hoping they'll slip up and approve one.
Speaker 1 (03:44):
Or even just calling the help desk pretending to be
an employee.
Speaker 2 (03:47):
Yes, surprisingly effective. Sometimes they're exploiting trust, exploiting that human element.
It's not always about complex code. Sometimes it's about a
convincing phone call.
Speaker 1 (03:56):
And they've hit some major companies doing this.
Speaker 2 (03:58):
Oh yeah, the list is long and varied. MGM Resorts,
Hawaiian Airlines, WestJet, big tech names like Twilio, financial services
like Coinbase, DoorDash, Caesars, Mailchimp, even gaming companies like Riot Games.
Speaker 1 (04:11):
And Reddit. Wow.
Speaker 2 (04:13):
So across the board, they consistently find weaknesses in places
like self service password resets, IT help desks, and even
third party identity providers that companies rely on.
Speaker 1 (04:22):
It sounds like that FBI warning to airlines recently was
spot on then about criminals impersonating employees to trick help
desks and get around MFA.
Speaker 2 (04:32):
Exactly. They warned about criminals convincing help desk staff to
add unauthorized MFA devices to employee accounts. It just shows
that the human factor is often the weakest link in
the chain, which brings us right back to the Qantas situation.
Speaker 1 (04:45):
Right, the Qantas situation, and why built-in protection, say from Apple,
Google, Samsung, Huawei, isn't always enough.
The breach happened via an employee at an outsourced call center.
What does that tell us?
Speaker 2 (04:57):
It highlights this major trend: offshoring and outsourcing, while often
cost effective, create new vectors for attack. You're essentially relying
on your partner's security posture.
Speaker 1 (05:07):
So your security is only as strong as your weakest
partner's security.
Speaker 2 (05:10):
Pretty much. It means those third parties absolutely must meet
the same data protection standards you have internally. It's not
just about securing the device OS anymore, it's the whole
operational ecosystem.
Speaker 1 (05:20):
And it underlines again how human error, maybe just a
moment of bad judgment, often opens the door, especially with
sophisticated social engineering.
Speaker 2 (05:28):
Right, so, while the big platform providers give you a
solid baseline for the device and the OS security, they
can't really stop these human centric attacks. They can't fully
guarantee the integrity of every environment the app runs in
or attest every single API call made from it.
Speaker 1 (05:42):
And the Qantas example shows even
MFA can be bypassed if the surrounding processes like help desk
protocols aren't locked down.
Speaker 2 (05:52):
Yep, which really poses the question for developers and security teams.
If traditional MFA isn't the silver bullet, what's next? How
do we build defenses that go deeper?
Speaker 1 (06:02):
That is the million dollar question. So what is next?
How do we actually fortify our apps more effectively?
Speaker 2 (06:07):
The direction we need to move in really the only
way forward is towards a comprehensive zero trust approach, specifically
for API security.
Speaker 1 (06:15):
Zero trust. Okay, so it's not just a buzzword?
Speaker 2 (06:16):
It's fundamental. It means you don't automatically trust
any request, user or device, even if it's inside your
network perimeter. You verify everything.
Speaker 1 (06:24):
Always. Never trust, always verify. Yeah, so that's the mindset.
What are the practical tools and techniques that make this work?
Where do we start?
Speaker 2 (06:32):
The absolute foundation is positive app and device attestation. You
have to be sure that the request is coming from
your genuine app running on a safe, untampered device.
Speaker 1 (06:42):
How does that work? Technically?
Speaker 2 (06:44):
It often involves cryptographic checks of the app's integrity, analyzing
the device's environment for signs of compromise, rooting, jailbreaking, debuggers,
things like that. By validating both the app and the device,
you essentially block unauthorized or malicious clients right at the
front door before they can even talk to your APIs.
Speaker 1 (07:02):
Okay, so you've verified the source is legitimate. What's
the next layer, protecting the actual communication, exactly?
Speaker 2 (07:09):
That leads us to dynamic API security. This isn't just
about static rules. It's about analyzing the behavior of the
traffic in real time, looking for patterns, looking for anomalies.
Is this pattern of requests indicative of credential stuffing? Is
this a botnet trying to register fake accounts? Is this
shaping up to be a DDoS attack? It monitors the
(07:30):
interactions to make sure only legitimate app instances are communicating,
and it can shut down automated abuse quickly.
Speaker 1 (07:36):
Got it. Now, something that I know causes developers a
lot of anxiety: runtime secrets protection, getting those hard
coded API keys and secrets out of the app binary itself.
That seems huge.
Speaker 2 (07:48):
It is a game changer. Hard coded secrets are like
ticking time bombs. Removing them means you can manage those
secrets dynamically. You can update API keys or other credentials instantly
over the air across all your installed apps.
Speaker 1 (08:01):
Without needing an App Store update.
Speaker 2 (08:03):
Exactly, and this isn't just for your APIs, but also
for any third party APIs your app uses. It keeps
those secrets secure throughout the app's life.
Speaker 1 (08:11):
Okay, staying on the communication path, man in the middle
attacks are still a classic threat. How do advanced solutions
handle MitM?
Speaker 2 (08:19):
Dynamic certificate pinning is the key here. It
ensures the app only talks to your legitimate server, blocking eavesdroppers.
But crucially, the dynamic part means you can update these
pinned certificates over the air instantly without breaking the app
or disrupting service, so your security stays current without user friction.
Speaker 1 (08:37):
Right, makes sense. Now, shifting back to the client device itself,
tamper detection and jailbreak and root detection. What sorts of unsafe
environments are we trying to block?
Speaker 2 (08:47):
Basically, anything that indicates the device's security has been compromised.
Rooted Android devices, jailbroken iOS devices, the presence of debuggers
or emulators often used by attackers, or frameworks known to
be used maliciously, like Frida or Magisk.
Speaker 1 (09:02):
And this checking happens constantly.
Speaker 2 (09:04):
Yes, frequent runtime checks are vital. They don't just
block obviously tampered apps. They can also catch attempts to
mask fraudulent transactions happening after the app has started. This
ties into runtime application self protection, or RASP. That's
pronounced "rasp".
Speaker 1 (09:19):
RASP, okay, sounds active. What's its specific role?
Speaker 2 (09:23):
It is active. RASP provides continuous monitoring and threat detection
from within the running application itself. It watches for hooking, tampering,
debugging attempts in real time, allowing the app to essentially
defend itself or at least report the threat, even in
a hostile environment.
Speaker 1 (09:36):
And given the sheer volume of attacks are automated these days,
blocking bots and automation effectively must be critical. But without
blocking legitimate users.
Speaker 2 (09:45):
Right, that's the balance. Good solutions are adept at identifying
and blocking malicious bots, credential stuffers, scrapers, fake account creators
without generating false positives that annoy real users. Getting this
right directly reduces fraud costs and protects the user experience.
Speaker 1 (10:02):
So putting all these pieces together, how do you keep
these defenses up to date against new threats? Waiting for
app store review cycles seems too slow.
Speaker 2 (10:10):
That's where over the air security updates become so important.
The ability to push updates to the security logic, the
detection rules, the pin certificates directly to the apps already installed,
without going through the app store. It allows for rapid
adaptation to new threats.
Speaker 1 (10:24):
And for developers listening, maybe working across different platforms the iOS, Android,
maybe HarmonyOS, or using cross platform frameworks like Flutter or
React Native. Do these solutions work everywhere?
Speaker 2 (10:36):
Yes, typically these advanced security SDKs are designed for cross platform compatibility.
You can implement a consistent, high level of security across
your entire mobile portfolio, regardless of the underlying OS or framework.
That's a huge advantage.
Speaker 1 (10:50):
The consistency is key. And beyond just blocking attacks, is
there value in the visibility these systems provide?
Speaker 2 (10:58):
Absolutely, you get real time threat intelligence, immediate insights into
what kinds of threats are targeting your apps, where they're
coming from, which security measures are blocking them. This visibility
is crucial, not just for security teams, but also helps
demonstrate compliance with various regulations.
Speaker 1 (11:13):
And the million dollar question for the dev teams: is
integrating this kind of SDK a huge, complex project?
Speaker 2 (11:20):
Actually, no, not usually. Modern security SDKs are typically designed
for relatively easy integration. Often it involves adding the SDK
and making minimal code changes to initialize it. The goal
is to allow developers to significantly boost security without derailing
their development timelines.
Speaker 1 (11:35):
Okay, so let's recap quickly. We looked at the Qantas
breach as a case study, saw how groups like Scattered
Spider use social engineering and why platform level security isn't
always enough, especially with third party risks.
Speaker 2 (11:47):
Right, and then we explored the key components of a
stronger defense, positive app and device attestation, dynamic API security,
runtime secrets protection, MitM defense, tamper detection, RASP, bot
blocking and OTA updates.
Speaker 1 (12:02):
It really underscores how vital it is for everyone in
the mobile space, developers on iOS, Android, HarmonyOS, Flutter, React
Native, security pros, even tech enthusiasts, to grasp and, more importantly,
implement these advanced strategies.
Speaker 2 (12:16):
The threats, especially with AI potentially amplifying them, are evolving
so fast that our defenses have to keep pace, or even better,
stay ahead.
Speaker 1 (12:24):
Stay informed, stay proactive, and really think about securing your
apps and APIs against what's coming next. We should mention
this conversation drew on insights from human experts and we
also use AI tools to help structure and refine our
discussion today.
Speaker 2 (12:36):
Definitely, and if you want to keep elevating your security knowledge,
be sure to subscribe to the Upwardly Mobile API and
App Security podcast. You can find us on Spotify and
Apple Podcasts.
Speaker 1 (12:47):
Until next time, focus on building securely, and maybe leave you with this thought.
Speaker 2 (12:49):
If attackers can exploit a simple
human interaction at a remote partner, potentially amplified by AI
driven deception, what seemingly trusted but perhaps unverified pathways exist
within your own systems that might be vulnerable?