Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to Upwardly Mobile API and App Security. We're the
show that dives into the latest research, the white papers,
the breach reports. Basically, we sift through it all.
Speaker 2 (00:11):
Yeah, we try to pull out the really critical insights
you need, you know, to stay ahead in mobile security.
Speaker 1 (00:16):
Our mission is simple, arm you with the knowledge that
cuts through the noise, helps you really understand mobile cybersecurity.
Speaker 2 (00:22):
I'm George and I'm Sky and today, Wow, we're navigating
a really high stakes area. It's super dynamic and honestly,
it touches almost everything we.
Speaker 1 (00:31):
Do digitally: mobile app development and API security, exactly.
Speaker 2 (00:34):
It's this space where you know, convenience and all that
cool innovation bumps right up against some critical vulnerabilities.
Speaker 1 (00:41):
And the stakes they couldn't be higher for your business,
your users, your brand. It's huge.
Speaker 2 (00:45):
Definitely, We've gone through a pretty hefty stack of sources
for today's discussion, detailed white papers, industry analyses, even some
recent breach post mortems.
Speaker 1 (00:54):
So what's the goal today? Well, we want.
Speaker 2 (00:56):
To unpack these evolving threats, understand why the traditional security
methods often fall short, dangerously short, actually okay.
Speaker 1 (01:04):
And then explore the sort of cutting edge solutions that
are really shaping the future of mobile cybersecurity.
Speaker 2 (01:10):
Right, So think of your mobile app. Yeah, it's that slick,
user friendly storefront everyone sees looks great. But the engine room,
the inventory, the transaction processing, all that happens behind the
scenes in the cloud, access through APIs.
Speaker 1 (01:28):
And that connection. Yeah, that invisible bridge between the app
and the back end.
Speaker 2 (01:34):
That's where the trouble starts.
Speaker 1 (01:35):
That's exactly where so many of the critical security challenges
really live.
Speaker 2 (01:40):
Okay, let's get into it.
Speaker 1 (01:41):
So what are the sources telling us?
Speaker 2 (01:43):
First off, Well, what's immediately clear is just how tightly
mobile apps and their cloud back ends are linked. Now.
I mean, they're basically inseparable, right, And a mobile app
might look secure on the surface, but if it's talking
to a back end that's misconfigured or you know, vulnerable,
well that's just a recipe for disaster.
Speaker 1 (01:59):
It really is like having Fort Knox for a front door. Yeah,
but the back loading dock is.
Speaker 2 (02:03):
Wide open exactly, no locks, no guards, Anyone can just
waltz right in.
Speaker 1 (02:07):
And we see these common cloud misconfigurations all the time.
Speaker 2 (02:10):
Don't we? Constantly. Things like super sensitive user data just
sitting in public storage buckets, S3 buckets, that kind
of thing.
Speaker 1 (02:18):
Or APIs that just lack proper authentication or authorization.
Speaker 2 (02:23):
Yeah, or sometimes it's even more subtle, like overly permissive
IAM roles, you know, identity and access management.
Speaker 1 (02:29):
Ah, right, So if an attacker gets one account.
Speaker 2 (02:32):
They get far more access than they ever should. It's
not just a small technical glitch. It's like a systemic vulnerability.
Speaker 1 (02:38):
And connecting that to the bigger picture, this isn't just
a tech team problem, is it?
Speaker 2 (02:42):
Oh? Absolutely not. You realize pretty quickly this is a
fundamental business issue. It cuts across every single department.
Speaker 1 (02:49):
So everyone from the top down.
Speaker 2 (02:51):
Everyone from the C suite executives right down to the
individual developers writing the code, they all have a really
strong vested interest in locking down this connection.
Speaker 1 (03:00):
Can you maybe expand on that, like, how does this
ripple effect hit different teams?
Speaker 2 (03:04):
Sure. So for the execs, the operational leaders, the impact
of insecure APIs or apps it can be absolutely catastrophic
financially reputationally.
Speaker 1 (03:16):
Any examples come to mind?
Speaker 2 (03:18):
Well, think about a company like John Deere. They handle
huge amounts of operational data right for farming, precision agriculture.
If their mobile apps or APIs got hit, it could
mean competitive disadvantage, stolen IP, maybe even sabotage of actual
farm operations that hits the core business hard.
Speaker 1 (03:36):
Okay, that's industrial scale. What about consumer.
Speaker 2 (03:38):
Apps? Or take a dating app like Hinge. Their whole
value prop is built on user privacy and trust absolutely,
so if they have a breach of sensitive PII personally
identifiable information, users will just leave. Mass exodus, plus massive
legal fines under GDPR, CCPA.
Speaker 1 (03:54):
And the brand is toast completely.
Speaker 2 (03:56):
We could be talking, across industries, hundreds of billions in
losses, irreparable brand damage.
Speaker 1 (04:01):
Wow, that really paints a picture of the scale. So
beyond the boardroom, how does it affect say, the security teams.
Speaker 2 (04:07):
Well, for security teams, their job is like truly holistic.
They've got to protect the app, the communication channels, and
the back end APIs. A constant battle, totally, against service disruption,
data theft or the absolute nightmare full system compromise and
legal teams they're right on the front lines when PII
gets exposed. Think about ride sharing apps or food delivery. Yeah,
(04:29):
if API flaws leak names, phone numbers, home addresses, trip histories,
that's not theoretical. That directly leads to real world harm: phishing, stalking,
identity theft. The legal fallout is just immense.
Speaker 1 (04:43):
Okay, And what about the people actually building this stuff,
the engineers, the devs.
Speaker 2 (04:46):
They have the direct responsibility right building secure code both
for the mobile app and the back end.
Speaker 1 (04:51):
So implementing things like strong authentication, input validation.
Speaker 2 (04:55):
Exactly, and managing secrets properly, not hard coding API keys
into the app code itself, which sounds obvious, but.
Speaker 1 (05:03):
It still happens.
Speaker 2 (05:04):
It still happens. It's a huge task. And then finally
you've got marketing, brand management. A big breach can just
vaporize user trust overnight.
Speaker 1 (05:13):
And once that trust is gone.
Speaker 2 (05:14):
It's incredibly hard, maybe impossible, to get users back, no
matter how good the app is.
Speaker 1 (05:21):
So it really boils down to this, doesn't it. Attackers
are getting smarter, They're not just poking at the app anymore.
The APIs are often the real target, the main prize.
They are.
Speaker 2 (05:31):
They offer that direct path to the back end logic,
to all that valuable sensitive data we just talked about.
Speaker 1 (05:39):
Okay, so we've laid out the problem. Stakes are super high,
but lots of organizations, let's be honest, are still relying
on well traditional defenses. And this is where our sources
say things get really interesting because those methods increasingly, they're
just not cutting it.
Speaker 2 (05:55):
That's exactly right. The sources highlight this again and again.
Take code obfuscation, still widely used?
Speaker 1 (06:00):
Yeah, very common, but it's really just.
Speaker 2 (06:02):
A thin veil. It's not an impenetrable shield. Obfuscation tries
to make reverse engineering harder. Scrambling the code makes it
look like spaghetti code kind of yeah, but it's fundamentally
just a deterrent. It doesn't actually prevent determined attackers.
Speaker 1 (06:16):
So skilled adversaries they can get past it.
Speaker 2 (06:19):
Oh yeah, armed with readily available tools: decompilers, disassemblers, and
dynamic instrumentation frameworks like Frida. You've heard of it, Frida?
Speaker 1 (06:28):
I have. It lets you hook into a running app,
right? Yeah, mess with it.
Speaker 2 (06:31):
Live precisely, inject your own code, watch what it's doing,
change its behavior in real time. They can systematically unravel
obfuscated code.
Speaker 1 (06:41):
So OWASP guidance even says something about this.
Speaker 2 (06:43):
It does. OWASP, the Open Web Application Security Project, they
put it bluntly. Ultimately, the reverse engineer always wins if
you're only relying on static defenses like obfuscation.
Speaker 1 (06:54):
That's pretty stark, just a matter of time. Then where
else do these old methods fall down?
Speaker 2 (06:59):
Well, a big one is runtime threats. Obfuscation does
very little.
Speaker 1 (07:02):
There because the attack is happening while the app is
actually running.
Speaker 2 (07:05):
Exactly, attackers are observing manipulating the app while it executes,
not just looking at the code sitting there. It's like
trying to stop a burglar just by locking the front door.
You need alarms inside too.
Speaker 1 (07:15):
Okay, it makes sense.
Speaker 2 (07:16):
And worse, obfuscation is basically useless for protecting secrets, things
like API keys, auth tokens.
Speaker 1 (07:22):
Even if they're scrambled in the code.
Speaker 2 (07:24):
Yep, because eventually the app has to load them into
memory in clear text to actually use them, ah right,
and then they can be grabbed, grabbed through memory dumping,
network sniffing. This directly hits that OWASP Mobile Top
Ten risk M1, Improper Credential Usage.
Speaker 1 (07:41):
And the biggest danger might be psychological.
Speaker 2 (07:43):
I think. So relying too heavily on obfuscation it often
creates this false sense of security. Teams think they're covered,
so they might neglect more fundamental robust security.
Speaker 1 (07:54):
Practices Okay, so traditional defenses are shaky. Yeah, but now
there's a new curveball, right AI.
Speaker 2 (08:00):
Yes. And this isn't just hype. We're talking about the
actual weaponization of artificial intelligence.
Speaker 1 (08:05):
How is AI making these threats worse?
Speaker 2 (08:08):
That's the million dollar question, George. And the real issue
isn't just what AI can do, it's how it fundamentally
changes the economics and speed of attacks.
Speaker 1 (08:17):
Economics.
Speaker 2 (08:18):
Yeah, AI is being used by malicious actors to dramatically
boost the scale, the sophistication, and the stealth of their attacks.
Think about it. A human attacker might take weeks months
for reconnaissance finding vulnerabilities right, painstaking work. AI can potentially
collapse that entire process down to hours. It just shifts
the advantage massively towards the attacker.
Speaker 1 (08:40):
Wow.
Speaker 2 (08:40):
So it automates the grunt work exactly, automates recon data gathering,
accelerates the whole attack life cycle. It also enables malware
that's adaptive evasive. It can learn change its behavior on
the fly to dodge traditional detection.
Speaker 1 (08:55):
And finding bugs? AI.
Speaker 2 (08:57):
Tools can speed up vulnerability discovery even zero days, and
then help write the exploit code much faster.
Speaker 1 (09:03):
Good grief, any other AI threats.
Speaker 2 (09:06):
We're even seeing new types of attacks like prompt injection
against large language models, trying to trick them into leaking
sensitive info. And all this power is sophisticated AI driven.
Speaker 1 (09:16):
Botnets that operate autonomously.
Speaker 2 (09:18):
Yeah, mimicking human behavior much more effectively bypassing detection systems
that look for dumb, repetitive bot patterns.
Speaker 1 (09:26):
So it all comes back to that central point again,
doesn't it. Attackers are getting better and better at just
bypassing the mobile app entirely and hammering the back end
APIs directly using scripts automated tools, and now AI is
just pouring gasoline on that fire.
Speaker 2 (09:41):
Absolutely, given these threats, faster, smarter, more automated static defenses
just can't keep up. They were designed for a different era.
Speaker 1 (09:48):
So what's the answer.
Speaker 2 (09:49):
What's needed urgently is this shift, a decisive shift to dynamic,
runtime focused security, and it has to be rooted
in zero trust principles. Zero trust.
Speaker 1 (10:00):
We hear that a lot. What does it mean here
specifically for mobile?
Speaker 2 (10:03):
Well, the core idea is simple but powerful, never trust,
always verify, But not just at the network edge. It
has to happen at a transactional level. Continuously assessing the
security posture of the app its environment in real time.
Continuously and crucially, this verification needs to rely on external,
(10:23):
cryptographically verifiable measurements, things that come from outside the app itself,
because the app might already be compromised.
Speaker 1 (10:30):
Okay, so static defenses are out, dynamic zero trust is in.
Let's break that down. What's the first pillar of this
dynamic defense look like in practice?
Speaker 2 (10:38):
The first is mobile RASP. That's pronounced RASP, R-A-S-P,
Runtime Application.
Speaker 1 (10:44):
Self Protection RASP. Okay, what is it?
Speaker 2 (10:46):
Think of RASP as like the app's own internal bodyguard.
It's security tech that's literally built into the.
Speaker 1 (10:54):
App, inside the app itself.
Speaker 2 (10:55):
Exactly, and it's constantly watching, like a security camera inside
the building. It monitors its own execution, detects, and then
prevents real time attacks from within.
Speaker 1 (11:06):
Like what kind of attacks?
Speaker 2 (11:07):
Things like detecting debuggers attached to the app, detecting tampering attempts,
noticing if it's running on a compromised device like a rooted
or jailbroken phone, or.
Speaker 1 (11:15):
Those hooking frameworks like.
Speaker 2 (11:17):
Frida, precisely. Detecting frameworks like Frida trying to interfere, and
when RASP spots a threat, it can do more than
just log it. It can terminate the session, block the
malicious actions.
Speaker 1 (11:28):
So it provides real time defense, real.
Speaker 2 (11:29):
Time contextual awareness, and it can even potentially stop zero
day attacks that signatures wouldn't catch.
Speaker 1 (11:35):
Okay, that sounds absolutely vital. Like a foundational layer right
where the action is What's next? What's the second critical piece?
Speaker 2 (11:42):
The second is app attestation and token based API access.
Now this is really interesting, oh because traditional authentication it
verifies who the user is, right, username, password, biometrics, but
it often completely fails to validate the integrity of the thing,
making the request client application itself.
Speaker 1 (12:03):
The what. Ah, so not just who but what is
asking? Exactly.
Speaker 2 (12:09):
Attestation verifies that the API request isn't just from a
legit user, but that it's genuinely coming from your official,
unmodified mobile app okay, running on a device that isn't
compromised and isn't currently under active attack or being manipulated.
Speaker 1 (12:24):
And if it passes those checks.
Speaker 2 (12:26):
If the app instance is deemed trustworthy, then a short lived,
cryptographically signed token is issued. This token gets included with
every API request after that, and the effect of that
it's incredibly effective at blocking automated bots, scripts, tampered apps,
stopping them from successfully talking to your APIs. It just
shuts down a huge amount of abuse.
Speaker 1 (12:45):
Because they can't prove they are the real app.
Speaker 2 (12:47):
Precisely, it's not enough to know who is calling. We
need to know what is calling.
Speaker 1 (12:53):
Okay, that shift from who to what feels really significant.
Can you give a concrete example, like an attack that
attestation stops but normal authentication.
Speaker 2 (13:03):
Would miss absolutely, So, imagine an attacker creates a script,
a bot. It just mimics your mobile apps API calls.
They've maybe reverse engineered your app, figured out the endpoints.
Speaker 1 (13:16):
Right to scrape data or commit fraud at scale exactly.
Speaker 2 (13:19):
Now, traditional authentication might just check if the script provides
valid user log in details, which maybe they stole. But
app attestation it would immediately see this request isn't coming
from a genuine, unmodified instance of your actual mobile app.
Speaker 1 (13:32):
It knows it's a script.
Speaker 2 (13:34):
It knows it's a script or a tampered version, and
blocks it right there before it even touches your back
end systems. It just stops that automated attack dead.
Speaker 1 (13:41):
That's a massive defense against bots and scraping. Then, yeah,
that's huge. What's number three in this dynamic approach?
Speaker 2 (13:47):
Number three is runtime secrets protection, and this one is
really about removing the treasure chests from the app itself.
Speaker 1 (13:54):
Removing the treasure chests.
Speaker 2 (13:56):
Yeah, hardcoding secrets, API keys, auth tokens, and encryption keys
directly into the app source code. It's still depressingly common.
Speaker 1 (14:04):
And incredibly dangerous.
Speaker 2 (14:06):
Incredibly dangerous because even with obfuscation, like we said, those
secrets can and will be extracted by runtime analysis, memory dumping, Frida,
et cetera.
Speaker 1 (14:16):
So how does runtime secrets protection fix that?
Speaker 2 (14:19):
It changes the game completely by never embedding those secrets
in the app in the first place.
Speaker 1 (14:23):
Okay, so where are they.
Speaker 2 (14:24):
They're stored securely in a dedicated back end service, managed.
Speaker 1 (14:28):
Safely, and the app gets them out.
Speaker 2 (14:30):
They're delivered securely over the air, just in time, but
only if that specific mobile app instance can first prove
its authenticity and integrity.
Speaker 1 (14:40):
Through those attestation checks we just talked about exactly.
Speaker 2 (14:42):
Attestation acts as the gatekeeper. If the app proves it's
legit and hasn't been tampered with, then it gets the
temporary secret it needs.
Speaker 1 (14:50):
Wow, So no hard coded secrets at all.
Speaker 2 (14:52):
None, which also gives you amazing operational flexibility. You can
rotate secrets, revoke them instantly if needed, without forcing users
to update the app, without any app update. Huge benefit
in a crisis.
Speaker 1 (15:05):
Incredible agility. Okay, that's RASP, attestation, runtime secrets.
What's the final piece of this dynamic defense puzzle.
Speaker 2 (15:14):
The final piece is dynamic cloud verified channel protection. It's
about securing the communication channel itself.
Speaker 1 (15:21):
Like TLS encryption exactly.
Speaker 2 (15:23):
TLS encrypts data in transit, which is standard. But there's
a technique called certificate pinning where.
Speaker 1 (15:29):
You hard code the server certificates fingerprint into the app.
Speaker 2 (15:32):
Right, static pinning. The problem is it's brittle. Server certificates
have to change, they expire, they get renewed, maybe there's
an emergency replacement.
Speaker 1 (15:40):
And if the certificate changes and the app has the
old fingerprint hard coded, the.
Speaker 2 (15:44):
App breaks, It stops trusting, the server connection fails, outage.
Speaker 1 (15:49):
Okay, not ideal. So how does dynamic pinning help.
Speaker 2 (15:52):
Dynamic pinning means the app doesn't have the pins hard coded. Instead,
it securely fetches the current valid set of pins over
the air from a trust management service.
Speaker 1 (16:01):
Ah, so it always has the latest valid fingerprints correct.
Speaker 2 (16:04):
It maintains that strong man in the middle, or MITM,
protection ensuring the app only talks to the genuine server,
but it adds flexibility. It massively reduces the risk of
outages caused by certificate changes.
Speaker 1 (16:18):
Especially when you combine it with attestation.
Speaker 2 (16:20):
Absolutely, attestation ensures the request for the pins is coming
from a legitimate app instance in the first place.
Speaker 1 (16:25):
Okay, so if we zoom out again, RASP, attestation, runtime secrets,
dynamic pinning. These are just separate tools, aren't they? Not.
Speaker 2 (16:34):
At all. They're deeply interconnected. They work together synergistically. Well,
RASP often provides the foundational signals, the raw data about
the app's health and environment that feeds into the attestation
checks right, and then attestation acts as that crucial gatekeeper,
verifying trust before sensitive secrets get delivered or before critical
API calls are allowed to go through. It's a cohesive,
(16:57):
layered defense system.
Speaker 1 (16:58):
The sources are really pointing towards a layered approach.
Speaker 2 (17:00):
Then consistently. An optimal mobile security strategy needs that defense
in depth, using both static and dynamic techniques, yes, but
with a very clear understanding of what each can and
more importantly cannot do.
Speaker 1 (17:14):
So static defenses like obfuscation might deter casual hackers.
Speaker 2 (17:19):
Maybe the casual ones, yeah, but they offer pretty low
effectiveness against the sophisticated AI powered run time threats we've
been talking about.
Speaker 1 (17:27):
Whereas the dynamic approaches RASP attestation.
Speaker 2 (17:31):
Those are the ones that deliver high effectiveness against these
advanced attacks, real time detection, powerful response. That's where the
real protection comes from now.
Speaker 1 (17:39):
So it's less about choosing one or the other and.
Speaker 2 (17:41):
More about understanding their roles and recognizing that for any
app handling sensitive data or performing critical functions, these dynamic
measures RASP, run time secrets, dynamic pinning, app attestation, they're
not just nice to haves anymore.
Speaker 1 (17:56):
They're essential.
Speaker 2 (17:57):
There are fundamental requirements period if you want adequate resilience
against modern threats, and.
Speaker 1 (18:03):
There are solutions out there that package these together.
Speaker 2 (18:05):
Yes, absolutely, solutions exist like Approov, who sponsor the show,
that provide unique runtime shielding solutions. They unify many of
these defenses. So Approov offers things like app
attestation across different platforms, checking the client environment integrity using
RASP techniques, strong MITM protection via dynamic pinning, and
(18:28):
that crucial secrets management where secrets are only delivered after
successful attestation. It ties it all together.
Speaker 1 (18:34):
Okay. So the landscape has definitely shifted, irrevocably, and just
clinging to those older static defenses, especially relying too much
on obfuscation.
Speaker 2 (18:44):
It's a recipe for failure, especially against these increasingly sophisticated,
automated AI boosted attacks that are laser focused on your APIs.
Speaker 1 (18:52):
So to build apps that are genuinely resilient today.
Speaker 2 (18:54):
You have to make that decisive pivot to dynamic runtime
security. It's not really an option anymore. It's
just essential.
Speaker 1 (19:01):
Continuously assessing the security posture in.
Speaker 2 (19:03):
Real time, in real time, truly embracing that never trust,
always verify mantra, not just as a slogan, but in
practice at every interaction.
Speaker 1 (19:12):
Okay, and maybe a final thought for our listeners to
chew on.
Speaker 2 (19:15):
Yeah, I think in this really complex digital world, securing
your mobile apps, securing those cloud back ends, it's a
huge challenge, right, with many facets, for sure. Remember that
storefront analogy we used? No, don't just lock the front door,
make sure you haven't left the back door wide open.
Speaker 1 (19:32):
And crucially ensure only genuinely trusted visitors, not just ones
who look legitimate, can even get near your front door exactly. Well,
thank you for joining us for this episode of Upwardly Mobile.
Speaker 2 (19:44):
We really hope this discussion has given you a clearer
picture of the threats out there and the critical need
for dynamic run time security for your mobile apps and APIs.
Speaker 1 (19:53):
Keep learning and stay secure. This episode was created using
insights from human sources and was assisted by to help
bring you the most concise and impactful analysis.