April 10, 2025 11 mins
Episode Title: The Growing Threat to Mobile APIs: Leaks, Lapses, and Robust Defences

Episode Notes:

In this episode of Upwardly Mobile, we delve into the escalating challenges surrounding API security for both web and mobile applications. We explore recent alarming trends, including the leakage of 39 million secrets (API keys, credentials and tokens) via GitHub in 2024, which highlights the persistent threat of exposed authentication data. This situation has prompted GitHub to launch new security tools to combat the problem. According to GitHub, push protection blocks numerous secrets every minute, yet accidental exposure remains a significant cause of security incidents. Erin Havens from GitHub emphasises that developers handle numerous secrets daily, any of which can be unintentionally exposed, and that even seemingly low-risk secrets can give attackers a foothold for lateral movement.

We also examine a real-world security lapse at API testing firm APIsec, which exposed customer data through a misconfigured internal database that was left connected to the internet without a password for several days. The exposed data, dating back to 2018, included names, email addresses and details about the security posture of APIsec's corporate customers. Security research firm UpGuard discovered the leak. Although APIsec founder Faizel Lakhani initially downplayed it, the exposed data was later confirmed to include sensitive customer information and even private keys for AWS and credentials for Slack and GitHub accounts. This incident underscores how severe even an unintentional lapse can be in the API ecosystem.

The episode further explores why mobile APIs are particularly vulnerable compared to web APIs: client-side validation in mobile apps can be bypassed, the app binary is easier to reverse engineer, granular API endpoints increase the attack surface, and mobile apps may lack advanced security measures. Device-specific risks, such as rooted or jailbroken devices, also compromise app integrity. To counter these threats, integrating a Mobile SDK with attestation is crucial. Such SDKs provide runtime integrity checks, authenticate API calls, detect tampering, and enable dynamic token binding.

We discuss how traditional backend app security solutions, like Web Application Firewalls (WAFs), may not be sufficient for mobile app protection because they lack contextual information from the client environment. A Mobile SDK can continuously verify contextual information from the app and the client environment, which is essential for reliably countering mobile threats. Two main types of Mobile SDKs for bot detection exist: those analysing user-behaviour signals and those focusing on software-identity signals.

Approov emerges as a leading solution for mobile app and API security, providing visibility and protection through a positive authentication model that validates legitimate app and device actions while blocking bots and other threats. The Approov SDK integrates with mobile apps and continuously validates the app and device at runtime, allowing the app to present an authorised identity to the server. Approov also offers a distinctive way to protect API keys used by mobile apps, delivering them just-in-time only to validated apps and environments. Approov can integrate with any backend API gateway, WAF, or WAAP solution by using standard JWT tokens in requests.

The Q1 2025 State of API Security Report from Salt Security reveals critical insights into the broader API security landscape. Key findings include that 99% of organisations have encountered API security issues in the past year and 55% have slowed the rollout of new applications due to API security concerns. The report highlights that 95% of attack attempts originate from authenticated users and 98% target external-facing APIs. The most frequently exploited vulnerability is API8 (Security Misconfiguration), accounting for 54% of attacks, follow
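The notes above describe an attestation SDK that lets the app "present an authorised identity to the server" as a standard JWT, with "dynamic token binding" tying that token to the request. The following is an added illustration of what the backend half of that design looks like, written for this page; it is not Approov's code and does not reproduce Approov's token format. Everything here is constructed: the shared secret, the issuer name, the claim name `bind` (a base64url SHA-256 of the request value the token is bound to, such as the user's Authorization header), and the sample app ID. The point it shows is the set of checks the server must do itself, because none of the client-side checks can be trusted: pinned algorithm, constant-time signature check, expiry with bounded skew, and the binding check that stops a captured token being replayed with a different user's credential.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed example secret (hypothetical). In a real deployment this is
# shared only between the attestation service and the backend, never the app.
SHARED_SECRET = b"example-shared-secret-not-for-production-use"
ISSUER = "attestation-service"   # hypothetical issuer name
CLOCK_SKEW = 30                  # seconds of tolerated clock drift


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def binding_hash(value: str) -> str:
    """Hash of the request value the token is bound to (e.g. the Authorization
    header), so the attestation token is useless alongside any other credential."""
    return b64url_encode(hashlib.sha256(value.encode("utf-8")).digest())


def issue_token(app_id: str, bound_value: str, ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT the way an attestation service would after
    the app and device passed its runtime checks (constructed example)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": app_id, "iat": now, "exp": now + ttl,
               "bind": binding_hash(bound_value)}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, bound_value: str,
                 now: Optional[int] = None) -> Tuple[bool, str]:
    """Backend-side check. Returns (accepted, reason-or-app-id). Every failure
    is a reject; the backend trusts nothing the client asserts on its own."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        presented_sig = b64url_decode(sig_b64)
    except ValueError:  # covers JSON, base64 and UTF-8 decode errors
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "undecodable token"
    # Pin the algorithm: the token never gets to choose (rejects "none" etc.).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return False, "bad signature"
    if payload.get("iss") != ISSUER:
        return False, "wrong issuer"
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW:
        return False, "expired"
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW:
        return False, "issued in the future"
    # Token binding: valid only together with the credential it was minted for.
    bind = payload.get("bind")
    if not isinstance(bind, str) or not hmac.compare_digest(
            bind.encode("utf-8"), binding_hash(bound_value).encode("ascii")):
        return False, "binding mismatch"
    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        return False, "missing subject"
    return True, sub


if __name__ == "__main__":
    # Constructed sample: the SDK obtained a token bound to the user's bearer credential.
    user_cred = "Bearer user-session-abc123"
    tok = issue_token("com.example.app", user_cred, now=1_700_000_000)
    print(verify_token(tok, user_cred, now=1_700_000_100))             # accepted
    print(verify_token(tok, "Bearer someone-else", now=1_700_000_100)) # binding mismatch
    print(verify_token(tok, user_cred, now=1_700_000_400))             # expired
```

Short lifetimes plus binding are what make the "just-in-time" model in the notes hold up: a token lifted from a rooted device or a proxy log is only good for a few minutes and only with the exact credential it was minted for, and a WAF or gateway that sits in front of the API can perform the same JWT checks without needing any client context of its own.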