Upwardly Mobile - API & App Security News

Is Direct-to-Consumer the Future of Mobile Apps Distribution?



Podcast Episode Title: "Upwardly Mobile: The Shift to Direct-to-Consumer (DTC) Distribution"
- Mobile applications and their APIs are vital for accessing data and services, but they are also major targets for security breaches.
- Bad actors exploit vulnerabilities to steal data, disrupt services, and hijack devices.
- The mobile app security landscape is challenging because app code is easily available and can be reverse-engineered.
- A key challenge is determining if an app or its environment has been tampered with.
- Client software attestation is important for verifying the authenticity of a mobile client before granting server access.
The Shift to Direct-to-Consumer (DTC) Distribution
- Mobile app developers are exploring direct-to-consumer (DTC) distribution methods due to the limitations imposed by traditional app stores.
- DTC offers advantages such as increased revenue, enhanced user relationships, and greater flexibility and control.
- Legislation such as the EU's Digital Markets Act (DMA) is promoting open app ecosystems.
- Alternative app stores like the Epic Games Store, Amazon Appstore and Samsung Galaxy Store are gaining traction.
The Mobile Threat Model:
- There are five key attack surfaces in the mobile ecosystem:
  - User Credentials
  - App Integrity
  - Device Integrity
  - API Channel Integrity
  - API and Service Vulnerabilities
- Attackers often explore these surfaces to extract information to set up automated attacks on APIs.
- User credentials can be stolen through phishing, spoofing, and data breaches.
- Attackers may also target the app itself to extract information or transform it into a tool for attacks.
- Device integrity can be compromised via rooting or jailbreaking, allowing attackers to bypass security mechanisms.
- API channels are vulnerable to man-in-the-middle (MitM) attacks even when using HTTPS: an attacker who controls the device can install a trusted root CA or hook the TLS stack, so the app must also pin the server certificate or public key to keep the channel private.
- APIs can be attacked through credential stuffing, data theft, and denial-of-service (DoS) attacks.
Approov's Solution:
- Approov provides a client software attestation solution that validates the identity and genuineness of the mobile client.
- Approov-enabled servers can determine the integrity of software applications running on client devices.
- The client software computes a cryptographic hash over its own code and sends it, as proof that it hasn't been tampered with, to an attestation service, which checks the hash against the values expected for a genuine build.
- Approov's checks include code signing, detection of jailbroken/rooted devices, and checks on the device's OS and key files.
- A device is denied access to the server if it fails to meet these standards.
- Approov can be integrated into the Software Development Lifecycle (SDLC).
- Approov provides enhanced security, helps ensure regulatory compliance, and offers a cost-effective solution.
- Approov's patented technology strengthens server-client interactions by validating client software.
- It ensures app originality, detects compromised devices, and verifies device integrity.
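The attestation flow summarized above (the client measures itself, the attestation service checks the measurement and the device state, and the API backend only serves requests that carry a valid attestation token) as an added, self-contained example. This is illustrative code written for this page, not Approov's implementation; the app bytes, the signing key, the known-good hash set and the JWT-like token format are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-ins for a real app binary; the tampered copy has an injected hook.
GENUINE_APP_CODE = b"com.example.mobilebank v1.4.2 -- constructed sample app code"
TAMPERED_APP_CODE = GENUINE_APP_CODE + b"\x90\x90 injected hooking code"

# Hypothetical secret shared by the attestation service and the API backend.
TOKEN_SIGNING_KEY = b"constructed-attestation-signing-key"
TOKEN_TTL_SECONDS = 300


def measure_app(app_code: bytes) -> str:
    """The client's proof of integrity: a SHA-256 hash over its own code."""
    return hashlib.sha256(app_code).hexdigest()


# The attestation service holds the hashes of every shipped, genuine build.
KNOWN_GOOD_HASHES = {measure_app(GENUINE_APP_CODE)}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(payload: dict, key: bytes = TOKEN_SIGNING_KEY) -> str:
    """Minimal JWT-like token: base64url(JSON payload) . base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> bool:
    """API backend check: valid signature under the shared key and not expired."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False
        payload = json.loads(_unb64(body))
        return payload["exp"] > (time.time() if now is None else now)
    except (ValueError, KeyError, TypeError):
        return False


class AttestationService:
    """Issues single-use challenges and trades a valid attestation for a token."""

    def __init__(self):
        self._pending_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending_nonces.add(nonce)
        return nonce

    def attest(self, nonce: str, app_hash: str, device_state: dict,
               now: Optional[float] = None) -> Optional[str]:
        # Freshness: an unknown or already-consumed nonce means a replayed or forged request.
        if nonce not in self._pending_nonces:
            return None
        self._pending_nonces.discard(nonce)
        # App integrity: the measurement must match a genuine build.
        if app_hash not in KNOWN_GOOD_HASHES:
            return None
        # Device integrity: refuse rooted/jailbroken devices and attached debuggers.
        if device_state.get("rooted") or device_state.get("debugger_attached"):
            return None
        issued = time.time() if now is None else now
        return issue_token({"app": app_hash[:16], "iat": issued,
                            "exp": issued + TOKEN_TTL_SECONDS})


def client_attest(service: AttestationService, app_code: bytes,
                  device_state: dict) -> Optional[str]:
    """Client side of the exchange. A real attester takes the measurement from
    protected code inside the app; here the caller supplies the bytes to hash."""
    nonce = service.challenge()
    return service.attest(nonce, measure_app(app_code), device_state)


def api_request(token: Optional[str], now: Optional[float] = None) -> int:
    """The API gate: HTTP status for a request presenting the attestation token."""
    return 200 if token and verify_token(token, now) else 401


if __name__ == "__main__":
    svc = AttestationService()
    clean = {"rooted": False, "debugger_attached": False}
    print(api_request(client_attest(svc, GENUINE_APP_CODE, clean)))          # 200
    print(api_request(client_attest(svc, TAMPERED_APP_CODE, clean)))         # 401
    print(api_request(client_attest(svc, GENUINE_APP_CODE, {"rooted": True})))  # 401
```

The nonce makes each attestation fresh (a captured proof cannot be replayed), the short token lifetime bounds the damage if a token leaks, and the backend never inspects the device itself; it only needs the shared key to verify the token. The deliberate gap is the measurement step: a hash that the client computes over bytes it chooses can be spoofed by a modified app that hashes the original binary, which is why production attesters take the measurement from protected code rather than trusting the caller.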
How
This content was created in partnership with, and with the help of, artificial intelligence (AI).

Upwardly Mobile - API & App Security News, by Skye MacIntyre