Sign up to save your podcasts
Or
Share Is Direct-to-Consumer the Future of Mobile Apps Distribution?
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Is Direct-to-Consumer the Future of Mobile Apps Distribution?
Podcast Episode Title: "Upwardly Mobile: The Shift to Direct-to-Consumer (DTC) Distribution
The Mobile Threat Model:
lsDgp0fzUGR7b2cuqPcd
🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
- Mobile applications and their APIs are vital for accessing data and services, but they are also major targets for security breaches.
- Bad actors exploit vulnerabilities to steal data, disrupt services, and hijack devices.
- The mobile app security landscape is challenging because app code is easily available and can be reverse-engineered.
- A key challenge is determining if an app or its environment has been tampered with.
- Client software attestation is important for verifying the authenticity of a mobile client before granting server access.
- Mobile app developers are exploring direct-to-consumer (DTC) distribution methods due to the limitations imposed by traditional app stores.
- DTC offers advantages such as increased revenue, enhanced user relationships, and greater flexibility and control.
- Legislation such as the EU's Digital Markets Act (DMA) is promoting open app ecosystems.
- Alternative app stores like the Epic Games Store, Amazon Appstore and Samsung Galaxy Store are gaining traction.
The Mobile Threat Model:
- There are five key attack surfaces in the mobile ecosystem:
- User Credentials
- App Integrity
- Device Integrity
- API Channel Integrity
- API and Service Vulnerabilities
- Attackers often explore these surfaces to extract information to set up automated attacks on APIs.
- User credentials can be stolen through phishing, spoofing, and data breaches.
- Attackers may also target the app itself to extract information or transform it into a tool for attacks.
- Device integrity can be compromised via rooting or jailbreaking, allowing attackers to bypass security mechanisms.
- API channels are vulnerable to man-in-the-middle (MitM) attacks, even when using HTTPS.
- APIs can be attacked through credential stuffing, data theft, and denial-of-service (DoS) attacks.
- Approov provides a client software attestation solution that validates the identity and genuineness of the mobile client.
- Approov-enabled servers can determine the integrity of software applications running on client devices.
- The client software creates a special code (cryptographic hash) to prove it hasn’t been tampered with.
- This code is sent to an attestation service, which checks its validity.
- Approov's checks include code signing, detection of jailbroken/rooted devices, and checks on the device's OS and key files.
- A device is denied access to the server if it fails to meet these standards.
- Approov can be integrated into the Software Development Lifecycle (SDLC).
- Approov provides enhanced security, helps ensure regulatory compliance, and offers a cost-effective solution.
- Approov's patented technology strengthens server-client interactions by validating client software.
- It ensures app originality, detects compromised devices, and verifies device integrity.
- Mobile App Registration: The Approov CLI tool is used to register new apps by analyzing them and creating a unique signature.
- App Makes API Calls: When a protected API call is made, the Approov SDK initiates an integrity assessment if no token is available.
- Integrity Assessment: The SDK and the Approov cloud service perform checks on the app's runtime environment and authenticity, and if the security policy is met, a short-lived cryptographically signed Approov token is provided.
- Approov Token Delivery: The token is added to the API request header.
- Approov Token Check: The backend API checks the validity of the token before granting access.
- If the token check fails, the request is likely from a compromised app, environment, or a script and would typically be blocked.
- Approov also provides Runtime Secrets Protection, securing API keys and transmitting them only to valid, untampered app instances.
- Protects against automated attacks on APIs.
- Prevents the exploitation of stolen user credentials.
- Protects against known and zero-day vulnerabilities.
- Guards against malicious manipulation of API business logic.
- Helps to stop Man-in-the-Middle attacks.
- Improves trust and revenue in the mobile app ecosystem.
- Provides extra security for Mobile Device Management (MDM), Mobile Payment Systems, Enterprise Applications and IoT/OT devices.
- Approov blocks access to the API from tampered apps, compromised environments and scripting tools, which can interfere with pentesting.
- To test APIs protected by Approov, pentesters can:
- Force the device to always pass the Approov check.
- Disable Approov's certificate pinning.
- Use Approov example tokens.
- Shift left, but shield right: Address security early in the development process and put controls in place to protect the running service.
- Understand the attack surfaces and how they can be exploited.
- Prioritize threat modeling based on the value of assets exposed and the capabilities of bad actors.
- Balance the effort to find vulnerabilities with ensuring countermeasures are in place and working effectively.
- Mobile app security is crucial for protecting sensitive data and ensuring the integrity of mobile services.
- Adopting solutions like Approov can significantly strengthen an app's security posture and protect against various threats.
- Embracing an open app ecosystem and exploring DTC distribution can also empower developers and promote innovation.
lsDgp0fzUGR7b2cuqPcd
🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
View all episodes
By Approov Mobile SecurityPodcast Episode Title: "Upwardly Mobile: The Shift to Direct-to-Consumer (DTC) Distribution
The Mobile Threat Model:
lsDgp0fzUGR7b2cuqPcd
🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
- Mobile applications and their APIs are vital for accessing data and services, but they are also major targets for security breaches.
- Bad actors exploit vulnerabilities to steal data, disrupt services, and hijack devices.
- The mobile app security landscape is challenging because app code is easily available and can be reverse-engineered.
- A key challenge is determining if an app or its environment has been tampered with.
- Client software attestation is important for verifying the authenticity of a mobile client before granting server access.
- Mobile app developers are exploring direct-to-consumer (DTC) distribution methods due to the limitations imposed by traditional app stores.
- DTC offers advantages such as increased revenue, enhanced user relationships, and greater flexibility and control.
- Legislation such as the EU's Digital Markets Act (DMA) is promoting open app ecosystems.
- Alternative app stores like the Epic Games Store, Amazon Appstore and Samsung Galaxy Store are gaining traction.
The Mobile Threat Model:
- There are five key attack surfaces in the mobile ecosystem:
- User Credentials
- App Integrity
- Device Integrity
- API Channel Integrity
- API and Service Vulnerabilities
- Attackers often explore these surfaces to extract information to set up automated attacks on APIs.
- User credentials can be stolen through phishing, spoofing, and data breaches.
- Attackers may also target the app itself to extract information or transform it into a tool for attacks.
- Device integrity can be compromised via rooting or jailbreaking, allowing attackers to bypass security mechanisms.
- API channels are vulnerable to man-in-the-middle (MitM) attacks, even when using HTTPS.
- APIs can be attacked through credential stuffing, data theft, and denial-of-service (DoS) attacks.
- Approov provides a client software attestation solution that validates the identity and genuineness of the mobile client.
- Approov-enabled servers can determine the integrity of software applications running on client devices.
- The client software creates a special code (cryptographic hash) to prove it hasn’t been tampered with.
- This code is sent to an attestation service, which checks its validity.
- Approov's checks include code signing, detection of jailbroken/rooted devices, and checks on the device's OS and key files.
- A device is denied access to the server if it fails to meet these standards.
- Approov can be integrated into the Software Development Lifecycle (SDLC).
- Approov provides enhanced security, helps ensure regulatory compliance, and offers a cost-effective solution.
- Approov's patented technology strengthens server-client interactions by validating client software.
- It ensures app originality, detects compromised devices, and verifies device integrity.
- Mobile App Registration: The Approov CLI tool is used to register new apps by analyzing them and creating a unique signature.
- App Makes API Calls: When a protected API call is made, the Approov SDK initiates an integrity assessment if no token is available.
- Integrity Assessment: The SDK and the Approov cloud service perform checks on the app's runtime environment and authenticity, and if the security policy is met, a short-lived cryptographically signed Approov token is provided.
- Approov Token Delivery: The token is added to the API request header.
- Approov Token Check: The backend API checks the validity of the token before granting access.
- If the token check fails, the request is likely from a compromised app, environment, or a script and would typically be blocked.
- Approov also provides Runtime Secrets Protection, securing API keys and transmitting them only to valid, untampered app instances.
- Protects against automated attacks on APIs.
- Prevents the exploitation of stolen user credentials.
- Protects against known and zero-day vulnerabilities.
- Guards against malicious manipulation of API business logic.
- Helps to stop Man-in-the-Middle attacks.
- Improves trust and revenue in the mobile app ecosystem.
- Provides extra security for Mobile Device Management (MDM), Mobile Payment Systems, Enterprise Applications and IoT/OT devices.
- Approov blocks access to the API from tampered apps, compromised environments and scripting tools, which can interfere with pentesting.
- To test APIs protected by Approov, pentesters can:
- Force the device to always pass the Approov check.
- Disable Approov's certificate pinning.
- Use Approov example tokens.
- Shift left, but shield right: Address security early in the development process and put controls in place to protect the running service.
- Understand the attack surfaces and how they can be exploited.
- Prioritize threat modeling based on the value of assets exposed and the capabilities of bad actors.
- Balance the effort to find vulnerabilities with ensuring countermeasures are in place and working effectively.
- Mobile app security is crucial for protecting sensitive data and ensuring the integrity of mobile services.
- Adopting solutions like Approov can significantly strengthen an app's security posture and protect against various threats.
- Embracing an open app ecosystem and exploring DTC distribution can also empower developers and promote innovation.
lsDgp0fzUGR7b2cuqPcd
🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast