Beyond Google: HarmonyOS, HyperOS, and Securing the Non-GMS Mobile World

Episode Description:
Join us as we dive into the evolving landscape of mobile operating systems beyond the familiar Google Mobile Services (GMS) ecosystem. We explore how Huawei has achieved significant market success with its HarmonyOS, particularly in China, despite the challenges of being added to the U.S. entity list and losing access to GMS. The sources highlight HarmonyOS NEXT, Huawei's self-developed OS that fully decouples from Android, featuring a China-made kernel and aiming for a large native app ecosystem.This shift highlights the rise of non-GMS mobile devices, driven by privacy concerns and a desire for openness or regional market dynamics. However, non-GMS apps face unique security challenges due to the lack of Google's built-in security services, potentially increasing risks of malware and unauthorized access.Adding to this dynamic, rumours suggest Xiaomi may collaborate with Huawei and BBK to create a Google-free version of its HyperOS, aiming for increased software independence and control. Such a move could redefine the global Android ecosystem and introduce both opportunities and complexities for developers and users.In this environment, App Attestation is crucial for verifying the integrity and authenticity of apps and devices. While Google PlayIntegrity and SafetyNet serve GMS apps, Approov emerges as a game-changer, offering a comprehensive app attestation and runtime security solution for non-GMS (and other) devices, independent of Google services. We discuss how Approov helps enhance security, protect APIs, and empower developers in this diverse mobile world.

Discussion Points:

• Huawei's success with HarmonyOS following GMS restrictions.
• The features and goals of HarmonyOS NEXT as a distinct operating system.
• The characteristics and security challenges of non-GMS mobile devices.
• Xiaomi's rumoured plans to potentially launch a Google-free HyperOS, possibly in alliance with Huawei and BBK.
• The importance of App Attestation in safeguarding mobile apps and APIs.
• Approov as a security solution for non-GMS apps, offering benefits like real-time threat detection, independence from GMS, and comprehensive protection.
• Comparing Approov to traditional methods like Google PlayIntegrity.
• The strategic implications of open vs. closed mobile ecosystems and their impact on security and innovation.

Relevant Links:

• This episode draws on information from various sources discussing non-GMS devices, Huawei's HarmonyOS, Xiaomi's HyperOS rumours, and mobile security solutions like Approov.
• Learn more about enhancing mobile app security: approov.io

Keywords: Non-GMS, Google Mobile Services, GMS, HarmonyOS, HarmonyOS NEXT, Huawei, Xiaomi, HyperOS, App Attestation, Mobile Security, Android Security, Non-GMS Security, Approov, Open Ecosystems, Mobile App Security, API Security, Runtime Protection, Device Attestation, Cybersecurity, Non-GMS Apps

Apple Blasted by Judge: Lying Under Oath and App Store Control

Episode Notes: In this episode, we dive into the dramatic developments from the ongoing legal battle between Epic Games and Apple. A recent ruling by Judge Yvonne Gonzalez Rogers has delivered a significant blow to Apple's control over its App Store.The judge has banned Apple from charging a commission on purchases made outside the App Store. This stems from Apple's "ongoing anticompetitive behavior", specifically their response to a previous 2021 ruling that required them to allow developers to direct users to external purchasing options.Instead of allowing commission-free external purchases as anticipated by the court, Apple introduced a policy in 2024 that levied a 27% commission on such transactions. Judge Rogers found that Apple "willfully violated and ignored" her 2021 injunction, stating, "That [Apple] thought this Court would tolerate such insubordination was a gross miscalculation".Furthermore, the ruling revealed serious findings about Apple's conduct during the trial. Judge Rogers found that Apple Vice President of Finance Alex Roman "outright lied" under oath regarding the timing of Apple's decision to impose the 27% fee. The judge stated that Apple "adopted the lies and misrepresentations" by not correcting them. She wrote that Apple presented evidence that seemed "tailor-made for litigation" rather than reflecting actual internal discussions, and that contemporaneous documents showed Apple "knew exactly what it was doing and at every turn chose the most anticompetitive option".Adding to the severity, Judge Rogers referred the matter to U.S. attorneys to investigate potential criminal contempt proceedings against both Alex Roman and Apple Inc.. She also noted that Apple CEO Tim Cook ignored advice from App Store chief Phil Schiller regarding complying with the original injunction.Epic Games CEO Tim Sweeney called the decision a "huge victory for developers" and announced that Fortnite would return to the US App Store following the ruling. He offered a "peace proposal," suggesting Epic would drop litigation if Apple applied the "friction-free, Apple-tax-free framework worldwide".This ruling highlights a significant contrast between Apple's stated values of honesty, compliance, and integrity and the court's findings of willful violation, lying, and anticompetitive behavior. As Judge Rogers stated, "This is an injunction, not a negotiation. There are no do-overs once a party willfully disregards a court order".

• Judge bans Apple commission on external App Store purchases.
• Ruling finds Apple willfully violated previous order.
• Apple VP found to have "outright lied" under oath.
• Apple Inc. deemed to have "adopted the lies".
• Matter referred for potential criminal contempt proceedings.
• Epic Games plans to bring Fortnite back to the App Store.

Relevant source materials for this episode include excerpts from articles by The Verge and CNBC and the WSJ. 

Keywords: Apple, Epic Games, App Store, Judge Yvonne Gonzalez Rogers, Fortnite, antitrust, lawsuit, court ruling, commission, fees, contempt of court, perjury, Alex Roman, Tim Sweeney, Tim Cook, Phil Schiller, anticompetitive, regulation, tech news, mobile apps, iOS.

Protect your mobile apps from fraud and abuse. Learn more at approov.io.

Upwardly Mobile

Episode Title: The Good, The Bad, and The Ugly in Mobile Encryption

In this episode of Upwardly Mobile, hosted by George & Skye and sponsored by Approov, we dive deep into the crucial world of encryption algorithms for mobile app developers. Protecting user data is paramount for trust, compliance, and preventing breaches, but navigating the landscape of encryption can be challenging. We break down algorithms into three categories: The Good, The Bad, and The Ugly, discussing which ones to use, which to avoid, and learning from past failures.Episode Summary:Encryption is non-negotiable in mobile development, affecting data security, privacy, and compliance. Choosing the right algorithm is critical, as not all are created equal.The Good: We highlight modern, reliable encryption algorithms essential for mobile applications.

• AES (Advanced Encryption Standard): The industry standard for symmetric encryption. AES-256 is recommended for its strength, performance, and flexibility. Using AES-GCM mode provides both confidentiality and integrity/authenticity, which is vital. Modern mobile CPUs often have hardware acceleration (AES-NI) making it very fast.
• ECC (Elliptic Curve Cryptography): The modern choice for asymmetric cryptography, particularly valuable in mobile environments with limited resources. ECC offers robust security with significantly smaller key lengths compared to RSA, leading to faster computations, less memory, lower power consumption, and less data transmitted. It's ideal for secure key exchange (like ECDHE in TLS) and digital signatures (like ECDSA).
• ChaCha20-Poly1305: An excellent AEAD symmetric cipher. It offers security comparable to AES-256-GCM and performs exceptionally well in software, often faster than AES on devices without dedicated hardware acceleration. It's widely used in TLS 1.3.
• Hashing Algorithms: For integrity checks and password storage. Use the SHA-2 family (SHA-256, SHA-384, SHA-512) or the newer SHA-3 family. For password hashing, never just hash passwords; use dedicated functions like Argon2 (current best practice) or bcrypt, designed to be slow and memory-intensive to resist brute-force attacks.
• Secure Protocols: Always use TLS 1.3 for securing network communications (HTTPS), as it mandates strong ciphers and removes insecure options.
• Key Management: Leverage platform-provided secure key storage like Android Keystore and iOS Keychain, which often use hardware-backed secure elements.
• The Hybrid Approach: The standard practice involves using asymmetric crypto (like ECDHE) to establish a shared secret key securely, and then using that secret key with a fast symmetric AEAD cipher (like AES-GCM or ChaCha20-Poly1305) to encrypt the actual application data.

The Bad: Certain algorithms are outdated, inefficient, or have known vulnerabilities and should be avoided at all costs.

• DES (Data Encryption Standard): Long obsolete with a small 56-bit key size, easily cracked with modern hardware. Completely insecure.
• 3DES (Triple DES): While an improvement over DES, it's considered weak against current cryptanalysis and is significantly slower than modern standards like AES.
• RC4: A stream cipher vulnerable to multiple types of attacks, deprecated in TLS 1.3.
• MD5 & SHA-1: Hashing algorithms considered broken for security purposes like digital signatures or password hashing due to practical collision attacks. Use SHA-2 or SHA-3 instead.
• CBC Mode without MAC: Using modes like AES-CBC without combining them correctly with a strong Message Authentication Code (MAC) can lead to vulnerabilities like padding oracle attacks (POODLE) and bit-flipping attacks. AEAD modes like GCM handle this automatically.
• ECB Mode (Electronic Codebook): Never use for more than one block of data, as it leaks patterns visibly.
• Older Protocols: SSLv2, SSLv3, TLS 1.0, and TLS 1.1 have known vulnerabilities (POODLE, BEAST). Use TLS 1.2 minimum, strongly prefer TLS 1.3.

The Ugly: Some cryptographic failures stem from inherent flaws, flawed implementations, or real-world exploits.

• MD5 & SHA-1: Suffered severe cryptographic failures with discovered collisions.
• WEP (Wired Equivalent Privacy): A notorious failure in wireless network security, riddled with vulnerabilities exploitable in minutes.
• Implementation Errors: This is where most failures occur. Examples include hardcoded keys, weak random number generation, insecure key storage (plaintext in preferences/files), missing certificate validation (allowing MitM attacks), and protocol downgrade attacks.
• Rolling Your Own Crypto: Unless you are an expert cryptographer, do not invent your own algorithms or protocols; stick to well-vetted standards and libraries.
• Library Vulnerabilities: Bugs in crypto libraries can be devastating, as seen with Heartbleed in OpenSSL. Keep libraries updated.
• Side-Channel Attacks: Exploit information leaked from the physical implementation (timing, power consumption).

The Future: Post-Quantum Cryptography (PQC): With the potential advent of large-scale quantum computers, current public-key algorithms like RSA and ECC may become vulnerable.

• NIST Standardization: Proactive research is ongoing to develop PQC algorithms resistant to quantum attacks. NIST has finalised initial standards as of August 2024: ML-KEM (CRYSTALS-Kyber) for encryption/key establishment (FIPS 203), ML-DSA (CRYSTALS-Dilithium) for digital signatures (FIPS 204), and SLH-DSA (SPHINCS+) (FIPS 205). HQC was selected as an additional KEM standard in March 2025.
• What This Means for Developers: Awareness is key. There's no immediate panic, as mature library support will take time. Start planning for crypto-agility to allow easier algorithm updates in the future. Be aware of potential performance differences (e.g., larger key/signature sizes). Stay informed.

Key Takeaways: Prioritise strong, efficient, and widely-supported standards like AES-256 and ECC. Phase out vulnerable algorithms like DES, 3DES, and RC4. Avoid disastrous failures like MD5 and WEP. Use secure protocols like TLS 1.3. Manage keys securely using platform features. Learn from the 'Ugly' examples and avoid implementation pitfalls. Stay informed about post-quantum encryption to prepare for the future.

Keywords: mobile app security, encryption algorithms, AES, ECC, ChaCha20-Poly1305, TLS 1.3, SHA-2, SHA-3, Argon2, bcrypt, DES, 3DES, RC4, MD5, SHA-1, WEP, PQC, Post-Quantum Cryptography, CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+, HQC, app attestation, API protection, mobile development, cybersecurity, data security, cryptography.

Learn more about the sponsor, Approov: https://approov.io/

Episode Title: The 92% Problem: Moving Beyond Obfuscation to Secure Mobile Apps

Episode Summary: Welcome to another episode of Upwardly Mobile, the podcast that dives deep into the world of mobile app development and security, sponsored by Approov! In this episode, hosts Skye Macintyre and George McGregor tackle a concerning statistic: a new analysis reveals that a staggering 92% of mobile apps use insecure cryptographic methods. We explore the findings of the Zimperium report, "Your Apps are Leaking: The Hidden Data Risks on your Phone," which analyzed over 17,000 enterprise mobile applications and uncovered widespread vulnerabilities, including misconfigured cloud storage, hardcoded credentials, and alarmingly outdated cryptographic practices.We delve into why traditional static defenses like code obfuscation are no longer sufficient to protect against modern threats. While obfuscation aims to deter reverse engineering, it ultimately fails to prevent determined attackers with advanced tools and dynamic analysis techniques from compromising applications at runtime. As OWASP guidance acknowledges, "Ultimately, the reverse engineer always wins" against purely static defenses.The episode highlights the evolving threat landscape, emphasizing the weaponization of Artificial Intelligence (AI) and the relentless targeting of Application Programming Interfaces (APIs). AI is being used to automate attacks, create adaptive malware, hyper-personalize social engineering, and accelerate vulnerability discovery. APIs, the backbone of modern mobile apps, are prime targets for credential stuffing, account takeover, and business logic abuse. Static defenses on the client-side offer little protection against these server-side vulnerabilities and sophisticated attack methods.We then shift our focus to the critical need for dynamic security measures that protect applications during runtime.

We discuss several key techniques:

• Runtime Application Self-Protection (RASP): This technology is built into the app or its runtime environment, enabling it to detect and prevent real-time attacks by monitoring inputs, outputs, function calls, and interactions with the operating system. RASP can detect reverse engineering attempts, code tampering, and execution on compromised devices.
• Runtime Secrets Protection: This approach eliminates hardcoded secrets by delivering them securely, just-in-time, to validated app instances via a backend service. App attestation checks ensure that secrets are only provided to legitimate, untampered applications.
• Dynamic Certificate Pinning: This method secures communication channels against Man-in-the-Middle (MitM) attacks by dynamically retrieving and verifying server certificates from a trusted management service. This offers greater flexibility and reduces the risk of outages compared to static pinning.
• App Attestation & Token-Based API Access: This process verifies the authenticity and integrity of the mobile application instance before granting access to sensitive APIs. Successful attestation results in a short-lived token that the API backend can verify, ensuring requests originate from genuine, unmodified apps.

These dynamic techniques work synergistically to create a layered defense strategy aligned with Zero Trust principles – "never trust, always verify". By continuously assessing the security posture of the application and its environment in real-time, these methods offer significantly stronger protection against modern threats than static defenses alone.Stay informed, stay secure, and stay ahead in the world of mobile cybersecurity with Upwardly Mobile!Relevant Web Links:

• 92% of Mobile Apps Found to Use Insecure Cryptographic Methods - Infosecurity Magazine: https://www.infosecurity-magazine.com/news/92-mobile-apps-insecure/
• Mobile Security Beyond Obfuscation_.pdf (Local File)
• Approov Website: https://approov.io/

Keywords: Mobile App Security, API Security, Code Obfuscation, Cryptography, Data Breaches, Vulnerabilities, Dynamic Security, Runtime Application Self-Protection (RASP), Runtime Secrets Protection, Dynamic Certificate Pinning, App Attestation, AI-Powered Attacks, API Abuse, OWASP Mobile Top 10, Podcast, Upwardly Mobile


This episode was brought to you by Approov, the leaders in mobile app attestation and API security. Learn how Approov can help you secure your mobile apps and APIs at https://approov.io/.

The Critical Imperative of Mobile App Security in 2025

Welcome back to Upwardly Mobile, the podcast tackling the high-stakes world of mobile app development and API security, sponsored by Approov—the leaders in cross-platform app attestation technology1. In this episode, we delve into the essential reasons why mobile app security is not just important, but a critical imperative in today's digital landscape.
Episode Highlights:
•
The Flourishing Mobile App Market and Growing Threats: We kick off by highlighting the massive growth of the mobile app market, with billions of smartphone users worldwide2. This widespread adoption, while offering great opportunities, also presents a larger attack surface for malicious actors3. Today over 85% of the world’s population own smartphones. The Apple App Store and Google Play Store boast millions of apps, and a significant portion of mobile device time is spent using these apps2. This popularity translates to a market predicted to generate almost a trillion dollars in revenue by 2023, making mobile apps indispensable3. However, this also means increased opportunities for hackers to exploit security vulnerabilities3.
•
Understanding Mobile Application Security: We define mobile application security as a technique for ensuring the software security posture of high-value mobile applications across various operating systems like iOS and Android3. It's about protecting digital identities from fraud and preventing attacks on users and organisations3. Attackers target mobile apps to access accounts, commit fraud, steal data, conduct espionage, or spread malware4.
•
The Costs of Security Breaches: Ignoring mobile app security can lead to severe consequences, including the loss of sensitive personal data, financial losses, and damage to an organisation's reputation5. Furthermore, organisations can face financial penalties due to regulations like GDPR, HIPAA, and CCPA if compromised data is not protected5.
•
Key Security Risks in Mobile Apps: We discuss some of the most prevalent security risks affecting mobile apps, as outlined by the OWASP Mobile Top 10. These include inadequate cryptography, reverse engineering, obtrusive functionality, code tampering, poor client code quality, insecure data storage, authentication, communication, and authorization6. The unique technologies used in mobile necessitate custom tooling for effective security testing6.
•
The Importance of Mobile Application Security Testing (MAST): We explore why Mobile Application Security Testing (MAST) is crucial for identifying and addressing weaknesses in mobile applications3.... Implementing MAST early in the Software Development Life Cycle (SDLC) can help developers lower application security risks before release4.... A thorough MAST strategy combines static analysis (SAST) to identify vulnerabilities in source code, dynamic analysis (DAST) to test running applications, and behavioural testing to track app actions and data flows7....
•
Shielding Mobile Apps and APIs: We touch upon the importance of end-to-end security for businesses relying on mobile apps10. Protecting against API vulnerabilities alone is insufficient; defence against API abuse is also necessary10. Ensuring only genuine app instances can use your API is key to isolating your mobile business from attacks10. A recommended approach includes implementing a shield for your mobile app and its APIs to protect data at rest and in transit, implementing security basics like code obfuscation and certificate pinning, and establishing a regular pentesting program11.
•
The Persistent Threat of Stolen Credentials and the Role of MFA: We address the fact that many mobile breaches originate from compromised or stolen credentials, often through phishing or password reuse12. Multi-Factor Authentication (MFA) is a vital defence mechanism, requiring multiple forms of verification to reduce the risk of account compromise significantly13. However, the implementation quality of MFA varies, and attackers are developing bypass techniques. Therefore, enforcing modern MFA and considering passwordless approaches based on FIDO2 specifications is crucial14. Progressive testing, tailored to the risk level of the app, is recommended to ensure adequate MFA security15. This can range from automated testing to expert-led penetration testing16. Key steps in testing MFA security include reviewing implementation design, examining user experience flows, testing authentication channels, evaluating data storage, conducting penetration testing, checking for replay attacks, and assessing usability and resilience17.... Regularly updating and monitoring MFA mechanisms is also essential21.
Relevant Web Links:
•
OWASP Mobile Top 10: [You can search for "OWASP Mobile Top 10" on the OWASP website: owasp.org]
•
GDPR: [You can search for the "General Data Protection Regulation" on official EU websites]
•
HIPAA: [You can search for the "Health Insurance Portability and Accountability Act" on the HHS website: hhs.gov]
•
CCPA: [You can search for the "California Consumer Privacy Act" on the California Attorney General's website: oag.ca.gov]
Keywords: Mobile App Security, Mobile Security Testing, MAST, SAST, DAST, OWASP Mobile Top 10, API Security, Stolen Credentials, Multi-Factor Authentication (MFA), Mobile Threats, Security Breaches, Data Protection, App Development Security, Cybersecurity.
       
Sponsored by Approov:
Learn how Approov's cross-platform app attestation technology can safeguard your mobile apps and APIs from malicious attacks. Visit approov.io to explore their solutions and protect your digital assets.
Tune in next time as we explore [Insert topic for next episode related to mobile security or API security].
Listen and subscribe to Upwardly Mobile on all major podcast platforms!