The App Store Freedom Act

Episode Description: In this episode of Upwardly Mobile, we unpack the App Store Freedom Act, a landmark bipartisan bill aiming to reform the highly concentrated mobile app marketplace dominated by tech giants like Apple and Google. Introduced by Representative Kat Cammack (R-FL) and co-sponsored by Representative Lori Trahan (D-MA), this legislation addresses significant concerns about anti-competitive practices, consumer choice, and developer freedom.
The Coalition for App Fairness (CAF), an independent nonprofit advocating for consumer choice and a level playing field for app developers, applauds the bill's bipartisan support, seeing it as a crucial step to dismantle "mobile walled gardens". We explore the bill's key provisions, which include allowing users to choose third-party app stores, install apps outside of official stores, and delete pre-installed applications. The Act also seeks to remove limitations on communication between developers and users, cap commissions on payments outside default systems, and mandate data sharing for app developers.
However, the App Store Freedom Act isn't without its critics. We delve into the concerns raised by the American Action Forum, particularly regarding potential overlaps with existing antitrust law and recent rulings like Apple v. Epic Games. A major point of contention is the security implications: opening up app stores could lead to a significant influx of fraudulent apps, data theft, and unverified third-party providers, potentially compromising the "walled garden" security benefits that currently protect users. We also discuss how while the bill might expedite FTC enforcement, it could bypass crucial antitrust requirements, potentially overlooking pro-consumer behaviors by app store providers. Join us as we explore the multifaceted debate surrounding this pivotal piece of tech legislation.
Key Discussion Points:
• The Problem: Anti-competitive practices and lack of consumer freedom in mobile app stores controlled by Apple and Google.
• The Bill's Purpose: To foster competition, enhance consumer choice, and create a level playing field for app developers globally.
• Core Provisions of the App Store Freedom Act (H.R.3209):
    ◦ Interoperability: Users can choose default third-party app stores, install apps from outside sources, and hide/delete pre-installed apps.
    ◦ Open App Development: Requires covered companies to provide developers with access to interfaces, hardware, and software features on equivalent terms.
    ◦ Prohibitions: Bans requirements for specific in-app payment systems, prevents punitive actions against developers using alternative pricing or payment methods, and protects legitimate business communications between developers and users.
    ◦ Nonpublic Business Information: Prohibits covered companies from using developer data to compete against those apps.
• Enforcement: Violations are treated as unfair or deceptive acts by the Federal Trade Commission (FTC), with potential civil penalties up to $1,000,000 per violation. State attorneys general can also bring civil actions.
• Overlap with Existing Law & Apple v. Epic Games: Discussion on whether new legislation is fully necessary given previous court rulings that addressed similar anti-steering practices.
• Security Concerns: Analysis of how opening the "walled garden" could impact user safety, potentially leading to fraudulent apps, stolen data, and unverified third-party providers.
• Balancing Act: The trade-offs between promoting competition and maintaining user security and convenience.
Relevant Source Materials for this Summary:
• "CAF Applauds Bipartisan Support for App Store Freedom Act - Coalition for App Fairness"
• "Evaluating the App Store Freedom Act - AAF"
• "Text - H.R.3209 - 119th Congress (2025-2026): App Store Freedom Act | Congress.gov | Library of Congress"

Sponsor: This episode of Upwardly Mobile is brought to you by Approov.io. Secure your APIs and mobile apps against fraud and abuse. Visit approov.io to learn more.

Keywords: App Store Freedom Act, digital markets, app store regulation, Apple, Google, anti-competitive practices, consumer choice, app developers, mobile apps, Open App Markets Act, Apple v. Epic Games, FTC, security concerns, H.R.3209, mobile walled gardens, competition policy, tech legislation, digital monopoly, software development, consumer protection, privacy.  
--------------------------------------------------------------------------------

Episode Title: Anatsa Unleashed: How a Sophisticated Android Banking Trojan Targets Over 830 Financial Apps Globally

In this episode of "Upwardly Mobile," we dive deep into the alarming evolution of Anatsa, a potent Android banking trojan that has significantly expanded its reach, now setting its sights on over 830 financial applications worldwide
. First identified in 2020, Anatsa (also known as Teabot or Troddler) grants its operators full control over infected devices, enabling them to perform fraudulent transactions and steal critical bank information, cryptocurrencies, and various other data on behalf of victims.
What You'll Learn in This Episode:
• Anatsa's Expanded Targets: Discover how the Anatsa banking trojan has broadened its scope to include more than 150 new banking and cryptocurrency applications, extending its malicious campaigns to mobile users in new countries like Germany and South Korea
.
• Deceptive Distribution Methods: Understand the cunning ways Anatsa spreads, primarily through decoy applications found on the official Google Play Store
. These seemingly harmless apps often masquerade as useful tools like PDF viewers, QR code scanners, or phone cleaners, accumulating over 50,000 downloads in some cases. Once installed, they silently fetch a malicious payload disguised as an update from Anatsa's command-and-control (C&C) server.
• Advanced Evasion Techniques: Learn about Anatsa's sophisticated anti-analysis and anti-detection mechanisms, designed to evade security measures. These include decrypting strings at runtime using dynamically generated Data Encryption Standard (DES) keys, performing emulation and device model checks, and periodically altering package names and installation hashes
. The malware even hides its DEX payload within corrupted archives that bypass standard static analysis tools.
• How Anatsa Compromises Devices: Find out how Anatsa requests and automatically enables critical accessibility permissions upon installation. This allows it to display overlays on top of legitimate applications, tamper with notifications, receive and read SMS messages, and ultimately present fake banking login pages to steal credentials
. The trojan also incorporates keylogging capabilities.
• Industry Response: Hear about the efforts of cybersecurity firms like Zscaler, which identified and reported 77 nefarious applications distributing Anatsa and other malware families, collectively accounting for over 19 million downloads
. While Google has since removed these reported applications and states that Google Play Protect offers automatic protection, the continuous evolution of Anatsa highlights the ongoing threat.
Protect Yourself: Cybersecurity experts advise Android users to always verify the permissions that applications request and ensure they align with the intended functionality of the app
.
--------------------------------------------------------------------------------
Relevant Links to Source Materials:
• Source 1: SecurityWeek Article on Anatsa: "Anatsa Android Banking Trojan Now Targeting 830 Financial Apps"
• Source 2: Zscaler ThreatLabz Report: "Anatsa’s Latest Updates | ThreatLabz"
• Source 3: BSI Report on Anatsa: "BSI - Anatsa / Teabot"
--------------------------------------------------------------------------------
Sponsor: This episode of "Upwardly Mobile" is brought to you by Approov Mobile Security. Learn more about securing your mobile applications at approov.io.
--------------------------------------------------------------------------------
Keywords: Anatsa, Android banking trojan, mobile security, cybersecurity, financial apps, Google Play, malware, credential theft, keylogging, fraudulent transactions, Zscaler, threat intelligence, Android malware, cryptocurrency, mobile banking, data protection, Teabot, Troddler, anti-analysis, C&C server.

Apple's iOS Obfuscation Dilemma: App Store Rejection & Developer Security Challenges

In this vital episode of "Upwardly Mobile," we dive deep into the complexities of mobile app security within the healthcare sector, particularly concerning the HIPAA Security Rule and the challenges of iOS code obfuscation and App Store review. As telemedicine and mobile access to ePHI (Electronic Protected Health Information) become ubiquitous, understanding and implementing robust security measures is no longer optional—it's imperative. What You'll Learn in This Episode:

• The Evolving Threat Landscape for Healthcare Apps: Discover how the rapid adoption of mobile healthcare apps by both patients and practitioners has created new, data-rich attack surfaces for hackers. This includes apps used for consultations, prescription refills, appointment scheduling, accessing test results, and even those associated with medical devices.
• Limitations of Traditional Security: We explore why traditional security approaches and even robust TLS (Transport Layer Security) are often insufficient for protecting mobile healthcare apps and their APIs, particularly due to the unique exposure of mobile app code and device environments. Xcode's native build settings like symbol stripping and dead code stripping are primarily for optimization and offer no meaningful protection against determined reverse-engineering efforts.
• Proposed Improvements to the HIPAA Security Rule: Learn about Approov's specific recommendations to strengthen the updated HIPAA Security Rule (initially proposed in June 2024), focusing on mobile apps accessing ePHI. Key proposed changes include mandating:
  • App Attestation: A proven technique to ensure only genuine, unmodified apps can access APIs.
  • Runtime Device Attestation: Continuous scanning and real-time reporting of device environments to block requests from compromised devices.
  • Dynamic Certificate Pinning: Essential for protecting communication channels from Man-in-the-Middle (MitM) attacks, even when traffic is encrypted.
  • API Secret Protection: Explicit guidelines to ensure API keys are never stored in mobile app code and are delivered only as needed to verified apps.
  • Runtime Zero Trust Protection of Identity Exploits: Additional controls like app and device attestation to provide an extra layer of zero-trust security against credential stuffing and identity abuse.
  • Breach Readiness and Service Continuity: Extending incident response plans to cover third-party breaches and explicitly managing API keys and certificates during a breach.
• The Role of OWASP MASVS: Understand how the OWASP Mobile Application Security Verification Standard (MASVS) serves as the industry standard for mobile app security, offering guidelines for developers and testers. We specifically highlight MASVS-RESILIENCE for hardening apps against reverse engineering and tampering.
• The iOS Obfuscation Dilemma: Unpack the conflict faced by developers in regulated industries like fintech and healthcare: the critical need to protect proprietary algorithms and sensitive logic through code obfuscation versus the risk of rejection by Apple's App Store. Apple's guidelines are ambiguously enforced, often flagging aggressive obfuscation as an attempt to "trick the review process".
• Third-Party Obfuscation Solutions: Since Xcode provides no built-in true obfuscation features, we discuss the imperative for advanced third-party solutions. Learn about techniques like symbol renaming, string encryption, control flow obfuscation, and dummy code insertion. We also touch upon leading commercial tools like Guardsquare's iXGuard, Zimperium's Mobile Application Protection Suite (MAPS), and Appdome, as well as LLVM-based obfuscators.
• Obfuscation as a Compliance Control: Discover why code obfuscation and Runtime Application Self-Protection (RASP) are fundamental technical safeguards for HIPAA compliance and meeting the requirements of PCI DSS, even if not explicitly named in the regulations.
• Strategic Recommendations for Implementation: Get insights on implementing a risk-based tiered approach to app protection, integrating obfuscation into your CI/CD pipeline, and transparently communicating your security posture to the App Store review team to mitigate rejection risks.

Tune in to gain a comprehensive understanding of securing your mobile health applications in today's complex digital environment! Relevant Links & Resources:

• Sponsor: Learn more about app and API security solutions from Approov: approov.io
• Approov Blog: Injecting Mobile App Security into The HIPAA Healthcare Security Rule: approov.io/blog/injecting-mobile-app-security-into-the-hipaa-healthcare-security-rule
• OWASP Mobile Application Security (MAS) Project: owasp.org/www-project-mobile-app-security
• OWASP Mobile Application Security Verification Standard (MASVS): mas.owasp.org/MASVS/03-Using_the_MASVS/

Keywords: Mobile App Security, Healthcare, HIPAA, ePHI, API Security, Code Obfuscation, iOS Security, App Store Review, App Attestation, Runtime Application Self-Protection (RASP), PCI DSS, OWASP MASVS, Man-in-the-Middle (MitM) Attacks, API Keys, Zero Trust, Telemedicine, Virtual Healthcare, Mobile Health, Cybersecurity, Enterprise Security, Data Protection, Compliance, InfoSec, Privacy, Digital Health.

Securing the Autonomous Frontier: Defending Apps and APIs from Agentic AI Threats

Episode Notes In this episode of Upwardly Mobile, we delve into the critical and rapidly evolving landscape of Agentic AI security. As artificial intelligence advances beyond reactive responses to become autonomous systems capable of planning, reasoning, and taking action without constant human intervention, the need for robust security measures has become paramount. These intelligent software systems perceive their environment, reason, make decisions, and act to achieve specific objectives autonomously, often leveraging large language models (LLMs) for their core reasoning engines and control flow. The Rise of Agentic AI and Magnified Risks Agentic AI is rapidly integrating into various applications across diverse industries, from healthcare and finance to manufacturing. However, this increased autonomy magnifies existing AI risks and introduces entirely new vulnerabilities. As highlighted by the OWASP Agentic Security Initiative, AI isn’t just accelerating product development; it's also automating attacks and exploiting gaps faster than ever before. LLMs, for instance, can already brute force APIs, simulate human behavior, and bypass rate limits without triggering flags. Key security challenges with Agentic AI include:

- Poorly designed reward systems, which can lead AI to exploit loopholes and achieve goals in unintended ways.
- Self-reinforcing behaviors, where AI escalates actions by optimizing too aggressively for specific metrics without adequate safeguards.
- Cascading failures in multi-agent systems, arising from bottlenecks or resource conflicts that propagate across interconnected agents.
- Increased vulnerability to sophisticated adversarial attacks, including AI-powered credential stuffing bots and app tampering attempts.
- The necessity for sensitive data access, making robust access management and data protection crucial.
The OWASP Agentic Security Initiative has identified a comprehensive set of threats unique to these systems, including:

- Memory Poisoning and Cascading Hallucination Attacks, where malicious or false data corrupts the agent's memory or propagates inaccurate information across systems.
- Tool Misuse, allowing attackers to manipulate AI agents to abuse their integrated tools, potentially leading to unauthorized data access or system manipulation.
- Privilege Compromise, exploiting weaknesses in permission management for unauthorized actions or dynamic role inheritance.
- Intent Breaking & Goal Manipulation, where attackers alter an AI's planning and objectives.
- Unexpected Remote Code Execution (RCE) and Code Attacks, leveraging AI-generated code environments to inject malicious code.
- Identity Spoofing & Impersonation, enabling attackers to masquerade as AI agents or human users.
- Threats specific to multi-agent systems like Agent Communication Poisoning and the presence of Rogue Agents, where malicious agents infiltrate and manipulate distributed AI environments.
Essential Mitigation Strategies for Agentic AI Defending against these advanced threats requires a multi-layered, adaptive security approach. Our sources outline several crucial best practices for both app and API security: 1. Foundational App Security Best Practices:

- Continuous Authentication: Move beyond session-based authentication. Implement behavioral baselines, short-lived tokens, session fingerprinting, and re-authentication on state changes to ensure the right user is in control.
- Detecting AI-Generated Traffic: Employ behavioral anomaly detection, device and environment fingerprinting, adaptive challenge-response mechanisms, and input entropy measurement to identify and block sophisticated AI bots.
- Secure APIs as Crown Jewels: Implement strict input validation, rate limiting per user/IP/API key, authentication/authorization at every endpoint, request signing, replay protection, and detailed logging.
- Zero Trust Architecture: Assume no part of your infrastructure is inherently trusted. Enforce identity and access management at every layer, segment networks, use mutual TLS between services, and continuously monitor for unusual access patterns.
- Harden MFA Workflows: Mitigate MFA fatigue attacks by moving away from push notifications as the primary MFA method, preferring hardware tokens or TOTP, and limiting approval attempts with exponential backoff.
- LLM-Aware Security Filters: If your app uses LLMs, implement context-aware input sanitization, prompt filtering layers, output monitoring for hallucinations, and rate limit suspicious query patterns.
- Encrypt and Obfuscate Client-Side Code: Protect intellectual property and reduce attack surface by obfuscating code, encrypting sensitive strings, implementing runtime code splitting, and avoiding embedding secrets in client code.
- Train Detection Systems with Synthetic Attacks: Use AI-generated synthetic attack simulations to train ML classifiers for anomaly detection, turning AI's offensive power into a defensive advantage.
- Adopt Secure-by-Design Principles: Integrate security into every phase of the development lifecycle, validating inputs, enforcing least privilege, using static/dynamic code analysis, and automating dependency management.
- Stay Compliant with Emerging AI Security Standards: Implement transparent logging and audit trails for AI interactions, ensure explainability, follow data minimization principles, and prepare for AI risk management certifications.
2. API-Specific Defenses for Agentic AI:

- Design for API Security by Default: Apply secure-by-design principles, enforce HTTPS/TLS 1.3, use least-privilege permissions, and implement strong authentication/authorization with dynamically-scoped tokens.
- Identify & Monitor AI-Agent Traffic: Include agentic endpoints in API discovery and monitor traffic in real-time using AI-backed analytics to detect anomalous behavior.
- Context-Aware Guardrails & Threat Modeling: Develop tailored agentic AI threat models like MAESTRO or SHIELD/ATFAA and implement LLM-aware guardrails to enforce boundaries.
- Authenticate & Audit AI Agent Identities: Treat each agent as a non-human identity, enforce strong credential hygiene, rotate secrets, and audit identity posture.
- Input/Output Filtering & Prompt Hygiene: Defend against prompt injection through sanitization, prompt separation, and adversarial testing. Enforce data hygiene for agent memory to mitigate poisoning attacks.
- Continuous Authentication & Rate Limiting: Avoid long-lived sessions with continuous authentication and use strict rate limiting to prevent bots from chaining tasks or overwhelming endpoints.
- Use Adaptive Security Tools & AI-Based Defense: Deploy API security platforms with real-time anomaly detection and consider a "good-guy" AI to inspect agent intents.
- Red-Teaming & Continuous Testing: Simulate attacks like memory poisoning, prompt injection, and privilege misuse to uncover vulnerabilities proactively.
- Training & Governance: Educate teams on agent-specific vulnerabilities and establish agent lifecycle governance with approval flows, isolation environments, and human-in-the-loop checkpoints.
3. OWASP's Mitigation Playbooks: The OWASP Agentic Security Initiative provides structured mitigation strategies organized into playbooks, addressing specific threat categories:

- Preventing AI Agent Reasoning Manipulation: Focuses on reducing attack surface, implementing agent behavior profiling, preventing goal manipulation, and strengthening decision traceability.
- Preventing Memory Poisoning & AI Knowledge Corruption: Involves securing AI memory access, detecting/responding to poisoning, and preventing the spread of false knowledge.
- Securing AI Tool Execution & Preventing Unauthorized Actions: Emphasizes restricting AI tool invocation, monitoring/preventing tool misuse, and preventing resource exhaustion.
- Strengthening Authentication, Identity & Privilege Controls: Covers secure AI authentication mechanisms, restricting privilege escalation, and detecting/blocking AI impersonation attempts.
- Protecting Human-in-the-Loop (HITL) & Preventing Decision Fatigue Exploits: Aims to optimize HITL workflows, identify AI-induced human manipulation, and strengthen AI decision traceability.
- Securing Multi-Agent Communication & Trust Mechanisms: Focuses on securing AI-to-AI communication, detecting/blocking rogue agents, and enforcing multi-agent trust and decision security.
Companies like https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola offer patented mobile app attestation technology that ensures only genuine, unmodified apps running in trusted environments can access backend services and APIs, providing real-time verification, dynamic API shielding, and secure credential management to mitigate AI-driven credential leaks. By combining traditional API security fundamentals with agent-specific strategies, mobile developers can transform APIs from vulnerabilities into resilient trust boundaries, capable of resisting threats posed by autonomous, goal-oriented AI agents.

Relevant Links:

- Rocket Farm Studios: 10 App Security Best Practices for AI Threats - Learn more about securing apps against AI-driven threats: https://www.rocketfarmstudios.com/blog/10-app-security-best-practices-for-ai-threats/
- https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/

The Future of App Development with Vibe Coding and Approov

Description: In this episode of Upwardly Mobile, we delve into the exciting, fast-paced world of "vibe coding" and rapid app development, where concepts can transform into functional Minimum Viable Products (MVPs) in days, not weeks. We discuss how intuitive, AI-powered platforms like Lovable are enabling developers to build full-stack web applications using plain English, focusing on the "vibe" of the application rather than getting bogged down in traditional coding complexities.
However, this speed comes with significant security risks. We explore the critical case of the Tea dating app data breach, a women-only dating advice app that suffered an extensive hack exposing users' direct messages and photos, including an additional 59,000 images and DMs. Experts like Ted Miracco, CEO at mobile security maker Approov, emphasized that Tea lacked adequate security protections and "rushed to market," exposing consumers. The breach highlighted a systemic problem: the real attack surface for mobile apps often lies in their backend APIs, which are not inherently secured by app store vetting processes like Apple's or Google's. Attackers were able to reverse-engineer the mobile client and access sensitive data through an insecure, unauthenticated API.
So, how can you build fast without sacrificing security? We introduce Approov, a security solution designed to ensure that only genuine instances of your app, running on safe devices, can access your APIs. Approov protects against various threats, including malicious bots, tampered apps, credential stuffing, and API abuse. Key defenses Approov offers include App Attestation, Ephemeral API Keys, Dynamic Certificate Pinning, RASP (Runtime Application Self-Protection), and Real-time Monitoring.
For early-stage startups, Approov has launched a "Founder-Friendly Tier," providing core security features at a price point and scale that makes sense for new ventures, helping to bridge the gap between rapid development and robust security. Making security a priority from day one offers a powerful advantage: it boosts investor confidence, builds user trust, and prevents costly, time-consuming security retrofits down the line. As the sources suggest, "secure APIs are the new uptime," and security should be seen as a differentiator, not a tax.

Key Takeaways:
• Vibe coding and platforms like Lovable enable incredibly fast app development, allowing quick market entry and iteration.
• Rapid development can introduce significant security vulnerabilities, especially at the API level, as demonstrated by the Tea app data breach.
• Approov provides essential mobile and API security solutions, including a new Founder-Friendly Tier, to protect apps from launch through scaling.
• Prioritizing security from the start enhances investor confidence and user trust, proving to be an "unfair advantage" in the competitive app market.

Relevant Links:
• CBS News: Tea dating app disables direct messaging as it investigates data breach: https://www.cbsnews.com/news/tea-dating-app-data-breach-cbs-news/
• VIBE Apps | Fast to Market, Risky to Deploy? The Security Debt in Rapid App Development: https://www.linkedin.com/pulse/vibe-apps-fast-market-risky-deploy-security-debt-rapid-approov-mobile-security
• From Vibe to Venture: A Guide to Building and Securing Your App: https://approov.io/blog/from-vibe-to-venture 

Sponsor: This episode is brought to you by Approov Mobile Security. Learn more about securing your mobile app and APIs, including the new Founder-Friendly Tier, at approov.io.

Keywords: vibe coding, app development, mobile security, API security, data breach, Tea app, Lovable, Approov, startup security, founder-friendly tier, fast to market, app launch, investor confidence, user trust, cybersecurity, no-code, low-code, app protection, digital security

Apple's Enduring Browser Engine Ban: A Global Standoff for the Open Web
Description:
In this episode of Upwardly Mobile, we delve into Apple's persistent ban on third-party browser engines on iOS, a restriction that continues to stifle competition and limit the capabilities of web applications. Despite growing global pressure and explicit legal mandates like the EU's Digital Markets Act (DMA), Apple has maintained technical and contractual barriers that make it commercially unviable for other browser vendors like Google and Mozilla to offer their own engines on iOS
. We explore why this ban matters for consumers, developers, and the future of the open internet.
Key Discussion Points:
• The Unique Ban: Apple is the only "gatekeeper" that imposes a ban on third-party browser engines, forcing all browsers on iOS to use its proprietary WebKit engine
. This prevents genuine browser competition and limits the functionality and performance of web apps, hindering their ability to compete with native apps• Apple's Justifications vs. Reality:
    ◦ Apple claims its restrictions are for security, privacy, and system integrity
. Apple's representatives, like Kyle Andeer and Gary Davis, assert that browser vendors have "everything they need" and have simply "chosen not to" port their engines.    ◦ However, critics argue that Apple uses security and privacy as an "elastic shield" for its financial interests
. Evidence does not suggest material differences in security performance between WebKit and alternative engines. Browser vendors, with their strong security track records, could even improve iOS security by competing• Barriers to Entry: The primary obstacles preventing alternative browser engines on iOS include:
    ◦ Loss of existing EU users: Browser vendors are forced to create entirely new apps, meaning they must abandon current users and start from scratch in the EU
. This single requirement "destroys the business case".
    ◦ No web developer testing outside EU: Developers globally cannot test their web software on third-party engines on iOS for EU users
.
    ◦ Hostile legal terms: Apple's contractual conditions are "harsh, one-sided, and incompatible with the DMA"
.
    ◦ Uncertainty on updates for travelers: Apple has not confirmed that browser updates (including security patches) will not be disabled if an EU user travels outside the EU for more than 30 days
.
• Regulatory Pressure and Compliance:
    ◦ EU Digital Markets Act (DMA): Explicitly prohibits gatekeepers from requiring the use of their web browser engine.
The DMA demands "effective compliance" and prohibits undermining obligations through technical or contractual means. Despite 15 months, no browser vendor has successfully ported an engine, indicating Apple's non-compliance.    ◦ Japan's Smartphone Act (MSCA): Passed and will directly prohibit Apple's ban by December 2025
. Guidelines clarify that actions that hinder adoption, not just outright bans, are prohibited. It also mandates fair API access and prompt choice screens at initial smartphone setup.    ◦ UK Competition and Markets Authority (CMA): Provisionally designated Apple (and Google) with "Strategic Market Status," highlighting Apple's browser engine ban and suppression of web app competition
. The UK sees strong enforcement as crucial for economic growth and innovation, especially for startups.• Why Apple Resists: It's fundamentally about protecting revenue
.
    ◦ Google Search Deal: Safari is Apple's "highest margin product," bringing in $20 billion annually from Google for default search engine status. Losing even 1% browser market share means a $200 million annual revenue loss
.
    ◦ App Store Revenue: By limiting web app capabilities, Apple protects its App Store revenue, estimated at $27.4 billion in 2024
. Web apps could replace most phone apps, and even a 20% shift could mean a $5.5 billion annual loss for Apple.
    ◦ User Lock-in: The ban also contributes to user lock-in, making it harder for consumers to switch devices or operating systems, as seen with iMessage
.
• The Path Forward: Regulators and advocates, like Open Web Advocacy, call for firm intervention to compel Apple to make necessary changes
. Key fixes include allowing browsers to update existing apps with their own engines, enabling global web developer testing, granting full hardware and content filtering API access, and allowing third-party browsers to manage and install web apps.
Conclusion: The fight for browser competition on iOS is a global issue, not just a regional one. With the EU, Japan, and the UK now directly addressing Apple's ban, 2026 is poised to be a decisive year in restoring browser competition and ensuring the web remains an open, interoperable platform
.
Sponsor: This episode is brought to you by Approov, ensuring secure mobile API access for your apps. Learn more at approov.io.
Sources/Further Reading:
• "Apple's Browser Engine Ban Persists, Even Under the DMA" - Open Web Advocacy
• "Japan: Apple Must Lift Browser Engine Ban by December" - Open Web Advocacy
• "UK Regulator Flags Apple’s iOS Browser Engine Ban in Draft SMS Designation" - Open Web Advocacy

Keywords: Apple, iOS, Browser Engine Ban, DMA, Digital Markets Act, WebKit, Safari, Open Web Advocacy, Browser Competition, Web Apps, App Store, Google, Mozilla, UK CMA, Japan Smartphone Act, Antitrust, Market Power, Revenue, Gatekeeper, Tech Regulation, Monopoly, Interoperability, Mobile Software Competition Act, SMS.

Beyond the Beta: iOS 26 Features, AI, and Next-Gen App Security

This episode of Upwardly Mobile dives deep into Apple's groundbreaking iOS 26 update, exploring its transformative new features, the much-anticipated AI integrations, and crucial security considerations for developers. From the visually stunning Liquid Glass design to advanced app attestation requirements, we cover everything you need to know about Apple's latest mobile operating system. iOS 26 Key Features & User Experience iOS 26 marks a significant generational leap for Apple's mobile operating system, moving directly from iOS 18 to align naming with other Apple platforms, and is considered the biggest OS update since iOS 7. It introduces a bold new design and more AI-powered features.

• Design & Visuals: Experience Liquid Glass, Apple's new cohesive design language, which visually transforms widgets and the dock for a sleek, immersive interface. You’ll also notice improved animations in the Camera and Photos apps, ensuring smoother transitions. For drivers, customizable CarPlay wallpapers automatically adapt to light and dark modes, providing a visually pleasing transition between day and night.
• AI-Powered Innovations: Benefit from AI-powered notification summaries that streamline your alerts. Two highly anticipated phone features include Call Screening, which picks up unknown numbers, asks the caller's purpose, and shows a live transcript, allowing you to decide whether to answer. Its companion, Hold Assist, listens to hold music for you and alerts you the instant a real person is available.
• Enhanced App Experiences: The Weather app now offers "significant locations" for hyper-localized forecasts based on your frequently visited destinations. The Podcasts app provides custom playback options to fine-tune your listening. Safari now includes haptic feedback for downloads, offering tactile confirmation of completed actions.
• User Security & Privacy: A redesigned passcode screen simplifies access, and updated password settings offer greater control over website permissions. The "Reduce Loud Sounds" feature automatically lowers excessive audio levels to protect your hearing. Additionally, App Store age ratings have been revamped with new categories (13+, 16+, and 18+) and enhanced parental controls, ensuring a safer digital environment for younger users.

Getting Your Hands on iOS 26 Anyone with a compatible iPhone can test iOS 26 features ahead of its official release. Apple opened its developer program to everyone for free in 2023, allowing users to load the developer beta right now.

• Compatibility: iOS 26 supports iPhone 11 and newer models, including the forthcoming iPhone 17 series. This includes any A13 Bionic handset forward, while the iPhone XR/XS generations are not included.
• Apple Intelligence Compatibility: For the headline Apple Intelligence features, you'll specifically need an iPhone 16 model or the iPhone 15 Pro/Pro Max.
• Installation Steps: To install, visit the Apple Developer site on the device you plan to update, sign in with your Apple ID, agree to the terms, and enable Developer Mode in Settings > Privacy and Security. Then, navigate to Settings > General > Software Update > Beta Updates and choose the "iOS 26 Developer Beta" option. The download size is approximately 15.28GB.
• Important Warning: The iOS 26 developer beta is primarily meant for developers, not for day-to-day use. Early builds often contain bugs that can cause apps to crash, drain your battery, overheat your phone, and generally make your device sluggish. It’s generally smarter to stick with the public beta (expected very soon) for your main iPhone unless you need to test software. Always archive a backup of your device before installing any beta software to prevent data loss.

iOS 26 Security: A Developer's Imperative For apps handling sensitive or high-value data, such as those in fintech, healthcare, or enterprise sectors, iOS 26 strongly signals the need to implement multi-layer security measures beyond Apple's default protections.

• Rising API-Level Threats: Most security incidents today are focused on the backend and API, where attackers exploit app behavior to reverse-engineer API calls and then use bots, scripts, or tampered apps to access sensitive data. Crucially, Apple’s native device security does not inherently protect APIs.
• Beyond Apple’s App Attest: While Apple’s built-in App Attest API is a helpful tool, it does not work reliably on jailbroken devices, rendering it insufficient on its own for robust security, especially for high-value apps.
• The Power of Third-Party App Attestation (Sponsor Highlight): To ensure that API calls originate only from unaltered, legitimate app instances, strong app attestation mechanisms are essential. Third-party attestation solutions, such as Approov, are critical for comprehensive protection. These solutions offer:
  • Detection of rooted/jailbroken devices, preventing tokens from being issued to apps on compromised devices.
  • Resistance against runtime manipulation tools like Frida or Magisk.
  • Dynamic API key delivery and certificate pinning, which avoids embedding static keys in code or resources and enforces strict server identity verification (Mutual TLS).
  • Continuous verification of the app environment's integrity during use.
• Runtime Application Self-Protection (RASP): With the increasing sophistication of attack tools, iOS apps should actively protect themselves at runtime. RASP capabilities detect and respond to various threats, including runtime manipulation, debugging and hooking attempts, and unauthorized code injection. When debuggers are detected, sessions can be terminated. Sensitive logic and API call structures should also be obfuscated.
• Preparing for Sideloading (EU DMA): With legislation like the Digital Markets Act (DMA) forcing Apple to allow more third-party services and sideloading in the EU, app security can no longer rely solely on the App Store's "walled garden". Developers must prepare for multi-channel app distribution by validating app signatures post-distribution and embedding anti-repackaging measures that invalidate modified builds.
• Continuous Monitoring & DevSecOps: It is vital to integrate continuous threat monitoring, supporting dynamic policy updates and telemetry-based threat intelligence ideally with cloud-based control planes. Security should be integrated directly into CI/CD pipelines, scanning every build for secrets and insecure code. Automated tools like the Approov CLI should be utilized for secure app registration and deployment.
• Compliance & Privacy: Ensure GDPR/CCPA compliance by not collecting Personally Identifiable Information (PII) via security SDKs, maintaining access logs for tokens and policy changes, and configuring policy-driven access control based on region, device, or user group rules.

Conclusion: iOS 26 sets a new standard for operating systems, offering a blend of innovative features, enhanced security, and expanded content options. For developers building high-value apps, this update serves as a strong cue to double down on multi-layer security strategies that go beyond Apple’s default offerings. Sponsor: This episode is brought to you by Approov. Learn more about securing your mobile APIs and protecting your apps from advanced threats at approov.io. Keywords: iOS 26, Apple, iPhone, AI features, Liquid Glass, Call Screening, Hold Assist, App Security, API Security, App Attestation, RASP, Runtime Application Self-Protection, Sideloading, Digital Markets Act (DMA), Jailbroken devices, Approov, Mobile Security, Cybersecurity, Fintech apps, Healthcare apps, Enterprise apps, iOS 26 Beta, Developer Tools, Mobile App Development, Threat Detection, Apple Intelligence, OS Update, Tech News.

Mobile-First Security: The Urgent Lessons from the Tea App Breach

In this focused segment of Upwardly Mobile, we unpack the recent Tea app breach, a sobering case study that highlights the critical need for a robust mobile-first cybersecurity strategy and proper API security. The Tea app, a women's dating safety application that rapidly climbed to the top of the free iOS App Store listings and reached the No. 1 spot on Apple's US App Store, claiming over 1.6 million users, was designed to allow women to exchange information about men to enhance safety. A key feature involved new users verifying their identity by uploading a selfie. The company confirmed a major security breach, stating they had "identified authorized access to one of our systems". Preliminary findings revealed access to approximately 72,000 user images. This alarming exposure included:

• 13,000 images of selfies and photo identification documents, such as driver's licenses, which users had submitted during the account verification process.
• 59,000 publicly viewable images from posts, comments, and direct messages within the app.

The exposed images reportedly originated from a "legacy data system" that held information from more than two years prior. Posts on Reddit and 404 Media indicated that these sensitive user images, including faces and IDs, were posted on the anonymous online messageboard 4chan, with one post explicitly stating, "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" and highlighting "No authentication, no nothing. It's a public bucket". Users from 4chan claimed to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, as the source of the vulnerability. According to Ted Miracco, Chief Executive Officer of Approov Limited, the Tea app breach is a stark example of a "systemic failure in API security". He attributes this failure to several critical oversights:

• Broken access controls. (BOLA)
• Weak authentication.
• Missing transport protections.
• Absent runtime safeguards.

Miracco emphasizes that such failures are "not inevitable" but are "preventable with disciplined engineering, proper API defenses, and a real commitment to protecting user trust". This incident highlights a common pitfall where companies "rush apps to market, driven by subscriber growth and churn metrics, while privacy and security are sidelined". The broader lesson from the Tea app breach underscores how mobile apps introduce significant risk to an organization's back-end services. Mobile apps serve as a "front door to the back end," and a mobile device effectively holds "the secret key to the front door" – the key to server-side APIs. The increasing reliance on numerous server-side APIs accessed via mobile devices creates growing security exposure, especially since many APIs are often not adequately protected. Shockingly, up to half of APIs may lack basic usernames and passwords, and their access keys can be easily stolen from various locations, including mobile device files, server-side files, or even decompiled application source code. Hackers, by gaining control over their own devices, can easily reverse engineer apps and steal crucial API keys, which then allow them to build scripts to attack back-end corporate services undetected. Failing to protect API keys is likened to "putting all your money in a safe place in the home but not locking the front door". This breach serves as a powerful reminder that organizations must prioritize mobile security as a central component of their cybersecurity strategy, rather than an afterthought.

Unlocking True Mobile & API Security in the Cloud Age
Welcome to "Upwardly Mobile", the podcast dedicated to navigating the complex world of mobile and cloud security! In this episode, we dive deep into why mobile app security and API security are not just technical concerns, but fundamental business imperatives for organisations of all types, from agricultural giants like John Deere to popular dating apps such as Hinge. We explore how the traditional reliance on static defences like code obfuscation is no longer sufficient against today's sophisticated, AI-powered threats, and what a truly resilient, Zero Trust-based security strategy looks like.

Why Mobile & API Security Matters to Everyone in Your Organisation: The consequences of neglecting mobile app and API security are severe, ranging from massive data breaches to reputational damage and direct impacts on business operations. Here’s why key stakeholders deeply care:

• Operational Leadership & Executives (e.g., C-suite): For companies like John Deere, insecure APIs and mobile apps can lead to attackers accessing, altering, or deleting "sensitive business information related to a farm's operations", resulting in "competitive disadvantage or even sabotage". For dating apps like Hinge, the core business relies on user trust, and API flaws, often exploited via the mobile app, can expose "vast amount of Personally Identifiable Information (PII) for other users", leading to "catastrophic for user acquisition, retention, and the company's survival". The ultimate "consequences of vulnerabilities—such as data breaches affecting billions and leading to hundreds of billions in losses"—fall under their purview.
• Security Teams (e.g., CISO, Security Architects): Their mandate is to implement a "holistic" security approach that "protect[s] the app, its communications, and the API". They understand that "APIs are the true target" for attackers and that "a vulnerable mobile app communicating with a misconfigured cloud backend is a recipe for disaster". They are tasked with implementing "robust AppSec Strategy" and "strong Cloud Security Posture Management (CSPM)" to prevent "service disruption" and "full system compromise".
• Legal & Compliance Teams: Mobile app and API vulnerabilities, as seen in e-hailing apps, can expose "vast amount of Personally Identifiable Information (PII)". This necessitates their involvement due to potential "severe privacy violations, massive user exodus, and significant legal and regulatory repercussions" associated with data breaches and non-compliance with data protection regulations.
• Engineering & Development Teams: These teams are "directly responsible for 'building secure code for both the mobile app and the backend'". They must implement "secure development practices" and are critically concerned with "improper handling of secrets" like API keys, which are often hardcoded and easily extracted.
• Marketing & Brand Management Teams: A breach of sensitive user data dueating to API or mobile app vulnerabilities would "severely damage the brand's reputation and trust", directly impacting efforts to attract and retain users.

The Flaws in Traditional Mobile Security:
• Obfuscation is Not Enough: While code obfuscation aims to deter reverse engineering and IP theft, it is a "thin veil, not an impenetrable shield". It offers "minimal protection against threats that manifest during runtime" and is "ineffective secret protection" as secrets must eventually be in cleartext memory. It can also create a "false sense of security" and is increasingly vulnerable to "modern tools and AI" which can automate deobfuscation.
• APIs are the True Target: Attackers are increasingly bypassing the mobile app itself and "targeting the backend APIs directly". APIs provide a "direct pathway to backend application logic and sensitive data stores", making them prime targets for "credential stuffing, account takeover (ATO), scraping, and business logic abuse". Recent incidents involving e-hailing and delivery apps, Experian, and John Deere highlight common flaws like https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola and insecure access controls that exposed vast amounts of PII and operational data.The Solution: Embracing Dynamic, Zero Trust Runtime Protection:To address modern threats, a decisive shift from static, pre-deployment security to a "dynamic, runtime-centric model rooted in Zero Trust principles" is essential. This approach entails:• Zero Trust Architecture: This model mandates "never trust, always verify", requiring continuous, runtime verification of devices, users, and networks for access to critical resources. It emphasizes that "trust is never implicit" and acknowledges that traditional static checks and one-time authentication are insufficient. Zero Trust requires "external, cryptographically verifiable measurements that originate outside the app and cannot be forged or intercepted" to avoid a "circular trust problem".
• Key Dynamic Defenses:    
◦ https://approov.io/mobile-app-security/rasp/: Acts as the app's "internal bodyguard", detecting and preventing real-time attacks from within the application. It identifies threats like reverse engineering attempts, code tampering, execution on compromised environments (root/jailbreak), and the presence of hooking frameworks. RASP provides "real-time protection" and "zero-day potential" by detecting anomalous behaviour.    
◦ https://approov.io/mobile-app-security/rasp/app-attestation/: This crucial process verifies the "authenticity and integrity of the mobile application instance and its runtime environment" before granting API access. It ensures that only "genuine, untampered app instances" running in a safe environment can interact with APIs, effectively solving the "‘What’ vs. ‘Who’ Problem" (validating the client app in addition to the user). This blocks automated bots, scripts, and tampered apps.    
◦ https://approov.io/mobile-app-security/rasp/runtime-secrets/: This robust solution eliminates the need to hardcode sensitive credentials like API keys directly into the app. Instead, secrets are stored securely in a backend service and delivered "just-in-time" to the validated app instance only after passing rigorous app attestation checks. This protects against both static and dynamic extraction of secrets.    ◦ Dynamic Channel Protection (Dynamic Pinning): Overcomes the brittleness of traditional static certificate pinning. This approach securely retrieves the current, valid set of pins dynamically over the air from a trusted management service (after attestation). This ensures "robust MitM Protection" against Man-in-the-Middle attacks while offering "flexibility and maintainability" for certificate rotations without requiring app updates.• Defense in Depth: An "optimal mobile security strategy employs a defense-in-depth approach, leveraging both static and dynamic techniques". While static analysis and obfuscation can still identify coding errors early, they must be "complemented by robust dynamic and runtime defenses". For applications handling sensitive data or critical functions, dynamic security measures are "fundamental requirements for achieving adequate resilience against modern threats".
Empowering Your Mobile-to-Cloud Connection with Approov: Solutions like Approov Mobile Security play a vital role in securing the communication channel between your genuine mobile app and the cloud backend. Approov provides a "unique, patented runtime shielding solution" that focuses on:• Mobile App Attestation: Verifying the integrity of the running mobile app to ensure it's genuine and untampered, preventing bots and modified apps from accessing APIs.
• API Request Verification: Cryptographically binding API requests to an attested app instance, ensuring only legitimate requests are processed.• Runtime Secrets Protection: Eliminating hardcoded API keys by securely delivering short-lived tokens to attested apps on demand.• Dynamic Pinning: Providing secure, over-the-air updates for certificate pins, ensuring tamper-proof communication between the app and API. Approov enables "https://approov.io/knowledge/ota-updates-are-essential-for-securing-mobile-apps" for security policies, pin configurations, and attestation logic, allowing instant responses to new threats without requiring app releases. It offers analytics and reporting for monitoring, auditing, and compliance.By adopting a comprehensive AppSec strategy that includes strong cloud security practices and innovative solutions, organisations can significantly reduce their attack surface and protect their users and valuable data.Don't leave your back door open – and ensure only trusted visitors can reach your front door!
--------------------------------------------------------------------------------
Sponsored by: Approov Visithttps://approov.io to learn how Approov can safeguard your mobile apps and APIs with advanced runtime protection, app attestation, and secure secrets management.
--------------------------------------------------------------------------------
Keywords: Mobile App Security, API Security, Cloud Security, AppSec, Zero Trust, RASP, App Attestation, Runtime Secrets Protection, Dynamic Pinning, Code Obfuscation, Data Breach, PII, Cyber Security, Digital Transformation, Enter

Crypto Under Siege: Billions Lost in H1 2025 and the Battle for Web3 Security
**Episode Description:**The first half of 2025 has witnessed an unprecedented surge in cyberattacks against cryptocurrency exchanges, leading to billions of dollars in stolen digital assets [1-3].

In this episode of "Upwardly Mobile," we delve into the alarming statistics from CertiK's latest report and dissect the most significant incidents, including the Coinbase data breach and the Bybit hack [1, 2, 4]. Discover the evolving tactics employed by sophisticated attackers—from insider threats and social engineering to supply chain attacks and wallet compromises—and explore the critical security measures and technologies platforms are implementing to safeguard user funds and rebuild trust in the volatile Web3 landscape [5-11].

Key Takeaways:
• Record-Breaking Losses in H1 2025: Approximately $2.47 billion in cryptocurrency was stolen through hacks, scams, and exploits in the first half of 2025, already surpassing the total amount lost in all of 2024 [1-3]. According to CertiK, when accounting for confirmed, unrecovered losses, the net figure stands at $2.29 billion, exceeding last year's adjusted total of $1.98 billion [3].
• Major Incidents Driving Losses: Two significant events accounted for nearly $1.78 billion of the total losses in H1 2025 [3]:
    ◦ Bybit Breach (February 2025): Hackers stole an estimated $1.4 billion from the Dubai-based exchange in an attack linked to Lazarus, a state-sponsored North Korean APT group [1]. This incident largely contributed to wallet compromise being the costliest attack vector [6].
    ◦ Cetus Protocol Incident: This decentralized exchange (DEX) on Sui lost $225 million due to hackers using spoofed tokens and price manipulation [6].
• Coinbase Under Attack:
    ◦ May 2025 Data Breach (Insider Threat/Social Engineering): Hackers bribed and coerced a small group of overseas customer support agents to steal sensitive customer data, including names, dates of birth, partial Social Security numbers, masked bank account numbers, addresses, phone numbers, and emails [4]. While no login credentials or private keys were obtained, this data was used for social engineering attacks [4]. Coinbase refused a $20 million extortion attempt and instead established a $20 million reward fund for information leading to the attackers' arrest [12]. The estimated financial impact for Coinbase is between $180 million and $400 million, including voluntary customer reimbursements for funds lost to social engineering [12]. This incident highlighted the critical risk of insider threats and the need for enhanced real-time endpoint security and data loss prevention (DLP) [5, 7].
    ◦ March 2025 GitHub Action Supply Chain Attack: Coinbase was an initial target of a supply chain attack on GitHub Action, exploiting a public continuous integration/continuous delivery flow [5]. Coinbase successfully detected and mitigated this issue [5].
• Evolving Attack Vectors:
    ◦ Social Engineering and Phishing: These tactics remain highly lucrative, with scammers evolving methods to trick victims into revealing sensitive information or transferring funds [6, 13]. Phishing was the most costly attack vector in Q2 2025, with over $395 million lost, surpassing previous periods [14].
    ◦ Wallet Compromise: This has been the costliest attack vector overall in H1 2025 due to major incidents like the Bybit hack [6].
    ◦ Infrastructure-Level Breaches: More than 80% of stolen funds in 2025 have resulted from breaches where hackers gain significant access to core infrastructure [7].
    ◦ Targeting Employees/Contractors: The Coinbase incident specifically illustrates a growing trend of cybercriminals bribing or coercing individuals with legitimate system access [7].
    ◦ Supply Chain Attacks: Exploiting vulnerabilities in third-party tools or service providers, often through weak APIs or compromised software updates [10].
    ◦ Malware Attacks: Including Advanced Persistent Threats (APTs) and keylogging for credential theft [15].
• Strengthening Defenses: Crypto exchanges are implementing comprehensive security frameworks and multi-layered approaches to build resilience [11]:
    ◦ Advanced Wallet Technologies: Utilizing Multi-Party Computation (MPC) Wallets to eliminate single points of failure by never reconstructing private keys in full [9, 16], alongside robust hot-warm-cold storage architectures [16].
    ◦ Enhanced Security Protocols: Implementing Multi-Factor Authentication (MFA), biometric verification, and real-time transaction notifications [8].
    ◦ Strong Governance Policies: Multi-approval policies for high-risk actions [8].
    ◦ Insider Threat Detection: Robust detection and prevention systems are crucial [7].
    ◦ Continuous Monitoring: Real-time monitoring of API activity and system updates [10].
    ◦ Compliance: Adherence to international security standards like SOC 2 and ISO 27001 provides built-in compliance assurance [17].

Relevant Links to Source Materials:
• Excerpts from "Crypto Losses Surpass $2.47 Billion in H1 2025, CertiK Report Reveals Alarming Rise in Phishing Attacks" 
• Excerpts from "How Crypto Exchanges Get Hacked: Understanding the Growing Threat Landscape" 

**Sponsor Message:**This episode of Upwardly Mobile is brought to you by Approov. In a world where mobile apps are crucial for engaging customers and employees, Approov provides advanced mobile app protection against reverse engineering, tampering, and automation. Secure your APIs and protect your critical data with Approov. (Note: The information regarding Approov.io is not from the provided sources and should be independently verified.) Learn more at approov.io.

**Keywords:**Cryptocurrency, Crypto exchange hacks, Cyberattacks 2025, Web3 security, Coinbase hack, Bybit breach, CertiK report, Social engineering, Insider threat, Supply chain attack, Crypto losses H1 2025, Digital asset security, Blockchain security, Phishing attacks, Wallet compromise, MPC wallets, Data breach, Cybersecurity for crypto, Decentralized finance, DeFi.