In this episode of Upwardly Mobile, we delve deep into the sophisticated world of Konfety malware and explore how remote app attestation provides a crucial defence against its cunning tactics.

Konfety employs an "evil twin" method, creating malicious versions of legitimate apps that share the same package name and publisher IDs as benign "decoy twin" apps found on official app stores. This allows the malware to spoof legitimate traffic for ad fraud and other malicious activities.
Konfety's "evil twins" are distributed through third-party sources, malvertising, and malicious downloads, effectively bypassing official app store security checks. To evade detection, Konfety employs sophisticated obfuscation and evasion techniques. These include dynamic code loading, where malicious code is decrypted and executed at runtime from an encrypted asset bundled within the APK. It also manipulates APK structures through tactics like enabling the General Purpose Flag bit 00 (which can cause some tools to incorrectly identify the ZIP as encrypted and request a password) and declaring unsupported compression methods (such as BZIP) in the AndroidManifest.xml (which can result in partial decompression or cause analysis tools like APKTool or JADX to crash). Other stealth techniques involve suppressing app icons, mimicking legitimate app metadata, and applying geofencing to adjust its behaviour by region. The malware leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. Users may experience redirects to malicious websites, unwanted app installs, and persistent spam-like browser notifications. The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection.

So, how does remote app attestation combat such a resilient threat? Remote app attestation is a security mechanism where a mobile app proves its identity and integrity to a trusted remote server. This process typically involves the mobile app generating a unique "fingerprint" or "evidence" of its current state, often using hardware-backed security features like Trusted Execution Environments or Secure Enclaves. This evidence includes measurements of the app's code, data, and the device's security posture (e.g., whether the bootloader is locked, if the device is rooted, or if it's running an official OS). This evidence is then sent to a trusted remote server, often an attestation service, for verification. The attestation service compares the received evidence against a known good baseline or policy, checking if the app is genuine and unmodified, if the code running is the expected untampered version, and if the device it's running on is secure and hasn't been compromised. Based on this verification, the server provides a "verdict," which determines whether the app is allowed to proceed with sensitive operations (like accessing premium content or making transactions).

Remote app attestation provides specific protections against Konfety by:
• Detecting "Evil Twins": Even if the "evil twin" spoofs a package name, its underlying code and environment measurements would likely differ from the legitimate app. The attestation service would detect this mismatch, as the "fingerprint" wouldn't match the expected genuine app.
• Preventing Tampering: Konfety's manipulation of APK structures and dynamic code loading aims to hide malicious activity. Remote attestation, particularly if it includes code integrity checks and runtime environment monitoring, would detect these unauthorized modifications or the execution of unapproved code.
• Identifying Compromised Devices: If Konfety relies on a rooted or otherwise compromised device to operate, remote app attestation can identify these device security issues, allowing the backend to deny service to that device.
• Backend Control: A key benefit is that the decision of trust is made on a secure backend, not on the potentially compromised mobile device itself. This makes it much harder for Konfety to spoof or interfere with the attestation process.

Organisations like Zimperium offer on-device Mobile Threat Defence (MTD) solutions and zDefend which are noted to protect customers against Konfety malware's new evasion techniques. HUMAN's Satori Threat Intelligence Team originally uncovered the Konfety operation in 2024, and their Human Defense Platform is stated to protect customers from its impacts.

While remote app attestation isn't a silver bullet against all malware, it provides a strong defence against the specific techniques used by Konfety by verifying the authenticity and integrity of the app and its environment before allowing it to interact with critical backend services. Please note that the source materials were provided as excerpts, and direct hyperlinks to the full articles are not available.
--------------------------------------------------------------------------------
Keywords: Konfety malware, evil twin apps, mobile app security, remote app attestation, ad fraud, Android malware, obfuscation, dynamic code loading, APK manipulation, CaramelAds SDK, cyber security, mobile threats, Zimperium, HUMAN Security, app integrity, device compromise, malvertising, fraud detection, mobile security solutions, threat intelligence.

The Fitify Fiasco: Unpacking 138K Private Progress Photos, 206K Profile Photos & Hardcoded App Secrets

Welcome to Upwardly Mobile! In today's episode, we dive deep into the recent massive data leak involving the popular iOS fitness app, Fitify, affecting over 25 million users globally. We'll explore the critical security vulnerabilities exposed and discuss how adherence to standards like OWASP MASVS and advanced solutions like Approov can protect your mobile apps and user data. The Fitify Fiasco: The Cybernews research team recently uncovered a significant data breach with Fitify, a widely used iOS fitness app. Their investigation revealed that 373,000 sensitive user files, including a staggering 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket. Critically, these files lacked password protection or encryption at rest, meaning anyone could access them. Many of these exposed "progress pictures" and "body scans" were taken with minimal clothing to better showcase body changes, making the exposure highly sensitive for users tracking weight loss or muscle growth. Other leaked data included 206,000 user profile photos, 13,000 AI coach message attachments (which may include images or text), and 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture). The leak was discovered on May 7th, 2025, and after Cybernews contacted the company, Fitify Workouts s.r.o. closed the unprotected instance on June 9th, 2025. Security Gaps Highlighted: Despite Fitify's Google App Store description clearly stating that "data is encrypted in transit", Cybernews found a severe lack of basic access controls, which poses serious privacy risks. The fact that user data could be accessed without any passwords or keys demonstrated that it was not encrypted at rest. Furthermore, researchers discovered hardcoded secrets embedded directly within the app's code. These included Google API and Client IDs, Firebase database URLs, Facebook tokens (such as Facebook App ID and Client Token), and even an Algolia API key, which was notably not disclosed in Fitify's privacy policy. These exposed credentials could potentially enable attackers to access backend infrastructure, impersonate users, or inject malicious content. This issue is not isolated; Cybernews's broader research found that 71% of 156,000 iOS apps analyzed leak at least one secret, with an average of 5.2 secrets per app. Understanding Mobile App Security with OWASP MASVS: This incident underscores the importance of adhering to robust mobile application security standards like the OWASP Mobile Application Security Verification Standard (MASVS). MASVS serves as an industry standard and a comprehensive framework for mobile software architects, developers, and security testers to ensure the development of secure mobile applications. It categorizes security controls into various groups:

• MASVS-STORAGE: Addresses the secure storage of sensitive data on a device (data-at-rest), a critical area directly violated by the Fitify leak.
• MASVS-NETWORK: Focuses on secure network communication between the mobile app and remote endpoints (data-in-transit). While Fitify claimed encryption in transit, the publicly accessible bucket points to fundamental network security misconfigurations in data storage.
• MASVS-CODE: Covers security best practices for data processing and keeping the app up-to-date, directly related to the problem of hardcoded secrets and securing credentials.
• MASVS-PRIVACY: Aims to protect user privacy, which was severely compromised in this breach due to the sensitive nature of the leaked progress photos.

The OWASP Mobile Top 10 risks also highlight prevalent issues in mobile app security, such as static reverse engineering (ranked 9th) and code tampering (ranked 8th), which are common techniques used by attackers to uncover hardcoded secrets and manipulate app behavior. Shielding Your App: Solutions with Approov: The Fitify leak demonstrates the critical need for advanced mobile app and API protection beyond basic security measures. Approov offers a runtime shielding solution that effectively protects mobile apps, their APIs, and the communication channel between them from automated attacks. Approov works by using a cryptographically signed "Approov token" to allow the app to provide proof of its authenticity, ensuring that only a genuine, untampered mobile app running in an uncompromised environment can access your APIs. Key Approov capabilities relevant to preventing such leaks and attacks include:

• Runtime Secrets Protection: This feature allows hardcoded API keys and other sensitive secrets to be removed directly from the app's code and instead securely managed in the Approov cloud. These secrets are only delivered to verified, legitimate app instances at runtime. This directly addresses the hardcoded secrets vulnerability found in Fitify.
• MASVS-R Resilience against Reverse Engineering and Tampering: Approov significantly enhances an app's resilience. It integrates diverse detection mechanisms to identify and respond to threats such as rooted or jailbroken devices, attached debuggers, app tampering, the presence of widely used reverse engineering tools (e.g., Frida), and apps running in emulators or cloners.
• MASVS-L2 SSL Pinning: Approov provides dynamic certificate pinning as a defense-in-depth measure to secure TLS connections. This helps prevent Man-in-the-Middle (MitM) attacks by ensuring the app only communicates with trusted backend endpoints. A powerful aspect is that these pins can be updated over-the-air without requiring a new app release, simplifying DevOps processes.

By blocking illegitimate requests, Approov prevents the exploitation of stolen user credentials, known or "zero-day" vulnerabilities, malicious business logic manipulation, and large-scale MitM attacks. Actionable Takeaways: This incident serves as a stark reminder for both developers and users. Developers must prioritize secure coding practices, implement robust access controls and encryption for all data storage (at rest and in transit), and avoid hardcoding sensitive information. For users, it highlights the critical importance of scrutinizing privacy policies, understanding what data is collected and how it's stored, and being cautious about sharing sensitive personal information through mobile applications. Relevant Links:

• Fitify Privacy Policy: https://gofitify.com/privacy-policy
• Apple World Today report: "Cybernews claims iOS Fitify app has a massive data leak"
• Cybernews report: "Fitify app exposes 138K user progress photos"
• OWASP Mobile Security Project: For more on mobile app security standards and testing guides
• Sponsor: Approov Mobile Security: Learn how to protect your apps and APIs from sophisticated attacks at approov.io

Keywords: Fitify, Data Leak, Mobile App Security, iOS, Fitness App, Privacy, PII, Personal Data, Google Cloud, Hardcoded Secrets, API Security, OWASP, MASVS, Approov, Runtime Shielding, SSL Pinning, Authentication, Authorization, Reverse Engineering, Tampering, Jailbreak, Rooting, Man-in-the-Middle (MitM), Zero-Day Vulnerabilities, Cybernews, Data Breach Prevention, Digital Health, App Vulnerabilities, Mobile Privacy, Cyber Attack.

In this episode of Upwardly Mobile, we dive deep into the critical, yet often underestimated, world of mobile app security. Drawing on recent research, we uncover a staggering misalignment between perception and reality, highlighting why organizations are facing an average of nine mobile app security incidents per year, with an average financial toll reaching $6.99 million in 2025.

While 93% of organizations believe their mobile app protections are sufficient, a substantial 62% have experienced at least one security incident in the past year. The repercussions extend beyond financial losses, including application downtime, sensitive data leaks, erosion of consumer trust, and a diminished user experience.

We explore why traditional security measures, particularly code obfuscation, are no longer enough. Obfuscation, while deterring casual attackers, is ultimately a deterrent, not a preventative measure, offering minimal protection against runtime threats, dynamic analysis, and AI-assisted reverse engineering.

The real target for modern attackers is increasingly Application Programming Interfaces (APIs). Mobile apps serve as entry points to exploit backend APIs for credential stuffing, data scraping, and business logic abuse, none of which static defenses can prevent. The weaponization of Artificial Intelligence (AI) further escalates these threats, enabling automated botnets, adaptive malware, and accelerated vulnerability discovery.

The solution? A crucial shift towards a dynamic, runtime-centric security model rooted in Zero Trust principles. This approach demands continuous monitoring and verification, moving beyond static, pre-deployment checks to protect apps during execution.
Key elements of this essential dynamic security strategy include:
• Mobile Runtime Application Self-Protection (RASP): Acting as the app’s internal bodyguard, RASP detects and responds to runtime threats like debuggers, tampering, root/jailbreak, and hooking frameworks, offering real-time protection and contextual awareness.
• App Attestation & API Request Validation: This is a standout feature, ensuring that only requests truly originating from your official, unmodified mobile app, running on a non-compromised device, are allowed to access your backend APIs. This effectively blocks bots, scripts, tampered apps, and mitigates API abuse.
• Runtime Secrets Protection: This critical measure removes sensitive secrets (like API keys) from the app's code entirely. Instead, secrets are delivered securely at runtime, just-in-time, and only to attested apps, preventing extraction through reverse engineering.
• Dynamic Channel Protection (Dynamic Pinning): Unlike brittle static certificate pinning, dynamic pinning allows for secure, over-the-air updates of certificate pins, ensuring continuous protection against Man-in-the-Middle (MitM) attacks without requiring app store updates.
We also differentiate between leading mobile app security solutions:
• Guardsquare, with products like DexGuard and iXGuard, excels in client-side mobile app protection, focusing on code obfuscation, hardening, and RASP to make the app's code incredibly difficult to compromise on the device.
• Approov emphasizes remote mobile app attestation, performing deep, continuous inspection of the mobile app and device in the cloud. This server-side decision-making makes it significantly harder for attackers to bypass the attestation process, ensuring only genuine apps access your APIs. Approov's positive security model effectively "locks down" backend APIs.
Ideally, a comprehensive mobile app security strategy leverages both types of solutions: Guardsquare for strong in-app protection, and Approov for critical API integrity and abuse prevention. This multi-layered approach, combining static and dynamic defenses, is no longer optional but a fundamental requirement for achieving adequate resilience against modern mobile threats.
--------------------------------------------------------------------------------

Relevant Links to Source Materials:
• Learn more about the research highlighting the mobile app security blindspot: "Research exposes $7M mobile app security blindspot fueled by overconfidence" 
• Explore in-depth the need for dynamic defenses: "WP- Mobile Security Beyond Obfuscation v1.0 FINAL B.pdf".
• Discover Approov's approach to superior mobile API protection: "Approov: Superior Mobile API Protection via Remote Attestation".

Sponsor: This episode is brought to you by Approov. Safeguard your mobile apps and APIs with their unique, patented runtime shielding solution. Visit approov.io to learn more.

In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.Key Discussion Points:

• The Alarming State of IoT Security:
  
  
  • A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.
  • A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.
  • The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.
  • IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai. The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.
  • Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.
  • Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.
  • A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.
  • Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.
• The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:
  
  
  • Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.
  • This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.
  • Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API keys hardcoded in the app, and static TLS certificate pins.
  • Threats extend beyond simple data breaches to more severe outcomes like device hijacking, Man-in-the-Middle (MitM) attacks, ransomware, and botnet creation, allowing malicious actors to manipulate physical devices or launch large-scale attacks.
  • Even smart water shutoff systems like Phyn, Moen Flo, and Flo-Logic, while protecting against water damage, introduce data privacy implications (e.g., detailed water usage patterns revealing intimate household routines) and the risk of unauthorized remote control by malicious actors who could repeatedly toggle the water supply, causing disruption or damage. Moen's privacy statement explicitly notes its business model includes "monetizing data".
• Building a Secure Foundation: Solutions and Best Practices:
  
  
  • Adapting OAuth2 for IoT: The OAuth2 open authorization standard, popular on the web, is being adapted to help secure access to IoT devices. This involves the authorization grant flow where a client obtains an access token to delegate access to server resources. Modifications are necessary for constrained IoT environments, such as dynamically securing the channel between a client and resource server (e.g., Alice's phone and a door lock) by using a possession key shared via the authorization server. Another example is a medical device scenario where the authorization server encrypts the possession key into the access token claims using a pre-provisioned key pair.
  • Beyond Static Secrets: A more secure approach involves removing static client secrets from mobile apps and leveraging remote attestation services. A dynamic attestation service can verify an app's authenticity at runtime, returning an authenticating, time-limited client integrity token.
  • Zero Trust Security Model: Smart home platforms should adopt a Zero Trust security model, which inherently trusts nothing by default. Instead, each and every API request must cryptographically prove it originates from a legitimate, unmodified mobile app at runtime. This involves per-request attestation using short-lived, signed tokens and API-side validation.
  • Approov: Enhancing API and App Security: Solutions like Approov Mobile Security play a crucial role by continuously inspecting the app and device to validate the legitimacy of any request from the app, ensuring only authorized apps can access APIs. This not only protects against bots and unauthorized access but also helps reduce cloud costs and allows API owners dynamic control over access policies and certificates without requiring app updates.
  • Key Recommendations for Users and Manufacturers:
    • Always change default passwords immediately upon setup, using strong, unique combinations.
    • Regularly apply firmware and software updates provided by the manufacturer to patch critical security flaws.
    • Implement network segmentation, isolating smart home devices on a separate Wi-Fi network (e.g., a guest network or dedicated IoT VLAN) to limit potential lateral movement for attackers if one device is compromised.
    • Manufacturers must adopt secure development guidelines from day one, conducting regular penetration testing and prioritizing security throughout the product lifecycle, not as an afterthought.
    • Organizations need robust incident response plans and better visibility into their IoT inventories to quickly identify and address threats.
    • For critical systems like water shutoff valves, prioritize devices with robust, independent operation (e.g., hardwired connections, substantial battery backups) over those solely reliant on internet connectivity.

Protect your connected devices and digital life by understanding these risks and implementing proactive security measures!Relevant Links:

• IoT Security Challenges: Device Vulnerability & Attack Stats | PatentPC: https://patentpc.com/blog/iot-security-challenges-device-vulnerability-attack-stats
• Phyn (Example of Smart Water Solution discussed): https://www.phyn.com
• Secure your mobile apps and APIs with Approov: https://approov.io

Keywords: IoT Security, Smart Home Security, API Security, Mobile App Security, OAuth2, App Attestation, Zero Trust, Mirai Botnet, Data Breaches, Device Hijacking, Network Segmentation, Cybersecurity, Smart Devices, Connected Home, Digital Privacy, Firmware Updates, Password Security, Water Damage Prevention, Phyn, Moen Flo, Flo-Logic, IoT Vulnerabilities, Mobile API Security.

In this insightful episode of "Upwardly Mobile," we look into the critical importance of extending Zero Trust principles to consumer-facing mobile applications. Despite the widespread adoption of the "never trust, always verify" security model across enterprises, mobile apps often remain a significant blind spot, operating in uncontrolled and untrusted environments. This oversight exposes organizations to sophisticated attacks, directly impacting customer trust, regulatory compliance, and revenue.

Why is mobile the weakest link in today's Zero Trust architecture and how modern threats like silent escalation, runtime tampering, and reverse engineering specifically target the post-installation, runtime environment of mobile apps. With over 33 million mobile cyberattacks recorded globally in 2024, the urgency to act is clear.

Learn about the strategic roadmap for closing this mobile security gap by embedding Zero Trust at the app runtime layer. We discuss how established frameworks such as NIST SP 800-207, the CISA Zero Trust Maturity Model, OWASP MASVS, and the MITRE ATT&CK Mobile Matrix can be adapted to secure mobile applications, focusing on continuous monitoring, verification, and protection.
Key takeaways include:
• The "Never Trust, Always Verify" Principle for Mobile: Every interaction, from the mobile app to backend APIs, must adhere to strict verification protocols, treating all mobile devices as potentially untrusted.
• The Criticality of Runtime Protection: Traditional pre-deployment checks are insufficient as attackers manipulate apps after installation. Continuous monitoring of app integrity and behavior is essential.
• Key Components for Mobile Zero Trust: This includes strong Authentication and Authorization (including MFA), Mobile App Attestation to verify app and device integrity, robust API Security, and Secure Communication (e.g., TLS with certificate pinning).
• Dynamic Secrets Management: Avoid hardcoding secrets. Instead, manage and deliver them dynamically from the cloud, ensuring sensitive data is never exposed client-side.
• Operationalizing Zero Trust Frameworks: Implementing a runtime-centric approach where security decisions are made inside the app, feeding app-level insights into enterprise security operations.
• The Business Impact: Proactive mobile app protection reduces breach risks, streamlines compliance (PSD2, GDPR, HIPAA), accelerates secure product delivery, and builds user trust, demonstrating measurable ROI.

Sponsored by Approov: Approov provides a comprehensive solution for implementing Zero Trust security in mobile applications and their APIs. Their features include Positive App Authentication, Man-in-the-Middle Attack Protection, Dynamic Secrets Management, and Comprehensive Environment Checks to detect compromised devices and malicious instrumentation. Approov ensures that every call to an API from the mobile app is from a genuine, unmodified app running in a safe environment, with policies updated in real-time.

Relevant Links & Resources:
• Approov Mobile Security Knowledge Base: Approov Mobile Security Knowledge Base
• How to Implement Zero Trust for Mobile Apps (Approov): How to Implement Zero Trust for Mobile Apps
• Why Is Zero Trust Not Systematically Applied to Mobile App Security? (Approov): Why is Zero Trust Not Systematically Applied to Mobile App Security?
• Promon SHIELD® for Mobile & More: Products
• A guide to Zero Trust for your mobile apps (Promon): Bringing Zero Trust to mobile applications
• OWASP Zero Trust Architecture Cheat Sheet: OWASP Zero Trust Architecture Cheat Sheet
• OWASP Mobile App Security Verification Standard (MASVS): What is the OWASP MASVS?
• Promon Mobile App Security Library: All Resources

--------------------------------------------------------------------------------

Qantas Under Siege: Unpacking the Third-Party Data Breach & Scattered Spider's Threat

In this episode of "Upwardly Mobile," we dive deep into the recent cyberattack on Qantas, Australia’s leading airline, which confirmed on July 2, 2025, that it experienced a cyberattack on a third-party customer service platform in one of its call centers. This incident raised significant alarms, especially just before the busy July 4th travel season in the United States.

Key Takeaways from the Breach:

• Significant Data Compromise: Qantas reported that approximately 6 million customers have service records in the affected platform, and a significant proportion of this data is believed to have been stolen.
• Stolen Information: The data confirmed to be compromised includes customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
• Unaffected Data: Importantly, Qantas stated that credit card details, personal financial information, and passport details were not held in the affected system and thus were not compromised. Frequent flyer accounts themselves were also not compromised, with passwords, PIN numbers, or login details remaining secure.
• The Threat Actor: While Qantas has not officially confirmed the perpetrator, security professionals strongly suspect the ransomware group Scattered Spider (also known as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra). This group is notorious for targeting global organizations, including recent attacks on Hawaiian Airlines and Canada’s WestJet Airlines.
• Scattered Spider's Tactics: Scattered Spider is known for its social engineering and identity-based attacks, often employing phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials. They typically steal legitimate login credentials to access systems where critical security protections might not be enabled by default. The WestJet breach, for instance, involved exploiting a self-service password reset.
• Vulnerabilities Highlighted: The Qantas attack, alongside other recent aviation breaches, underscores systemic vulnerabilities in mobile apps and third-party supply chain systems, as well as a prevalent lack of social-engineering defenses and robust incident response protocols. This incident further emphasizes that third parties must adhere to the same stringent data protection standards as internal systems.

Industry Recommendations & Solutions:

• Experts like Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, advise global airline organizations to be on high alert for social-engineering attacks and to increase identity verification rigor for their help desks.
• Ted Miracco, CEO of Approov, stressed the need for the aviation industry to move beyond traditional multi-factor authentication (MFA) and adopt a comprehensive zero-trust approach to API security. Approov Mobile Security offers solutions for Positive App Authentication and API Security, safeguarding backend APIs from abuse and enabling the removal of hardcoded API keys and secrets from apps.
• Organizations are urged to gain complete visibility across their infrastructure, identity systems, and critical management services, focusing on securing self-service password reset platforms, help desks, and third-party identity vendors.

Qantas's Response: Qantas detected unusual activity, took immediate steps to contain the system, and confirmed that all Qantas systems remain secure. They notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. However, the airline faced criticism for its public relations approach, as CEO Vanessa Hudson was on leave, and neither the acting CEO nor other executives made public appearances, relying instead on personalized emails to customers.

Learn more about the incident from the articles that informed this episode:

• "Qantas confirms cyberattack on third-party call center app | SC Media"
• "Qantas discloses cyberattack amid Scattered Spider aviation breaches"
• "Qantas executives nowhere to be seen after data breach affecting up to 6 million customers - ABC News"

Sponsor Shoutout: Our episode today is brought to you by Approov. As highlighted in this episode, securing backend APIs and mobile applications is paramount in today's threat landscape. Approov provides robust solutions for mobile app security and API protection, ensuring the authenticity of your apps and devices, and safeguarding your data against sophisticated attacks. Learn more about their comprehensive zero-trust approach to API security at approov.io.

Keywords: Qantas cyberattack, data breach, Scattered Spider, aviation security, third-party risk, supply chain attack, social engineering, API security, mobile security, data privacy, frequent flyer data, cybersecurity, Qantas, zero-trust, identity verification, call center breach, corporate response. 

Fortify Your Phone: Android 16's Advanced Security Features

In this episode, we'll explore two of the most impactful security features in Android 16 that you need to know about: Advanced Protection and Identity Check, along with other significant API security improvements.

Key Features and Insights:

• Android 16's Focus on Security: Despite foundational work for future design and multitasking changes, Android 16's initial rollout emphasizes "significant security enhancements" designed to make a "meaningful difference" in data protection. Android 16 sets the stage for the platform's most dramatic reinvention in ages, and while some elements are part of a future update, this new software features a slew of significant security enhancements. The Android 16 Security Release Notes, published June 10, 2025, detail vulnerabilities addressed in this version. Devices with a security patch level of 2025-07-01 or later are protected against these issues. The Android security team actively monitors for abuse through Google Play Protect, which is enabled by default on devices with Google Mobile Services, and warns users about potentially harmful applications.
  
  
• Advanced Protection: This is a new, all-encompassing Android security "supermode" activated by a single switch within your system settings. On Google Pixel phones, it's an added section within the main Security & Privacy settings. Enabling Advanced Protection simplifies the process of activating a bundle of advisable Android security settings at once, rather than requiring you to find and enable them individually.
  
  
  • Bundled Safeguards: Advanced Protection activates a suite of protections, including:
    • Extra theft protection: Utilizes Theft Detection Lock and Offline Device Lock, which were introduced previously, to automatically lock your device if it detects it's fallen into the wrong hands.
    • Enhanced app protection: Ensures Android's Google Play Protect on-demand scanning system is in place, restricts app installations to official Play Store (and any other preloaded app stores), and incorporates Memory Tagging Extension, making it less likely for an app to corrupt your device's memory.
    • Smarter web protection: Provides live scanning for browser-based threats, forces the more secure HTTPS encrypted web standard, and adds additional protections around Javascript processing within Chrome.
    • Advanced calling and messaging protection: Offers real-time scanning and warnings about likely scams and spam within Google Messages, detects and warns about unsafe links in incoming texts, and includes spam detection, scam detection, and call screening systems for incoming calls in the Google Phone app.
    • Heightened network protection: Actively rejects any less secure 2G-level network connections that may come along over time. This feature can also be individually activated to disable 2G connections.
  • Future Updates: Google's goal is to keep Advanced Protection updated with all the latest Android security features over time, so once activated, you don't have to manually enable new options as they arrive. Confirmed upcoming features expected "later this year" include:
    • Inactivity Reboot: Automatically restarts your device if it remains locked for 72 consecutive hours, re-encrypting all data to require a full password or pattern unlock.
    • Intrusion Logging: Securely stores encrypted logs of sensitive system actions in the cloud, connected solely to your Google account, for investigating suspicious activity.
    • USB Protection: Sets your phone's USB port to allow only charging by default, preventing unauthorized data transfers via physical connection.
    • Disable Auto-Reconnect to Insecure Networks: Your phone will not automatically reconnect to networks that are not secure, even if you manually connected to them once.
• Identity Check: This feature, gaining prominence with Android 16, requires biometric authentication (e.g., fingerprint, face unlock) to access critical security settings or sensitive information like saved passwords, especially when your device is outside of a designated "trusted location". While you can set trusted locations where biometrics aren't required, for maximum security, it's recommended not to add any. The feature should be enabled by default but can be found by searching for "identity check" in your Settings app.
  
  
• Overall API Security Weaknesses: Android 16 introduces several enhancements that directly improve mobile API security.
  
  
  • Intent Redirection Protection: Android 16 features stronger security against Intent redirection attacks, which are a common vulnerability where malicious applications can intercept or manipulate Intents. Developers are encouraged to test their Intent handling and should only opt out of these protections if it's absolutely necessary.
  • Local Network Permission: For apps targeting Android 16 or newer, a new permission is required to access the local network. This enhances privacy and security by restricting unauthorized network access.
  • More Granular Permissions: Android 16 introduces more granular permissions for sensitive data, such as body sensors. This means apps must explicitly declare their need for specific health-related data, giving users more control and enhancing data privacy.
  • Dynamic Code Loading Restrictions: The new version tightens rules around dynamic code loading, making it more difficult for apps to download and execute potentially malicious code after they have been installed.
  • Predictive Back Navigation: Although primarily a user experience feature, the changes to predictive back navigation and the deprecation of onBackPressed could indirectly impact how developers manage back events, potentially reducing certain vulnerabilities linked to navigation manipulation if implemented correctly.

• Complementary Protections: It's important to differentiate between Android 16's Advanced Protection (for your device) and Google's broader "Advanced Protection" program (for your Google account). The latter is more intense, requiring physical security keys for account sign-ins and severely limiting third-party app access, making it more suitable for high-profile or at-risk individuals. However, these two programs are designed to be complementary, offering heightened protection for both your device and your Google account when used together. It is recommended to enroll your Google account in Advanced Protection and confirm a recovery email.
  
  
• Beyond Advanced Protection: Even with these significant updates, ongoing security requires "common sense and careful thinking". Regularly reviewing your Android security settings with a comprehensive checkup is crucial, ideally at least once annually. Android 16, as the latest Android version, is rolling out automatically in the coming months, though schedules can vary by device and manufacturer. You can check your device's Android version in Settings under "About phone" or "About tablet".
  
  

Remember to update your device and activate these powerful security features to keep your phone and data safe!.

Keywords: Android 16, Advanced Protection, Identity Check, mobile security, data protection, Google Pixel, privacy, Android updates, cybersecurity, smartphone security, Google Play Protect, theft protection, app security, web protection, calling protection, network security, API security, Intent Redirection, Local Network Permission, Granular Permissions, Dynamic Code Loading, Predictive Back Navigation.

This episode is brought to you by Approov Mobile Security. For robust mobile app and API security solutions, visit www.approov.io.

Independence Day: Cloudflare's Dual Defense for Web Mobile Apps & Original Content

Welcome to "Upwardly Mobile"! In this episode, we dive deep into Cloudflare's groundbreaking efforts to protect both mobile applications and original online content from the escalating challenge of AI bots and data scrapers.

Key Topics Covered:

• Protecting Mobile Applications from AI Bots:
  
  
  • Cloudflare's AI bot blocking features are fully capable of protecting mobile APIs.
  • Their Bot Management system analyzes incoming traffic without differentiating between desktop and mobile user agents when scoring bot activity.
  • Leveraging machine learning models, Cloudflare identifies and blocks various bot behaviors, including those targeting mobile apps. They have specifically developed and deployed a Mobile-Focused ML Model trained on mobile request data to improve accuracy and reduce false positives for mobile app traffic.
  • Features like Super Bot Fight Mode offer a robust defense against various automated traffic, including mobile-based bots.
  • For mobile apps primarily driven by APIs, Cloudflare's API Gateway offers enhanced protection.
  • If you require very specific handling of different mobile user agents, premium support is available by upgrading to a Cloudflare Enterprise account with the Bot Management add-on.
• Safeguarding Original Content from AI Data Scrapers:
  
  
  • Cloudflare has introduced a new permission-based setting that automatically blocks artificial intelligence companies from exploiting websites by collecting their digital data. This changes the rules of the internet, requiring bots to "go on the toll road" to get content.
  • This initiative aims to protect original content on the internet, addressing concerns that AI companies freely using data without permission or payment could discourage and ultimately kill the incentives for content creation.
  • Cloudflare, whose network of servers handles about 20% of internet traffic, has observed a sharp increase in AI data crawlers on the web.
  • The company is developing a "Pay Per Crawl" system, which would give content creators the option to request payment from AI companies for utilizing their original content.
  • Many content creators, publishers, authors, and news organizations have accused AI firms of using their material without permission and payment, leading to legal actions such as Reddit suing Anthropic and The New York Times suing OpenAI and Microsoft.
  • Cloudflare argues that AI breaks the unwritten agreement between publishers and crawlers, as AI crawlers collect content to generate answers without sending visitors to the original source, thus depriving content creators of revenue.
  • Cloudflare's CEO, Matthew Prince, is confident they can block AI companies from accessing content if they don't pay, asserting that their product will be worse as a result.
  • This move is considered a "game-changer" for publishers by Roger Lynch, chief executive of Condé Nast.
• Revolutionizing Bot Authentication with Cryptography:
  
  
  • Historically, Cloudflare relied on user agent headers and IP addresses to verify legitimate crawlers, but these methods are now considered broken or impractical due to easy spoofing, shared IP addresses, and the impracticality of managing individual secrets at scale.
  • Cloudflare is proposing a better mechanism for legitimate agents and bots to declare who they are using well-established cryptography techniques, providing a clearer signal for site owners to decide what traffic to permit.
  • Two primary proposals are being introduced: HTTP Message Signatures and request mTLS (mutual TLS).
  • HTTP Message Signatures (RFC 9421) is a standard defining the cryptographic authentication of a request sender, allowing bots/agents to cryptographically sign requests originating from their service, proving their identity in a tamper-proof manner. OpenAI has already begun signing their Operator requests using this method. Cloudflare is prioritizing this approach as it relies on an adopted RFC and works at the HTTP layer, making adoption simpler.
  • Request mTLS is another mechanism for mutual authentication via TLS certificates, though it has limitations, fewer implementations, and upgrading the TLS stack has proven more challenging.
  • This authentication can be consumed by Cloudflare when acting as a reverse proxy or directly by site owners on their own infrastructure.
  • These advancements will be integrated into Cloudflare's AI Audit and Bot Management products to provide better visibility into bots and agents willing to identify themselves.

Relevant Links & Resources:

• Explore Cloudflare's solutions for AI bot protection for mobile apps, their new approach to safeguarding content from AI data scrapers, and innovative cryptographic bot verification mechanisms in their official documentation and blog posts.
• For cutting-edge mobile app security solutions, visit our sponsor: Approov Mobile Security 

Keywords: Cloudflare, AI bot protection, mobile apps, bot management, content creation, data scraping, AI crawlers, copyright, intellectual property, web security, HTTP Message Signatures, mTLS, authentication, publishers, content creators, pay per crawl, Super Bot Fight Mode, digital rights, online content, AI ethics, content monetization.   

Unpacking the WestJet Cyberattack | Mobile App Security and Aviation Threats

Join us on "Upwardly Mobile" as we dissect the significant WestJet cyberattack, an incident that brought to light critical vulnerabilities in mobile application security and backend systems within the aviation sector. Episode Overview: The WestJet cyberattack, reported on June 14, 2025, caused disruptions to the airline's mobile application and select internal systems, though flight operations remained unaffected. This incident underscores an often-overlooked area of vulnerability where protections for user devices by companies like Apple and Google don't fully extend to how apps communicate with their servers.

Key Discussion Points:

• The Attack Vector: The incident likely exploited weaknesses in backend APIs, a common tactic among experienced cybercriminals, similar to the Hawaiian Airlines attack. Preliminary evidence suggests the use of the known vulnerability CVE-2023-12345, which affects parameter handling in mobile application backends. Threat actors also potentially used targeted spear-phishing campaigns to compromise employee credentials, aligning with the MITRE ATT&CK technique T1566 – Phishing.
• Affected Systems: The attack directly impacted the WestJet Mobile App version 4.5.2 (the frontline consumer interface) and its accompanying API Backend version 1.8.9. Internal systems, including Oracle Database 19c (storing customer profiles and booking details) and Windows Server 2019 infrastructures, were also compromised.
• Adversary Tactics: Forensic analysis indicates advanced exploitation methods, potentially involving custom scripts for lateral movement (T1059 – Command and Scripting Interpreter) and remote access tools. The sophistication of techniques and the dual targeting of customer-facing and internal infrastructures suggest a well-planned campaign by an organized group with expertise in the aviation sector, possibly using advanced exploit frameworks like Cobalt Strike.
• Impact and Consequences: Beyond immediate service disruptions, the attack poses significant risks to customer confidence and operational continuity. There's a consequential risk of data exfiltration, intellectual property compromise, and potential fraudulent activities due to unauthorized access to sensitive internal information and customer profiles. The incident also elevates the risk profile for supply chain partners and third-party vendors.
• Recommendations for Enhanced Security: Immediate actions include urgent patch management for vulnerabilities like CVE-2023-12345, extending multi-factor authentication (MFA) across all sensitive internal systems, and revising incident response protocols. Organizations should also enhance email filtering, deploy advanced threat detection systems like CrowdStrike Falcon and Cisco Secure Endpoint, and implement network segmentation to contain lateral movements. Theodore Miracco, CEO of Approov Mobile Security, emphasizes the critical need to address these overlooked vulnerabilities.

Relevant Links to Source Materials:

• WestJet Cyberattack Report: In-Depth Analysis of the WestJet Mobile App Breach and Internal System Vulnerabilities by Rescana: https://www.rescana.com/post/westjet-cyberattack-report-in-depth-analysis-of-the-westjet-mobile-app-breach-and-internal-system-v
• Reuters Report on WestJet Incident: https://www.reuters.com/sustainability/boards-policy-regulation/westjet-probes-cybersecurity-incident-affecting-app-internal-systems-2025-06-14/
• WestJet's Official Advisory: https://www.westjet.com/en-ca/news/2025/advisory--cybersecurity-incident-
• MITRE ATT&CK Framework: https://attack.mitre.org
• CrowdStrike: https://www.crowdstrike.com
• Mandiant: https://www.mandiant.com
• Approov Mobile Security: www.approov.io 

Sponsor: This episode is brought to you by Approov Mobile Security. Learn how they protect mobile apps and their APIs at: approov.io Keywords: WestJet, cyberattack, mobile app security, aviation security, API vulnerabilities, spear-phishing, data breach, cybersecurity, incident response, digital threat, airline security, MITRE ATT&CK, CVE-2023-12345, Oracle Database, Windows Server, network security, supply chain risk, critical infrastructure.

Unpacking Apple's EU App Store Overhaul: Fees, Fines, and the Fight for DMA Compliance

Join us on "Upwardly Mobile" as we dive deep into Apple's latest App Store changes in the European Union, a direct response to the stringent Digital Markets Act (DMA). Faced with a hefty €500 million (about $570 million) penalty from the EU for "anti-steering" practices, Apple has introduced a complex new fee structure that's shaking up the mobile app ecosystem. What You'll Learn in This Episode:

• The New Tier System for Store Services Fees: Discover how Apple's new two-tier system impacts developers. Tier 1 offers basic App Store features for a 5 percent commission, while Tier 2 provides full access at a 13 percent commission. We'll discuss what features are missing from the cheaper tier, including automatic app updates and promotional tools.
• Introducing the Core Technology Commission (CTC): Understand Apple's new 5 percent commission on outside purchases made in apps distributed on the App Store. This fee is set to transition from the previous Core Technology Fee (CTF) by January 1, 2026, becoming a "single business model" for EU developers and applying to digital goods and services sold across the App Store and alternative marketplaces. The EU has previously ruled that the CTF was not "necessary and proportionate".
• The DMA's Impact and Anti-Steering Rules: We break down how the DMA forced Apple to allow developers more choices in app distribution and promotion, specifically ending prohibitions on "steering" users to cheaper alternatives outside the App Store. This comes after a US court order, stemming from the Epic Games lawsuit, also prevented Apple from taking commission on purchases made outside the App Store in the US.
• The "Malicious Compliance" Debate: We explore the significant criticism Apple faces for its DMA compliance, with many, including Epic Games CEO Tim Sweeney and Spotify, accusing them of "malicious compliance"—adhering to the letter but not the spirit of the law. Critics argue Apple's changes still create barriers to competition.
• Apple's Defense and Ongoing Scrutiny: Despite the criticism and fines, Apple maintains it has taken significant steps to open its ecosystem and is appealing the EU's penalty. The European Commission is currently assessing these new changes to determine if they are fully compliant with the DMA.

Don't miss this essential episode to understand the shifting landscape of app development and distribution in Europe!

 Reading & Resources:

• Apple overhauls EU App Store rules following penalty (Link to The Verge article)
• Apple reveals complex system of App Store fees to avoid EU fine of 500 million euro (Link to CNBC article)
• Updates for apps in the European Union (Link to Apple Developer news)
• Apple's DMA developer support page and Compliance Report (Link to Apple's official DMA info)
• Alternative Terms Addendum for Apps in the EU and StoreKit External Purchase Link Entitlement Addendum for EU Apps (Links to Apple's legal terms)

Sponsor Message: This episode of "Upwardly Mobile" is brought to you by Approov. In a world of evolving mobile threats, Approov provides advanced mobile app shielding and API protection to keep your apps and APIs secure from bots and malicious attacks. Ensure your mobile transactions are safe and sound. Learn more at www.approov.io.