The Future of App Development with Vibe Coding and Approov

Description: In this episode of Upwardly Mobile, we delve into the exciting, fast-paced world of "vibe coding" and rapid app development, where concepts can transform into functional Minimum Viable Products (MVPs) in days, not weeks. We discuss how intuitive, AI-powered platforms like Lovable are enabling developers to build full-stack web applications using plain English, focusing on the "vibe" of the application rather than getting bogged down in traditional coding complexities.

However, this speed comes with significant security risks. We explore the critical case of the Tea dating app data breach, a women-only dating advice app that suffered an extensive hack exposing users' direct messages and photos, including an additional 59,000 images and DMs. Experts like Ted Miracco, CEO at mobile security maker Approov, emphasized that Tea lacked adequate security protections and "rushed to market," exposing consumers. The breach highlighted a systemic problem: the real attack surface for mobile apps often lies in their backend APIs, which are not inherently secured by app store vetting processes like Apple's or Google's. Attackers were able to reverse-engineer the mobile client and access sensitive data through an insecure, unauthenticated API.

So, how can you build fast without sacrificing security? We introduce Approov, a security solution designed to ensure that only genuine instances of your app, running on safe devices, can access your APIs. Approov protects against various threats, including malicious bots, tampered apps, credential stuffing, and API abuse. Key defenses Approov offers include App Attestation, Ephemeral API Keys, Dynamic Certificate Pinning, RASP (Runtime Application Self-Protection), and Real-time Monitoring.

For early-stage startups, Approov has launched a "Founder-Friendly Tier," providing core security features at a price point and scale that makes sense for new ventures, helping to bridge the gap between rapid development and robust security. Making security a priority from day one offers a powerful advantage: it boosts investor confidence, builds user trust, and prevents costly, time-consuming security retrofits down the line. As the sources suggest, "secure APIs are the new uptime," and security should be seen as a differentiator, not a tax.

Key Takeaways:

• Vibe coding and platforms like Lovable enable incredibly fast app development, allowing quick market entry and iteration.

• Rapid development can introduce significant security vulnerabilities, especially at the API level, as demonstrated by the Tea app data breach.

• Approov provides essential mobile and API security solutions, including a new Founder-Friendly Tier, to protect apps from launch through scaling.

• Prioritizing security from the start enhances investor confidence and user trust, proving to be an "unfair advantage" in the competitive app market.

Relevant Links:

• CBS News: Tea dating app disab

This content was created in partnership and with the help of Artificial Intelligence AI.

Apple's Enduring Browser Engine Ban: A Global Standoff for the Open Web

Description:

In this episode of Upwardly Mobile, we delve into Apple's persistent ban on third-party browser engines on iOS, a restriction that continues to stifle competition and limit the capabilities of web applications. Despite growing global pressure and explicit legal mandates like the EU's Digital Markets Act (DMA), Apple has maintained technical and contractual barriers that make it commercially unviable for other browser vendors like Google and Mozilla to offer their own engines on iOS

. We explore why this ban matters for consumers, developers, and the future of the open internet.

Key Discussion Points:

• The Unique Ban: Apple is the only "gatekeeper" that imposes a ban on third-party browser engines, forcing all browsers on iOS to use its proprietary WebKit engine

. This prevents genuine browser competition and limits the functionality and performance of web apps, hindering their ability to compete with native apps• Apple's Justifications vs. Reality:

    ◦ Apple claims its restrictions are for security, privacy, and system integrity

. Apple's representatives, like Kyle Andeer and Gary Davis, assert that browser vendors have "everything they need" and have simply "chosen not to" port their engines.    ◦ However, critics argue that Apple uses security and privacy as an "elastic shield" for its financial interests

. Evidence does not suggest material differences in security performance between WebKit and alternative engines. Browser vendors, with their strong security track records, could even improve iOS security by competing• Barriers to Entry: The primary obstacles preventing alternative browser engines on iOS include:

    ◦ Loss of existing EU users: Browser vendors are forced to create entirely new apps, meaning they must abandon current users and start from scratch in the EU

. This single requirement "destroys the business case".

    ◦ No web developer testing outside EU: Developers globally cannot test their web software on third-party engines on iOS for EU users

.

    ◦ Hostile legal terms: Apple's contractual conditions are "harsh, one-sided, and incompatible with the DMA"

.

    ◦ Uncertainty on updates for travelers: Apple has not confirmed that browser updates (including security patches) will not be disabled if an EU user travels outside the EU for more than 30 days

.

• Regulatory Pressure and Compliance:

    ◦ EU Digital Markets Act (DMA): Explicitly prohibits gatekeepers from requiring the use of their web browser engine.

The DMA demands "effective compliance" and prohibits undermining obligations through technical or contractual means. Despite 15 months, no browser vendor has successfully ported an engine, indicating Apple's non-compliance.    ◦ Japan's Smartphone Act (MSCA): Passed and will directly prohibit Apple's ban by December 2025

. Guidelines clarify that actions that hinder adoption, not just outright bans, are prohibited. It also mandates fai

This content was created in partnership and with the help of Artificial Intelligence AI.

Beyond the Beta: iOS 26 Features, AI, and Next-Gen App Security

This episode of Upwardly Mobile dives deep into Apple's groundbreaking iOS 26 update, exploring its transformative new features, the much-anticipated AI integrations, and crucial security considerations for developers. From the visually stunning Liquid Glass design to advanced app attestation requirements, we cover everything you need to know about Apple's latest mobile operating system. iOS 26 Key Features & User Experience iOS 26 marks a significant generational leap for Apple's mobile operating system, moving directly from iOS 18 to align naming with other Apple platforms, and is considered the biggest OS update since iOS 7. It introduces a bold new design and more AI-powered features.

- Design & Visuals: Experience Liquid Glass, Apple's new cohesive design language, which visually transforms widgets and the dock for a sleek, immersive interface. You’ll also notice improved animations in the Camera and Photos apps, ensuring smoother transitions. For drivers, customizable CarPlay wallpapers automatically adapt to light and dark modes, providing a visually pleasing transition between day and night.

- AI-Powered Innovations: Benefit from AI-powered notification summaries that streamline your alerts. Two highly anticipated phone features include Call Screening, which picks up unknown numbers, asks the caller's purpose, and shows a live transcript, allowing you to decide whether to answer. Its companion, Hold Assist, listens to hold music for you and alerts you the instant a real person is available.

- Enhanced App Experiences: The Weather app now offers "significant locations" for hyper-localized forecasts based on your frequently visited destinations. The Podcasts app provides custom playback options to fine-tune your listening. Safari now includes haptic feedback for downloads, offering tactile confirmation of completed actions.

- User Security & Privacy: A redesigned passcode screen simplifies access, and updated password settings offer greater control over website permissions. The "Reduce Loud Sounds" feature automatically lowers excessive audio levels to protect your hearing. Additionally, App Store age ratings have been revamped with new categories (13+, 16+, and 18+) and enhanced parental controls, ensuring a safer digital environment for younger users.

Getting Your Hands on iOS 26 Anyone with a compatible iPhone can test iOS 26 features ahead of its official release. Apple opened its developer program to everyone for free in 2023, allowing users to load the developer beta right now.

- Compatibility: iOS 26 supports iPhone 11 and newer models, including the forthcoming iPhone 17 series. This includes any A13 Bionic handset forward, while the iPhone XR/XS generations are not included.

- Apple Intelligence Compatibility: For the headline Apple Intelligence features, you'll specifically need an iPhone 16 model or the iPhone 15 Pro/Pro Max.

- Installation Steps: To i

This content was created in partnership and with the help of Artificial Intelligence AI.

Mobile-First Security: The Urgent Lessons from the Tea App Breach

In this focused segment of Upwardly Mobile, we unpack the recent Tea app breach, a sobering case study that highlights the critical need for a robust mobile-first cybersecurity strategy and proper API security. The Tea app, a women's dating safety application that rapidly climbed to the top of the free iOS App Store listings and reached the No. 1 spot on Apple's US App Store, claiming over 1.6 million users, was designed to allow women to exchange information about men to enhance safety. A key feature involved new users verifying their identity by uploading a selfie. The company confirmed a major security breach, stating they had "identified authorized access to one of our systems". Preliminary findings revealed access to approximately 72,000 user images. This alarming exposure included:

- 13,000 images of selfies and photo identification documents, such as driver's licenses, which users had submitted during the account verification process.

- 59,000 publicly viewable images from posts, comments, and direct messages within the app.

The exposed images reportedly originated from a "legacy data system" that held information from more than two years prior. Posts on Reddit and 404 Media indicated that these sensitive user images, including faces and IDs, were posted on the anonymous online messageboard 4chan, with one post explicitly stating, "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" and highlighting "No authentication, no nothing. It's a public bucket". Users from 4chan claimed to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, as the source of the vulnerability. According to Ted Miracco, Chief Executive Officer of Approov Limited, the Tea app breach is a stark example of a "systemic failure in API security". He attributes this failure to several critical oversights:

- Broken access controls. (https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola)

- Weak authentication.

- Missing transport protections.

- Absent runtime safeguards.

Miracco emphasizes that such failures are "not inevitable" but are "preventable with disciplined engineering, proper API defenses, and a real commitment to protecting user trust". This incident highlights a common pitfall where companies "rush apps to market, driven by subscriber growth and churn metrics, while privacy and security are sidelined". The broader lesson from the Tea app breach underscores how mobile apps introduce significant risk to an organization's back-end services. Mobile apps serve as a "front door to the back end," and a mobile device effectively holds "the secret key to the front door" – the key to server-side APIs. The increasing reliance on numerous server-side APIs accessed via mobile devices creates growing security exposure, especially since many APIs are often not adequately protected. Shockingly, up to ha

This content was created in partnership and with the help of Artificial Intelligence AI.

Unlocking True Mobile & API Security in the Cloud Age

Welcome to "Upwardly Mobile", the podcast dedicated to navigating the complex world of mobile and cloud security! In this episode, we dive deep into why mobile app security and API security are not just technical concerns, but fundamental business imperatives for organisations of all types, from agricultural giants like John Deere to popular dating apps such as Hinge. We explore how the traditional reliance on static defences like code obfuscation is no longer sufficient against today's sophisticated, AI-powered threats, and what a truly resilient, Zero Trust-based security strategy looks like.

Why Mobile & API Security Matters to Everyone in Your Organisation: The consequences of neglecting mobile app and API security are severe, ranging from massive data breaches to reputational damage and direct impacts on business operations. Here’s why key stakeholders deeply care:

• Operational Leadership & Executives (e.g., C-suite): For companies like John Deere, insecure APIs and mobile apps can lead to attackers accessing, altering, or deleting "sensitive business information related to a farm's operations", resulting in "competitive disadvantage or even sabotage". For dating apps like Hinge, the core business relies on user trust, and API flaws, often exploited via the mobile app, can expose "vast amount of Personally Identifiable Information (PII) for other users", leading to "catastrophic for user acquisition, retention, and the company's survival". The ultimate "consequences of vulnerabilities—such as data breaches affecting billions and leading to hundreds of billions in losses"—fall under their purview.

• Security Teams (e.g., CISO, Security Architects): Their mandate is to implement a "holistic" security approach that "protect[s] the app, its communications, and the API". They understand that "APIs are the true target" for attackers and that "a vulnerable mobile app communicating with a misconfigured cloud backend is a recipe for disaster". They are tasked with implementing "robust AppSec Strategy" and "strong Cloud Security Posture Management (CSPM)" to prevent "service disruption" and "full system compromise".

• Legal & Compliance Teams: Mobile app and API vulnerabilities, as seen in e-hailing apps, can expose "vast amount of Personally Identifiable Information (PII)". This necessitates their involvement due to potential "severe privacy violations, massive user exodus, and significant legal and regulatory repercussions" associated with data breaches and non-compliance with data protection regulations.

• Engineering & Development Teams: These teams are "directly responsible for 'building secure code for both the mobile app and the backend'". They must implement "secure development practices" and are critically concerned with "improper handling of secrets" like API keys, which are often hardcoded and easily extracted.

• Marketing & Brand Management Teams: A breach of

This content was created in partnership and with the help of Artificial Intelligence AI.

Crypto Under Siege: Billions Lost in H1 2025 and the Battle for Web3 Security

**Episode Description:**The first half of 2025 has witnessed an unprecedented surge in cyberattacks against cryptocurrency exchanges, leading to billions of dollars in stolen digital assets [1-3].

In this episode of "https://www.iheart.com/podcast/53-upwardly-mobile-api-app-sec-248101864/," we delve into the alarming statistics from CertiK's latest report and dissect the most significant incidents, including the Coinbase data breach and the Bybit hack [1, 2, 4]. Discover the evolving tactics employed by sophisticated attackers—from insider threats and social engineering to supply chain attacks and wallet compromises—and explore the critical security measures and technologies platforms are implementing to safeguard user funds and rebuild trust in the volatile Web3 landscape [5-11].

Key Takeaways:

• Record-Breaking Losses in H1 2025: Approximately $2.47 billion in cryptocurrency was stolen through hacks, scams, and exploits in the first half of 2025, already surpassing the total amount lost in all of 2024 [1-3]. According to CertiK, when accounting for confirmed, unrecovered losses, the net figure stands at $2.29 billion, exceeding last year's adjusted total of $1.98 billion [3].

• Major Incidents Driving Losses: Two significant events accounted for nearly $1.78 billion of the total losses in H1 2025 [3]:

    ◦ Bybit Breach (February 2025): Hackers stole an estimated $1.4 billion from the Dubai-based exchange in an attack linked to Lazarus, a state-sponsored North Korean APT group [1]. This incident largely contributed to wallet compromise being the costliest attack vector [6].

    ◦ Cetus Protocol Incident: This decentralized exchange (DEX) on Sui lost $225 million due to hackers using spoofed tokens and price manipulation [6].

• Coinbase Under Attack:

    ◦ May 2025 Data Breach (Insider Threat/Social Engineering): Hackers bribed and coerced a small group of overseas customer support agents to steal sensitive customer data, including names, dates of birth, partial Social Security numbers, masked bank account numbers, addresses, phone numbers, and emails [4]. While no login credentials or private keys were obtained, this data was used for social engineering attacks [4]. Coinbase refused a $20 million extortion attempt and instead established a $20 million reward fund for information leading to the attackers' arrest [12]. The estimated financial impact for Coinbase is between $180 million and $400 million, including voluntary customer reimbursements for funds lost to social engineering [12]. This incident highlighted the critical risk of insider threats and the need for enhanced real-time endpoint security and data loss prevention (DLP) [5, 7].

    ◦ March 2025 GitHub Action Supply Chain Attack: Coinbase was an initial target of a supply chain attack on GitHub Action, exploiting a public continuous integration/continuous delivery flow [5]. Coinbase successfully detected

This content was created in partnership and with the help of Artificial Intelligence AI.

In this episode of https://approov.io/info/podcast, we delve deep into the sophisticated world of Konfety malware and explore how remote app attestation provides a crucial defence against its cunning tactics.

Konfety employs an "evil twin" method, creating malicious versions of legitimate apps that share the same package name and publisher IDs as benign "decoy twin" apps found on official app stores. This allows the malware to spoof legitimate traffic for ad fraud and other malicious activities.

Konfety's "evil twins" are distributed through third-party sources, malvertising, and malicious downloads, effectively bypassing official app store security checks. To evade detection, Konfety employs sophisticated obfuscation and evasion techniques. These include dynamic code loading, where malicious code is decrypted and executed at runtime from an encrypted asset bundled within the APK. It also manipulates APK structures through tactics like enabling the General Purpose Flag bit 00 (which can cause some tools to incorrectly identify the ZIP as encrypted and request a password) and declaring unsupported compression methods (such as BZIP) in the AndroidManifest.xml (which can result in partial decompression or cause analysis tools like APKTool or JADX to crash). Other stealth techniques involve suppressing app icons, mimicking legitimate app metadata, and applying geofencing to adjust its behaviour by region. The malware leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. Users may experience redirects to malicious websites, unwanted app installs, and persistent spam-like browser notifications. The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection.

So, how does https://approov.io/info/role-of-attestation-in-mobile-app-security combat such a resilient threat? Remote app attestation is a security mechanism where a mobile app proves its identity and integrity to a trusted remote server. This process typically involves the mobile app generating a unique "fingerprint" or "evidence" of its current state, often using hardware-backed security features like Trusted Execution Environments or Secure Enclaves. This evidence includes measurements of the app's code, data, and the device's security posture (e.g., whether the bootloader is locked, if the device is rooted, or if it's running an official OS). This evidence is then sent to a trusted remote server, often an attestation service, for verification. The attestation service compares the received evidence against a known good baseline or policy, checking if the app is genuine and unmodified, if the code running is the expected untampered version, and if the device it's running on is secure and hasn't been compromised. Based on this verification, the server provides a "verdict," which determines whether the app is allowed to proceed with sensitive o

This content was created in partnership and with the help of Artificial Intelligence AI.

The Fitify Fiasco: Unpacking 138K Private Progress Photos, 206K Profile Photos & Hardcoded App Secrets

Welcome to Upwardly Mobile! In today's episode, we dive deep into the recent massive data leak involving the popular iOS fitness app, Fitify, affecting over 25 million users globally. We'll explore the critical security vulnerabilities exposed and discuss how adherence to standards like OWASP MASVS and advanced solutions like Approov can protect your mobile apps and user data. The Fitify Fiasco: The Cybernews research team recently uncovered a significant data breach with Fitify, a widely used iOS fitness app. Their investigation revealed that 373,000 sensitive user files, including a staggering 138,000 progress photos, were stored in a publicly accessible Google Cloud bucket. Critically, these files lacked password protection or encryption at rest, meaning anyone could access them. Many of these exposed "progress pictures" and "body scans" were taken with minimal clothing to better showcase body changes, making the exposure highly sensitive for users tracking weight loss or muscle growth. Other leaked data included 206,000 user profile photos, 13,000 AI coach message attachments (which may include images or text), and 6,000 body scan files, including photos and AI-generated metadata (e.g., lean mass, body fat, posture). The leak was discovered on May 7th, 2025, and after Cybernews contacted the company, Fitify Workouts s.r.o. closed the unprotected instance on June 9th, 2025. Security Gaps Highlighted: Despite Fitify's Google App Store description clearly stating that "data is encrypted in transit", Cybernews found a severe lack of basic access controls, which poses serious privacy risks. The fact that user data could be accessed without any passwords or keys demonstrated that it was not encrypted at rest. Furthermore, researchers discovered hardcoded secrets embedded directly within the app's code. These included Google API and Client IDs, Firebase database URLs, Facebook tokens (such as Facebook App ID and Client Token), and even an Algolia API key, which was notably not disclosed in Fitify's privacy policy. These exposed credentials could potentially enable attackers to access backend infrastructure, impersonate users, or inject malicious content. This issue is not isolated; Cybernews's broader research found that 71% of 156,000 iOS apps analyzed leak at least one secret, with an average of 5.2 secrets per app. Understanding Mobile App Security with OWASP MASVS: This incident underscores the importance of adhering to robust mobile application security standards like the OWASP Mobile Application Security Verification Standard (MASVS). MASVS serves as an industry standard and a comprehensive framework for mobile software architects, developers, and security testers to ensure the development of secure mobile applications. It categorizes security controls into various groups:

- MASVS-STORAGE: Addresses the secure storage of sensitive data o

This content was created in partnership and with the help of Artificial Intelligence AI.

In this episode of https://open.spotify.com/show/3iYLhvcx8q1QwH0jc1QSld, we dive deep into the critical, yet often underestimated, world of mobile app security. Drawing on recent research, we uncover a staggering misalignment between perception and reality, highlighting why organizations are facing an average of nine mobile app security incidents per year, with an average financial toll reaching $6.99 million in 2025.

While 93% of organizations believe their mobile app protections are sufficient, a substantial 62% have experienced at least one security incident in the past year. The repercussions extend beyond financial losses, including application downtime, sensitive data leaks, erosion of consumer trust, and a diminished user experience.

We explore why traditional security measures, particularly code obfuscation, are no longer enough. Obfuscation, while deterring casual attackers, is ultimately a deterrent, not a preventative measure, offering minimal protection against runtime threats, dynamic analysis, and AI-assisted reverse engineering.

The real target for modern attackers is increasingly Application Programming Interfaces (APIs). Mobile apps serve as entry points to exploit backend APIs for credential stuffing, data scraping, and business logic abuse, none of which static defenses can prevent. The weaponization of Artificial Intelligence (AI) further escalates these threats, enabling automated botnets, adaptive malware, and accelerated vulnerability discovery.

The solution? A crucial shift towards a dynamic, runtime-centric security model rooted in Zero Trust principles. This approach demands continuous monitoring and verification, moving beyond static, pre-deployment checks to protect apps during execution.

Key elements of this essential dynamic security strategy include:

• https://approov.io/mobile-app-security/rasp/: Acting as the app’s internal bodyguard, RASP detects and responds to runtime threats like debuggers, tampering, root/jailbreak, and hooking frameworks, offering real-time protection and contextual awareness.

• https://approov.io/mobile-app-security/rasp/app-attestation/: This is a standout feature, ensuring that only requests truly originating from your official, unmodified mobile app, running on a non-compromised device, are allowed to access your backend APIs. This effectively blocks bots, scripts, tampered apps, and mitigates API abuse.

• https://approov.io/mobile-app-security/rasp/runtime-secrets/: This critical measure removes sensitive secrets (like API keys) from the app's code entirely. Instead, secrets are delivered securely at runtime, just-in-time, and only to attested apps, preventing extraction through reverse engineering.

• Dynamic Channel Protection (Dynamic Pinning): Unlike brittle static certificate pinning, dynamic pinning allows for secure, over-the-air updates of certificate pins, ensuring continuous protection against Man-in-the-Middle (MitM) attacks without requiring app store updates.

We also dif

This content was created in partnership and with the help of Artificial Intelligence AI.

In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.Key Discussion Points:

- The Alarming State of IoT Security:

- A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.

- A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.

- The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.

- IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai. The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.

- Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.

- Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.

- A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.

- Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.

- The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:

- Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.

- This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.

- Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API

This content was created in partnership and with the help of Artificial Intelligence AI.