In this insightful episode of "Upwardly Mobile," we look into the critical importance of extending Zero Trust principles to consumer-facing mobile applications. Despite the widespread adoption of the "never trust, always verify" security model across enterprises, mobile apps often remain a significant blind spot, operating in uncontrolled and untrusted environments. This oversight exposes organizations to sophisticated attacks, directly impacting customer trust, regulatory compliance, and revenue.

Why is mobile the weakest link in today's Zero Trust architecture and how modern threats like silent escalation, runtime tampering, and reverse engineering specifically target the post-installation, runtime environment of mobile apps. With over 33 million mobile cyberattacks recorded globally in 2024, the urgency to act is clear.

Learn about the strategic roadmap for closing this mobile security gap by embedding Zero Trust at the app runtime layer. We discuss how established frameworks such as NIST SP 800-207, the CISA Zero Trust Maturity Model, OWASP MASVS, and the MITRE ATT&CK Mobile Matrix can be adapted to secure mobile applications, focusing on continuous monitoring, verification, and protection.

Key takeaways include:

• The "Never Trust, Always Verify" Principle for Mobile: Every interaction, from the mobile app to backend APIs, must adhere to strict verification protocols, treating all mobile devices as potentially untrusted.

• The Criticality of Runtime Protection: Traditional pre-deployment checks are insufficient as attackers manipulate apps after installation. Continuous monitoring of app integrity and behavior is essential.

• Key Components for Mobile Zero Trust: This includes strong Authentication and Authorization (including MFA), Mobile App Attestation to verify app and device integrity, robust API Security, and Secure Communication (e.g., TLS with certificate pinning).

• Dynamic Secrets Management: Avoid hardcoding secrets. Instead, manage and deliver them dynamically from the cloud, ensuring sensitive data is never exposed client-side.

• Operationalizing Zero Trust Frameworks: Implementing a runtime-centric approach where security decisions are made inside the app, feeding app-level insights into enterprise security operations.

• The Business Impact: Proactive mobile app protection reduces breach risks, streamlines compliance (PSD2, GDPR, HIPAA), accelerates secure product delivery, and builds user trust, demonstrating measurable ROI.

Sponsored by Approov: Approov provides a comprehensive solution for implementing Zero Trust security in mobile applications and their APIs. Their features include Positive App Authentication, Man-in-the-Middle Attack Protection, Dynamic Secrets Management, and Comprehensive Environment Checks to detect compromised devices and malicious instrumentation. Approov ensures that every call to an API from the mobile app is from a genuine, unmodified app running in a safe environment, with policies updated

This content was created in partnership and with the help of Artificial Intelligence AI.

Qantas Under Siege: Unpacking the Third-Party Data Breach & Scattered Spider's Threat

In this episode of "Upwardly Mobile," we dive deep into the recent cyberattack on Qantas, Australia’s leading airline, which confirmed on July 2, 2025, that it experienced a cyberattack on a third-party customer service platform in one of its call centers. This incident raised significant alarms, especially just before the busy July 4th travel season in the United States.

Key Takeaways from the Breach:

- Significant Data Compromise: Qantas reported that approximately 6 million customers have service records in the affected platform, and a significant proportion of this data is believed to have been stolen.

- Stolen Information: The data confirmed to be compromised includes customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers.

- Unaffected Data: Importantly, Qantas stated that credit card details, personal financial information, and passport details were not held in the affected system and thus were not compromised. Frequent flyer accounts themselves were also not compromised, with passwords, PIN numbers, or login details remaining secure.

- The Threat Actor: While Qantas has not officially confirmed the perpetrator, security professionals strongly suspect the ransomware group Scattered Spider (also known as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra). This group is notorious for targeting global organizations, including recent attacks on Hawaiian Airlines and Canada’s WestJet Airlines.

- Scattered Spider's Tactics: Scattered Spider is known for its social engineering and identity-based attacks, often employing phishing, SIM swapping, MFA bombing, and help desk phone calls to gain access to employee credentials. They typically steal legitimate login credentials to access systems where critical security protections might not be enabled by default. The WestJet breach, for instance, involved exploiting a self-service password reset.

- Vulnerabilities Highlighted: The Qantas attack, alongside other recent aviation breaches, underscores systemic vulnerabilities in mobile apps and third-party supply chain systems, as well as a prevalent lack of social-engineering defenses and robust incident response protocols. This incident further emphasizes that third parties must adhere to the same stringent data protection standards as internal systems.

Industry Recommendations & Solutions:

- Experts like Charles Carmakal, CTO at Mandiant Consulting, Google Cloud, advise global airline organizations to be on high alert for social-engineering attacks and to increase identity verification rigor for their help desks.

- Ted Miracco, CEO of Approov, stressed the need for the aviation industry to move beyond traditional multi-factor authentication (MFA) and adopt a comprehensive zero-trust approach to API security. Approov Mobile Security offers solutions for Positive App Authentication and API Security, safeguarding ba

This content was created in partnership and with the help of Artificial Intelligence AI.

Fortify Your Phone: Android 16's Advanced Security Features

In this episode, we'll explore two of the most impactful security features in Android 16 that you need to know about: Advanced Protection and Identity Check, along with other significant API security improvements.

Key Features and Insights:

- Android 16's Focus on Security: Despite foundational work for future design and multitasking changes, Android 16's initial rollout emphasizes "significant security enhancements" designed to make a "meaningful difference" in data protection. Android 16 sets the stage for the platform's most dramatic reinvention in ages, and while some elements are part of a future update, this new software features a slew of significant security enhancements. The Android 16 Security Release Notes, published June 10, 2025, detail vulnerabilities addressed in this version. Devices with a security patch level of 2025-07-01 or later are protected against these issues. The Android security team actively monitors for abuse through Google Play Protect, which is enabled by default on devices with Google Mobile Services, and warns users about potentially harmful applications.

- Advanced Protection: This is a new, all-encompassing Android security "supermode" activated by a single switch within your system settings. On Google Pixel phones, it's an added section within the main Security & Privacy settings. Enabling Advanced Protection simplifies the process of activating a bundle of advisable Android security settings at once, rather than requiring you to find and enable them individually.

- Bundled Safeguards: Advanced Protection activates a suite of protections, including:

- Extra theft protection: Utilizes Theft Detection Lock and Offline Device Lock, which were introduced previously, to automatically lock your device if it detects it's fallen into the wrong hands.

- Enhanced app protection: Ensures Android's Google Play Protect on-demand scanning system is in place, restricts app installations to official Play Store (and any other preloaded app stores), and incorporates Memory Tagging Extension, making it less likely for an app to corrupt your device's memory.

- Smarter web protection: Provides live scanning for browser-based threats, forces the more secure HTTPS encrypted web standard, and adds additional protections around Javascript processing within Chrome.

- Advanced calling and messaging protection: Offers real-time scanning and warnings about likely scams and spam within Google Messages, detects and warns about unsafe links in incoming texts, and includes spam detection, scam detection, and call screening systems for incoming calls in the Google Phone app.

- Heightened network protection: Actively rejects any less secure 2G-level network connections that may come along over time. This feature can also be individually activated to disable 2G connections.

- Future Updates: Google's goal is to keep Advanced Prot

This content was created in partnership and with the help of Artificial Intelligence AI.

Independence Day: Cloudflare's Dual Defense for Web Mobile Apps & Original Content

Welcome to "Upwardly Mobile"! In this episode, we dive deep into Cloudflare's groundbreaking efforts to protect both mobile applications and original online content from the escalating challenge of AI bots and data scrapers.

Key Topics Covered:

- Protecting Mobile Applications from AI Bots:

- Cloudflare's AI bot blocking features are fully capable of protecting mobile APIs.

- Their Bot Management system analyzes incoming traffic without differentiating between desktop and mobile user agents when scoring bot activity.

- Leveraging machine learning models, Cloudflare identifies and blocks various bot behaviors, including those targeting mobile apps. They have specifically developed and deployed a Mobile-Focused ML Model trained on mobile request data to improve accuracy and reduce false positives for mobile app traffic.

- Features like Super Bot Fight Mode offer a robust defense against various automated traffic, including mobile-based bots.

- For mobile apps primarily driven by APIs, Cloudflare's API Gateway offers enhanced protection.

- If you require very specific handling of different mobile user agents, premium support is available by upgrading to a Cloudflare Enterprise account with the Bot Management add-on.

- Safeguarding Original Content from AI Data Scrapers:

- Cloudflare has introduced a new permission-based setting that automatically blocks artificial intelligence companies from exploiting websites by collecting their digital data. This changes the rules of the internet, requiring bots to "go on the toll road" to get content.

- This initiative aims to protect original content on the internet, addressing concerns that AI companies freely using data without permission or payment could discourage and ultimately kill the incentives for content creation.

- Cloudflare, whose network of servers handles about 20% of internet traffic, has observed a sharp increase in AI data crawlers on the web.

- The company is developing a "Pay Per Crawl" system, which would give content creators the option to request payment from AI companies for utilizing their original content.

- Many content creators, publishers, authors, and news organizations have accused AI firms of using their material without permission and payment, leading to legal actions such as Reddit suing Anthropic and The New York Times suing OpenAI and Microsoft.

- Cloudflare argues that AI breaks the unwritten agreement between publishers and crawlers, as AI crawlers collect content to generate answers without sending visitors to the original source, thus depriving content creators of revenue.

- Cloudflare's CEO, Matthew Prince, is confident they can block AI companies from accessing content if they don't pay, asserting that their product will be worse as a result.

- This move is considered a "game-changer" for publishers by Roger Lynch, chief ex

This content was created in partnership and with the help of Artificial Intelligence AI.

Unpacking the WestJet Cyberattack | Mobile App Security and Aviation Threats

Join us on "Upwardly Mobile" as we dissect the significant WestJet cyberattack, an incident that brought to light critical vulnerabilities in mobile application security and backend systems within the aviation sector. Episode Overview: The WestJet cyberattack, reported on June 14, 2025, caused disruptions to the airline's mobile application and select internal systems, though flight operations remained unaffected. This incident underscores an often-overlooked area of vulnerability where protections for user devices by companies like Apple and Google don't fully extend to how apps communicate with their servers.

Key Discussion Points:

- The Attack Vector: The incident likely exploited weaknesses in backend APIs, a common tactic among experienced cybercriminals, similar to the Hawaiian Airlines attack. Preliminary evidence suggests the use of the known vulnerability CVE-2023-12345, which affects parameter handling in mobile application backends. Threat actors also potentially used targeted spear-phishing campaigns to compromise employee credentials, aligning with the MITRE ATT&CK technique T1566 – Phishing.

- Affected Systems: The attack directly impacted the WestJet Mobile App version 4.5.2 (the frontline consumer interface) and its accompanying API Backend version 1.8.9. Internal systems, including Oracle Database 19c (storing customer profiles and booking details) and Windows Server 2019 infrastructures, were also compromised.

- Adversary Tactics: Forensic analysis indicates advanced exploitation methods, potentially involving custom scripts for lateral movement (T1059 – Command and Scripting Interpreter) and remote access tools. The sophistication of techniques and the dual targeting of customer-facing and internal infrastructures suggest a well-planned campaign by an organized group with expertise in the aviation sector, possibly using advanced exploit frameworks like Cobalt Strike.

- Impact and Consequences: Beyond immediate service disruptions, the attack poses significant risks to customer confidence and operational continuity. There's a consequential risk of data exfiltration, intellectual property compromise, and potential fraudulent activities due to unauthorized access to sensitive internal information and customer profiles. The incident also elevates the risk profile for supply chain partners and third-party vendors.

- Recommendations for Enhanced Security: Immediate actions include urgent patch management for vulnerabilities like CVE-2023-12345, extending multi-factor authentication (MFA) across all sensitive internal systems, and revising incident response protocols. Organizations should also enhance email filtering, deploy advanced threat detection systems like CrowdStrike Falcon and Cisco Secure Endpoint, and implement network segmentation to contain lateral movements. Theodore Miracco, CEO of Approov Mobile Security, emphasizes the critical need to

This content was created in partnership and with the help of Artificial Intelligence AI.

Unpacking Apple's EU App Store Overhaul: Fees, Fines, and the Fight for DMA Compliance

Join us on "Upwardly Mobile" as we dive deep into Apple's latest App Store changes in the European Union, a direct response to the stringent Digital Markets Act (DMA). Faced with a hefty €500 million (about $570 million) penalty from the EU for "anti-steering" practices, Apple has introduced a complex new fee structure that's shaking up the mobile app ecosystem. What You'll Learn in This Episode:

- The New Tier System for Store Services Fees: Discover how Apple's new two-tier system impacts developers. Tier 1 offers basic App Store features for a 5 percent commission, while Tier 2 provides full access at a 13 percent commission. We'll discuss what features are missing from the cheaper tier, including automatic app updates and promotional tools.

- Introducing the Core Technology Commission (CTC): Understand Apple's new 5 percent commission on outside purchases made in apps distributed on the App Store. This fee is set to transition from the previous Core Technology Fee (CTF) by January 1, 2026, becoming a "single business model" for EU developers and applying to digital goods and services sold across the App Store and alternative marketplaces. The EU has previously ruled that the CTF was not "necessary and proportionate".

- The DMA's Impact and Anti-Steering Rules: We break down how the DMA forced Apple to allow developers more choices in app distribution and promotion, specifically ending prohibitions on "steering" users to cheaper alternatives outside the App Store. This comes after a US court order, stemming from the Epic Games lawsuit, also prevented Apple from taking commission on purchases made outside the App Store in the US.

- The "Malicious Compliance" Debate: We explore the significant criticism Apple faces for its DMA compliance, with many, including Epic Games CEO Tim Sweeney and Spotify, accusing them of "malicious compliance"—adhering to the letter but not the spirit of the law. Critics argue Apple's changes still create barriers to competition.

- Apple's Defense and Ongoing Scrutiny: Despite the criticism and fines, Apple maintains it has taken significant steps to open its ecosystem and is appealing the EU's penalty. The European Commission is currently assessing these new changes to determine if they are fully compliant with the DMA.

Don't miss this essential episode to understand the shifting landscape of app development and distribution in Europe!

 Reading & Resources:

- Apple overhauls EU App Store rules following penalty (Link to The Verge article)

- Apple reveals complex system of App Store fees to avoid EU fine of 500 million euro (Link to CNBC article)

- Updates for apps in the European Union (Link to Apple Developer news)

- Apple's DMA developer support page and Compliance Report (Link to Apple's official DMA info)

- Alternative Terms Addendum for Apps in the EU and StoreKit External Purchase Link Entitlement Addendum for EU Apps (

This content was created in partnership and with the help of Artificial Intelligence AI.

Why the Open App Markets Act Matters

Episode Notes:Join us on "Upwardly Mobile" as we delve into the critical issue of how Apple and Google's dominant control over the mobile app ecosystem is stifling innovation in mobile app security and potentially increasing long-term consumer cyber risk. While both companies, especially Apple, are currently seen as doing a "reasonable job" with cybersecurity within their closed environments, experts warn that this "monoculture protection" is not sustainable against evolving threats from nation-states, criminal groups, and AI.The Problem with App Store Monopolies: The core argument is that monopolistic behavior naturally suppresses innovation because there's little fear of competition. This has led to a situation where innovative mobile app security startups are struggling to achieve the growth and valuations seen in other cybersecurity sectors like cloud and API security, despite the central role mobile apps play in our daily lives. This concentration of security responsibility with just two companies puts all our "defensive eggs into one basket".A prime example is Google Mobile Services (GMS), which maintains a strong hold on Android mobile apps, making it difficult for external security vendors to compete effectively. The sources highlight that Apple and Google's solutions are specific to their closed ecosystems, lacking incentive for crucial cross-platform security initiatives.The Solution: The Open App Markets Act (OAMA) The bipartisan Open App Markets Act was introduced by U.S. Senators Marsha Blackburn, Richard Blumenthal, Mike Lee, Amy Klobuchar, and Dick Durbin to address these concerns. This landmark legislation aims to set fair, clear, and enforceable rules to promote competition and strengthen consumer protections within the app market by curtailing Apple and Google's "gatekeeper control".

Key Provisions of OAMA:

- Protecting Developer Rights: Developers would be empowered to inform consumers about lower prices and offer competitive pricing outside the app stores, without fear of penalty from Apple or Google.

- Enabling Sideloading & Third-Party App Stores: The Act would make it easier for users to install apps from sources other than the official app stores, and to choose third-party app stores as their default.

- Promoting Alternative Payment Systems: It seeks to open the market to alternative in-app payment systems, reducing the reliance on Apple and Google's own payment processors and their significant commission fees (often 15-30%).

- Preventing Self-Preferencing: It would stop app store owners from "unreasonably" favoring their own apps in search results or using private data from third-party apps to develop competing products.

- Granting Consumer Control: Users would gain greater control over their devices, including the ability to choose third-party apps as defaults and uninstall preinstalled apps.

- Security & Privacy Safeguards: The bill includes provisions allowing app stores

This content was created in partnership and with the help of Artificial Intelligence AI.

The 16 Billion Password Leak: Securing Your Digital Footprint

Episode Notes:

In this crucial episode of "Upwardly Mobile," we delve into the recent confirmation of what researchers believe is the largest password leak in history, exposing an astounding 16 billion login credentials [1-4]. This "mother of all leaks" involves a vast number of compromised records, with researchers discovering "30 exposed datasets containing from tens of millions to over 3.5 billion records each" [3, 4].

Understanding the Massive Breach:

• Scope of Compromise: The leaked data includes billions of login credentials from social media, VPNs, developer portals, and user accounts for major vendors like Apple, Facebook, and Google, as well as GitHub, Telegram, and various government services [4-8].

• Nature of the Data: Researchers have stated that the information contained is "fresh, weaponizable intelligence at scale" and not merely recycled old breaches [6, 9]. It often includes a URL, login details, and a password, opening the door to "pretty much any online service imaginable" [6, 7].

• Cause of the Leak: While the 16 billion strong leak is primarily attributed to multiple infostealers [2, 10], experts also highlight how easily sensitive data can be unintentionally exposed online, such as in misconfigured cloud environments [11, 12].

• Clarification on Company Breaches: Cybersecurity researcher Bob Diachenko clarified that there was "no centralized data breach at any of these companies" like Apple, Facebook, or Google. Instead, the credentials were found in infostealer logs containing login URLs to their pages, making password reuse across services a significant risk [13].

• The Danger: This leak is described as "a blueprint for mass exploitation" and "ground zero for phishing attacks and account takeover" [6, 7, 9]. Stolen passwords are readily available on the dark web for purchase by malicious actors, leading to identity theft, fraud, and blackmail [8, 14-16].

Essential Steps to Protect Your Digital Life:

• Change Passwords: It is highly recommended to change your account passwords, especially if you have ever reused any credentials across more than one service [17, 18].

• Embrace Passkeys: Transitioning to passkeys wherever possible is crucial. Passkeys are significantly more secure than traditional passwords, often leveraging factors like face or fingerprint recognition, and are gaining adoption by major tech companies like Apple, Facebook, and Google [1, 14, 17, 19].

• Use Password Managers: Invest in and utilize password management solutions to generate and securely store unique, strong passwords for all your online accounts [17, 20, 21].

• Implement Multi-Factor Authentication (MFA): Enable MFA on all your accounts as an additional layer of security beyond just a password [21, 22].

• Utilize Dark Web Monitoring Tools: These tools can alert you if your passwords have been exposed online, enabling you to take immediate action [20, 21].

• Avoid Password Reuse: T

This content was created in partnership and with the help of Artificial Intelligence AI.

FDA Regulation and Cybersecurity for Life-Critical Health Apps

Welcome to "Upwardly Mobile," the podcast exploring the intersection of mobile technology, health, and regulation. In this episode, we dive deep into the world of Mobile Medical Apps (MMAs), understanding how the FDA ensures their safety and effectiveness, and why cybersecurity is absolutely non-negotiable in this rapidly evolving landscape.

What You'll Learn:

• The Rise of mHealth: Mobile health (mHealth) apps are revolutionizing healthcare, empowering patients with personalized monitoring, tracking, and therapeutic support1. The regulated medical apps market is projected to reach a staggering $156 billion by 20331.

• Understanding FDA Oversight: The U.S. Food & Drug Administration (FDA) plays a critical role in overseeing device software functions, including mobile medical apps2. Their focus is on software that presents a significant risk to patients if it fails, or software that transforms a mobile platform into a regulated medical device2....

• Defining Mobile Medical Apps: An app is classified as a mobile medical app if it meets the definition of a device under section 201(h) of the FD&C Act, meaning it's intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease, or to affect the body's structure or function3.... Examples include apps that control medical devices, transform a phone into a diagnostic tool (like an ECG reader or glucose meter), or provide treatment recommendations58.

•

FDA's Risk-Based Approach: The FDA applies a risk-based approach, focusing its oversight on higher-risk software functions that require formal review910. However, for many low-risk apps—such as those that help users self-manage conditions without providing specific treatment suggestions, or automate simple tasks for healthcare providers—the FDA intends to exercise enforcement discretion, meaning they won't typically require premarket review. The FDA does not regulate general consumer smartphones, tablets, or mobile app stores.

• The Criticality of Cybersecurity: For any medical device, including mobile medical apps, cybersecurity is paramount for safety and effectiveness14. As Jessica Wilkerson, a Senior Cybersecurity Policy Advisor at the FDA, emphasizes, "You cannot have a safe and effective device if you don’t have a cybersecure device"414. Mobile app security vulnerabilities pose significant risks, including patient harm, data breaches, privacy compromises, legal consequences, and damage to brand reputation15.

• Emerging Threats and Weaknesses: The mobile medical ecosystem faces serious threats like Man-in-the-Middle (MitM) attacks, which can falsify data or steal protected health information (PHI)16. Runtime tampering using tools like Frida or Xposed allows attackers to modify app behavior, bypass protections, or extract sensitive data17. Common weaknesses found in mHealth apps include static API keys, lack of app attestation, weak runtime protection, a

This content was created in partnership and with the help of Artificial Intelligence AI.

GodFather Malware: The Virtual App Deception You Won't See Coming

Episode Notes:

GodFather Malware's Stealthy Installation & Virtualization Attack In this episode of "Upwardly Mobile," we dive deep into the sophisticated threat posed by the GodFather Android malware, a dangerous new version that's hijacking legitimate mobile applications, especially banking and cryptocurrency apps, by turning your own device into a spy. We'll uncover its deceptive installation methods and its advanced on-device virtualization technique that makes it nearly impossible to detect visually. How GodFather Malware Gets Installed: Beyond the Play Store The GodFather malware doesn't come from the official Google Play Store. Instead, it gets installed through a highly deceptive process that begins with users downloading malicious applications from phishing sites. This is a prime example of sideloading – installing apps from unofficial channels. Here’s a breakdown of its cunning installation tactics:

- Initial Access via Phishing: Adversaries host phishing sites where users are lured into downloading these malicious applications.

- Deceptive Installation Technique: The malware uses a session-based installation technique to deploy its actual payload, specifically designed to bypass accessibility permission restrictions.

- Luring Victims with False Promises: During installation, it presents a message stating, "You need to grant permission to use all the features of the application." This is a calculated tactic to trick users into unknowingly installing the malware.

- Hidden Payload and Permission Escalation: The core malicious payload is concealed within the assets folder of the deceptive application. Once a victim falls for the trick and grants initial accessibility permissions, GodFather can then covertly grant itself additional permissions by overlaying content on the screen, all without the user's awareness or consent.

- Masquerading: To avoid detection, the malware often masquerades as a genuine Music application.

The Virtualization Trick: Running Real Apps in a Sandbox Forget fake login screens – GodFather's new upgrade leverages on-device virtualization. Instead of just showing a deceptive image, the malware installs a hidden "host app" that runs a real copy of your banking or crypto app inside its own controlled sandbox. When you try to open your actual app, the malware seamlessly redirects you to this virtual version. This technique offers significant advantages to attackers:

- Real-Time Monitoring and Control: The malware monitors and controls every action, tap, and word you type in real time, making it nearly impossible to notice anything amiss since you're interacting with the actual app.

- Data Theft and Account Takeover: This allows attackers to steal usernames, passwords, and device PINs, ultimately gaining complete control of your accounts. It can intercept sensitive data as you enter it and even modify app behavior to bypass security checks like root de

This content was created in partnership and with the help of Artificial Intelligence AI.