#APIProtection
Don’t wait for a mobile breach. The M&S attack showed that retailers are facing coordinated, multi-channel threats. It’s time to secure every layer.

approov.io/blog/retail-...

#Cybersecurity #RetailSecurity #MobileAppSecurity #APIProtection #AppSec #Approov #ScatteredSpider
Retail Cyberattacks Demand Urgent Mobile App and API Security Measures
Retail cyberattacks underscore the urgent need for robust mobile app and API security to protect sensitive customer data and ensure business continuity.
approov.io
May 22, 2025 at 9:44 AM
How well do you know the OWASP API Security Top 10? Whether you’re just getting started or already an expert, we’ve got you covered with an easy-to-understand guide 💡🌐

Check it out here: salt.security/blog/owasp-a...

#APIsecurity #cybersecurity #OWASP #BOLA #APIprotection
OWASP API Security Top 10 Explained - What is OWASP?
OWASP API Security Top 10. In this post, we dig into each of the Open Web Application Security Project (OWASP) API Security Top 10 in detail.
salt.security
January 2, 2025 at 9:33 PM
📣 New Podcast! "UK Competition and Markets Authority (CMA) designate Apple and Google with Strategic Market Status" on @Spreaker #apiprotection #appdistribution #appeconomy #apple #approov #cma #digitalmarkets #dmcc #google #mobilecompetition #sms #strategicmarketstatus
UK Competition and Markets Authority (CMA) designate Apple and Google with Strategic Market Status
UK CMA Declares Apple & Google Have Strategic Market Status (SMS): The Future of Mobile Competition and Security

In this pivotal episode of "Upwardly Mobile," we break down the monumental decision by the UK Competition and Markets Authority (CMA) to officially designate Apple and Google with Strategic Market Status (SMS) in their respective mobile platforms. This move is set to reshape digital markets across the UK and has massive implications for app developers, businesses, and mobile security worldwide.

Key Takeaways from the CMA's Decision (Published 22 October 2025):
The CMA launched its investigations in January 2025 under the Digital Markets, Competition and Consumers Act 2024 (DMCCA), aiming to address the "unprecedented market power" held by a few large digital firms.
- SMS Designation Confirmed: Following consultation with over 150 stakeholders, the CMA confirmed that both Apple and Google meet the legal tests for having Substantial and Entrenched Market Power (SEMP) and a Position of Strategic Significance (POSS) in their mobile platforms.
- Scope of Mobile Platforms: The designation applies to the holistic Mobile Platform provided by each company, grouping together highly interconnected digital activities:
  - Apple: Smartphone Operating System (iOS), Tablet Operating System (iPadOS), Native App Distribution (App Store), and Mobile Browser and Browser Engine (Safari and WebKit).
  - Google: Mobile Operating System (Android), Native App Distribution (Play Store), and Mobile Browser and Browser Engine (Chrome and Blink).
- Market Dominance: CMA findings confirmed that almost all UK mobile device holders use either Apple or Google's platform. Users are unlikely to switch between them, reinforcing their dominance. Furthermore, to reach both user bases, businesses must distribute their content through both platforms, effectively making them "must-have" channels.
- Market Entrenchment: The CMA concluded that competitive constraints are currently limited. Despite the rapid deployment of technologies like Artificial Intelligence (AI), these developments are deemed unlikely to eliminate Apple or Google’s market power over the five-year designation period.
- Economic Impact: The designation acknowledges the crucial role of these platforms, noting that the UK app economy generates an estimated 1.5% of the UK’s GDP and supports about 400,000 jobs, encompassing sectors like FinTech and mobile gaming.

What Happens Next?
The SMS designation itself is not a finding of wrongdoing and does not introduce immediate new requirements. However, it acts as the gateway for the CMA to introduce targeted and proportionate interventions, such as Conduct Requirements or Pro-Competition Interventions, designed to ensure open choices, fair dealing, and trust and transparency within these vital digital activities. This action mirrors regulatory efforts globally, including the EU’s Digital Markets Act (DMA) and legal actions in the US and Japan.

🎧 Sponsored by Approov
We are entering a "pivotal era for mobile technology" where regulatory interventions like the CMA’s SMS designation and the EU's DMA are weakening the centralized control over app distribution held by Apple and Google. This shift "opens the floodgates for alternative app stores, sideloading, and direct-to-consumer models". As mobile security risks move beyond platform constraints, secure your applications and APIs with a truly cross-platform, developer-centric solution. Visit approov.io for more information on how to implement modern app and API protection.

🔗 Useful Links & Resources
- https://assets.publishing.service.gov.uk/media/68f8c09325d7d8af156dc294/Final_decision_report.pdf (22 October 2025): [www.gov.uk/cma]
- https://assets.publishing.service.gov.uk/media/68f8bf4780cf98c6e8ed8f83/Final_decision_report.pdf (22 October 2025): [www.gov.uk/cma]
- https://www.gov.uk/government/news/cma-confirms-apple-and-google-have-strategic-market-status-in-mobile-platforms: [www.gov.uk/cma]

💡 Keywords
CMA, Strategic Market Status (SMS), Digital Markets Competition and Consumers Act 2024 (DMCCA), Apple Mobile Platform, Google Mobile Platform, mobile platform, app distribution, mobile browser, mobile security, iOS, Android, App Store, Play Store, WebKit, Blink, API protection, sideloading, app economy, tech regulation.
www.spreaker.com
October 22, 2025 at 5:20 PM
📣 New Podcast! "How Misconfigured Firebase Servers Exposed User Credentials and Private Data?" on @Spreaker #apiprotection #approov #cloudsecurity #databreach #firebasefail #mobilesecurity #plaintextpasswords #upwardlymobile #zendata
How Misconfigured Firebase Servers Exposed User Credentials and Private Data?
In this critical episode of Upwardly Mobile, we delve into the alarming cybersecurity incident involving massive data exposure stemming from misconfigured Firebase servers. Cybersecurity researchers uncovered a breach that exposed the sensitive information and plaintext passwords of over 1.8 million users. This wasn't the result of sophisticated hacking, but rather "basic negligence" and developers failing to implement standard security settings. We discuss why Firebase, Google's popular backend-as-a-service (BaaS) for mobile apps, has become a liability risk when developers neglect configuration best practices.

What was exposed and the devastating scope of the leak:
The scope of this data leak is massive, involving publicly accessible Firebase real-time databases used by more than 900 mobile applications, predominantly Android-based. These affected apps spanned categories including health, fitness, education, and finance. The highly sensitive user data exposed included:
• Plaintext passwords (unencrypted)
• Usernames, email addresses, and phone numbers
• Billing information
• High-privilege API tokens, AWS root access tokens, and private chat logs
• Millions of user ID photos.

The Failure of Security as an Afterthought:
Experts warn that storing plaintext passwords on open cloud databases in 2025 is "reckless". The breach occurred because developers failed to secure their Firebase instances, often by extending insecure "test-mode" configurations or inadvertently leaving production environments vulnerable. Responsibility for this preventable disaster lies with both the developers and Firebase itself, for allowing insecure default settings.

We also explore the technical mechanism behind these breaches: Automated scanning tools (like OpenFirebase) are actively exploiting this vulnerability by parsing Android Package Kit (APK) files to extract Firebase project IDs, API keys, and subsequently probing service URLs for unauthenticated access. This incident serves as a strong wake-up call for the tech industry, emphasizing the critical need for mandatory security training and treating security as a core function of software development—not an afterthought.

--------------------------------------------------------------------------------
🛡️ Sponsor: Approov
Protect your mobile APIs and prevent automated attacks that exploit hardcoded secrets and misconfigurations. Secure your apps from the client-side up. Learn more and protect your platform at https://approov.io/podcast
--------------------------------------------------------------------------------
Source Materials & Links
• Article 1: "Massive data leak exposes passwords of 1.8 million users through misconfigured Firebase servers," ZENDATA (May 25, 2025).
• Article 2: "Numerous Applications Using Google's Firebase Platform Leaking Highly Sensitive Data," Cyber Security News (September 25, 2025).
--------------------------------------------------------------------------------
Keywords: Data Leak, Firebase Security, Plaintext Passwords, Cybersecurity, Mobile App Security, Google Firebase, Cloud Misconfiguration, Data Breach, Developer Negligence, API Security, Android Security, BaaS, App Development.
www.spreaker.com
October 3, 2025 at 8:15 AM
Check Point expands its global presence with a new German Point of Presence for "CloudGuard WAF"

#APIProtection #ApplicationSecurity @CheckPointSW #CloudGuardWAF #Cybersecurity #Cybersicherheit #PointofPresence #WAAP #WAF #WebApplicationFirewall

netzpalaver.de/2025/...
July 29, 2025 at 1:47 PM
Comprehensive, Gartner-confirmed protection for web applications and APIs

#APIProtection #APISchutz #APISicherheit @CheckPointSW #DevSecOps #WAAP #WAF-as-a-Service

netzpalaver.de/2025/...
June 5, 2025 at 10:02 AM
Salt Labs, Salt Security's incredible research team, has identified an account takeover vulnerability in a popular top-tier travel service for hotel and car rentals.
Read all about it here: salt.security/blog/api-sup...

#SaltLabs #DataPrivacyDay #APIsecurity #APIprotection #cybersecurity
API Supply Chain Attacks
Salt Labs has identified an account takeover vulnerability in a popular online top-tier travel service for hotel and car rentals.
salt.security
January 28, 2025 at 5:45 PM
📣 New Podcast! "The Edge Advantage: Why Cloudflare and Approov Outpace Zscaler in API Security?" on @Spreaker #apiprotection #appintegrity #approov #cloudflare #cybersecurity #edgesecurity #mobileappdev #mobilesecurity #rasp #remoteattestation #zerotrust #zscaler #zsdk
The Edge Advantage: Why Cloudflare and Approov Outpace Zscaler in API Security?
Remote Attestation vs. RASP: Securing Mobile APIs at the Edge (Zscaler vs. Approov/Cloudflare)

On this episode of Upwardly Mobile, we dive deep into the most critical architectural debate in mobile API security today: Does security enforcement belong on the client device (RASP) or off-device at the network edge (Remote Attestation)? We break down the philosophical and technical differences between the integrated Zscaler ZSDK approach, which bundles Runtime Application Self-Protection (RASP), and the specialized, edge-native partnership between Approov and Cloudflare. Discover why security experts argue that because the attacker ultimately controls the client environment, remote attestation is superior for defense against sophisticated, targeted attacks.

Episode Highlights & Key Concepts

The Philosophical Divide: RASP vs. Remote Attestation
The core of the debate centers on where security decision logic is insulated.
- RASP (Runtime Application Self-Protection): This approach implements security logic within the application code to detect threats locally during runtime, often used for real-time overlay fraud, app tampering, and emulator abuse detection.
- The Risk: Any locally enforced logic provides a target for advanced adversaries. Attackers can potentially reverse-engineer RASP checks and bypass local controls to execute API requests from a tampered application instance.
- Remote Attestation (Approov/Cloudflare): This specialized approach verifies that only a genuine, untampered app can access APIs, protecting backend systems from unauthorized or rogue applications.
- Superior Resilience: Approov’s architecture minimizes local enforcement, ensuring attestation decisions are made entirely in the cloud service. This insulates the enforcement logic on the backend, offering superior resilience against sophisticated, targeted attacks.
- Zero Feedback Loop: A key security advantage is that the attacker receives no feedback from the client on why the token validation failed at the edge, significantly raising the cost and complexity of a successful attack bypass.

Architectural and Operational Advantages
The comparison between the integrated Zscaler Zero Trust Exchange (ZTNA/SSE) model and the Approov/Cloudflare Edge-First (WAAP) model highlights major differences in deployment, performance, and operational cost.
- Enforcement Location and TCO: The Approov/Cloudflare model focuses enforcement entirely at the Cloudflare edge using serverless functions (Workers or API Shield). This is described as a zero-operations deployment model that removes the need for customer-managed infrastructure components like Zscaler’s required App Connectors. The serverless model accelerates time-to-value and minimizes maintenance overhead.
- API Key Protection: Approov provides a critical security layer by leveraging attestation guarantees to securely deliver secrets, such as API keys, just-in-time to the application only when the environment is verified as genuine and unmodified. This capability directly mitigates the risks associated with reverse engineering hard-coded keys.
- Performance and Scale: The Cloudflare/Approov integration leverages Cloudflare’s global, high-performance network. Comparative tests show Cloudflare is significantly faster than Zscaler in various Zero Trust scenarios, a crucial factor for a smooth user experience and ensuring users don't bypass security controls. Furthermore, Approov offers a commercial attestation fabric built for scale, guaranteeing no quotas or throttling on attestation traffic for high-volume apps.
- API Governance: Cloudflare API Shield enhances protection with rigorous positive security via OpenAPI schema validation at the edge. This preemptively guards against modern API security risks like Broken Object Level Authorization (BOLA) by ensuring that only traffic conforming to the documented API structure is accepted.

Secure Your Mobile APIs with the Industry's Leading Attestation Solution
This episode is proudly brought to you by Approov, the definitive solution for continuous and deterministic mobile app attestation. Approov ensures that only genuine, untampered instances of your mobile application can access your backend APIs, protecting against bot attacks, API abuse, and sophisticated tampering. Learn how to deploy mobile API security today: 🔗 https://approov.io/

Keywords: Mobile API Security, Remote Attestation, RASP, Approov, Cloudflare, Zscaler, API Integrity, Mobile App Protection, Zero Trust Architecture, Edge Security, API Abuse Prevention, Serverless Security, JWT Attestation, Mobile Bot Mitigation, Cloudflare Workers, App Attestation.
www.spreaker.com
November 7, 2025 at 2:50 AM
📣 New Podcast! "The $7M Blindspot: Mobile App Security's Hidden Costs and Fortifying APIs with Zero Trust" on @Spreaker #apiprotection #apisecurity #botmitigation #codeobfuscation #cybersecurity #datascraping #guardsquare #mobileapiabuse #mobileappsecurity #rasp #remoteattestation #zerotrust
The $7M Blindspot: Mobile App Security's Hidden Costs and Fortifying APIs with Zero Trust
In this episode of https://open.spotify.com/show/3iYLhvcx8q1QwH0jc1QSld, we dive deep into the critical, yet often underestimated, world of mobile app security. Drawing on recent research, we uncover a staggering misalignment between perception and reality, highlighting why organizations are facing an average of nine mobile app security incidents per year, with an average financial toll reaching $6.99 million in 2025. While 93% of organizations believe their mobile app protections are sufficient, a substantial 62% have experienced at least one security incident in the past year. The repercussions extend beyond financial losses, including application downtime, sensitive data leaks, erosion of consumer trust, and a diminished user experience.

We explore why traditional security measures, particularly code obfuscation, are no longer enough. Obfuscation, while deterring casual attackers, is ultimately a deterrent, not a preventative measure, offering minimal protection against runtime threats, dynamic analysis, and AI-assisted reverse engineering. The real target for modern attackers is increasingly Application Programming Interfaces (APIs). Mobile apps serve as entry points to exploit backend APIs for credential stuffing, data scraping, and business logic abuse, none of which static defenses can prevent. The weaponization of Artificial Intelligence (AI) further escalates these threats, enabling automated botnets, adaptive malware, and accelerated vulnerability discovery.

The solution? A crucial shift towards a dynamic, runtime-centric security model rooted in Zero Trust principles. This approach demands continuous monitoring and verification, moving beyond static, pre-deployment checks to protect apps during execution.

Key elements of this essential dynamic security strategy include:
• https://approov.io/mobile-app-security/rasp/: Acting as the app’s internal bodyguard, RASP detects and responds to runtime threats like debuggers, tampering, root/jailbreak, and hooking frameworks, offering real-time protection and contextual awareness.
• https://approov.io/mobile-app-security/rasp/app-attestation/: This is a standout feature, ensuring that only requests truly originating from your official, unmodified mobile app, running on a non-compromised device, are allowed to access your backend APIs. This effectively blocks bots, scripts, tampered apps, and mitigates API abuse.
• https://approov.io/mobile-app-security/rasp/runtime-secrets/: This critical measure removes sensitive secrets (like API keys) from the app's code entirely. Instead, secrets are delivered securely at runtime, just-in-time, and only to attested apps, preventing extraction through reverse engineering.
• Dynamic Channel Protection (Dynamic Pinning): Unlike brittle static certificate pinning, dynamic pinning allows for secure, over-the-air updates of certificate pins, ensuring continuous protection against Man-in-the-Middle (MitM) attacks without requiring app store updates.

We also differentiate between leading mobile app security solutions:
• https://www.guardsquare.com/, with products like DexGuard and iXGuard, excels in client-side mobile app protection, focusing on code obfuscation, hardening, and RASP to make the app's code incredibly difficult to compromise on the device.
• https://approov.io/ emphasizes remote mobile app attestation, performing deep, continuous inspection of the mobile app and device in the cloud. This server-side decision-making makes it significantly harder for attackers to bypass the attestation process, ensuring only genuine apps access your APIs. Approov's positive security model effectively "locks down" backend APIs.

Ideally, a comprehensive mobile app security strategy leverages both types of solutions: Guardsquare for strong in-app protection, and Approov for critical API integrity and abuse prevention. This multi-layered approach, combining static and dynamic defenses, is no longer optional but a fundamental requirement for achieving adequate resilience against modern mobile threats.

--------------------------------------------------------------------------------
Relevant Links to Source Materials:
• Learn more about the research highlighting the mobile app security blindspot: "https://www.devprojournal.com/technology-trends/security/research-exposes-7m-mobile-app-security-blindspot-fueled-by-overconfidence/"
• Explore in-depth the need for dynamic defenses: "WP- Mobile Security Beyond Obfuscation v1.0 FINAL B.pdf".
• Discover Approov's approach to superior mobile API protection: "https://approov.io/info/role-of-attestation-in-mobile-app-security".

Sponsor: This episode is brought to you by Approov. Safeguard your mobile apps and APIs with their unique, patented runtime shielding solution. Visit https://www.google.com/url?sa=E&q=https%3A%2F%2Fapproov.io to learn more.
www.spreaker.com
July 17, 2025 at 3:55 PM