how to prevent MFA Bypass attacks, a more common tool for cybercriminals to exploit mobile apps.

In this blog post, I’ll discuss how to prevent MFA Bypass attacks, which are becoming an increasingly common tool for cybercriminals to compromise iOS and Android apps and steal user data.

Multi-factor authentication (MFA) is one of the best practices most widely recommended by security experts to defend against unauthorized access to sensitive systems and data via insecure mobile apps. It’s alarming, though not terribly surprising, to see that hackers are getting better at defeating security defenses using a variety of sophisticated MFA Bypass methods. They are even using malware, bots, and highly automated tools and techniques to make their attacks more robust, scalable, and ultimately successful, resulting in high-profile account takeovers, data theft, mobile fraud operations, mobile ransom and more. Some recent examples of malware that are turning MFA Bypass into a successful attack vector are Eventbot, Cerberus and Rampant Kitten. The vulnerabilities inherent to MFA were discussed at RSA2019, in the “12 ways to hack MFA” session. …



How to use SSL Certificate Validation & Certificate Pinning to Prevent Phishing

What is Mobile Phishing?

Mobile Phishing is a cybercrime in which an attacker impersonates a legitimate, trusted institution and uses social engineering techniques to trick mobile users into doing what the hacker wants. The goal of phishing is usually either to trick mobile users into providing sensitive information (e.g. PII, username/password, SSN, banking details, credit card info, etc.) or to download and install malware (for example via a fake app, a clone, or malware embedded inside a legitimate app). There are many different forms and variants of phishing, such as spear phishing (high-value targets, usually execs), vishing (voicemail based), smishing (SMS based), and more. Phishing is one of the most versatile and reliable attack methods of all time, and it’s often used as a raw material in blended attacks (such as MitM attacks, ransomware, malware/trojan propagation, session hijacking, etc.). You can think of phishing as a ‘swiss-army-knife’ of cybercrime, except that phishing actually works! …


How I fixed vulnerabilities in Uber’s mobile app in minutes without coding

In preparing for APIWorld I came across a Forbes article about a vulnerability in Uber’s Mobile API, which prompted me to ask the question: how secure are your mobile APIs? I decided to have a look at Uber’s app myself and build mobile app and API security into the Uber app using a no-code platform. I recorded a video showing how I secured the app. You can view the video at the bottom of this blog post.

Back to the API security vulnerabilities found by the security researcher: the Forbes article explains how a white-hat security researcher was able to execute a complete account takeover of any Uber user’s account with little more than a simple API call against Uber’s mobile API. Lucky for Uber (and every Uber customer), Anand reported the vulnerability to Uber as part of a responsible disclosure program. It never made its way into the wild. …



I want to thank everyone for reading my first blog on Appdome’s COVID-19 Mobile Consumer Survey. That blog revealed critical mobile consumer data, from over 4000 respondents in the United States and globally: (1) consumers are using mobile apps more than ever in COVID-19, (2) consumer confidence in using mobile apps is at an all-time low, and (3) more than two-thirds of mobile app consumers feel very strongly that mobile app makers have a higher duty to protect mobile apps and users in COVID-19.

In this blog, I’ll cover the threats mobile consumers fear most. Understanding this voice of the consumer is the key to creating sustainable and lasting mobile businesses in the pandemic and beyond. We’ll uncover whether consumers fear one type of threat more than others. We’ll also discover whether mobile consumers will cut developers some slack based on the type of app or what kind of data is in the app. In other words, do consumers believe that protection against one type of threat, or securing one kind of app, is more important than others? …


This article provides detailed information on no-code mobile app obfuscation, including detailed step-by-step instructions on how to implement obfuscation in any iOS or Android app in seconds — no coding required.

About Mobile App Obfuscation

In recent years, decompilers have reached a maturity level that allows source code to be recovered from mobile apps with ease. Obfuscation has become a well-established preventive measure developers use against static reverse engineering attempts.

Several things set the various obfuscation solutions apart:

  1. Ease of use
    This can range from using specialized compilers to post-build tools.
  2. Performance
    Some obfuscation methods incur a performance penalty, while others do not impact performance at all. …

Appdome’s COVID-19 Mobile Consumer Survey — Security Expectations

Consumer Expectations About Mobile Security

COVID-19 has transformed the mobile app economy in some big ways. Overnight, more people and more businesses than ever are using and relying on mobile apps. Here at Appdome, we wanted to know if mobile consumer expectations about security in mobile apps have also shifted, and if so, by how much, so we asked mobile users directly. Understanding mobile consumer perspectives is critical to building sustainable mobile economies, protecting mobile data, and protecting mobile users. We hope you find this COVID-19 Mobile Consumer Survey research useful in building your own mobile business.

Executive Summary of Appdome’s COVID-19 Mobile Consumer Survey

This is a four-part blog series that examines consumer attitudes toward mobile app security, including how the pandemic has shaped mobile consumer expectations and perceptions about mobile app security. Given the extensive nature of the research, I’ll cover the results in separate blog posts as follows (this blog is part…



Working in mobile security over the last 5 years, I often get asked some combination or variant of the following questions:

  1. What’s the difference between native apps and non-native apps?
  2. What’s the difference between “cross-platform” apps and “hybrid apps”?
  3. How do cross-platform apps and hybrid apps relate to the ‘native vs non-native’ app question?
  4. And finally what are Progressive Web Apps (PWA) and how do they fit into the mix?

Sooooo, if you’re not a mobile developer this all may sound like alphabet soup to you. Well, don’t worry, you’re not alone. As I said, I get these questions all the time. …



Mobile app obfuscation is one of the best defenses against reverse engineering of Android and iOS apps, and therefore against the hacking attempts that build on it. Hackers use reverse engineering techniques, such as static and dynamic code analysis, to learn how your app functions and to understand the app’s logic. They later use this knowledge to attack your app and exploit its weaknesses and vulnerabilities.

What is mobile app obfuscation?

In mobile app development, obfuscation is the process of obscuring or scrambling your compiled app’s source or binary code so that it’s not readable or otherwise understandable to hackers, all without impacting your code’s function. It’s one of your ‘first lines of defense’ in a layered security strategy. …


Why do people (and hackers) Jailbreak iOS & Root Android?

Hackers jailbreak iOS and root Android devices so they can unlock and control the OS and escalate to administrative privileges. Once they control the OS, they usually try to disable security protections. This leaves your app in a relatively defenseless state and easy to attack.

Jailbreaking has a long history going back to pre-2008, when Apple didn’t have an App Store. If you wanted “cool stuff” you had to look outside Apple; otherwise, you were relegated to running everything over a browser. Today, there are many reasons people jailbreak or root their mobile devices. Just philosophically gaining greater control over a personally owned device could be a driver. …

About

AlanB

ALAN BAVOSA is VP of Security Products at Appdome, a no-code mobile app security and development platform.