Cyberattack on the telecom supply chain compared to May 2021 Colonial pipeline attack.

Upwardly Mobile: Episode Notes Episode Title: App Store Revolution: Google Play Opens to Third-Party Payments (The Epic Games Aftermath) Summary: In this episode of Upwardly Mobile, we break down the monumental shift in the Android ecosystem following the Supreme Court’s refusal to hear Google's final appeal. Google has finally opened its Google Play app store to third-party payment options for U.S. developers, settling a multi-year legal battle initiated by Epic Games. We discuss what this means for developers seeking to maximize revenue, the new freedom to direct users to cheaper external payment options, and the resulting challenges in maintaining app integrity and security now that developers are operating outside Google Play Billing exclusivity. Plus, we explore crucial security solutions, like Approov, that can help developers protect their apps when relying less on Google Mobile Services (GMS) for integrity checks. Key Takeaways - Policy Shift: Following years of legal challenges, Google is now required to allow U.S. app developers to use alternative payment methods and link users directly to external payment sources. This means developers can process payments outside of Google’s ecosystem and inform users about alternative pricing. - End of Exclusivity: Previously, Google generally mandated the use of Google Play Billing and collected a commission on nearly every in-app purchase. Now, developers can provide direct links to external checkout pages and offer options like PayPal or their own payment systems. - Timeline and Scope: This change became effective immediately as of October 29, 2025. However, the new rules currently apply only in the U.S. and the District Court order is set to expire on November 1, 2027. - Security Challenges: While developers gain freedom and potential revenue maximization by avoiding Play Store commissions, distributing and processing payments externally requires implementing their own robust security, update, and analytics systems, as Play services like integrity verification may not be available. - App Attestation Alternative: For developers building non-GMS Android apps or those seeking customizable security outside of Google’s structure, Approov provides a solution. Approov is a runtime application self-protection (RASP) tool that offers app attestation—verifying the integrity and authenticity of an app and the device it runs on—without relying on Google PlayIntegrity or SafetyNet. Sponsored by Approov Protect your app and APIs regardless of your payment processing choices. Approov offers comprehensive runtime application self-protection (RASP) and serves as a reliable, GMS-independent alternative to Google PlayIntegrity for robust app attestation and real-time threat detection. Learn more or start a free trial today: https://notebooklm.google.com/notebook/approov.io Relevant Links & Resources - Google Opens App Store to Third-Party Payment Systems (PaymentsJournal): https://www.paymentsjournal.com/google-opens-app-store-to-third-party-payment-systems/ - Google Play now allows Android apps to use other billing systems in the US (9to5Google): https://9to5google.com/2025/10/30/google-play-now-allows-android-apps-to-use-other-billing-systems-in-the-us/ - How Organizations Can Chart the Course to Agentic Commerce (Must Read): [Relevant link to PaymentsJournal content on commerce] (October 31, 2025) Keywords Google Play, third-party payments, Epic Games, app store, commission, app security, app attestation, Approov, U.S. court ruling, Google Play Billing, non-GMS apps, developer revenue, digital payments, emerging payments, API security.            

The Billion-Download Backdoor: Defending Client-Side Supply Chains Against Crypto-Draining NPM Attacks -------------------------------------------------------------------------------- Episode Notes In early September 2025, the open-source software ecosystem faced a massive supply chain attack when attackers compromised trusted maintainer accounts on npm using targeted phishing emails. This security breach led to the injection of malicious code into 18 widely used npm packages—such as chalk, debug, and ansi-styles—which together account for more than 2 billion downloads per week. This episode dives into the mechanics of the attack, the threat posed by the complex malware deployed, and the role of advanced AI-powered defenses in preventing client-side disaster. Key Takeaways The Threat Landscape The attackers' primary goal was crypto-stealing or wallet draining. The compromised packages contained obfuscated JavaScript, which, when included in end-user applications (including web projects and mobile apps built with frameworks like React Native or Ionic), was activated at the browser level. This malware would intercept network traffic and API requests, ultimately swapping legitimate cryptocurrency addresses (including Bitcoin, Ethereum, and Solana) with the attackers' wallets. The attack leveraged the human factor, as maintainers were tricked by phishing emails urging them to update two-factor authentication credentials via a fake domain, npmjs[.]help. The Evolution of Malware: Shai-Hulud Beyond crypto-hijacking, researchers detected a complex self-replicating worm dubbed Shai-Hulud. This advanced payload targets development and CI/CD environments: • Autonomous Propagation: Shai-Hulud uses existing trust relationships to automatically infect additional NPM packages and projects. • Credential Theft: Using stolen GitHub access tokens, the worm lists and clones private repositories to attacker-controlled accounts. • Secret Harvesting: It downloads and utilizes the secret-scanning tool TruffleHog to harvest secrets, keys, and high-entropy strings from the compromised environment. • Malicious Workflows: Shai-Hulud establishes persistence by injecting malicious GitHub Actions workflows into repositories, enabling automated secret exfiltration. Automated Defense with AI Security Cloudflare’s client-side security offering, Page Shield, proved critical in mitigating this threat. Page Shield assesses 3.5 billion scripts per day (40,000 scripts per second) using machine learning (ML) based malicious script detection. • Page Shield utilizes a message-passing graph convolutional network (MPGCN). This graph-based model learns hacker patterns purely from the structure (e.g., function calling) and syntax of the code, making it resilient against advanced techniques like code obfuscation used in the npm compromise. • Cloudflare verified that Page Shield would have successfully detected all 18 compromised npm packages as malicious, despite the attack being novel and not present in the initial training data. • While patches were released quickly (in 2 hours or less), Page Shield was already equipped to detect and block this threat, helping users "dodge the proverbial bullet". Security Recommendations To protect against fast-moving supply chain attacks, organizations must maintain vigilance and implement automated defenses: 1. Audit Dependencies: Review your dependency tree, checking for versions published around early–mid September 2025. Developers should pin dependencies to known-good versions. 2. Rotate Credentials: Immediately revoke and reissue any exposed CI/CD tokens, cloud credentials, or service keys that might have been used in the build pipeline. 3. Enforce MFA: Tighten access policies and enforce multi-factor authentication (MFA) on all developer and CI/CD access points. 4. Proactive Monitoring: Monitor build logs and environments for signs of suspicious scanning activity, such as the use of TruffleHog. -------------------------------------------------------------------------------- 🔗 Relevant Links and Resources • Cloudflare: https://blog.cloudflare.com/how-cloudflares-client-side-security-made-the-npm-supply-chain-attack-a-non/     ◦ Cloudflare Page Shield Script detection • Trend Micro Research: What We Know About the NPM Supply Chain Attack • Kaspersky Blog: Popular npm packages compromised 🛡️ Sponsor This episode of Upwardly Mobile is brought to you by our friends at https://approov.io/mobile-app-security/rasp/. -------------------------------------------------------------------------------- Keywords: NPM supply chain attack, Cloudflare Page Shield, Shai-Hulud worm, Cryptohijacker, crypto-stealing malware, client-side security, JavaScript obfuscation, open-source security, dependency audit, CI/CD security, phishing attack, MPGCN, machine learning security, developer accounts compromise, npm packages, software security.          

The Unseen Storm: Securing APIs and Protecting Against Key Exposure This week on Upwardly Mobile, we delve into the hidden dangers lurking within seemingly simple applications and the advanced solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes—like exposing sensitive API keys and neglecting input validation—create catastrophic security vulnerabilities, potentially leading to data breaches, financial loss, and system compromise. The Problem: Client-Side Secrets and Architectural Flaws The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, leading to critical architectural failures. We discuss how exposed API keys embedded in client-side JavaScript are considered "low-hanging fruit" for attackers. Key Takeaways from the Security Analysis: - Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, potentially exceeding quotas and incurring costs. - Interception: Tools like Burp Suite enable attackers to intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters. - Injection Attacks: Poor input sanitization on server-side search functionalities is a primary attack vector. We examine verified command snippets used to test for command injection (e.g., appending cat /etc/passwd) and NoSQL Injection (e.g., using MongoDB operator syntax). - Lateral Movement: An exposed API key is often just the beginning. If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, check for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover. Defensive Fundamentals for Developers: To combat these threats, security must be shifted left—integrated into the earliest stages of development. We review critical defensive measures: - Environment Variable Security: API keys must never be exposed to the client; they should reside in secure server-side environment variables. The client should request data from your secure server endpoint, which then internally fetches the data from the third-party API using the hidden key. - Rate Limiting: To protect backend APIs from abuse and "Denial-of-Wage" attacks (attacks that incur cost), rate limiting middleware (like express-rate-limit) is essential. This blocks automated scripts by limiting each IP to a set number of requests within a time window. - Cloud Hardening: Security extends to infrastructure. Developers must audit cloud resources, checking S3 bucket policies for leaks and ensuring EC2 security groups only allow necessary web traffic (ports 80 and 443). Closing the Mobile API Security Trust Gap with Positive Authentication While these fundamentals are crucial, mobile app security introduces unique challenges, creating a concerning "trust gap". Traditional security measures like TLS, mutual TLS, embedded API keys, and signature-based approaches are often insufficient, as they are vulnerable to reverse engineering, MitM attacks, and spoofing. We discuss Approov, a solution designed for the mobile world that uses a positive trust model to authenticate the app instance itself, rather than just the user or the connection. - App Attestation: https://approov.io/ uses a challenge-response cryptographic protocol to dynamically measure the integrity of the runtime app image. - Tokens (JWT): Only genuine, untampered apps are granted a short-lived JSON Web Token (JWT). Requests without a valid token are immediately rejected by the backend API. - Protection against Reverse Engineering: Because the system does not rely on static secrets embedded in the app, traditional reverse engineering techniques are ineffective. Approov also provides a runtime secrets protection capability, allowing developers to remove third-party API keys from the app package entirely, substituting them only just in time for the API call after the app has passed attestation. - Benefits: This positive authentication model blocks sophisticated bots, automated scraping systems, and repackaged apps, ensuring that only registered, authentic versions of your application can access your valuable digital assets. Links & Resources Source Material Reference: - Excerpts from "https://undercodetesting.com/the-unseen-storm-how-a-simple-weather-app-exposes-critical-api-security-flaws/" - Excerpts from "https://approov.io/addressing-the-security-trust-gap-in-a-mobile-world" Sponsor: - Learn how Approov protects your revenue and business data by deploying Mobile Security: https://www.approov.io/ Keywords API security, mobile security, API key protection, reverse engineering, input validation, client-side vulnerabilities, app attestation, JWT, zero-trust architectures, rate limiting, cloud security, Denial-of-Wage, Man-in-the-Middle (MitM), Burp Suite, Approov. 

Secure your mobile app APIs with Approov and Cloudflare integration, ensuring only genuine apps on uncompromised devices can access backend infrastructure.

The GitHub API Key Gold Rush: How Exposed Credentials Are Fueling the Next Wave of Cyber Attacks - "Undercode Testing": Monitor hackers like a pro. Get

UK CMA Declares Apple & Google Have Strategic Market Status (SMS): The Future of Mobile Competition and Security In this pivotal episode of "Upwardly Mobile," we break down the monumental decision by the UK Competition and Markets Authority (CMA) to officially designate Apple and Google with Strategic Market Status (SMS) in their respective mobile platforms. This move is set to reshape digital markets across the UK and has massive implications for app developers, businesses, and mobile security worldwide. Key Takeaways from the CMA's Decision (Published 22 October 2025): The CMA launched its investigations in January 2025 under the Digital Markets, Competition and Consumers Act 2024 (DMCCA), aiming to address the "unprecedented market power" held by a few large digital firms. - SMS Designation Confirmed: Following consultation with over 150 stakeholders, the CMA confirmed that both Apple and Google meet the legal tests for having Substantial and Entrenched Market Power (SEMP) and a Position of Strategic Significance (POSS) in their mobile platforms. - Scope of Mobile Platforms: The designation applies to the holistic Mobile Platform provided by each company, grouping together highly interconnected digital activities: - Apple: Smartphone Operating System (iOS), Tablet Operating System (iPadOS), Native App Distribution (App Store), and Mobile Browser and Browser Engine (Safari and WebKit). - Google: Mobile Operating System (Android), Native App Distribution (Play Store), and Mobile Browser and Browser Engine (Chrome and Blink). - Market Dominance: CMA findings confirmed that almost all UK mobile device holders use either Apple or Google's platform. Users are unlikely to switch between them, reinforcing their dominance. Furthermore, to reach both user bases, businesses must distribute their content through both platforms, effectively making them "must-have" channels. - Market Entrenchment: The CMA concluded that competitive constraints are currently limited. Despite the rapid deployment of technologies like Artificial Intelligence (AI), these developments are deemed unlikely to eliminate Apple or Google’s market power over the five-year designation period. - Economic Impact: The designation acknowledges the crucial role of these platforms, noting that the UK app economy generates an estimated 1.5% of the UK’s GDP and supports about 400,000 jobs, encompassing sectors like FinTech and mobile gaming. What Happens Next? The SMS designation itself is not a finding of wrongdoing and does not introduce immediate new requirements. However, it acts as the gateway for the CMA to introduce targeted and proportionate interventions, such as Conduct Requirements or Pro-Competition Interventions, designed to ensure open choices, fair dealing, and trust and transparency within these vital digital activities. This action mirrors regulatory efforts globally, including the EU’s Digital Markets Act (DMA) and legal actions in the US and Japan. 🎧 Sponsored by Approov We are entering a "pivotal era for mobile technology" where regulatory interventions like the CMA’s SMS designation and the EU's DMA are weakening the centralized control over app distribution held by Apple and Google. This shift "opens the floodgates for alternative app stores, sideloading, and direct-to-consumer models". As mobile security risks move beyond platform constraints, secure your applications and APIs with a truly cross-platform, developer-centric solution. Visit approov.io for more information on how to implement modern app and API protection. 🔗 Useful Links & Resources - https://assets.publishing.service.gov.uk/media/68f8c09325d7d8af156dc294/Final_decision_report.pdf (22 October 2025): [www.gov.uk/cma] - https://assets.publishing.service.gov.uk/media/68f8bf4780cf98c6e8ed8f83/Final_decision_report.pdf (22 October 2025): [www.gov.uk/cma] - https://www.gov.uk/government/news/cma-confirms-apple-and-google-have-strategic-market-status-in-mobile-platforms: [www.gov.uk/cma] 💡 Keywords CMA, Strategic Market Status (SMS), Digital Markets Competition and Consumers Act 2024 (DMCCA), Apple Mobile Platform, Google Mobile Platform, mobile platform, app distribution, mobile browser, mobile security, iOS, Android, App Store, Play Store, WebKit, Blink, API protection, sideloading, app economy, tech regulation. 

Approov's participation at Cloudflare Connect 2025 highlighted key insights on API security, strategic partnerships, and the future of secure connectivity.

API Security Under Fire: F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps The F5 BIG-IP Breach and What It Means for Developers This week on Upwardly Mobile, we dive into the fallout from the catastrophic security breach at F5 Networks, where a sophisticated nation-state adversary compromised the integrity of the critical BIG-IP product line. We discuss why this incident poses an imminent and unacceptable risk to organizations—especially mobile app developers who rely on F5 devices for critical API security infrastructure like load balancing and firewalling. The Compromise: Source Code, Credentials, and Zero-Day Roadmaps The threat actor maintained long-term, persistent access to F5’s internal systems, specifically the BIG-IP product development environment and engineering knowledge platforms. This sophisticated attack led to the theft of crucial materials: - Proprietary Source Code: Portions of the proprietary source code for the flagship BIG-IP product line were exfiltrated. While F5 confirmed the actor did not inject malicious code, possessing the source code allows adversaries to analyze it for vulnerabilities or backdoor opportunities. - Vulnerability Roadmap: Attackers gained access to internal documentation detailing undisclosed (zero-day) vulnerabilities that F5 engineers were investigating or fixing. This provides the adversaries with a virtual roadmap, enabling them to rapidly develop exploits for unpatched flaws. - Customer Configuration Data: A small portion of customer-specific data was stolen, including network topologies, device configurations, or deployment details. For developers managing mobile APIs, this stolen information increases the risk that sensitive credentials can be abused and attackers can target specific deployment setups. Urgent Action Required: The CISA Emergency Directive The severity of the incident prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive for federal agencies, underscoring the potential for widespread exploitation. Developers and organizations using F5 devices must take immediate action: - Patch Immediately: Install the latest security updates, particularly the Quarterly Security Notification F5 released simultaneously, which addressed 44 new vulnerabilities. - Isolate Management Interfaces: Identify all F5 resources and critically, isolate management interfaces from the internet to prevent initial access and investigate any exposure. - Adopt Zero Trust: Implement a zero trust architecture to reduce the attack surface and block lateral movement. Prioritize connecting users directly to applications, not the underlying network. - Change Credentials: Change all default credentials immediately. Sponsor Segment Securing mobile APIs from threats that target application logic and device integrity is paramount. To fortify your defenses against sophisticated adversaries like the one in the F5 breach, explore https://approov.io/mobile-app-security/rasp/api-security/. Approov provides crucial mobile app and API protection by verifying the authenticity of mobile apps and ensuring only legitimate, untampered clients can access your APIs. Relevant Links - https://my.f5.com/manage/s/article/K000156572:  - https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices:  - Sponsor Website: https://approov.io/ Keywords: F5, BIG-IP, API Security, Mobile App Security, Zero-Day Vulnerability, Source Code Theft, Nation-State Hacking, CISA, Emergency Directive, Zero Trust, Load Balancer, Firewall, Patching, UNC5221, BRICKSTORM, Cybersecurity, Network Topology, Credential Abuse, Upwardly Mobile

UK highly significant cyberattacks jumped by 50% over the past year, Australian cyber incidents rose 11% over the past year, Ofcom fined 4chan under new online safety regime, Researchers eavesdropped ...

Corporate Extortion and the Fall of BreachForums: Tracking ShinyHunters In this episode of "Upwardly Mobile," we dive into the world of high-stakes corporate extortion, focusing on the sophisticated cybercriminal group ShinyHunters (also tracked as UNC6040) and the subsequent takedown of their infamous platform, BreachForums. The sources detail how the FBI, in collaboration with French law enforcement authorities, seized the Breachforums.hn domain, which the Scattered Lapsus$ Hunters (a gang linked to ShinyHunters, Scattered Spider, and Lapsus$) were using as a data leak and extortion site. This action involved switching the domain’s nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov. ShinyHunters confirmed the seizure, noting that law enforcement gained access to BreachForums database backups dating back to 2023 and escrow databases since the latest reboot, effectively declaring that "the era of forums is over". Despite the clearnet site takedown, the threat actors maintained that their Tor dark web site was still accessible and that the seizure would not affect their campaign. The Massive Salesforce Extortion Campaign The core focus of the Scattered Lapsus$ Hunters’ recent activity was an extensive Salesforce extortion campaign. This campaign originated in May 2025 when ShinyHunters launched a social engineering campaign using voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The hackers claimed to have stolen more than one billion records containing customer information. The long list of affected companies included major corporations such as FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, and Chanel. Salesforce has publicly stated that they will not engage, negotiate with, or pay any extortion demand. Beyond Salesforce: Discord and Red Hat The criminal group also claimed responsibility for other significant intrusions: - https://www.bleepingcomputer.com/news/security/red-hat-confirms-security-incident-after-hackers-breach-gitlab-instance/: The Scattered Lapsus$ Hunters took credit for compromising a Red Hat GitLab server, stealing more than 28,000 Git code repositories and sensitive internal documents, including customer secrets and infrastructure details. - https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service: ShinyHunters claimed responsibility for an incident affecting Discord users. Discord confirmed that an unauthorized party compromised a third-party customer service provider (5CA), impacting a limited number of users who had contacted Customer Support or Trust & Safety teams. Critically, the unauthorized party gained access to a small number of government-ID images submitted for age verification appeals, as well as usernames, emails, limited billing info, and IP addresses. Tactics and Targets The group employs sophisticated tactics, including exploiting zero-day vulnerabilities, such as a critical flaw in Oracle’s E-Business Suite software (CVE-2025-61882). Furthermore, members of the group have been known to distribute malware—specifically the commercially available ASYNCRAT backdoor—disguised as a Windows screensaver file (.scr) via menacing, targeted emails. This highlights the constant pressure faced by security professionals, often from threat actors derisively called "Advanced Persistent Teenagers" (APTs). Links & Resources - Law Enforcement Takedown: Nameservers used in the FBI seizure: ns1.fbi.seized.gov and ns2.fbi.seized.gov. - Publications Cited: https://www.bleepingcomputer.com/news/security/fbi-takes-down-breachforums-portal-used-for-salesforce-extortion/. - Discord Security Incident: Discord confirmed they would contact impacted users via [email protected]. - Security Validation: Join the Picus BAS Summit to experience the future of security validation. - ASYNCRAT Analysis: Virustotal analysis on the ASYNCRAT malware provided via link. 🛡️ Sponsor: https://approov.io/ To ensure your mobile and web applications are secure against sophisticated attacks, trust the experts. Learn more about enhanced security measures and API protection at approov.io. Keywords ShinyHunters, BreachForums, Salesforce Extortion, FBI Takedown, Scattered Lapsus$ Hunters, Data Breach, Red Hat, Discord Hack, Voice Phishing, Cybercrime, Hacking Forum, ASYNCRAT, UNC6040, CVE-2025-61882, Security Validation. Relevant 

Ensure your AI-powered mobile app is secure from new threats by implementing robust security measures. Learn how to protect your app and API with insights.

Mobile is officially the digital default. In this episode of Upwardly Mobile, we explore the staggering statistics showing mobile devices dominating global internet usage and discuss the critical security challenges that arise from this mobile-first environment. We then delve into the cutting-edge solution offered by our sponsor, Approov, and their latest platform update, https://www.businesswire.com/news/home/20251007833296/en/Approov-Launches-Next-Generation-Attestation-to-Secure-Mobile-Apps-Against-Threats-from-AI-and-Meet-New-EU-Regulations, including AI-driven attacks and new regulatory pressures. The Mobile Tipping Point: 64% and Rising The mobile landscape is at an inflection point. As of 2025, over 64% of all website traffic comes from mobile devices. This dominance is driven by the fact that nearly 96.3% of internet users access the internet using a mobile phone. • This shift is not just a trend; it is the new normal. • Mobile traffic reached 64.1% in Q2 2025, marking eight consecutive quarters of growth. • Developing regions are leading the surge, with Africa having the highest proportion of mobile internet traffic at 69.13%, and Asia seeing 72.3% of all web traffic coming from smartphones. • The most common activities performed on smartphones include playing a game (68%), listening to music (67%), and using social media (63%). The Security Gap in a Mobile-First World The widespread adoption of mobile creates significant security vulnerabilities. Automated threats make it easier for bad actors to clone legitimate apps, steal data, and commit fraud, which can cause irreparable damage to a brand's reputation and financially devastate users. Furthermore, new security gaps are emerging due to regulations like the EU’s Digital Markets Act (DMA), which mandates support for third-party app stores, increasing the risk of fraudulent apps. Approov 3.5: Protecting the Critical Connection Approov, the leader in mobile API security, addresses these threats by acting as a digital gatekeeper. Approov protects the critical connection between a mobile app and a company's backend servers (APIs). It ensures that only genuine, untampered apps running in a secure environment can access sensitive services, blocking automated bots, modified apps, and cloned apps before they can compromise data. The latest platform update, Approov 3.5, delivers next-generation attestation: • Ready for the DMA and Open App Stores: Approov’s cloud-based verification ensures only genuine app instances—regardless of their distribution source—can access a company’s APIs. • Hardware-Backed Security (Android): Cryptographic keys are stored in a secure, isolated “vault” on the device’s hardware, making cloning an app’s identity virtually impossible. • Defense Against AI-Powered Attacks: The platform provides real-time threat analytics, allowing security teams to dynamically issue over-the-air (OTA) updates to block emerging AI threats without requiring an app update. • Immutable App Signature: This feature creates a unique fingerprint upon installation, continuously verifying the app’s integrity against tampering or repackaging with malware. • Memory Dump Detection: A new defense actively blocks attackers attempting to scrape sensitive information, such as AI secrets or user credentials, directly from the device’s memory. Approov has proven that robust security can be achieved without compromising user experience, offering fast and responsive cross-platform security checks for iOS, Android, and HarmonyOS. By verifying API requests, Approov reduces API attacks by over 95%. -------------------------------------------------------------------------------- Keywords Mobile traffic, API security, Approov 3.5, mobile app security, Digital Markets Act (DMA), hardware-backed security, 64% web traffic, AI-powered attacks, mobile-first, app cloning, fraud prevention, mobile API. Sponsor Link For more information on securing your mobile application and APIs, please visit our sponsor: https://approov.io/.

Game engine developer Unity urges users to patch severe flaw, Hackers stole some Discord user data after a third-party compromise, US immigration dramatically expands its spying ability, Asahi reverts...

Though Unity claims there's no evidence of impact 'on users or customers.'

In this episode of Upwardly Mobile, we dive into the significant legal challenges facing major technology companies—Apple, Google (Alphabet), and Meta Platforms—as they are forced to defend themselves against class action lawsuits alleging that they promoted and profited from illegal social casino gambling apps. A recent ruling by U.S. District Judge Edward Davila in San Jose, California, denied the companies' requests to dismiss the lawsuits. The plaintiffs, numbering in the dozens, contend that the companies' platforms—Apple’s App Store, Google’s Play Store, and Meta’s Facebook—promoted an “authentic Vegas-style experience of slot machine gambling” through an allegedly illegal racketeering conspiracy. Key Takeaways from the Litigation: - The Liability Claim: The core claim is that the defendants "willingly assist, promote and profit from" allegedly illegal gambling. This is achieved by: - Offering users access to the apps through their stores. - Taking a substantial percentage of consumer purchases (estimated at 30% commission, totaling over $2 billion) on in-app transactions for items like Game Coins and Sweeps Coins. - Processing these allegedly illicit transactions using proprietary payment systems. - Using targeted advertising to "shepherd the most vulnerable customers" to the casino apps. - The Section 230 Defense Rejected: Apple, Google, and Meta argued that Section 230 of the federal Communications Decency Act protected them from liability because this law shields online platforms from lawsuits over third-party content. Judge Davila rejected this argument, finding that the companies did not act as "publishers" when processing payments. The judge emphasized that the "crux of plaintiffs’ theory is that defendants improperly processed payments for social casino apps". - "Neutral Tools" Argument Undercut: The court called it irrelevant that the companies provided "neutral tools" (like payment processing) to support the apps. - Damages Sought: The lawsuits seek unspecified compensatory and triple damages, among other remedies. - Appeals and Case History: Judge Davila allowed the defendants to immediately appeal his decision to the 9th U.S. Circuit Court of Appeals, acknowledging the importance of the Section 230 issues. The litigation against the Silicon Valley-based companies began in 2021. - Additional Suits: Separately, a new lawsuit was filed against Apple and Google by lead Plaintiff Bargo (not naming the social casino operators), alleging the distribution of "patently illegal gambling software" in New Jersey and New York. This complaint includes legal claims under NJ and NY gambling loss recovery statutes, consumer protection laws, and RICO laws. Sponsor Message: This episode of Upwardly Mobile is brought to you by our sponsor. Learn how to secure your mobile app business today. Visit https://approov.io/. Relevant Source Materials & Case Information: - Article Reference (Legal Analysis): Excerpts from "Apple and Google Hit with New Social Casino Gambling Lawsuit," National Law Review (October 02, 2025). (Article written by James G. Gatto of Sheppard, Mullin, Richter & Hampton LLP). - Article Reference (News): "Apple, Google, Meta must face lawsuits over gambling apps," Honolulu Star-Advertiser (Oct. 1, 2025). - Article Reference (Judicial Denial): "Judicial Denial for Tech Giants in Casino App Lawsuits" (Sept 30). - Amicus Brief Reference: In re: Casino-Style Games Litigation (Nos. 22-16914, 22-16916, 22-16888, 22-16889, 22-16921, 22-16923) U.S. Court of Appeals for the Ninth Circuit. - District Court Case Reference (Northern District of California): In re Apple Inc App Store Simulated Casino-Style Games Litigation, No. 21-md-02985; In re Google Play Store Simulated Casino-Style Games Litigation, No. 21-md-03001; and In re Facebook Simulated Casino-Style Games Litigation, No. 21-02777. - Sponsor Link: https://approov.io/ Keywords for SEO Optimization: Social Casino Lawsuit, Apple, Google, Meta, Section 230, Gambling Apps, App Store, Play Store, Communications Decency Act, Platform Liability, Edward Davila, Consumer Protection, Racketeering, Illegal Gambling, Tech Litigation, In-App Purchases, RICO.

In this critical episode of Upwardly Mobile, we delve into the alarming cybersecurity incident involving massive data exposure stemming from misconfigured Firebase servers. Cybersecurity researchers uncovered a breach that exposed the sensitive information and plaintext passwords of over 1.8 million users. This wasn't the result of sophisticated hacking, but rather "basic negligence" and developers failing to implement standard security settings. We discuss why Firebase, Google's popular backend-as-a-service (BaaS) for mobile apps , has become a liability risk when developers neglect configuration best practices. What was exposed and the devastating scope of the leak: The scope of this data leak is massive, involving publicly accessible Firebase real-time databases used by more than 900 mobile applications, predominantly Android-based . These affected apps spanned categories including health, fitness, education, and finance. The highly sensitive user data exposed included: • Plaintext passwords (unencrypted) • Usernames, email addresses, and phone numbers • Billing information • High-privilege API tokens, AWS root access tokens, and private chat logs • Millions of user ID photos . The Failure of Security as an Afterthought: Experts warn that storing plaintext passwords on open cloud databases in 2025 is "reckless" . The breach occurred because developers failed to secure their Firebase instances, often by extending insecure "test-mode" configurations or inadvertently leaving production environments vulnerable. Responsibility for this preventable disaster lies with both the developers and Firebase itself, for allowing insecure default settings.We also explore the technical mechanism behind these breaches: Automated scanning tools (like OpenFirebase) are actively exploiting this vulnerability by parsing Android Package Kit (APK) files to extract Firebase project IDs, API keys, and subsequently probing service URLs for unauthenticated access. This incident serves as a strong wake-up call for the tech industry, emphasizing the critical need for mandatory security training and treating security as a core function of software development—not an afterthought. -------------------------------------------------------------------------------- 🛡️ Sponsor: Approov Protect your mobile APIs and prevent automated attacks that exploit hardcoded secrets and misconfigurations. Secure your apps from the client-side up. Learn more and protect your platform at https://approov.io/podcast -------------------------------------------------------------------------------- Source Materials & Links • Article 1: "Massive data leak exposes passwords of 1.8 million users through misconfigured Firebase servers," ZENDATA (May 25, 2025). • Article 2: "Numerous Applications Using Google's Firebase Platform Leaking Highly Sensitive Data," Cyber Security News (September 25, 2025). -------------------------------------------------------------------------------- Keywords: Data Leak, Firebase Security, Plaintext Passwords, Cybersecurity, Mobile App Security, Google Firebase, Cloud Misconfiguration, Data Breach, Developer Negligence, API Security, Android Security, BaaS, App Development.

Google appears to have deleted its political ad archive for the EU; so the last 7 years of ads, of political spending, of messaging, of targeting - on YouTube, on Search and for display ads - for coun...