#upwardlymobile
The Age of Agentic AI: Securing Mobile APIs Against Bots with Brains

Episode Summary: Welcome back to "Upwardly Mobile"! In this episode, we dive deep into the rapidly evolving mobile threat landscape defined by the rise of "Agentic AI." With Android 17 set to transform our smartphones into active, on-device AI orchestrators by Summer 2026, the security stakes have never been higher. We unpack the findings of the 2026 Cloudflare Threat Report, which documents the industrialization of cyber threats and how attackers use AI as a massive force multiplier. We also explore why legacy bot defenses (rate limiting, CAPTCHAs and behavioral biometrics) are failing against modern AI bots that can dynamically rewrite their own code and mimic human behavior with 99% accuracy. Finally, we discuss how combining Cloudflare's edge network with Approov's deterministic device attestation provides a defense-in-depth architecture that stops mobile API abuse at the source. If you are attending the RSA Conference (RSAC) in San Francisco in March 2026, be sure to catch up with our sponsors at Approov to learn how to future-proof your mobile architecture!

Key Takeaways:
- The Android 17 Revolution: Android 17 shifts the OS from a reactive tool to an active "agent phone" that orchestrates multi-step workflows across apps. This brings real gains in speed and privacy, but it also expands the attack surface for prompt injection and cross-app data leakage.
- The Industrialization of Cyber Threats: The 2026 Cloudflare Threat Report reveals that AI has lowered the barrier to entry for effective cyber operations, moving the industry toward automated, machine-speed exploitation.
- The Death of Legacy Bot Defenses: Legacy probabilistic defenses such as WAFs and CAPTCHAs are failing because multimodal LLM agents can now solve logic puzzles and mimic human "thumb jitter".
- Cryptographic Proof of Life: To stop agentic AI, security must shift from asking "Is this a bot?" to demanding deterministic, cryptographic proof of the integrity of the device and the app.
- A New Defense-in-Depth: Combining Cloudflare's global edge network with Approov's deep runtime analysis and "Zero Secrets" architecture ensures that only untampered, legitimate app instances can access your APIs.

Sponsor Links:
- Secure your Mobile APIs today: Visit https://approov.com to learn how to eliminate hardcoded secrets and implement deterministic device attestation.

Source Materials & Further Reading:
- Android 17: Android Is Becoming an Agent - Are you ready?
- 2026 Cloudflare Threat Report: How adversaries are weaponizing the Internet
- When the Bot Has a Brain: Defending Mobile APIs in the Era of Agentic Attackers (Approov RSAC 2026 Presentation)
- See You at RSA 2026: Let's Talk Stopping Mobile API Abuse at the Source

Keywords for SEO: Agentic AI, Mobile API Security, Android 17, Cloudflare Threat Report 2026, Approov, Bot Mitigation, RSA Conference 2026, Cybersecurity, Device Attestation, Zero Secrets Architecture, AI Bots, Malware Defense, Prompt Injection, API Abuse.
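A minimal illustration of the "Cryptographic Proof of Life" point above, written as an added example for this page. It is not Approov's SDK or token format, and it does not show how an attestation service decides that an app is genuine; it shows the API side of the pattern, where a short-lived, HMAC-signed attestation token is verified deterministically (signature, expiry, audience) before the request is served. The secret, the audience string and the claim names are assumptions for the illustration; issue_token is included only so the block runs stand-alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values for this illustration. In a real deployment the attestation
# service and the API share this key out of band and it lives in the API's secret
# store, never in the app: the app only ever holds short-lived tokens.
ATTESTATION_SECRET = b"example-attestation-hmac-key-not-for-production"
EXPECTED_AUDIENCE = "api.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict) -> str:
    """What the attestation service does once it has verified the app and device:
    sign the claims as a compact HS256 JWT. Here only so the example is self-contained."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(ATTESTATION_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_attestation(token: str, now=None):
    """Deterministic gate in front of the API: the request is served only if the token
    carries a valid signature, has not expired and was issued for this API.
    Returns (ok, reason); nothing here depends on how 'human' the traffic looks."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # The verifier always uses HMAC-SHA256: the header's alg is checked, never trusted.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(
        ATTESTATION_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison so a forged token cannot be refined byte by byte.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token({"aud": EXPECTED_AUDIENCE, "exp": int(time.time()) + 60})
    print(verify_attestation(token))
```

The point of the shape: a scraper that perfectly imitates thumb jitter still cannot produce a valid signature without the key, and because the key never ships in the app there is nothing to extract from a decompiled build. Short expiry limits how long a token captured from a genuine device stays useful.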

📣 New Podcast! "The Age of Agentic AI: Securing Mobile APIs Against Bots with Brains" on @Spreaker #agenticai #android17 #apisecurity #approov #botmitigation #cloudflare #cybersecurity #mobilesecurity #rsac2026 #upwardlymobile #zerotrust

Epic Victory: Google Play's Walled Garden Opens Up & What It Means for Developers

Episode Summary: In this episode of Upwardly Mobile, we dive deep into the landmark antitrust settlement between Epic Games and Google that is set to reshape the Android app ecosystem globally. After years of legal battles sparked by Epic's "Project Liberty" and the removal of Fortnite from the Play Store, a jury found that Google had maintained an illegal monopoly. We break down the newly announced March 2026 settlement, which significantly lowers Play Store commission fees and introduces a "Registered App Stores" program. What does this mean for mobile developers, app revenue, and Android security? Tune in to find out!

Brought to you by Approov: As Android opens its doors to third-party "Registered App Stores" and frictionless sideloading, protecting your mobile app and APIs from malicious clones and tampering is more critical than ever. Secure your mobile business and authenticate your apps natively with https://approov.com/.

Key Topics Discussed:
- The Origins of the Lawsuit: How Epic Games' Tim Sweeney bypassed Google's standard 30% fee by allowing direct purchases in Fortnite, leading to the game's removal and a massive antitrust lawsuit.
- The Courtroom Battle: The internal practices uncovered during the trial, including Google's "Project Hug" and the millions of dollars spent to keep developers from abandoning the Play Store.
- The 2026 Settlement Details: How Google is dropping its standard Play Store commission to 20% for in-app purchases and 10% for recurring subscriptions.
- Registered App Stores Program: A deep dive into Google's new framework that lets alternative Android app stores (such as the Epic Games Store) become "first-class citizens" on Android devices, removing the "doom-laden" security pop-ups previously shown for sideloading.
- Global Rollout Timeline: When the fee changes and developer programs go live, starting in the US, UK and European Economic Area in June 2026 and expanding globally by September 2027.

Source Materials & Further Reading:
- TechCrunch: https://techcrunch.com/
- Wikipedia: https://en.wikipedia.org/w/index.php?title=Epic_Games_v._Google&oldid=1338953412

Targeted SEO Keywords: Epic Games vs Google, Google Play Store settlement, Android app ecosystem, Registered App Stores program, mobile app development, third-party app stores, sideloading Android apps, app store commission fees, Tim Sweeney, Fortnite Android return, mobile app security, API protection.

📣 New Podcast! "Epic Victory: Google Play's Walled Garden Opens Up & What It Means for Developers" on @Spreaker #androiddev #approov #appstore #epicgames #fortnite #googleplay #mobilesecurity #sideloading #upwardlymobile

Unpacking the Spotify Exploits: Credential Stuffing, Fake Streams, and Mobile App Security

Episode Summary: In this episode of Upwardly Mobile, we dive deep into the exploitation of one of the world's largest audio streaming platforms. We break down the credential stuffing attack that compromised 350,000 Spotify accounts, exposing the dangers of poor password hygiene (reused passwords) and unsecured databases. We also explore the ongoing controversies around Spotify, including lawsuits over artificial streaming, bot farms, and the platform's "Discovery Mode". We highlight a growing trend in which malicious actors weaponize Spotify's search features to promote pirated software, phishing schemes, and malware. Finally, we pivot to actionable solutions for developers, exploring how Zero Trust runtime protection and app attestation can stop automated attacks on mobile APIs.

Brought to you by Approov: Don't let bots, scripts, or fake apps compromise your platform. Learn how to stop credential stuffing and secure your APIs at https://approov.com/.

Sponsor Spotlight: Approov Mobile Security. Are your mobile apps and APIs safe from automated credential stuffing, emulators, and Man-in-the-Middle (MitM) attacks? Approov ensures that only genuine mobile app instances running in safe environments can access your APIs, blocking scripts, modified apps, and bots in real time.
👉 Secure your mobile platforms today at https://approov.com/.

Source Materials & Further Reading:
- https://www.itpro.com/
- https://www.noise11.com/
- https://dig.watch/
- https://approov.com/

Keywords: Credential stuffing, mobile app security, Spotify hack, artificial streaming, bot farms, zero trust runtime protection, API security, mobile malware, phishing schemes, app attestation, Approov.
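An added example of the detection side of the credential-stuffing story above; it is not Spotify's or Approov's code. It runs a small detector over constructed authentication log lines and separates the stuffing signature (one source trying many distinct accounts, mostly failing) from a legitimate user fumbling their own password. The log format, IP addresses, account names and thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (illustrative, not real data).
# One line per login attempt: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2025-11-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2025-11-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2025-11-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2025-11-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2025-11-01T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2025-11-01T10:00:04Z ip=203.0.113.7 user=frank@example.com result=OK
2025-11-01T10:00:05Z ip=198.51.100.2 user=alice@example.com result=FAIL
2025-11-01T10:00:09Z ip=198.51.100.2 user=alice@example.com result=FAIL
2025-11-01T10:00:15Z ip=198.51.100.2 user=alice@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Flag sources that behave like a credential-stuffing tool: many *distinct*
    accounts from one IP with a high failure rate (one leaked password tried per
    account). A user mistyping their own password keeps hitting a single account
    and is left alone. Returns {ip: [accounts where the login succeeded]} so those
    accounts can be forced through a password reset and session revocation."""
    per_ip = defaultdict(lambda: {"accounts": set(), "hits": set(), "fails": 0, "total": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["accounts"].add(e["user"])
        s["total"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["accounts"]) >= min_accounts and s["fails"] / s["total"] >= min_fail_ratio:
            flagged[ip] = sorted(s["hits"])
    return flagged


if __name__ == "__main__":
    for ip, compromised in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; successful logins to {compromised}")
```

In production the counters are kept per sliding time window and keyed on more than the source IP (ASN, device fingerprint, attestation result), because stuffing tools rotate residential proxies; that is where a per-request proof that the caller is the genuine app complements log-based detection.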

📣 New Podcast! "Unpacking the Spotify Exploits: Credential Stuffing, Fake Streams, and Mobile App Security" on @Spreaker #apisecurity #approov #appsec #credentialstuffing #cybersecurity #mobilesecurity #spotify #spotifyhack #upwardlymobile #zerotrust

Securing Mobile Healthcare | The Hidden Dangers in Mental Health Apps

Episode Summary: In this episode of Upwardly Mobile, we dive deep into a new cybersecurity report revealing that the highly sensitive medical data of millions of users may be at risk. We discuss the discovery of 1,500 vulnerabilities across 10 popular mental health apps that have together been downloaded more than 14 million times. From leaked therapy transcripts and mood logs to the high black-market value of stolen health records, we unpack the risks specific to digital healthcare. Finally, we explore actionable solutions for healthcare providers and developers to lock down their platforms, with insights on Runtime Application Self-Protection (RASP), dynamic certificate pinning, and end-to-end API security.

Key Topics Discussed in This Episode:
- The Mental Health App Crisis: How researchers at Oversecured uncovered 54 high-severity flaws in leading mental health applications, leaving data such as Cognitive Behavioral Therapy (CBT) session notes and medication schedules exposed.
- The Black Market for Health Data: Why cybercriminals target therapy records, which can sell for upwards of $1,000 each, far more than stolen credit card numbers.
- Common Developer Pitfalls: The dangers of outdated apps, plaintext configuration data, hardcoded Firebase URLs, and insecure encryption keys.
- Securing Mobile Health: How Runtime Application Self-Protection (RASP) and dynamic certificate pinning can prevent Man-in-the-Middle (MitM) attacks, block bots, and support HIPAA and GDPR compliance.

Sponsor: This episode is brought to you by https://approov.com. Approov provides complete, end-to-end protection for mobile health apps and APIs. Its lightweight SDK and RASP technology can be deployed in a single sprint to block bot attacks, prevent credential stuffing, and stop API abuse. Keep your patients' health data safe, even on jailbroken devices or insecure Wi-Fi networks. Learn how to protect your revenue and patient trust at https://approov.com.

Resources & Source Materials:
- TechRadar Report: https://www.techradar.com
- Approov Mobile Health Security: https://approov.com

SEO Keywords: Mobile app security, mental health apps, healthcare data breach, API security, mobile health compliance, HIPAA compliance mobile apps, RASP technology, cybersecurity podcast, Oversecured vulnerabilities, patient data protection, Approov mobile security.
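An added example for the "Common Developer Pitfalls" bullet above, written for this page rather than taken from the Oversecured report or from Approov: a small pre-release scanner that walks the plain-text resources bundled into an APK and flags hardcoded Firebase URLs, Google API keys and hex-encoded symmetric keys, the kind of findings a decompiler hands an attacker for free. The sample files, their contents and the finding labels are constructed for the illustration; the patterns cover only the three pitfalls named here, not every secret type.

```python
import re

# Constructed sample files of the kind that ship inside an APK as plain text
# (illustrative values only, not from any real app).
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '    <string name="app_name">MoodTracker</string>\n'
        '    <string name="firebase_url">https://moodtracker-demo.firebaseio.com</string>\n'
        '    <string name="api_key">AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q</string>\n'
        '</resources>\n'
    ),
    "assets/config.properties": (
        "backend=https://api.example.com\n"
        "aes_key=0123456789abcdef0123456789abcdef\n"
        "debug=true\n"
    ),
}

# One pattern per pitfall named in the episode; the labels are our own.
PATTERNS = {
    "firebase_url": re.compile(r"https://[\w.-]+\.firebaseio\.com"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    # A 16..32 byte hex blob assigned to a key-ish name: a hardcoded symmetric key.
    "hardcoded_hex_key": re.compile(r"(?i)(?:key|secret)\w*\s*[=:]\s*\"?([0-9a-f]{32,64})\b"),
}


def scan(files):
    """Return (path, line_no, label, value) for every match, in file order."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for label, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    value = m.group(m.lastindex or 0)
                    findings.append((path, line_no, label, value))
    return findings


def redact(value, keep=4):
    """Show only a prefix so the scan report does not become a second leak."""
    return value if len(value) <= keep else value[:keep] + "..."


if __name__ == "__main__":
    for path, line_no, label, value in scan(SAMPLE_FILES):
        print(f"{path}:{line_no}: {label}: {redact(value)}")
```

Run against the unpacked APK (for example the output of apktool) before release and treat any hit as a build failure. A Firebase URL on its own is not a secret, but combined with missing database rules it is the classic route to an exposed backend, which is why it is worth flagging alongside the keys.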

📣 New Podcast! "Securing Mobile Healthcare | The Hidden Dangers in Mental Health Apps" on @Spreaker #apisecurity #appdevelopment #approov #cybersecurity #databreach #healthtech #hipaa #infosec #mentalhealthapps #mobilesecurity #upwardlymobile

The "Rootless" Revolution: Inside the Dopamine Jailbreak & The EBT Security Crisis

🎧 Episode Summary
In this episode of Upwardly Mobile, we dive into two stories reshaping the mobile security landscape. First, we unpack the architecture of Dopamine, the modern "rootless" jailbreak for iOS 15 and iOS 16 that works without touching the system partition. We explore how it sidesteps Apple's Signed System Volume (SSV) by leaving the system volume untouched and installing everything under /var/jb, and what this means for app developers trying to detect compromised devices. Then we turn to a systemic failure in government fintech: why the "Lock Card" feature in EBT mobile apps is failing to stop fraud. We break down how attackers bypass mobile controls using legacy magstripe rails and bot attacks.

🚀 Key Topics Discussed
- The Dopamine Architecture: Understanding the shift from "rootful" to "rootless" jailbreaking.
- How it Works: The exploit chain, including PAC and PPL bypasses, and the creation of the fake root environment in /var/jb.
- Detection Challenges: Why traditional jailbreak detection methods, which look for a modified system partition, struggle against rootless environments, and why detection now leans on finding tweak injection libraries such as ElleKit.
- The EBT Mobile Failure: Why locking your EBT card in the mobile app doesn't actually stop thieves at the register.
- API Abuse: How botnets hammer IVR and app APIs to time their theft perfectly.

🔗 Resources & Links
Dopamine Jailbreak:
- Official Project: https://github.com/opa334/Dopamine
- Installation Guide: https://ios.cfw.guide/installing-dopamine/
- Technical Insight: https://ellekit.space/dopamine/
EBT & Mobile Fraud Analysis:
- The Mechanics of Theft: https://www.propel.app/ebt-theft/how-are-ebt-benefits-being-stolen/
- Systemic Vulnerabilities: https://www.pa.gov/agencies/osig/what-we-do/bureau-of-fraud-prevention-and-prosecution/snap-skimming

🛡️ Sponsor
This episode is brought to you by Approov. Is your mobile app running on a jailbroken device? Are bots scraping your API endpoints? Approov provides a comprehensive mobile security solution that ensures only genuine mobile app instances, running in safe mobile environments, can access your backend APIs.
👉 Learn more at: https://approov.com/

🔍 SEO Keywords
Dopamine Jailbreak, Rootless Jailbreak, iOS 15 Jailbreak, iOS 16 Security, Mobile App Security, EBT Fraud, Skimming, API Security, Sideloading, TrollStore, Magstripe Vulnerabilities, App Attestation.

📣 New Podcast! "The "Rootless" Revolution: Inside the Dopamine Jailbreak & The EBT Security Crisis" on @Spreaker #approov #appsec #cybersecurity #dopamine #fintechsecurity #infosec #jailbreak #mobilesecurity #upwardlymobile

SNAP | Why Mobile Apps Are Failing to Stop Food Stamp Fraud?

Episode Summary
In this episode of Upwardly Mobile, we investigate a growing financial crisis affecting the nation's most vulnerable families. The USDA now estimates that up to $12 billion is stolen annually from the Supplemental Nutrition Assistance Program (SNAP). We explore how transnational criminal rings use technology ranging from physical skimmers to brute-force cyberattacks to drain EBT cards in seconds. We also break down why the government's latest answer, mobile apps that let users "lock" their cards, is failing to stop the theft. We analyze the technical weaknesses of the legacy magstripe system and explain why app-based controls are often bypassed by backend fraud and race conditions.

This episode is sponsored by https://approov.io/. Mobile apps are now the front door to critical services, but as we discuss in this episode, they are only as strong as the security frameworks behind them. Approov provides comprehensive mobile app protection, ensuring that the requests hitting your API come from genuine apps running on untampered devices.

Key Topics & Takeaways:
• The Scale of the Problem: Federal investigators estimate that SNAP fraud has hit all-time highs, potentially reaching $12 billion annually. Georgia alone reported nearly $23 million stolen in the first quarter of 2025.
• How the Fraud Works: Criminals use skimming hardware and "brute force" software that can guess a four-digit PIN in under a second. The Secret Service notes that these are often transnational organized crime groups that operate easily across borders.
• The "Lock" Feature Failure: Many states, including Georgia, encouraged users to download apps such as ConnectEBT to "lock" their cards. Yet users like Sheria Robertson report funds stolen within minutes of unlocking the card in the app to make a purchase.
• The Technical Vulnerability: EBT cards still rely on legacy magnetic stripe technology rather than EMV chips. Because the backend authorizes on static track data and a PIN, the mobile app's "lock" feature is often bypassed by race conditions or by bot attacks on IVR systems.
• Bot Attacks: Cybercriminals use bots to hammer IVR systems to check balances and time their withdrawals for the moment funds are deposited.

Featured Stories & Data:
• Victim Spotlight: Sheria Robertson, a single mother in Georgia who lost her Thanksgiving food budget to thieves in Brooklyn, NY, despite using the app's security features.
• Investigator Insight: Mark Haskins of the USDA Food and Nutrition Service explains that criminals are "taking it to the next level" with cyber and brute-force attacks.
• State Data: Top states for reported fraud include Georgia, New York, and California.

Relevant Links & Resources:
• USDA SNAP Replacement of Stolen Benefits Dashboard
• Report Fraud: USDA Office of Inspector General Hotline, (800) 424-9121
• Technical Deep Dive: https://breached.company/ebt-cyberattacks-multi-state-crisis-threatens-food-security-for-millions/
• News Coverage: https://www.wsbtv.com/news/local/atlanta/georgia-officials-say-state-snap-system-subject-cyberattack/CRX6VB4INZH2VJNVJ3DPWY3DBQ/
• Propel App Resource: https://www.propel.app/ebt-theft/how-are-ebt-benefits-being-stolen/

Keywords: SNAP fraud, EBT skimming, food stamp theft, mobile app security, Approov, ConnectEBT, cybercrime, magnetic stripe vulnerability, USDA, social safety net, financial fraud, IVR bot attacks.

📣 New Podcast! "SNAP | Why Mobile Apps Are Failing to Stop Food Stamp Fraud?" on @Spreaker #approov #cybersecurity #ebt #fintech #infosec #mobilesecurity #snapfraud #upwardlymobile

The Punkt MC03: Can You De-Google Without the Headache?

In this episode, we explore the landscape of "privacy-first" smartphones, focusing on the newly unveiled Punkt MC03. We break down whether this Swiss-designed, German-made device can finally offer a viable alternative to the data-harvesting giants of the mobile world. We discuss the trade-offs of leaving the Google ecosystem, the unusual subscription-based operating system model, and whether the return of the removable battery signals a shift in hardware trends.

Key Topics:
- The "De-Googled" Promise: The Punkt MC03 runs AphyOS, a custom version of Android that strips out Google Mobile Services to minimize background tracking and profiling.
- AphyOS & The Subscription Model: Unlike standard Android phones, the MC03 relies on a subscription (approx. $10/month after the first year) to fund security updates and infrastructure rather than selling user data to ad networks.
- Security Architecture: The device splits the user experience into a secure "Vault" for vetted apps (such as Proton and Signal) and a "Wild Web" environment for general Android apps, letting users isolate riskier applications.
- Hardware Highlights: A 6.67" OLED screen, IP68 rating, and a 5,200 mAh removable battery, a design choice driven by upcoming EU repairability regulations.
- Overcoming Past Failures: How the MC03 improves on the "difficult-to-recommend" MC02 with smoother onboarding, an improved 64MP camera, and the option to install the Play Store for users who can't go fully cold turkey.
- The Competition: How the MC03 stacks up against other privacy-focused devices like the Murena Fairphone and non-GMS ROMs like GrapheneOS.

Sponsor: This episode is brought to you by Approov. Protect your mobile APIs from scripts, bots, and modified apps, and ensure that the requests you receive come from the genuine mobile app you released.
- Visit https://approov.com/ to learn more about comprehensive mobile app security.

Relevant Links & Source Materials:
- ZDNET Review: https://www.zdnet.com/article/punkt-mc03-phone-ces-2026/ – Coverage of the US launch, pricing, and removable battery.
- Android Authority Coverage: https://www.androidauthority.com/punkt-mc03-hands-on-ces-2026-3630101/ – An in-depth look at the onboarding improvements and specs.
- Punkt Official Site: https://www.punkt.ch/products/mc03-premium-secure-smartphone – Specs and philosophy from the manufacturer.
- Murena / /e/OS: https://thisgetthoughts.bearblog.dev/fairphone-5-murena-eos-review-part-2-the-os/ – Context on the competitor mentioned in the episode.

Keywords: Punkt MC03, AphyOS, Non-GMS, De-Google, Mobile Privacy, Data Sovereignty, Removable Battery, Android Security, Fairphone, Murena, Apostrophy OS, Mobile Security.

Disclaimer: Pricing ($699 device / $10 monthly subscription) and release dates (Spring 2026 for the US) are based on ZDNET and Android Authority coverage of CES 2026.

📣 New Podcast! "The Punkt MC03: Can You De-Google Without the Headache?" on @Spreaker #android #approov #cybersecurity #degoogle #mobileprivacy #punktmc03 #righttorepair #technews #upwardlymobile

Unmasking "Wonderland" – The New Wave of Android Droppers & SMS Stealers

In this episode of Upwardly Mobile, we dive deep into the evolving landscape of Android malware. We break down the emergence of Wonderland (formerly WretchedCat), an SMS stealer targeting users in Uzbekistan through legitimate-looking "dropper" applications. We explore how the threat actors behind it, the "TrickyWonders" group, use Telegram and malicious ad campaigns to bypass security checks and hijack devices. We also discuss the broader trend of Malware-as-a-Service (MaaS), including newer threats like Cellik, Frogblight, and NexusRoute that are lowering the barrier to entry for cybercriminals globally. From real-time screen streaming to bypassing Google Play protections, we analyze the tactics defining modern mobile threats.

Key Topics Discussed:
- The Rise of Droppers: How malware operators are shifting from "pure" Trojans to "droppers" (such as MidnightDat and RoundRift) that look harmless at install time, evade detection, and fetch the real payload later.
- Wonderland's Capabilities: How this malware establishes bidirectional communication with its operators to intercept OTPs, steal contacts, and execute USSD requests.
- The MaaS Economy: A look at the "Cellik" RAT, which offers one-click APK building to bundle malware inside legitimate apps, and "Frogblight," which lures victims with fake court documents.
- Government Impersonation: How "NexusRoute" targets users in India by mimicking government service portals to steal financial data and UPI PINs.
- Defense Strategies: The importance of blocking installations from unknown sources and monitoring for suspicious SMS/USSD patterns.

Sponsored By: This episode is brought to you by Approov. Stop mobile app abuse and API misuse. Ensure that the requests your API handles come from the genuine mobile app running on a safe mobile device.
👉 Visit our sponsor: https://approov.io/

Relevant Links & Source Materials:
- The Hacker News: https://thehackernews.com/2025/12/android-malware-operations-merge.html
- SC Media: https://www.scworld.com/brief/android-malware-wonderland-evolves-with-dropper-apps-targeting-uzbekistan
- Cypro: https://www.cypro.se/2025/12/22/android-malware-operations-merge-droppers-sms-theft-and-rat-capabilities-at-scale/

Keywords: Android Malware, Wonderland, SMS Stealer, Dropper Apps, Mobile Security, Remote Access Trojan (RAT), TrickyWonders, Cybersecurity, One-Time Password (OTP) Theft, Malware-as-a-Service, Approov.

📣 New Podcast! "Unmasking "Wonderland" – The New Wave of Android Droppers & SMS Stealers" on @Spreaker #androidmalware #approov #appsecurity #cybersecurity #infosec #mobilesecurity #technews #upwardlymobile #wonderlandmalware

2026 Mobile API and AI Security Predictions

Episode Summary: In this episode of Upwardly Mobile, we audit the accuracy of Approov's 2025 cybersecurity forecast. Of the seven trends predicted, four proved "absolutely correct." We break down these hits: the dual use of AI by attackers and defenders, the dominance of cross-platform development, the crackdown on open-source supply chain risk, and the heavy impact of new global breach reporting mandates.

The 4 Mobile Security Trends That Defined the Year

Key Topics: The 4 Correct Predictions
• 1. AI's Double-Edged Sword: 2025 wasn't just about AI hype; it was about operational impact. Attackers used LLMs to lower the bar for API abuse and to generate scripts that bypass WAFs, while defenders leaned on AI for anomaly detection and for interpreting scan results to speed up code review.
• 2. Cross-Platform is King: The prediction that cross-platform development would be "the way forward" held true. We analyze how Flutter and React Native kept their dominance in 2025, becoming the norm for enterprise and fintech apps, while Huawei's HarmonyOS remained a regional outlier.
• 3. The Open Source Crackdown: Scrutiny of open-source software (OSS) intensified as predicted. With attackers targeting ecosystems like npm and PyPI, and regulations like the EU CRA pushing SBOMs, organizations were forced to verify their supply chains and adopt runtime protection to catch tampering.
• 4. The Breach Reporting Crunch: Approov correctly forecast that breach reporting would demand major investment. With the EU NIS2 Directive and PCI DSS 4.0 coming into full effect, the focus shifted from simple disclosure to operational resilience, with companies required to report incidents in hours, not days.

Featured Resources & Links:
• Approov Report: https://approov.io/blog/approov-predicted-7-mobile-cybersecurity-trends-for-2025-did-they-happen – The full retrospective on which predictions hit the mark and which were too optimistic (such as the adoption of certificate pinning).
• Expert Insights: https://www.lastwatchdog.com/lw-roundtable-part-2-mandates-surge-guardrails-lag-intel-from-the-messy-middle/ – Further reading on the friction between compliance mandates and security realities.

Sponsor: This episode is brought to you by Approov. Don't let your mobile app be the weak link. Approov provides comprehensive runtime security, ensuring that only your genuine app communicates with your API.
• Visit: https://approov.io
• Solutions: https://approov.io/product/runtime-secrets-protection and https://approov.io/product/api-security

Keywords: Mobile Security, Cybersecurity Predictions, AI Threats, Flutter, React Native, Open Source Security, SBOM, NIS2 Compliance, Supply Chain Attacks, Approov, API Security.

📣 New Podcast! "2026 Mobile API and AI Security Predictions" on @Spreaker #ai #apisecurity #approov #compliance #cybersecurity2025 #mobileappsecurity #opensource #upwardlymobile

The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

Episode Summary: In this episode, we break down the vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data on roughly 3.5 billion WhatsApp accounts worldwide. We explore how the absence of rate limiting on the GetDeviceList API endpoint turned a benign contact-discovery feature into an "enumeration oracle," letting a single university server query more than 100 million numbers per hour. We discuss the data exposed (active status, device types, public encryption keys, and millions of profile photos) and the implications for user privacy, particularly in countries where WhatsApp is banned, such as China and Iran. Finally, we cover Meta's response to the disclosure and why industry experts called this a "masterclass in negligence" in API security.

Key Topics Discussed:
- The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
- The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
- The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
- The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.

Sponsor: This episode is supported by Approov. When mobile app security is an afterthought, user privacy becomes collateral damage. Approov ensures that only genuine mobile app instances, running on safe mobile devices, can access your backend APIs.
- Visit the Sponsor: https://approov.io/

Featured Sources & Further Reading:
- BleepingComputer: https://www.bleepingcomputer.com/ – The mechanics of the GetDeviceList abuse and the global scope of the scrape.
- Malwarebytes: https://www.malwarebytes.com/ – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
- Privacy Guides: https://www.privacyguides.org/ – The patch, and how alternative messengers handle contact discovery.

Keywords: WhatsApp, API Security, Rate Limiting, Data Scraping, Mobile Security, Cybersecurity, Meta, Privacy, Enumeration, GetDeviceList, Infosec, Approov.
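An added example (not WhatsApp's or Meta's code) of what "strict behavioral monitoring and rate limiting" on a "does this number exist?" endpoint can look like: a contact-discovery handler that budgets phone numbers rather than requests per client, trips on a high ratio of non-existent numbers, and returns the same response shape for hits and misses. The registry, the client identifiers, the window and the thresholds are assumptions for the illustration.

```python
import time
from collections import defaultdict, deque

# Constructed registry of numbers that have an account (illustrative, not real data).
REGISTERED = {f"+1555000{i:04d}" for i in range(400)}


class ContactDiscovery:
    """A 'which of my contacts are on the service?' endpoint hardened against enumeration.

    - The budget counts phone numbers, not requests, per client and sliding window,
      so batching many numbers into one request buys the caller nothing.
    - A miss-ratio tripwire: a real address book is mostly numbers that exist, while
      a scraper walking the number space mostly asks about numbers that do not.
    - Hits and misses share one response shape; the only thing that leaks is the
      matched subset, and only within budget.
    """

    def __init__(self, window_s=3600, max_numbers=500, miss_ratio_limit=0.8, min_sample=50):
        self.window_s = window_s
        self.max_numbers = max_numbers
        self.miss_ratio_limit = miss_ratio_limit
        self.min_sample = min_sample
        self._history = defaultdict(deque)  # client_id -> deque of (ts, queried, missed)
        self._blocked = set()

    def lookup(self, client_id, numbers, now=None):
        now = time.time() if now is None else now
        if client_id in self._blocked:
            return {"status": "blocked", "matches": []}
        hist = self._history[client_id]
        while hist and hist[0][0] <= now - self.window_s:
            hist.popleft()  # entries that fell out of the sliding window
        queried = sum(q for _, q, _ in hist)
        if queried + len(numbers) > self.max_numbers:
            return {"status": "rate_limited", "matches": []}
        matches = [n for n in numbers if n in REGISTERED]
        missed = len(numbers) - len(matches)
        hist.append((now, len(numbers), missed))
        queried += len(numbers)
        missed_total = sum(m for _, _, m in hist)
        if queried >= self.min_sample and missed_total / queried >= self.miss_ratio_limit:
            # Enumeration signature: withhold this batch's matches too and stop serving the client.
            self._blocked.add(client_id)
            return {"status": "blocked", "matches": []}
        return {"status": "ok", "matches": matches}


if __name__ == "__main__":
    svc = ContactDiscovery()
    print(svc.lookup("phone-app-1", ["+15550000001", "+15550000002", "+15559999999"]))
    print(svc.lookup("scraper", [f"+1555009{i:04d}" for i in range(60)]))
```

None of this helps if client_id is something a scraper can mint for free; it has to be an authenticated account tied to a verified device or an app-attestation result, otherwise the attacker simply rotates clients. At scale the registry is a database query and the counters live in a shared store such as Redis, but the budget, the tripwire and the uniform response are the parts that close the oracle.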

📣 New Podcast! "The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?" on @Spreaker #apisecurity #approov #cybersecurity #dataprivacy #mobileappsecurity #upwardlymobile #whatsapp

Apple's DMA Non-Compliance: An Open Letter

In this episode of *Upwardly Mobile*, we break down the seismic shift in the mobile app landscape following the European Commission's decision to formally fine Apple €500 million for breaching the Digital Markets Act (DMA). We explore why regulators view Apple's recent changes not as genuine adherence to the law but as "malicious compliance": a deliberate attempt to technically meet the requirements while keeping control and fees. We also discuss the December 2025 open letter sent by app developers to European Commission President Ursula von der Leyen, which argues that Apple's new 20% commission on external transactions continues to violate the law and stifle fair competition. Finally, we contrast the situation in Europe with recent US court rulings involving Epic Games, where judges ordered Apple to stop charging for services it doesn't provide, and ask: why are European developers getting a worse deal?

Key Topics Discussed:
*   **The €500M Fine:** The European Commission found Apple in breach of its "anti-steering" obligations, which forbid restricting developers from directing users to cheaper offers outside the App Store.
*   **"Malicious Compliance":** An analysis of how Apple's fee structures and "scare screens" are viewed by critics and regulators as structural impediments to the DMA's goals.
*   **The Meta Connection:** A look at the parallel €200M fine imposed on Meta over its "pay or consent" model.
*   **The Developer Pushback:** Insights from the "CleanV2" open letter, in which developers demand the removal of new commission fees of up to 20%.
*   **Transatlantic Tensions:** How the US Ninth Circuit Court of Appeals ruling in the Epic Games case highlights disparities in global enforcement.

**Sponsor:** This episode is brought to you by **Approov**. Securing mobile apps is hard; Approov makes it easy. Ensure your APIs are only accessed by genuine instances of your mobile app and block scripts, bots, and modified apps. **Visit: [https://approov.io](https://approov.io)**

**Resources & Source Materials:**
*   **European Commission Press Release:** Details on the April 2025 fine over Apple's anti-steering practices.
*   **Kluwer Competition Law Blog:** "The DMA's Teeth: Meta and Apple Fined by the European Commission" by Alba Ribera Martínez.
*   **Clean App Foundation Open Letter:** The December 2025 appeal to the European Commission regarding Apple's persistent non-compliance.
*   **Analysis of US Rulings:** Context on the Epic Games vs. Apple court case and fee limitations.

Keywords: Digital Markets Act, DMA, Apple Fine, App Store Fees, Anti-Steering, Malicious Compliance, European Commission, Margrethe Vestager, Sideloading, Epic Games, Mobile App Security, Tech Policy, Antitrust.

📣 New Podcast! "Apple's DMA Non-Compliance: An Open Letter" on @Spreaker #antitrust #apple #approov #appstore #digitalmarketsact #dma #eu #mobiledev #upwardlymobile

Chinese Hackers & the React2Shell Crisis

This week, we dive deep into the critical, maximum-severity security flaw known as React2Shell (tracked as CVE-2025-55182). This vulnerability, which impacts React, the widely-used open-source JavaScript library, allows for unauthenticated remote code execution (RCE) through specially crafted HTTP requests on affected servers.

The episode explores the immediate aftermath of the disclosure. Exploitation attempts began quickly, with Amazon Web Services (AWS) reporting that multiple China-linked threat groups, specifically Earth Lamia and Jackpot Panda, were exploiting the flaw within hours of its public availability. These actors are using both automated tools and individual exploits, and some are even actively debugging and refining their techniques against live targets. Earth Lamia has been active since at least 2023, targeting various industries in Latin America, the Middle East, and Southeast Asia, while Jackpot Panda focuses on cyberespionage operations in Asia.

We also discuss the significant collateral damage caused by the urgent need to patch this flaw. Internet infrastructure giant Cloudflare experienced a widespread global outage, returning "500 Internal Server Error" messages worldwide, and attributed the incident to an emergency patch deployed to mitigate the industry-wide React2Shell vulnerability. This change was related to how Cloudflare’s Web Application Firewall parsed requests.

Finally, we clarify the scope of the vulnerability: React2Shell primarily impacts server-side components. Specifically, it affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, particularly instances using a relatively new server feature. Standard React Native mobile apps are generally safe, but any backend built using Next.js (App Router) or React 19 Server Components that communicates with the mobile app is at critical risk. Furthermore, developers need to be aware of a separate, but timely, vulnerability (CVE-2025-11953) affecting the local React Native CLI development server.

Key Concepts and Takeaways

- Vulnerability: React2Shell, CVE-2025-55182, is a critical vulnerability allowing unauthenticated remote code execution on affected servers.
- Scope: Impacts the React open-source JavaScript library, particularly React version 19 and dependent React frameworks such as Next.js (App Router). Cloud security giant Wiz reported that 39% of cloud environments contain vulnerable React instances.
- Threat Actors: Exploitation is linked to China-linked threat groups, including Earth Lamia and Jackpot Panda.
- Major Impact: An emergency mitigation patch designed to address React2Shell caused a widespread global outage at Cloudflare.
- Fix: Patches were available shortly after disclosure, reported to Meta on November 29 and patched on December 3. Users must upgrade affected dependencies like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to version 19.0.1 or higher.

Resources and Links

- SecurityWeek (Source Context): (Note: Specific articles discussed are embedded within the episode content.)
- Expo Changelog: For specific SDK patch instructions.
- Sponsor Link: Protecting mobile app integrity against security threats is vital: https://approov.io/podcast

Keywords (Optimized for SEO)

React2Shell, Remote Code Execution (RCE), China-linked hackers, Earth Lamia, Jackpot Panda, React Server Components (RSC), Next.js vulnerability, React 19 security, web security, patch management, cyber espionage, critical vulnerability, application security

📣 New Podcast! "Chinese Hackers & the React2Shell Crisis" on @Spreaker #cve_2025_55182 #cve202555182 #cybersecurity #earthlamia #jackpotpanda #nextjs #react2shell #upwardlymobile #websecurity

Sanchar Saathi: The Mandatory Cyber Safety App Triggering India's Surveillance Firestorm

In this critical episode of "Upwardly Mobile," we dive into the escalating controversy surrounding India's Sanchar Saathi app, a government-mandated digital tool that is fueling a nationwide debate over state surveillance and digital privacy. Designed as a citizen-centric safety tool to combat telecom fraud and track lost or stolen devices using their unique IMEI, the app has been lauded by the government for its success in blocking millions of fraudulent connections and stolen phones. However, a recent directive mandating its pre-installation on all new smartphones sold in India has drawn fierce criticism from privacy advocates, opposition politicians, and major tech firms.

What You Will Learn in This Episode:

The Core Conflict: Safety vs. Snooping

- The Mandate: The Indian telecom ministry privately ordered all smartphone manufacturers to preload Sanchar Saathi on new devices within 90 days, requiring the app to be "visible, functional, and enabled" upon first setup. This directive could eventually roll out the app to more than 735 million existing phone users via software updates.
- Government Defense: Officials state the app is strictly for cyber security and curbing the "serious endangerment" caused by IMEI tampering, promising adequate security for personal information. They also claim the app is optional and does not read private messages.
- Surveillance Fears: Privacy experts and the political opposition argue the mandate is unconstitutional and creates a massive surveillance surface area. Opposition leaders have even compared the move to 'Pegasus'.

Technical Deep Dive into Privacy Risks

- The Sanchar Saathi app requests a range of "dangerous" or "high-risk" permissions.
- The app has the capability to read call logs and all incoming SMS, technically allowing it to parse bank transaction alerts, 2FA codes, and map a user's social graph.
- It accesses device identifiers, binding a user's identity to the hardware IMEI, which breaks standard rules for resettable identifiers and aids tracking.
- If pre-installed as a system-level application (the proposed state), experts warn that permissions could be auto-granted without user consent, the app could run continuous background services, and it would be virtually impossible for 99% of users to uninstall.
- The privacy policy is weak, lacking explicit mechanisms for data deletion, correction, or a clear opt-out feature.

Industry Resistance

- Tech giants were given 90 days to comply with the pre-installation mandate.
- Apple has specifically resisted the mandate, citing concerns over privacy and system security, as iPhones require explicit user confirmation for permissions and prevent automatic background registration.
- The mandate is technically easier to implement on Android devices, which make up over 95% of the Indian smartphone market.

Keywords

Sanchar Saathi, India digital privacy, state surveillance, government mandate, telecom fraud, cyber safety app, IMEI tracking, pre-installation controversy, Android security, iOS privacy, Apple resistance, call log permissions, data deletion rights, digital rights, Indian politics.

Digital Autonomy and the Sanchar Saathi App

- Link 1: https://indianexpress.com/article/explained/explained-sci-tech/telecom-scindia-sanchar-saathi-optional-key-concerns-10397728/
- Link 2: https://www.ndtv.com/india-news/sanchar-saathi-communications-ministry-jyotiraditya-scindia-big-brother-or-cybersafety-boost-deep-dive-into-sanchar-saathi-app-9735477
- Link 3: https://indianexpress.com/article/technology/tech-news-technology/sanchar-saathi-app-preinstalled-android-ios-privacy-security-concerns-10397922/
- Link 4: https://www.bbc.com/news/articles/cedxyvx74p4o
- Link 5: https://www.reuters.com/sustainability/boards-policy-regulation/what-is-indias-politically-contentious-sanchar-saathi-cyber-safety-app-2025-12-02/

Sponsor

This episode is brought to you by https://approov.io/podcast, helping developers secure their mobile APIs and prevent reverse engineering and unauthorized data access.

- Sponsor Website: approov.io

📣 New Podcast! "Sanchar Saathi |The Mobile App Triggering India's Surveillance Firestorm" on @Spreaker #android #apple #approov #bigbrother #cybersafety #digitalprivacy #indiatech #samsung #sancharsaathi #statesurveillance #telecomfraud #upwardlymobile #xiaomi

Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits

The biggest shopping days of the year—Black Friday and Cyber Monday—have also become the prime hunting grounds for cybercriminals, with global financial losses from attacks predicted to hit $10 billion in 2024. In this episode, we dive deep into the rising statistics shaping financial cybersecurity during the holiday shopping season, focusing on how sophisticated, AI-driven scams and mobile app vulnerabilities are creating a perfect storm for retailers and consumers alike.

Episode Highlights:

The State of Financial Cybercrime

Cybercriminal activity spikes by 70% during Black Friday compared to regular shopping days. Statistics show that cyberattacks during this period were projected to rise by 20% in 2024, following a 15% increase in 2023.

Key Threats and Data:

- The Rise of Fake Shops: Scammers are evolving at an unprecedented pace, using AI to generate persuasive copy and fully functional storefront templates that mimic legitimate communication flawlessly. A recent analysis found a 250% jump in fake Black Friday shops leading up to the sales weekend.
- Targeting E-commerce: E-commerce platforms experience a 65% surge in phishing attacks. Phishing scams remain the most common threat, accounting for 42% of attacks on financial transactions during the 2023 holiday shopping period.
- Prevalent Fraud Types: Financial institutions report detecting 30% more fraudulent transactions during Cyber Monday. Card-not-present fraud was the leading method used by cybercriminals in 2023, accounting for over 75% of online fraud cases. Credential stuffing incidents surged by 80% during Cyber Monday in 2023, affecting over 40 million accounts globally.
- The Cost: Financial fraud cases during holiday shopping periods account for nearly $8.5 billion annually. Small and medium-sized businesses (SMBs) are highly vulnerable, reporting an average loss of $120,000 per cyberattack.

The Mobile Frontline:

While many focus on suspicious websites, the true cybersecurity frontline for e-commerce is increasingly within mobile apps. Attacks on mobile apps used for shopping increased by 50% in 2023, often involving malicious app clones. Attackers exploit vulnerabilities like Man-in-the-middle (MitM) attacks intercepting API traffic and extracting API keys reverse-engineered from app binaries. Standard defenses like TLS encryption and certificate pinning offer necessary but incomplete protection.

Industry Response:

Financial institutions are bolstering security by integrating biometric authentication into 50% of mobile banking apps, adopting real-time transaction monitoring (reducing fraud by 40%), and using tokenization technology in 65% of online transactions. Furthermore, Zero Trust architecture is gaining traction, with 55% of organizations adopting it to secure financial systems.

Sponsor Spotlight

This episode is brought to you by Approov, the mobile security platform addressing vulnerabilities where they start: the mobile API. Approov provides a pragmatic defense-in-depth approach by ensuring that only genuine, unmodified apps connect to your backend. Approov neutralizes Black Friday exploits by using dynamic attestation to verify app integrity, and protects against API key theft by delivering short-lived, attested tokens at runtime, preventing API keys from residing within the app binary. Protect your mobile commerce from sophisticated fraud. Learn more about Approov's Mobile API Protection:

- https://approov.io/podcast

Relevant Source Links

For more information and detailed statistics referenced in this summary:

- Financial Cybersecurity Statistics for Black Friday and Cyber Monday 2025 (via CoinLaw): [Link to CoinLaw Article]
- Online scams skyrocket before Black Friday – NordVPN warns what shoppers should watch out for (via TechRadar): [Link to TechRadar Article]
- https://cybermagazine.com/articles/darktrace-reports-692-surge-in-black-friday-cyber-scams

Keywords & Hashtags (SEO Optimized)

Keywords: Black Friday, Cyber Monday, cybersecurity statistics, financial fraud, e-commerce security, mobile commerce, API protection, card-not-present fraud, phishing scams, ransomware, credential stuffing, AI-powered scams, fake shops, Approov, NordVPN, retail cybercrime, tokenization, Zero Trust.

📣 New Podcast! "Black Friday's Hidden Threat: Stopping AI-Powered Fraud and Mobile Commerce Exploits" on @Spreaker #aiscams #apisecurity #approov #blackfridayfraud #cybermonday #cybersecurity #digitalpayment #ecommercesecurity #mobilesecurity #upwardlymobile

X Joins App Fairness Coalition to Combat Monopolies

In this pivotal episode of Upwardly Mobile (https://approov.io/podcast), we dive into the significance of X (https://x.com, formerly known as Twitter) joining the Coalition for App Fairness (CAF, https://appfairness.org/). This move signals growing momentum in the global effort to reform the mobile app ecosystem, currently dominated by Apple and Google, whose practices are alleged to harm consumers and developers alike. We examine X's commitment to dismantling monopolistic practices and fostering a digital future where competition thrives and innovation is rewarded. Furthermore, we discuss the context of this fight, including the recent U.S. Department of Justice (DOJ) antitrust complaint filed against Apple. CAF asserts that Apple’s alleged illegal conduct—including abusing App Store guidelines to increase prices and choke off competition—must be addressed, urging Congress to pass legislation like the Open App Markets Act. Tune in to understand how companies are pushing back against the "shackles on developers" to create a level playing field for the more than 80 members of this independent nonprofit organization.

Discussion Points

- Dismantling Monopolies: X’s Head of Global Government Affairs stated that joining CAF is a testament to their commitment to dismantling monopolistic practices and building a mobile ecosystem that truly serves its users and fosters growth.
- The Problem with Gatekeepers: The current mobile app ecosystem is dominated by Apple and Google, who use their power to harm developers and users through excessive costs and restrictions on innovation. Global Policy Counsel for CAF noted that businesses on platforms like X are harmed by these anticompetitive app store practices.
- The Antitrust Fight: The DOJ, along with 16 attorneys general, filed an antitrust complaint against Apple, accusing the company of illegally monopolizing smartphone markets. CAF supports this strong stand against Apple’s "stranglehold over the mobile app ecosystem".
- The Path Forward: CAF advocates for legislation, like the Open App Markets Act, to create a free and open mobile app marketplace and put an end to the anticompetitive practices of all mobile app gatekeepers.
- About CAF: The Coalition for App Fairness is an independent nonprofit organization focused on protecting consumer choice, fostering competition, and creating a level playing field for app and game developers globally.

Sponsored Segment (https://approov.com):

The increasing regulatory and commercial pressures are weakening app store monopolies. As the mobile ecosystem decentralizes, the need for robust, independent security is crucial. Our sponsor, Approov, provides strong, app-centric security solutions that operate independently of basic app store protections. Approov helps mobile app developers reduce security dependencies on app stores by delivering runtime protection and attestation for mobile apps and their APIs, shielding against tampering and unauthorized access. Approov’s approach decentralizes security, ensuring developers are not limited by the basic security checks provided by Apple, Google, or any third-party app store (especially relevant as regulations like the EU DMA take effect). Key security features include:

- https://approov.io/mobile-app-security/rasp/dynamic-cert-pinning/: Secures connections against man-in-the-middle attacks and allows instant over-the-air (OTA) updates without requiring republishing through app stores.
- https://approov.io/mobile-app-security/rasp/runtime-secrets/: API keys and secrets are removed from the app and delivered only to verified app instances, protecting against reverse engineering and credential scraping attempts.
- https://approov.io/mobile-app-security/rasp/: Provides real-time shielding against threats like OS manipulation or hostile frameworks, regardless of how or where the app is distributed, including alternative app stores.

This ability to deliver critical updates and security policies directly from Approov’s cloud platform ensures the quickest possible response to threats, bypassing store-mediated app updates.

Keywords

X, Twitter, Coalition for App Fairness (CAF), Mobile App Ecosystem, App Store Monopolies, Antitrust, Apple Antitrust, Google Play Store, Developer Freedom, App Competition, Open App Markets Act, Approov, App Security, API Protection, Runtime Protection, App Attestation, EU DMA.

Relevant Links

- X Joins CAF Announcement: [Link to source (though the specific URL is not provided in the excerpts, we reference the content that would link to this news)]
- CAF Mission & Membership: appfairness.org
- DOJ Antitrust Complaint Context: [Link to source (though the specific URL is not provided in the excerpts, we reference the content)]
- Sponsor Approov: Secure your mobile apps independently of app stores at approov.com
- Approov Security Details:
  - How Approov Works: [Link to source]
  - Approov vs. Mobile App Hardening: [Link to source]
  - Approov's Role in a Post-DMA Landscape: [Link to source and]

📣 New Podcast! "X Joins App Fairness Coalition to Combat Monopolies" on @Spreaker #antitrust #appfairness #approov #appsecurity #appstorereform #developerfreedom #mobilemonopolies #openappmarketsact #upwardlymobile #x

F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps & APIs

API Security Under Fire: F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps

The F5 BIG-IP Breach and What It Means for Developers

This week on Upwardly Mobile, we dive into the fallout from the catastrophic security breach at F5 Networks, where a sophisticated nation-state adversary compromised the integrity of the critical BIG-IP product line. We discuss why this incident poses an imminent and unacceptable risk to organizations—especially mobile app developers who rely on F5 devices for critical API security infrastructure like load balancing and firewalling.

The Compromise: Source Code, Credentials, and Zero-Day Roadmaps

The threat actor maintained long-term, persistent access to F5’s internal systems, specifically the BIG-IP product development environment and engineering knowledge platforms. This sophisticated attack led to the theft of crucial materials:

- Proprietary Source Code: Portions of the proprietary source code for the flagship BIG-IP product line were exfiltrated. While F5 confirmed the actor did not inject malicious code, possessing the source code allows adversaries to analyze it for vulnerabilities or backdoor opportunities.
- Vulnerability Roadmap: Attackers gained access to internal documentation detailing undisclosed (zero-day) vulnerabilities that F5 engineers were investigating or fixing. This provides the adversaries with a virtual roadmap, enabling them to rapidly develop exploits for unpatched flaws.
- Customer Configuration Data: A small portion of customer-specific data was stolen, including network topologies, device configurations, or deployment details. For developers managing mobile APIs, this stolen information increases the risk that sensitive credentials can be abused and attackers can target specific deployment setups.

Urgent Action Required: The CISA Emergency Directive

The severity of the incident prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an Emergency Directive for federal agencies, underscoring the potential for widespread exploitation. Developers and organizations using F5 devices must take immediate action:

- Patch Immediately: Install the latest security updates, particularly the Quarterly Security Notification F5 released simultaneously, which addressed 44 new vulnerabilities.
- Isolate Management Interfaces: Identify all F5 resources and critically, isolate management interfaces from the internet to prevent initial access and investigate any exposure.
- Adopt Zero Trust: Implement a zero trust architecture to reduce the attack surface and block lateral movement. Prioritize connecting users directly to applications, not the underlying network.
- Change Credentials: Change all default credentials immediately.

Sponsor Segment

Securing mobile APIs from threats that target application logic and device integrity is paramount. To fortify your defenses against sophisticated adversaries like the one in the F5 breach, explore https://approov.io/mobile-app-security/rasp/api-security/. Approov provides crucial mobile app and API protection by verifying the authenticity of mobile apps and ensuring only legitimate, untampered clients can access your APIs.

Relevant Links

- https://my.f5.com/manage/s/article/K000156572
- https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
- Sponsor Website: https://approov.io/

Keywords: F5, BIG-IP, API Security, Mobile App Security, Zero-Day Vulnerability, Source Code Theft, Nation-State Hacking, CISA, Emergency Directive, Zero Trust, Load Balancer, Firewall, Patching, UNC5221, BRICKSTORM, Cybersecurity, Network Topology, Credential Abuse, Upwardly Mobile

📣 New Podcast! "F5's Zero-Day Roadmap and the Unacceptable Risk to Mobile Apps & APIs" on @Spreaker #apisecurity #appsec #bigip #cisa #f5breach #mobileappdev #nationstatehacker #upwardlymobile #zeroday #zerotrust

Big Tech's Gamble: Lawsuits Challenge Apple, Google, and Meta Over Social Casino Apps

In this episode of Upwardly Mobile, we dive into the significant legal challenges facing major technology companies—Apple, Google (Alphabet), and Meta Platforms—as they are forced to defend themselves against class action lawsuits alleging that they promoted and profited from illegal social casino gambling apps. A recent ruling by U.S. District Judge Edward Davila in San Jose, California, denied the companies' requests to dismiss the lawsuits. The plaintiffs, numbering in the dozens, contend that the companies' platforms—Apple’s App Store, Google’s Play Store, and Meta’s Facebook—promoted an “authentic Vegas-style experience of slot machine gambling” through an allegedly illegal racketeering conspiracy.

Key Takeaways from the Litigation:

- The Liability Claim: The core claim is that the defendants "willingly assist, promote and profit from" allegedly illegal gambling. This is achieved by:
  - Offering users access to the apps through their stores.
  - Taking a substantial percentage of consumer purchases (estimated at 30% commission, totaling over $2 billion) on in-app transactions for items like Game Coins and Sweeps Coins.
  - Processing these allegedly illicit transactions using proprietary payment systems.
  - Using targeted advertising to "shepherd the most vulnerable customers" to the casino apps.
- The Section 230 Defense Rejected: Apple, Google, and Meta argued that Section 230 of the federal Communications Decency Act protected them from liability because this law shields online platforms from lawsuits over third-party content. Judge Davila rejected this argument, finding that the companies did not act as "publishers" when processing payments. The judge emphasized that the "crux of plaintiffs’ theory is that defendants improperly processed payments for social casino apps".
- "Neutral Tools" Argument Undercut: The court called it irrelevant that the companies provided "neutral tools" (like payment processing) to support the apps.
- Damages Sought: The lawsuits seek unspecified compensatory and triple damages, among other remedies.
- Appeals and Case History: Judge Davila allowed the defendants to immediately appeal his decision to the 9th U.S. Circuit Court of Appeals, acknowledging the importance of the Section 230 issues. The litigation against the Silicon Valley-based companies began in 2021.
- Additional Suits: Separately, a new lawsuit was filed against Apple and Google by lead Plaintiff Bargo (not naming the social casino operators), alleging the distribution of "patently illegal gambling software" in New Jersey and New York. This complaint includes legal claims under NJ and NY gambling loss recovery statutes, consumer protection laws, and RICO laws.

Sponsor Message: This episode of Upwardly Mobile is brought to you by our sponsor. Learn how to secure your mobile app business today. Visit https://approov.io/.

Relevant Source Materials & Case Information:

- Article Reference (Legal Analysis): Excerpts from "Apple and Google Hit with New Social Casino Gambling Lawsuit," National Law Review (October 02, 2025). (Article written by James G. Gatto of Sheppard, Mullin, Richter & Hampton LLP).
- Article Reference (News): "Apple, Google, Meta must face lawsuits over gambling apps," Honolulu Star-Advertiser (Oct. 1, 2025).
- Article Reference (Judicial Denial): "Judicial Denial for Tech Giants in Casino App Lawsuits" (Sept 30).
- Amicus Brief Reference: In re: Casino-Style Games Litigation (Nos. 22-16914, 22-16916, 22-16888, 22-16889, 22-16921, 22-16923) U.S. Court of Appeals for the Ninth Circuit.
- District Court Case Reference (Northern District of California): In re Apple Inc App Store Simulated Casino-Style Games Litigation, No. 21-md-02985; In re Google Play Store Simulated Casino-Style Games Litigation, No. 21-md-03001; and In re Facebook Simulated Casino-Style Games Litigation, No. 21-02777.
- Sponsor Link: https://approov.io/

Keywords for SEO Optimization: Social Casino Lawsuit, Apple, Google, Meta, Section 230, Gambling Apps, App Store, Play Store, Communications Decency Act, Platform Liability, Edward Davila, Consumer Protection, Racketeering, Illegal Gambling, Tech Litigation, In-App Purchases, RICO.

📣 New Podcast! "Big Tech's Gamble: Lawsuits Challenge Apple, Google, and Meta Over Social Casino Apps" on @Spreaker #approov #appstore #bigtechliability #gamblinglaw #googleplay #section230 #socialcasino #upwardlymobile

How Misconfigured Firebase Servers Exposed User Credentials and Private Data?

In this critical episode of Upwardly Mobile, we delve into the alarming cybersecurity incident involving massive data exposure stemming from misconfigured Firebase servers. Cybersecurity researchers uncovered a breach that exposed the sensitive information and plaintext passwords of over 1.8 million users. This wasn't the result of sophisticated hacking, but rather "basic negligence" and developers failing to implement standard security settings. We discuss why Firebase, Google's popular backend-as-a-service (BaaS) for mobile apps, has become a liability risk when developers neglect configuration best practices.

What was exposed and the devastating scope of the leak:

The scope of this data leak is massive, involving publicly accessible Firebase real-time databases used by more than 900 mobile applications, predominantly Android-based. These affected apps spanned categories including health, fitness, education, and finance. The highly sensitive user data exposed included:

• Plaintext passwords (unencrypted)
• Usernames, email addresses, and phone numbers
• Billing information
• High-privilege API tokens, AWS root access tokens, and private chat logs
• Millions of user ID photos

The Failure of Security as an Afterthought:

Experts warn that storing plaintext passwords on open cloud databases in 2025 is "reckless". The breach occurred because developers failed to secure their Firebase instances, often by extending insecure "test-mode" configurations or inadvertently leaving production environments vulnerable. Responsibility for this preventable disaster lies with both the developers and Firebase itself, for allowing insecure default settings.

We also explore the technical mechanism behind these breaches: Automated scanning tools (like OpenFirebase) are actively exploiting this vulnerability by parsing Android Package Kit (APK) files to extract Firebase project IDs, API keys, and subsequently probing service URLs for unauthenticated access. This incident serves as a strong wake-up call for the tech industry, emphasizing the critical need for mandatory security training and treating security as a core function of software development—not an afterthought.

--------------------------------------------------------------------------------

🛡️ Sponsor: Approov

Protect your mobile APIs and prevent automated attacks that exploit hardcoded secrets and misconfigurations. Secure your apps from the client-side up. Learn more and protect your platform at https://approov.io/podcast

--------------------------------------------------------------------------------

Source Materials & Links

• Article 1: "Massive data leak exposes passwords of 1.8 million users through misconfigured Firebase servers," ZENDATA (May 25, 2025).
• Article 2: "Numerous Applications Using Google's Firebase Platform Leaking Highly Sensitive Data," Cyber Security News (September 25, 2025).

--------------------------------------------------------------------------------

Keywords: Data Leak, Firebase Security, Plaintext Passwords, Cybersecurity, Mobile App Security, Google Firebase, Cloud Misconfiguration, Data Breach, Developer Negligence, API Security, Android Security, BaaS, App Development.

📣 New Podcast! "How Misconfigured Firebase Servers Exposed User Credentials and Private Data?" on @Spreaker #apiprotection #approov #cloudsecurity #databreach #firebasefail #mobilesecurity #plaintextpasswords #upwardlymobile #zendata

Neon's Data Disaster: How a Viral AI App Exposed 75,000 Users and Went Dark

In this urgent episode of Upwardly Mobile (https://approov.io/podcast), we break down the spectacular rise and immediate fall of the highly controversial mobile application, Neon. The app, which recently topped the charts and went viral on platforms like TikTok, promised users payment in exchange for recording their phone calls. These recordings were then sold to AI companies for training. However, less than 24 hours after gaining widespread attention, a significant security flaw was discovered. According to reports from TechCrunch, this flaw allowed public access to extremely sensitive user data.

The Security Catastrophe

The call-recording app had rapidly climbed the App Store ranks, reporting 75,000 downloads in a single day. Despite its rapid growth, Neon was forced offline after the security issue was discovered by TechCrunch. The flaw was so severe that it allowed anyone utilizing a network analysis tool to access private information belonging to other users. Exposed data included:

- Users' phone numbers.
- Call recordings and accessible URLs to the raw audio files.
- Text transcripts of the recorded calls.
- Detailed metadata connected to the calls, including the phone number of the person called, the time and duration of the call, and the amount earned from the call.

The Company Response

Following the discovery, Neon founder Alex Kiam sent an email to customers notifying them of the app's temporary shutdown. Kiam stated that they were taking the app down to "add extra layers of security" because "Your data privacy is our number one priority". However, it is crucial to note that the email failed to warn users about the specific security issue or that their phone numbers, call recordings, and transcripts had been exposed. TechCrunch noted that although the app's servers were taken down, rendering the app useless, it remained available in the App Store. If Neon does make a comeback, it will certainly receive increased scrutiny regarding its security protocols.

Secure Your Mobile Infrastructure with Our Sponsor

In a world where mobile app security flaws can rapidly expose millions of data points, protecting your back-end servers and APIs is non-negotiable. Our episode today highlights the critical importance of mobile app protection from the get-go. Learn how to implement proactive mobile security measures. Visit: https://approov.io/

Relevant Source Materials & Further Reading

- Excerpts from "Neon, the viral app that pays users to record calls, goes offline after exposing data | Mashable"
- Excerpts from "Viral call-recording app Neon goes dark after exposing users' phone numbers, call recordings, and transcripts | TechCrunch"

Keywords: Neon app security flaw, AI training data, call recording app, data privacy, cybersecurity, mobile app data exposure, Alex Kiam, App Store security, TechCrunch exclusive, data breach, viral app failure, mobile security.

📣 New Podcast! "Neon's Data Disaster: How a Viral AI App Exposed 75,000 Users and Went Dark" on @Spreaker #appsecurity #cybersecurity #deepfakedata #mobilesecurity #neonapp #upwardlymobile

a cat is standing on its hind legs on a kitchen counter next to a spray bottle.

It's decided. I am not old!

I can still climb up on the kitchen countertop to access the top shelf in the cupboard ...
#UpwardlyMobile

AI vs AI | Agentic AI Security: Top Threats & Best Practices for Apps and APIs

Securing the Autonomous Frontier: Defending Apps and APIs from Agentic AI Threats

Episode Notes

In this episode of Upwardly Mobile, we delve into the critical and rapidly evolving landscape of Agentic AI security. As artificial intelligence advances beyond reactive responses to become autonomous systems capable of planning, reasoning, and taking action without constant human intervention, the need for robust security measures has become paramount. These intelligent software systems perceive their environment, reason, make decisions, and act to achieve specific objectives autonomously, often leveraging large language models (LLMs) for their core reasoning engines and control flow.

The Rise of Agentic AI and Magnified Risks

Agentic AI is rapidly integrating into various applications across diverse industries, from healthcare and finance to manufacturing. However, this increased autonomy magnifies existing AI risks and introduces entirely new vulnerabilities. As highlighted by the OWASP Agentic Security Initiative, AI isn't just accelerating product development; it's also automating attacks and exploiting gaps faster than ever before. LLMs, for instance, can already brute force APIs, simulate human behavior, and bypass rate limits without triggering flags.

Key security challenges with Agentic AI include:
- Poorly designed reward systems, which can lead AI to exploit loopholes and achieve goals in unintended ways.
- Self-reinforcing behaviors, where AI escalates actions by optimizing too aggressively for specific metrics without adequate safeguards.
- Cascading failures in multi-agent systems, arising from bottlenecks or resource conflicts that propagate across interconnected agents.
- Increased vulnerability to sophisticated adversarial attacks, including AI-powered credential stuffing bots and app tampering attempts.
- The necessity for sensitive data access, making robust access management and data protection crucial.

The OWASP Agentic Security Initiative has identified a comprehensive set of threats unique to these systems, including:
- Memory Poisoning and Cascading Hallucination Attacks, where malicious or false data corrupts the agent's memory or propagates inaccurate information across systems.
- Tool Misuse, allowing attackers to manipulate AI agents to abuse their integrated tools, potentially leading to unauthorized data access or system manipulation.
- Privilege Compromise, exploiting weaknesses in permission management for unauthorized actions or dynamic role inheritance.
- Intent Breaking & Goal Manipulation, where attackers alter an AI's planning and objectives.
- Unexpected Remote Code Execution (RCE) and Code Attacks, leveraging AI-generated code environments to inject malicious code.
- Identity Spoofing & Impersonation, enabling attackers to masquerade as AI agents or human users.
- Threats specific to multi-agent systems like Agent Communication Poisoning and the presence of Rogue Agents, where malicious agents infiltrate and manipulate distributed AI environments.

Essential Mitigation Strategies for Agentic AI

Defending against these advanced threats requires a multi-layered, adaptive security approach. Our sources outline several crucial best practices for both app and API security:

1. Foundational App Security Best Practices:
- Continuous Authentication: Move beyond session-based authentication. Implement behavioral baselines, short-lived tokens, session fingerprinting, and re-authentication on state changes to ensure the right user is in control.
- Detecting AI-Generated Traffic: Employ behavioral anomaly detection, device and environment fingerprinting, adaptive challenge-response mechanisms, and input entropy measurement to identify and block sophisticated AI bots.
- Secure APIs as Crown Jewels: Implement strict input validation, rate limiting per user/IP/API key, authentication/authorization at every endpoint, request signing, replay protection, and detailed logging.
- Zero Trust Architecture: Assume no part of your infrastructure is inherently trusted. Enforce identity and access management at every layer, segment networks, use mutual TLS between services, and continuously monitor for unusual access patterns.
- Harden MFA Workflows: Mitigate MFA fatigue attacks by moving away from push notifications as the primary MFA method, preferring hardware tokens or TOTP, and limiting approval attempts with exponential backoff.
- LLM-Aware Security Filters: If your app uses LLMs, implement context-aware input sanitization, prompt filtering layers, output monitoring for hallucinations, and rate limit suspicious query patterns.
- Encrypt and Obfuscate Client-Side Code: Protect intellectual property and reduce attack surface by obfuscating code, encrypting sensitive strings, implementing runtime code splitting, and avoiding embedding secrets in client code.
- Train Detection Systems with Synthetic Attacks: Use AI-generated synthetic attack simulations to train ML classifiers for anomaly detection, turning AI's offensive power into a defensive advantage.
- Adopt Secure-by-Design Principles: Integrate security into every phase of the development lifecycle, validating inputs, enforcing least privilege, using static/dynamic code analysis, and automating dependency management.
- Stay Compliant with Emerging AI Security Standards: Implement transparent logging and audit trails for AI interactions, ensure explainability, follow data minimization principles, and prepare for AI risk management certifications.

2. API-Specific Defenses for Agentic AI:
- Design for API Security by Default: Apply secure-by-design principles, enforce HTTPS/TLS 1.3, use least-privilege permissions, and implement strong authentication/authorization with dynamically-scoped tokens.
- Identify & Monitor AI-Agent Traffic: Include agentic endpoints in API discovery and monitor traffic in real-time using AI-backed analytics to detect anomalous behavior.
- Context-Aware Guardrails & Threat Modeling: Develop tailored agentic AI threat models like MAESTRO or SHIELD/ATFAA and implement LLM-aware guardrails to enforce boundaries.
- Authenticate & Audit AI Agent Identities: Treat each agent as a non-human identity, enforce strong credential hygiene, rotate secrets, and audit identity posture.
- Input/Output Filtering & Prompt Hygiene: Defend against prompt injection through sanitization, prompt separation, and adversarial testing. Enforce data hygiene for agent memory to mitigate poisoning attacks.
- Continuous Authentication & Rate Limiting: Avoid long-lived sessions with continuous authentication and use strict rate limiting to prevent bots from chaining tasks or overwhelming endpoints.
- Use Adaptive Security Tools & AI-Based Defense: Deploy API security platforms with real-time anomaly detection and consider a "good-guy" AI to inspect agent intents.
- Red-Teaming & Continuous Testing: Simulate attacks like memory poisoning, prompt injection, and privilege misuse to uncover vulnerabilities proactively.
- Training & Governance: Educate teams on agent-specific vulnerabilities and establish agent lifecycle governance with approval flows, isolation environments, and human-in-the-loop checkpoints.

3. OWASP's Mitigation Playbooks: The OWASP Agentic Security Initiative provides structured mitigation strategies organized into playbooks, addressing specific threat categories:
- Preventing AI Agent Reasoning Manipulation: Focuses on reducing attack surface, implementing agent behavior profiling, preventing goal manipulation, and strengthening decision traceability.
- Preventing Memory Poisoning & AI Knowledge Corruption: Involves securing AI memory access, detecting/responding to poisoning, and preventing the spread of false knowledge.
- Securing AI Tool Execution & Preventing Unauthorized Actions: Emphasizes restricting AI tool invocation, monitoring/preventing tool misuse, and preventing resource exhaustion.
- Strengthening Authentication, Identity & Privilege Controls: Covers secure AI authentication mechanisms, restricting privilege escalation, and detecting/blocking AI impersonation attempts.
- Protecting Human-in-the-Loop (HITL) & Preventing Decision Fatigue Exploits: Aims to optimize HITL workflows, identify AI-induced human manipulation, and strengthen AI decision traceability.
- Securing Multi-Agent Communication & Trust Mechanisms: Focuses on securing AI-to-AI communication, detecting/blocking rogue agents, and enforcing multi-agent trust and decision security.

Companies like https://approov.io/blog/what-you-need-to-know-about-broken-object-level-authorization-bola offer patented mobile app attestation technology that ensures only genuine, unmodified apps running in trusted environments can access backend services and APIs, providing real-time verification, dynamic API shielding, and secure credential management to mitigate AI-driven credential leaks. By combining traditional API security fundamentals with agent-specific strategies, mobile developers can transform APIs from vulnerabilities into resilient trust boundaries, capable of resisting threats posed by autonomous, goal-oriented AI agents.

Relevant Links:
- Rocket Farm Studios: 10 App Security Best Practices for AI Threats - Learn more about securing apps against AI-driven threats: https://www.rocketfarmstudios.com/blog/10-app-security-best-practices-for-ai-threats/
- https://genai.owasp.org/resource/agentic-ai-threats-and-mitigations/

📣 New Podcast! "AI vs AI | Agentic AI Security: Top Threats & Best Practices for Apps and APIs" on @Spreaker #agenticai #aisecurity #apisecurity #mobileapps #owasp #upwardlymobile #zerotrust

Smart Home Security: Navigating IoT Risks with Advanced Mobile App Protection

In this episode, we dive deep into the pressing concerns of Internet of Things (IoT) security, especially within our increasingly connected smart homes. From smart refrigerators to water shut-off valves, these devices offer immense convenience but also present tempting targets for cybercriminals. We'll explore the array of vulnerabilities, real-world attack statistics, and the innovative solutions emerging to protect our digital and physical spaces.

Key Discussion Points:

- The Alarming State of IoT Security:
  - A shocking 57% of IoT devices are vulnerable to medium- or high-severity attacks, with 70% having serious security vulnerabilities overall.
  - A staggering 98% of IoT device traffic is unencrypted, and 43% of manufacturers don't even encrypt data during transmission, leaving sensitive information exposed. This is often due to cost-saving measures or limited processing power in basic device chips.
  - The volume of threats is immense, with 1.5 billion IoT attacks detected in just the first half of 2021. Devices can be targeted within 5 minutes of connecting to the internet, as bots constantly scan for new exploits.
  - IoT devices are a prime attack vector, accounting for 41% of attacks on enterprises in 2020 and comprising 33% of infected devices in botnets like Mirai. The infamous Mirai botnet, which shut down major internet services in 2016, infected over 25 million IoT devices by exploiting weak or default credentials, turning common items like printers and baby monitors into attack armies.
  - Smart home attacks rose by 600% in a single year, highlighting the escalating risk to everyday gadgets.
  - Many organizations face significant challenges, with 72% struggling to discover and classify all IoT devices on their networks, and 67% having limited or no visibility into their IoT environments.
  - A critical issue is the widespread use of weak or default passwords, responsible for 91% of IoT data breaches, alongside the concerning fact that 40% of IoT devices no longer receive vendor security updates, leaving them vulnerable.
  - Real-world incidents, such as cyberattacks on municipal water infrastructure, serve as a stark warning, demonstrating that compromised water control systems can have severe physical consequences, including interference with water composition or service disruption.

- The Smart Home Ecosystem: A "Toxic Combination" of Apps and APIs:
  - Smart homes are controlled through a complex web of mobile apps and APIs, connecting everything from smart ovens to security cameras.
  - This creates a "toxic combination": mobile apps can be cloned, tampered with, or run on compromised devices, while APIs can be reverse-engineered and invoked by bots or fake clients. Attackers can easily automate abuse once app-to-API traffic is understood.
  - Hackers exploit common issues like lack of app attestation, repackaged or tampered apps, no detection of rooted/jailbroken devices, bypass of obfuscation, API keys hardcoded in the app, and static TLS certificate pins.
  - Threats extend beyond simple data breaches to more severe outcomes like device hijacking, Man-in-the-Middle (MitM) attacks, ransomware, and botnet creation, allowing malicious actors to manipulate physical devices or launch large-scale attacks.
  - Even smart water shutoff systems like Phyn, Moen Flo, and Flo-Logic, while protecting against water damage, introduce data privacy implications (e.g., detailed water usage patterns revealing intimate household routines) and the risk of unauthorized remote control by malicious actors who could repeatedly toggle the water supply, causing disruption or damage. Moen's privacy statement explicitly notes its business model includes "monetizing data".

- Building a Secure Foundation: Solutions and Best Practices:
  - Adapting OAuth2 for IoT: The OAuth2 open authorization standard, popular on the web, is being adapted to help secure access to IoT devices. This involves the authorization grant flow where a client obtains an access token to delegate access to server resources. Modifications are necessary for constrained IoT environments, such as dynamically securing the channel between a client and resource server (e.g., Alice's phone and a door lock) by using a possession key shared via the authorization server. Another example is a medical device scenario where the authorization server encrypts the possession key into the access token claims using a pre-provisioned key pair.
  - Beyond Static Secrets: A more secure approach involves removing static client secrets from mobile apps and leveraging remote attestation services. A dynamic attestation service can verify an app's authenticity at runtime, returning an authenticating, time-limited client integrity token.
  - Zero Trust Security Model: Smart home platforms should adopt a Zero Trust security model, which inherently trusts nothing by default. Instead, each and every API request must cryptographically prove it originates from a legitimate, unmodified mobile app at runtime. This involves per-request attestation using short-lived, signed tokens and API-side validation.
  - Approov: Enhancing API and App Security: Solutions like Approov Mobile Security play a crucial role by continuously inspecting the app and device to validate the legitimacy of any request from the app, ensuring only authorized apps can access APIs. This not only protects against bots and unauthorized access but also helps reduce cloud costs and allows API owners dynamic control over access policies and certificates without requiring app updates.

- Key Recommendations for Users and Manufacturers:
  - Always change default passwords immediately upon setup, using strong, unique combinations.
  - Regularly apply firmware and software updates provided by the manufacturer to patch critical security flaws.
  - Implement network segmentation, isolating smart home devices on a separate Wi-Fi network (e.g., a guest network or dedicated IoT VLAN) to limit potential lateral movement for attackers if one device is compromised.
  - Manufacturers must adopt secure development guidelines from day one, conducting regular penetration testing and prioritizing security throughout the product lifecycle, not as an afterthought.
  - Organizations need robust incident response plans and better visibility into their IoT inventories to quickly identify and address threats.
  - For critical systems like water shutoff valves, prioritize devices with robust, independent operation (e.g., hardwired connections, substantial battery backups) over those solely reliant on internet connectivity.

Protect your connected devices and digital life by understanding these risks and implementing proactive security measures!

Relevant Links:
- IoT Security Challenges: Device Vulnerability & Attack Stats | PatentPC: https://patentpc.com/blog/iot-security-challenges-device-vulnerability-attack-stats
- Phyn (Example of Smart Water Solution discussed): https://www.phyn.com/
- Secure your mobile apps and APIs with Approov: https://approov.io/

Keywords: IoT Security, Smart Home Security, API Security, Mobile App Security, OAuth2, App Attestation, Zero Trust, Mirai Botnet, Data Breaches, Device Hijacking, Network Segmentation, Cybersecurity, Smart Devices, Connected Home, Digital Privacy, Firmware Updates, Password Security, Water Damage Prevention, Phyn, Moen Flo, Flo-Logic, IoT Vulnerabilities, Mobile API Security.

📣 New Podcast! "Smart Home Security: Navigating IoT Risks with Advanced Mobile App Protection" on @Spreaker #apisecurity #appattestation #approov #flologic #homesecurity #iotsecurity #moen #oauth2 #phyn #smarthome #upwardlymobile


#DiaryOfRoundSparrow #RuleByStress

I really wonder if many people have never worked at a high-stress job. Since I was a white male with computer skills + talent in 1985 when I turned age 16, I was #UpwardlyMobile #FWakeUpwardly. I worked a lot of places in Fort Wayne, Indiana; I had my pick of many jobs.

Duchess the black continental giant looking completely unrepentant on the blue, white & brown tartan patterned cushion of the wooden garden furniture, a chunk of rose bush she's robbed in her mouth

Wot? It was in range! You know snackings are fair game if they are in range mum! #Rabbit #ContinentalGiant #Mountaingoat #upwardlymobile #rosethief


T-25 minutes until I start live-tweeting this year's @WBADC Stars of the Bar event! Hop to @WBADC's feed at 5:30pm for all the emotional, touching, and funny moments and GIFs! #wbastars #promotingwomenlawyers #lawyermoms #upwardlymobile #BacktoBasics
