Paulo Renato

I am Paulo Renato, a Developer Advocate for Mobile and API Security and author of a series of articles on Mobile and API security.

Rather than securing an API key, wouldn’t it be better not to have it in the app or at least to make sure that if it is extracted then it can’t be used?

Don't access Third Party APIs directly from a mobile app. Learn how to do it securely with a Reverse Proxy between the mobile app and the Third Party APIs.

"Bypassing certificate pinning is easier than many people think. This article describes how to defend your mobile business against such attacks."

Learn how to repackage a mobile app in order to make it trust in custom SSL certificates. This will enable us to bypass certificate pinning.

Learn what certificate pinning is, when to use it, how to implement it in Android, and how it can prevent a MitM attack.

Learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal that API key. Finally, you will see at a high level how MitM attacks can be mitigated.

Flaw in Android allows apps to capture video and audio without requiring the necessary permissions.

Abusing HTTP HEAD request to bypass Github OAuth flow.

Discover how easy is to grab an API key by reverse engineering the binary of a mobile app, through the use of an open source tool, even by non-developers.

A new recently patched remote code execution bug in PHP7 lets hackers hijack the websites running on some NGINX and php-fpm configurations.

The lesson to be learned here is that releasing a mobile app without a way of identifying itself to the API server is like leaving your car with the doors closed but not locked, and the keys in the ignition.

Have a question about Mobile API Security? Try me!

The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the sudoers configuration explicitly disallows the root access.

Researchers claim 30% of all Android devices, and 5% of iOS devices, are transmitting data that could be used to track and profile users

Millions of iOS users could be vulnerable to man-in-the-middle attacks that trace back to flawed Twitter code used in popular iPhone apps.

Cyber attackers infected 800,000 users with banking information stealing malware – but mistakes have allowed researchers to look behind the scenes of a successful hacking campaign.

Using techniques like Https, API Keys, User Agents, Captchas, IP Blocking and Rate Limiting, User Authentication and Access Tokens may seem more than enough to protect an API, but we will see how they are not enough to stop the API from being abused by bots, hackers or just users with bad intentions.

Zero day vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others.

A hacker has revealed an iOS exploit that's unpatchable and could impact millions of iOS devices. But, it's 2019. A jailbreak is only really useful for security researchers. Do you agree?

With the increasing use of mobile apps, APIs became popular and mobile app secrets became the way to access the APIs. Putting secrets the source code of mobile apps is a huge cause of concern in terms of security because they can be extracted and reused for unauthorized API access.

Some Mobile devices are shipped from factory with ADB enabled. Is yours one of them?

Is your browser hacking you? It may be easier than what yout think!!!

A curated developer article on DevArt.

Even when using a VPN, like Open VPN you can have DNS leaks, that will allow for example your ISP to know what your are doing.

"CTF or Capture the Flag is a competition aimed to raise awareness around security in an organization of any size."

Companies are hacking back against cybercriminals to try to prevent—or at least limit the damage of—Equifax-style disasters. One problem: It’s not all that legal.