Approov’s 2025 Momentum: Awards, Funding, Growth — and a Look at Mobile Security Trends
2025 has been a landmark year for Approov, reflecting our growing impact and momentum in mobile app and API security. We began the year by winning the Cyber Innovation Award at the Scottish Cyber Awards, a recognition of our team’s dedication and innovation. This was followed by the successful close of a £5 million Series A funding round led by IFS and Maven Capital Partners, enabling us to expand our Edinburgh-based R&D team and accelerate real-time security innovation for the AI era.
Building on this growth, we opened our new headquarters in Edinburgh’s New Town, reinforcing our commitment to advancing mobile and API security from the heart of Scotland.
This year also saw a major product milestone with Approov’s full integration into the Cloudflare platform, delivering a single, unified layer of defense against mobile bots, fake apps, and API abuse. The integration extends Cloudflare’s industry-leading bot mitigation with deterministic, zero-false-positive mobile security and full visibility across both mobile and web attack surfaces.
At the start of 2025, we shared bold predictions on how mobile cybersecurity would evolve. Now, as the year ends, we’re reflecting on how those trends are playing out.
React2Shell lands on CISA’s KEV list: patch immediately
A newly disclosed critical RCE flaw in React Server Components has been added to CISA’s KEV catalog, highlighting the need for immediate patching. With a CVSS score of 10.0 and active exploitation observed shortly after disclosure, the vulnerability puts React and Next.js backends at serious risk: it allows attackers to take over servers through unauthenticated requests, and widespread scanning and compromise activity has already been reported.
WhatsApp API flaw let researchers scrape 3.5 billion accounts
Researchers found that WhatsApp’s contact-discovery API lacked rate limiting, enabling phone number queries at massive scale—over 100 million per hour—and allowing the mapping of 3.5 billion active accounts. By chaining other APIs, they also gathered profile photos, “about” text, device info, and metadata, showing how unprotected endpoints can be exploited to build large identity datasets for phishing and social engineering.
App Developers Urge EU Action on Apple Fee Practices
A coalition of app developers and consumer advocates is calling on EU regulators to take tougher action against Apple’s App Store fee practices, arguing the company’s revised pricing still breaches the Digital Markets Act. Despite a €500 million fine earlier this year, critics say Apple’s updated commission structure — including fees on external payments — continues to disadvantage European developers, prompting demands for stronger enforcement and possible legal escalation.
How the Shai-Hulud npm Attack Evolved in Its Second Wave
The second wave of the Shai-Hulud npm supply chain attack highlights how attackers are doubling down on compromised open-source packages to expand reach and persistence across the JavaScript ecosystem. This phase shows more deliberate targeting, broader package propagation, and clearer signs of automation, reinforcing how quickly trusted dependencies can become large-scale attack vectors.