Explore mobile app and API security strategies in this OWASP Foundation conference talk from AppSecCali 2019. Follow the fictional ShipFast courier service as it evolves its security approach to counter threats from the malicious ShipRaider. Dive into topics such as OAuth2 user authorization, TLS, certificate pinning, HMAC call signing, app hardening, and white-box crypto. Learn about man-in-the-middle attacks, app decompilation, debugging, and reverse-engineering techniques used by attackers. Gain insights into defense-in-depth techniques for protecting both mobile apps and API backends. Access fully worked open-source examples and additional homework assignments for deeper exploration. Presented by Skip Hovsmith, Principal Engineer at CriticalBlue, this 53-minute talk covers a wide range of mobile security topics, including API keys, rate limiting, behavioral API security, app integrity measurement, and OAuth2 flow strengthening.