Post on 02-Jun-2020
Securing Mobile APIs: Preserving Developer Intent Without a Gateway
Tom Tovar
Co-Creator and CEO
APIWorld
October 10, 2019
© 2019 Appdome - Confidential
What Is An API? Two sides of one conversation:
"I don’t want to build something, I want it from you."
"I want to give you something, but how do I know it’s you? And I can’t do everything."
What Are The Risks?
o Just knowing (IP / competitive). This part drives me nuts...
o Authentication (Account Hijack). To access the service, the app needs to authenticate to the API using, at a minimum, the API Key and API Secret.
o Connection (MiTM). To create the connection, the app needs the Service Address. It also needs a secure way to reach the service (using either single or mutual validation, TLS, etc.).
o Payload (Data Theft). To actually consume the API intent, the app needs to store and use the API payload throughout the app, cache API data, etc.
o Tampering (Mucking). Even if everything is done right to make the API work, is it possible to insert instructions into an API call to filter API data out of the app (or to impersonate the developer)?
Recent API Data Leaks & Account Takeovers
How Easy Is It To Hack An API?
o Service Address.
o API Secret.
o API Service Private API.
o API Key and More. . .
Using basic tools like JD-GUI... strings...
Basically I can get the static data...
Getting dynamic data... using a fuzzer
You Get The Point... Generally Speaking,
o We don’t secure APIs in the app. Attackers know what APIs we’re using and can access our accounts, apps, and more.
o We don’t secure API connections. App-to-API connections face MiTM and impersonation risks.
o We don’t secure API data. API data passed to and used by the app is often in the clear.
o We don’t secure API code. How we build the API into apps is not shielded or protected.
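The strings / JD-GUI demo above shows that anything shipped as a plain resource is readable straight out of the package. The defender's counterpart is to find those values before the build ships. The following is an added example and not code from the talk or from Appdome: a pre-release scan over an Android-style strings.xml resource file (a constructed sample embedded inline, with made-up values) that flags entries whose resource name suggests a credential, and entries whose value is long and high-entropy in the way keys and secrets typically are. The entropy threshold and the name patterns are assumptions chosen for this example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Constructed sample of an Android strings.xml resource file, embedded so the
// example runs offline. Every value below is made up for this example.
const sampleStringsXML = `<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo Wallet</string>
    <string name="welcome_text">Welcome back</string>
    <string name="api_base_url">https://api.example.invalid/v1</string>
    <string name="api_key">demo-key-0000000000000000</string>
    <string name="api_secret">3f9a8c1d2e7b4a6f9c0d1e2f3a4b5c6d</string>
    <string name="analytics_id">c29tZS1yYW5kb20tbG9va2luZy12YWx1ZQ</string>
</resources>`

// Finding describes one resource entry that looks like an embedded credential.
type Finding struct {
	Name   string
	Reason string
}

var (
	entryRE = regexp.MustCompile(`<string\s+name="([^"]+)"\s*>([^<]*)</string>`)
	// Resource names that commonly hold credentials (assumed pattern list).
	nameRE = regexp.MustCompile(`(?i)(key|secret|token|password|passwd|credential)`)
	// Alphabets used by hex, base64 and base64url encoded keys; a URL or a
	// sentence will not match because of ':', '.', or spaces.
	keyCharsRE = regexp.MustCompile(`^[A-Za-z0-9+/=_-]{20,}$`)
)

// shannonEntropy returns bits of entropy per character of s.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanStringsXML flags resource entries whose name suggests a credential, or
// whose value is long, key-shaped and high-entropy (threshold 3.5 bits/char
// is an assumption for this example).
func ScanStringsXML(xml string) []Finding {
	var out []Finding
	for _, m := range entryRE.FindAllStringSubmatch(xml, -1) {
		name, value := m[1], strings.TrimSpace(m[2])
		switch {
		case nameRE.MatchString(name):
			out = append(out, Finding{name, "resource name suggests a credential"})
		case keyCharsRE.MatchString(value) && shannonEntropy(value) > 3.5:
			out = append(out, Finding{name, "long high-entropy value"})
		}
	}
	return out
}

func main() {
	for _, f := range ScanStringsXML(sampleStringsXML) {
		fmt.Printf("%-14s %s\n", f.Name, f.Reason)
	}
}
```

Run as a CI gate, a non-empty result fails the build; the three hits on the sample (api_key, api_secret, and the innocuously named analytics_id) are exactly what a strings pass over the shipped package would hand to anyone who downloads it.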
The Business Impact of a Mobile App Breach. Using industry averages, a transactional app with 1M users has a business impact of $6.3M in 1 month.
[Figure: Cost Impact diagram, recovered from the slide]
o Brand Impact & Customer Buying: a breach will reduce user confidence, leading to lower overall spending by all users of the target mobile app. Figure value: -15% of the avg. revenue per user for all users until confidence is restored.
o Impact on New Customer Acquisition Cost: a breach will make it harder to attract new customers. Figure value: +15% on the vendor-average CAC per user for net-new users considering the app.
o Customer Re-Acquisition Cost: more expensive to re-acquire lost customers. Figure value: $50 CAC per user to re-acquire impacted users that abandoned the app.
o Publisher Loss: reimburse or refund of transaction or purchase revenue. Figure value: $500K of inventory or loss of fees.
o Customer Loss: e.g., 10% of impacted users abandon the app, at $2.68 revenue per user per month.
API Security Standards
• OWASP API Security Top 10 (Sept 2019)
  A1 Broken Object Level Authorization
  A2 Broken Authentication
  A3 Excessive Data Exposure
  A4 Lack of Resources and Rate Limiting
  A5 Broken Function Level Authorization
  A6 Mass Assignment
  A7 Security Misconfiguration
  A8 Injection
  A9 Improper Assets Management
  A10 Insufficient Logging and Monitoring
• FAPI - Financial Grade API
How Can You Secure Mobile APIs?
• Data Encryption
• Code Obfuscation
• App Shielding
• Trusted Sessions
• API Segmentation
Why Data Encryption? Use AES-256 encryption to secure and protect all API data (keys, secrets, URLs, tokens, payload, etc.), including in the App Sandbox, Preferences, Strings and Resources.
Unencrypted Strings – API Key and API Secret in the clear
Encrypted Strings
Protects against OWASP risks A1, A2, A5, A6, A8, A9
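What "encrypted strings" buys you at rest, as an added example that is not code from the talk or from Appdome: the app's API configuration (constructed sample values) is serialised and sealed with AES-256-GCM before it is written to storage, and a strings-style scan of the stored blob no longer finds the API Secret. GCM also authenticates the blob, so a modified file is rejected rather than decrypted. The example assumes the 32-byte storage key is supplied by a hardware-backed keystore and never stored beside the data; here it is simply generated at runtime.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Credentials is the API configuration the app needs at runtime.
type Credentials struct {
	ServiceAddress string `json:"service_address"`
	APIKey         string `json:"api_key"`
	APISecret      string `json:"api_secret"`
}

// NewStorageKey returns a fresh 32-byte key (AES-256). Assumption of this
// example: a real app would obtain this from a platform keystore rather than
// generate and hold it itself.
func NewStorageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealCredentials serialises creds and encrypts them with AES-256-GCM.
// Output layout: nonce || ciphertext || GCM tag.
func SealCredentials(key []byte, creds Credentials) ([]byte, error) {
	plain, err := json.Marshal(creds)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenCredentials reverses SealCredentials. Any modification of the blob makes
// the GCM tag check fail and no plaintext is returned.
func OpenCredentials(key, blob []byte) (Credentials, error) {
	var creds Credentials
	block, err := aes.NewCipher(key)
	if err != nil {
		return creds, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return creds, err
	}
	if len(blob) < gcm.NonceSize() {
		return creds, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return creds, err
	}
	err = json.Unmarshal(plain, &creds)
	return creds, err
}

// ContainsInClear reports whether a stored blob still carries the secret
// verbatim, which is what a strings-style scan of the app package would find.
func ContainsInClear(blob []byte, secret string) bool {
	return bytes.Contains(blob, []byte(secret))
}

func main() {
	// Constructed sample credentials; not real values.
	creds := Credentials{"https://api.example.invalid", "demo-key-123", "demo-secret-456"}
	key, _ := NewStorageKey()
	plainBlob, _ := json.Marshal(creds)
	sealed, _ := SealCredentials(key, creds)
	fmt.Println("plain blob exposes secret: ", ContainsInClear(plainBlob, creds.APISecret))
	fmt.Println("sealed blob exposes secret:", ContainsInClear(sealed, creds.APISecret))
	back, err := OpenCredentials(key, sealed)
	fmt.Println("decrypted ok:", err == nil && back == creds)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = OpenCredentials(key, sealed)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point the slide makes is the first two lines of output: the same secret is present in the plain blob and absent from the sealed one. Encryption only moves the problem to the key, which is why the key must live in a keystore the app cannot simply read out as another string.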
Why Code Obfuscation? Obfuscates the binary code, native and non-native libraries, to protect the app’s control flow and logic.
With Obfuscation, strings are not accessible
Protects against OWASP risks A1, A2, A3, A5, A6, A7, A8, A9
Why App Shielding? Hardens the app with anti-tampering, anti-debugging and anti-reversing protection.
Trying to tamper with the app...
Protects against OWASP risks A3, A5, A6, A7, A8, A9
Why Trusted Sessions? Trusted communication protects and encrypts all data in transit, and ensures the validity of all endpoints and any intermediate systems between an app and its backend servers.
Without Trusted Session
With Trusted Session
Protects against OWASP risks A1, A2, A3, A5, A6, A7, A8, A9
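The "validity of all end points" half of the trusted-session bullet, as an added example that is not code from the talk or from Appdome: an HTTPS client that still performs ordinary chain validation but additionally requires that a certificate in the verified chain carries a public key the app was built to expect (SPKI pinning). A local TLS test server stands in for the backend; its self-signed certificate plays the role of the backend's real certificate, and the test server and URL path are assumptions of this example. A chain that validates but is not the pinned key, which is what an interception proxy trusted on the device presents, is refused.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// SPKIPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the value an app would ship with its build as the expected backend pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// NewPinnedClient builds an HTTP client that performs normal chain validation
// against rootPool and additionally requires that some certificate in the
// verified chain matches one of the pins. Pinning an intermediate or root key
// (not just the leaf) lets the backend rotate leaf certificates without an
// app update.
func NewPinnedClient(rootPool *x509.CertPool, pins []string) *http.Client {
	allowed := map[string]bool{}
	for _, p := range pins {
		allowed[p] = true
	}
	tlsCfg := &tls.Config{
		RootCAs:    rootPool,
		MinVersion: tls.VersionTLS12,
		// Called only after standard verification succeeded, with the chains it built.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			for _, chain := range chains {
				for _, cert := range chain {
					if allowed[SPKIPin(cert)] {
						return nil
					}
				}
			}
			return errors.New("tls: no certificate in the verified chain matches a pinned key")
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
}

// FetchWithPins performs a GET against url using the pinned client and returns
// the response body, or the TLS error when no pin matches.
func FetchWithPins(rootPool *x509.CertPool, pins []string, url string) (string, error) {
	resp, err := NewPinnedClient(rootPool, pins).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// StartDemoAPI starts a local TLS test server standing in for the backend
// (assumption of this example) and returns it together with a root pool that
// trusts its certificate and that certificate's pin.
func StartDemoAPI() (*httptest.Server, *x509.CertPool, string) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte(`{"ok":true}`))
	}))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool, SPKIPin(srv.Certificate())
}

func main() {
	srv, pool, pin := StartDemoAPI()
	defer srv.Close()
	body, err := FetchWithPins(pool, []string{pin}, srv.URL+"/v1/ping")
	fmt.Println("correct pin:", body, err)
	// Same trusted chain, but the app was built expecting a different key.
	_, err = FetchWithPins(pool, []string{"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}, srv.URL+"/v1/ping")
	fmt.Println("wrong pin:", err)
}
```

The same check expressed declaratively on Android is a pin-set in the Network Security Config; whichever form is used, ship at least one backup pin so a planned key rotation does not lock every installed app out of the API.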
Why API Segmentation?
Use strong authentication, API tokenization, segmented API workflows (key stores, cookie stores, etc.) to ensure that only the right users can access specific API resources.
Unprotected cookie files in common areas
Encrypted cookie files in segmented areas
Protects against OWASP risks A1, A2, A3, A4, A5, A7, A8, A9
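The token half of the API segmentation bullet ("only the right users can access specific API resources"), as an added example that is not code from the talk or from Appdome: a short-lived HMAC-SHA256 token bound to one user and one narrow scope, verified in constant time, followed by the two authorization checks the OWASP list separates out, function-level (A5, does this scope reach this endpoint) and object-level (A1, does this user own this resource). The token format, the scope names and the ownership lookup are assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Claims are bound to one user and one narrow scope and expire. Each scope
// maps to a separate API workflow, so a token for one cannot be replayed
// against another (assumed layout for this example).
type Claims struct {
	UserID string
	Scope  string
	Expiry int64 // unix seconds
}

// Issue creates an HMAC-SHA256 signed token: base64url(payload).base64url(mac).
// Fields are '|'-separated; this constructed format assumes no '|' in a field.
func Issue(signingKey []byte, c Claims) string {
	payload := c.UserID + "|" + c.Scope + "|" + strconv.FormatInt(c.Expiry, 10)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(payload))
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(mac.Sum(nil))
}

// Verify checks the signature in constant time and the expiry, returning claims.
func Verify(signingKey []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write(payload)
	if subtle.ConstantTimeCompare(sig, mac.Sum(nil)) != 1 {
		return Claims{}, errors.New("bad signature")
	}
	f := strings.Split(string(payload), "|")
	if len(f) != 3 {
		return Claims{}, errors.New("malformed payload")
	}
	exp, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil {
		return Claims{}, err
	}
	if now.Unix() >= exp {
		return Claims{}, errors.New("token expired")
	}
	return Claims{UserID: f[0], Scope: f[1], Expiry: exp}, nil
}

// Authorize applies function-level (scope, OWASP A5) and object-level
// (ownership, OWASP A1) checks. ownerOf stands in for the resource store
// (a constructed map in this example).
func Authorize(c Claims, requiredScope, resourceID string, ownerOf map[string]string) error {
	if c.Scope != requiredScope {
		return fmt.Errorf("scope %q cannot call an endpoint requiring %q", c.Scope, requiredScope)
	}
	owner, ok := ownerOf[resourceID]
	if !ok || owner != c.UserID {
		return fmt.Errorf("user %s does not own resource %s", c.UserID, resourceID)
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-signing-key") // assumption: a real key comes from the backend's secret store
	owners := map[string]string{"order-17": "alice", "order-18": "bob"}
	now := time.Now()
	tok := Issue(key, Claims{"alice", "orders:read", now.Add(5 * time.Minute).Unix()})
	c, err := Verify(key, tok, now)
	fmt.Println("verify:", c, err)
	fmt.Println("own order:", Authorize(c, "orders:read", "order-17", owners))
	fmt.Println("other user's order:", Authorize(c, "orders:read", "order-18", owners))
	fmt.Println("wrong scope:", Authorize(c, "payments:write", "order-17", owners))
	_, err = Verify(key, "Z"+tok[1:], now) // one altered payload character
	fmt.Println("tampered:", err)
}
```

Note that a valid signature alone authorizes nothing: the "other user's order" call carries a perfectly good token and is still refused, which is the object-level check that A1 is about.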
Stop Manually Coding (Mobile API) Security
[Figure: app release timeline v1.0, v2.0, v3.0, v4.0, v5.0, v6.0]
o Security falls behind features. With more developers dedicated to features vs. security, security features fall behind.
o Variable Costs for Partial Solutions. Vendors offer tool kits and resources only, putting all the work and the risk on the developer (not the vendor).
o Coding Mistakes and Omissions. Mobile App Security is a highly specialized and rare talent. Developers build apps, not security.
o Vulnerability Gap. Complexity and development time cause security coverage to grow stale until a breach occurs.
[Chart: App Releases (x-axis) vs. App Value (y-axis); series: Security Coverage, Vulnerability Gap]
Thank You
Tom Tovar
Co-Creator and CEO
tom@appdome.com
www.appdome.com