Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.
Practical Steps to Secure your APIs for Mobile
Mark O’Neill
VP Innovation, Axway
About me
• Co-founder of Vordel (SOA/API Gateways)
  – Acquired by Axway in 2012
• VP Innovation at Axway
• Based in Boston, MA
• Blog: www.soatothecloud.com
2
Agenda
• APIs for Mobile
  – “Digital Business”
• Security issues for APIs
  – Data harvesting
  – API Key sniffing
  – Insecure use of plain HTTP
• OAuth
  – What can go wrong?
  – OAuth model applied to Mobile
• Solutions
  – API Management
  – “Certificate Pinning”
3
“Digital Business”
• Creating new channels for revenue
  – Cloud, Mobile, Social
  – Over 3 hours per day on smartphones [Analysys Mason]
5
Where do APIs fit in?
• Enabling mobile apps
Health Records… Utility Metering… Payments
All get their data through APIs
APIs – A soft underbelly?
• Security vulnerabilities related to APIs
API Security
Axway #APIWorkshops
Identity - Key
• Users often allow the app to interact with APIs on their behalf
  • e.g. call the Twitter API to send tweets
• Protection of OAuth credentials is important
  • “Permission-based Web”
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
OAuth Actor Model applied to Mobile: count the credentials…
• Actors in the diagram: App Developer, Resource Owner (the User), Authorization Server, Resource Server (the API), Client (the App), API Business Owner, Developer Portal
• Credentials in the diagram: Developer Portal Credentials, Client API Credentials, Resource Owner Credentials, Access Token, Refresh Token
More API Misuse – Why throttling is needed
Insecure use of plain HTTP
• Source: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html
11
Weak API Key Authentication
12
• Problem:
  • API Keys are often simply passed in URLs
    • &APIKey=123456
  • Vulnerable to sniffing if SSL isn’t used (often it is not…)
• Amazon uses two keys:
  • Secret Key ID to perform HMAC signing
    • With detection of replay attacks
  • Access Key ID to identify the client
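An added example (not from the slides and not Axway or Amazon code) contrasting the `&APIKey=123456` pattern with the two-key scheme the slide describes: the key ID identifies the client, the secret never goes on the wire, and the server recomputes an HMAC over a canonical string that includes a timestamp and nonce so replays are detected. Key values, header names and the `/v1/meters` path are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

ACCESS_KEY_ID = "AKIAEXAMPLE00000001"             # constructed, not a real key
SECRET_KEY = b"constructed-secret-key-do-not-reuse"  # constructed, not a real key

def canonical_string(method, path, params, timestamp, nonce):
    # Both sides sign this; timestamp and nonce make each request unique.
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, str(timestamp), nonce])

def sign_request(method, path, params, secret, timestamp, nonce):
    msg = canonical_string(method, path, params, timestamp, nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def client_headers(method, path, params, access_key_id, secret, nonce, now=None):
    # What goes on the wire: the key ID identifies the client, the HMAC proves
    # it holds the secret. Unlike "&APIKey=123456", the secret is never sent.
    ts = int(time.time() if now is None else now)
    return {
        "X-Access-Key-Id": access_key_id,
        "X-Timestamp": str(ts),
        "X-Nonce": nonce,
        "X-Signature": sign_request(method, path, params, secret, ts, nonce),
    }

class Verifier:
    # Server side: recompute the HMAC; reject stale timestamps and seen nonces.
    def __init__(self, secrets, max_skew=300):
        self.secrets = secrets      # access_key_id -> secret
        self.max_skew = max_skew    # tolerated clock skew in seconds
        self.seen_nonces = set()    # in production: a store with expiry

    def verify(self, method, path, params, headers, now=None):
        now = time.time() if now is None else now
        secret = self.secrets.get(headers.get("X-Access-Key-Id"))
        if secret is None:
            return False, "unknown access key id"
        ts, nonce = int(headers["X-Timestamp"]), headers["X-Nonce"]
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign_request(method, path, params, secret, ts, nonce)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, "ok"
```

Sniffing a signed request yields only the key ID and a one-time signature; without the secret an attacker cannot sign a new request, and re-sending the captured one fails the nonce check.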
Enter API Management…
• API Portal: self-service for internal and external developers to use APIs
• API Gateway: manage and secure API, SOA and XML traffic
• API Manager: publish and manage API consumption by internal and external partners
• On Premise
API First
• APIs: the API is the contract… and the product
• SOA/ESB: WSDL is the contract; the backend app is the product
Courtesy of Kevin Kohut, Accenture ( @Kkohut )
API Catalog
• Lifecycle Management of APIs
• Versioning
• “Single Store of Truth”
The API Catalog is the modern-day Registry Repository
Version Lifecycle Info
Self Service
• Self-Service Developer Enrollment
• Registration workflows
In-place API Testing
• Test-as-you-go
• “Try it out” for API Methods
• Including using API Keys…
Stakeholders in API Management
• Client Applications → REST API (SOAP/XML/REST/JSON) → API Manager → Services, Applications, Data
• Application Developers (API Portal)
  – Self-Service API consumption
  – Self-register to resources
  – Browse and learn APIs
  – Manage application credentials
  – Build developer community
  – New channel to market brand
• API Developers and API Administrators (API Manager)
  – API Registration & Lifecycle
  – API Catalog
  – Partner & Policy Administration
  – Register and manage API lifecycle
  – Perform partner, policy and process admin
  – Monitor and report API use
• Policy Developers (API Gateway)
  – Policy Enforcement
  – Create and extend policies
  – Integrate with applications and infrastructure
  – Integration with non-REST API services: REST, SOAP Web Services, POX, JMS, FTP
Managing mobile app access to APIs
19
Mobile App Monitoring in Action
20
Managing API Keys and OAuth
21
Quota Management for APIs
22
• Managing usage quotas for APIs on an app-by-app basis
Certificate Pinning
23
• Problem:
  • API Keys are vulnerable when stored on the client
• Solution: “Certificate Pinning”:
  • Leverages native mobile OS support for protecting certificates
  • Uses Mutual SSL
  • End-user credentials (e.g. username/password) are then sent over this Mutual SSL connection
Further questions
24
• @Axway
• @TheMarkONeill
• Visit us at the Axway Booth
• Thank you!