Is Your API Being Abused – And Would You Even Notice If It Was?
1 like178 views
API abuse is set to become a leading attack vector for data breaches in enterprise web applications by 2022. Organizations need to ensure their APIs are secure and verify both users and devices to prevent hackers and bots from gaining access. Solutions for API security can be effective and are essential to protect mobile applications, which are often vulnerable.
Is Your API Being Abused – And Would You Even Notice If It Was?
- 1. Is Your API Being Abused? And Would You Even Know If It Was? NordicAPIs Platform Summit 2018
- 2. (AT&T Business: https://www.corp.att.com/edu/cybersecurity/managing-risks EY: https://www.slideshare.net/dynamiccio/cybersecurity-mock-cyberwar-gamehtml)
- 3. (AT&T Business: https://www.corp.att.com/edu/cybersecurity/managing-risks EY: https://www.slideshare.net/dynamiccio/cybersecurity-mock-cyberwar-gamehtml)
- 4. “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” (Gartner: How To Build An Effective API Security Strategy | 8 Dec 2017 | ID:G00342236)
- 9. Source: XMLdation – API/JSON Competitive Assets to meet PSD2
- 10. Your Business, On Line • Your target users to interact via mobile devices and apps. • They are consumers, customers, staff and suppliers. • Need quick, functionally rich, safe and convenient services. • Services could be online bookings, payment systems, CRM, HR Systems, etc.
- 11. “On average, 18 SDKs are integrated into an app… In an SDK there are 1 or more APIs...”.” Source: SafeDK, 2017 “Over 80% of major corporations have 10 or more mobile applications…” Source: ThreatMetrix, 2018
- 12. https://developer.twitter.com/en/docs/basics/authentication/guides/securing-keys-and-tokens “You should treat your API keys as you do your username and password. As mentioned above, API keys should not be hard-coded in source code repositories--just as usernames and passwords shouldn’t be.”
- 13. Dynamic Mobile App Legitimacy Solution • Dynamic: threat is always shifting. Approov is ahead of it. • Mobile App: any and every app you publish and all the 3rd party apps and services they access. • Legitimacy: uses forensic integrity technologies to identify if a user and device is real or not. Stops bots. Stops hackers. Stops imitators. • Solution: our software, deployed as a service. “The anti-bot solution for mobile” Approov recognizes and stops unidentified user access to your mobile apps, and only allows access to the users you want https://approov.io
- 14. (Image: byJcomp – Freepik.com https://www.freepik.com/free-photo/white-notebook-black-data-firewall_1150276.htm)
- 15. API Requests Using Valid User Credentials Case study: https://approov.io/case-studies/racing-post.html Racing Spreadsheet Analysis Data Scraping Bot / Script Reverse API Requests Racing Post Backend API Requests CSV Scrapers’ Cloned App Wireshark: Scrapers’ Automated Code
- 17. Faked Play Fake Account Creation Account Details More examples: https://hackerbot.net/ Fake Account Factory Fake Play Web App IP Address Spoofing Saved Game Editing User Access Reward Benefits Game Application Backend SignUp/Play Rewards
- 19. Aggregator App Aggregator Backend Device Farm Cloud Proxy Mobility Provider APIs Launch Provider App for unsupported operations Unlock & start car
- 20. Takeaways • API abuse is a clear and present danger. • If someone can game your system, they will. • Your mobile channel is your Achilles Heel. • API abusers may be your customers. • You need to know what is communicating with you, not just who. • Solutions don’t need to be complex.
- 21. Thank You! And Enjoy Your APIs! david.stewart@criticalblue.com @critblue https://approov.io