Mobile - Your API Security Blindspot by David Stewart, Approov
0 likes117 views
The document discusses the vulnerabilities and security threats associated with mobile APIs, highlighting the unique challenges posed by mobile platforms. It provides recommendations for ensuring app, device, and channel integrity through practices such as token validation and certificate pinning. The document also emphasizes the importance of visibility and rapid response to threats in API security architecture.
Mobile - Your API Security Blindspot by David Stewart, Approov
- 1. Mobile - Your API Security Blindspot David Stewart david.stewart@approov.io @approov_io www.approov.io
- 2. Agenda ● API security architecture overview ● Why is mobile special? ● Attacks against mobile platforms ● What can you do? ● Recommendations
- 3. A Typical API Architecture - Se cu rity Source: Edge Security with an API Gateway Note: “By 2020, more than half of all data thefts were traceable to unsecure APIs” https://www.gartner.com/document/4009103
- 4. A Typical API Architecture - AP I Gate w ay Note: Are all authenticated, authorized, low frequency API requests good? Source: Edge Security with an API Gateway
- 5. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here
- 6. A Typical API Architecture - W AF Source: Edge Security with an API Gateway Note: How do you define a known threat and who defines it?
- 7. A Typical API Architecture - Clou d Costs Source: Edge Security with an API Gateway Note: Why process API requests which can be identified as bad at the edge?
- 8. (Naive) View of Protecting a Mobile Channel The User The Service Check user credentials and possession of a valid API key. Username/password OAuth2 OpenID Connect Biometrics WAF API Gateway CDN TLS
- 9. Mobile Apps: Gifts that Keep on Giving Downloadable and runnable by anyone, anytime, for any duration and on any platform.
- 10. Mobile APIs: Flood Gates Waiting to Open An app limits the range/speed an API can manipulate user data. However, a bot can rapidly manipulate and exfiltrate all your valuable data. In 2020 the average cost of a data breach is $3.86M (Ponemon)
- 11. (Naive) View of Protecting a Mobile Channel The User The Service Check user credentials and possession of a valid API key. Username/password OAuth2 OpenID Connect Biometrics WAF API Gateway CDN TLS
- 12. Hackers View of a Mobile Channel (1) The Mobile App The User The Service Reverse engineering Tampering/repackaging Data manipulation
- 13. Hackers View of a Mobile Channel (2) The Mobile Device The User The Service Emulation/Simulation Auto-launching Instrumentation frameworks
- 14. Hackers View of a Mobile Channel (3) The API Channel The User The Service Person-in-the-Middle TLS Decryption TLS Unpinning Scripting
- 15. Attacking the Mobile Channel Note: The majority of these attacks are executed via scripts
- 16. (Revised) View of Protecting a Mobile Channel Attack Surface 1: User Credentials Attack Surface 3: Device Integrity Attack Surface 2: App Integrity Attack Surface 4: API Channel Integrity Attack Surface 5: Service Vulnerabilities Trust nothing between user and service.
- 17. The Blindspot Revealed What to do? Shield your surfaces.
- 18. App Integrity Checks Under the hood: 1. Register app 2. App authenticated 3. Approov token delivered 4. Token validated Repeat 2. every 5 minutes https://approov.io/download/Approov-Whitepaper-Security-Trust-Gap.pdf
- 19. Device Integrity Checks Environmental checks run at app launch and every 5 minutes during the session
- 20. Channel Integrity Checks Dynamic Certificate Pinning: Continuous monitoring of pins from Approov cloud and immediate notification of changes that will cause app pinning failures
- 21. Recommendations ● App integrity: ○ Ensure *only* genuine app instances can call your API ○ https://approov.io/product/developer ● Device integrity: ○ Ensure genuine apps are running on ‘safe’ devices. ○ https://approov.io/product/security ● Channel integrity: ○ Ensure certificate pinning is implemented safely. ○ https://www.approov.io/for/mitm-webinar/watch/ ● Implementation, deployment, monitoring and management: ○ Ensure visibility into your installed base and can react quickly to new threats. ○ https://blog.approov.io/a-short-tour-of-the-approov-metrics Note: Don’t think that API vulnerabilities are your only problem!
- 22. Next Steps ● Check out our website Resource page: ○ https://approov.io/resource ● Use case review with API security expert (ask them anything!) ○ david.stewart@approov.io ○ https://approov.io/product/demo/ ● Sign up for a free Approov trial (no credit card needed) ○ https://approov.io/signup
- 23. Approov API Threat Protection Stop API Security Threats at the Edge www.approov.io https://approov.io/signup
- 24. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here