Transcript of Preventing and Countering Mobile API Abuse
Preventing and Countering
Mobile API Abuse
Skip Hovsmith
8 October 2019
About Me
• Focus on API security, especially with mobile clients
• Chips -> HW/SW -> Embedded/Android/HSMs -> mobile/API security
medium.com/@skiph approov.io
The Dark API Economy
• In 2018, Akamai observed:
• Over 27B credential abuse attempts in 6 months
• 83% of CDN traffic was API content, not HTML.
• Gartner reports:
• By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.
Mobile Apps Rely on APIs
(Figure: traditional vs. mobile access; traffic share 58% Mobile, 42% Desktop)
API Attacks Expose Everything
• Apps limit the range and speed at which an API manipulates user data.
• Without the usage constraints, a bot can rapidly manipulate and exfiltrate all your valuable data.
APIs Open New Business Opportunities and Vulnerabilities
• Public APIs are well documented
• Structured styles like REST are often easy to guess and extrapolate
• Leaky APIs disclose implementation details and error handling
• Hidden APIs are accidentally exposed by autodoc services
Single App, Single API?
(Diagram: Travel App calling the Travel App API)
Many Apps, Many APIs
Multiple devices with multiple app and API versions for each
(Diagram: every client type calls the same set of APIs)
Mapping API
Hotel Availability API
Hire Car Availability API
User Authentication API
Weather API
Client types: Native Apps, Hybrid Apps, Legacy Versions, Single Page Web Apps
ShipFast
Package Delivery Service
ShipFast Shipper’s App
ShipFast API
(Sequence diagram: ShipFast App, ShipFast Backend, Auth Server)
In Headers: Authorization: Bearer <access-token>
Starts app, logs in: App sends <credentials> to the Auth Server and receives <UserTok>
Get any active delivery: GET /shipments/active, Authorization=<UserTok> -> 404 or current shipment
See available shipment: GET /shipments/nearest_shipment, Authz.., Lat=<m>, Lon=<n> -> Shipment {id:<x>, desc:<y>, gratuity:<z>, <location>}
Accept shipment: POST /shipments/update_state/<x>, Authz..., state=Accept
Pickup shipment: POST /shipments/update_state/<x>, Authz..., state=Pickup
Deliver shipment: POST /shipments/update_state/<x>, Authz..., state=Deliver
Collect gratuity!: GET /shipments/delivered, Authz… -> Delivered shipment info
ShipRaider
Helping Shippers maximize their earnings!
ShipRaider Shipper’s Edge
App Authentication
It’s not just who you know!
App Identity using API Keys
• “SF-API_KEY” identifies the client app with every API call
• API Backend verifies the API key along with user access token
• API Key is commonly an opaque KEY or an ID:SECRET pair
• Don’t reveal the API secret to anybody!
(Diagram: ShipFast App, holding API key QXBwcm9..., -> ShipFast API Backend: GET /shipments/… SF-API_KEY=QXBwcm9…)
ShipFast API
(Sequence diagram: ShipFast App, ShipFast Backend, Auth Server)
In Headers: Authorization: Bearer <access-token> SF-API_KEY: <api-key>
Starts app, logs in: App sends <credentials> to the Auth Server and receives <UserTok>
Get any active delivery: GET /shipments/active, Authorization=<UserTok> -> 404 or current shipment
See available shipment: GET /shipments/nearest_shipment, Authz.., Lat=<m>, Lon=<n> -> Shipment {id:<x>, desc:<y>, gratuity:<z>, <location>}
Accept shipment: POST /shipments/update_state/<x>, Authz..., state=Accept
Pickup shipment: POST /shipments/update_state/<x>, Authz..., state=Pickup
Deliver shipment: POST /shipments/update_state/<x>, Authz..., state=Deliver
Collect gratuity!: GET /shipments/delivered, Authz… -> Delivered shipment info
Keeping Secrets: Attack Surfaces
(Diagram: Mobile App holding the API key QXBwcm9... talking to the API)
Attack Surface 1: User Credentials
Attack Surface 2: At Rest and At Run Time
Attack Surface 3: In Transit
Attack Surface 4: Accidental Leakage
Basic Mistakes
Don’t make it too easy!
Don’t Publish Your Keys
Ryan Hellyer had always wanted to open source his website.
Satisfied that he had taken all the necessary security precautions, Hellyer pushed all the contents of his site to a new GitHub repository.
Not four hours later, Hellyer received an urgent message from Amazon...
Don’t print it in your logs either!
https://wptavern.com/ryan-hellyers-aws-nightmare-leaked-access-keys-result-in-a-6000-bill-overnight
How ShipRaider Stole the API Key
● The API key is stored in the manifest!
● Manifest is easy to obtain from the published app – just unzip!
Basic Plan
Mitigate after a breach
Detect and Block Abnormal Usage of APIs
• API Probing
• App layer DDoS attacks
• Data Scraping / Exfiltration
• Credential Stuffing
Rate Limiting and Load Shedding
• Quotas, spike arrests, concurrency limits
• Vary by expense of call (DB access)
• For ShipFast, a shipper is making too many shipment request calls
• Fixed or load adaptive
• Tend to be very lenient - don't risk rejecting legitimate customer usage
“Leaky Bucket” Rate Limiting (diagram): the bucket is filled at the maximum API request rate and drained by the actual API request rate; overflow is discarded
Practical Intro: https://stripe.com/blog/rate-limiters
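As an added example (not from the slides or the ShipFast project), a per-shipper limiter with the semantics the diagram describes: each shipper's bucket fills at the maximum permitted request rate, is drained by that shipper's actual calls, and a call that would overdraw it is discarded. The capacity, fill rate and the per-endpoint cost weights are assumed values, chosen so that the database-backed nearest-shipment search counts more than a simple poll.

```python
from dataclasses import dataclass

# Relative cost of each ShipFast endpoint: the nearest-shipment search hits the
# database, so it drains the bucket faster (assumed weights for illustration).
CALL_COST = {"/shipments/nearest_shipment": 3.0}


@dataclass
class Bucket:
    capacity: float   # burst allowance, in request-cost units
    fill_rate: float  # maximum sustained rate, cost units per second
    level: float      # cost units currently available
    last: float       # time of the last update, in seconds


class ShipperRateLimiter:
    """One bucket per shipper, keyed by the identity in the user token."""

    def __init__(self, capacity: float, fill_rate: float) -> None:
        self.capacity = capacity
        self.fill_rate = fill_rate
        self.buckets = {}

    def allow(self, shipper: str, path: str, now: float) -> bool:
        b = self.buckets.get(shipper)
        if b is None:
            # A shipper we have not seen starts with a full bucket.
            b = Bucket(self.capacity, self.fill_rate, self.capacity, now)
            self.buckets[shipper] = b
        # Fill at the maximum permitted rate for the time since the last call.
        b.level = min(b.capacity, b.level + (now - b.last) * b.fill_rate)
        b.last = now
        cost = CALL_COST.get(path, 1.0)
        if b.level >= cost:
            b.level -= cost      # drained by the actual request
            return True
        return False             # bucket empty: this call overflows and is discarded


def replay(log, capacity=10.0, fill_rate=1.0):
    """Replay (time_s, shipper, path) records; return {shipper: (allowed, rejected)}."""
    limiter = ShipperRateLimiter(capacity, fill_rate)
    counts = {}
    for t, shipper, path in log:
        allowed = limiter.allow(shipper, path, t)
        a, r = counts.get(shipper, (0, 0))
        counts[shipper] = (a + 1, r) if allowed else (a, r + 1)
    return counts


# Constructed sample traffic: "alice" fires the nearest-shipment search five
# times in under half a second, "bob" polls his active delivery normally.
SAMPLE_LOG = [
    (0.0, "alice", "/shipments/nearest_shipment"),
    (0.1, "alice", "/shipments/nearest_shipment"),
    (0.2, "alice", "/shipments/nearest_shipment"),
    (0.3, "alice", "/shipments/nearest_shipment"),
    (0.4, "alice", "/shipments/nearest_shipment"),
    (0.0, "bob", "/shipments/active"),
    (5.0, "bob", "/shipments/active"),
]

if __name__ == "__main__":
    # alice: 3 allowed, 2 rejected; bob: 2 allowed, 0 rejected
    print(replay(SAMPLE_LOG))
```

The limits here are deliberately tight to make the rejection visible; as the slide notes, production limits tend to be far more lenient so that legitimate shippers are never turned away.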
Behavioral API Security
• Detect malicious API usage patterns
• For ShipFast, a shipper appears to be moving too fast
• Employ big data with machine learning
• May emit false positives
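An added example of the "shipper appears to be moving too fast" check (not code from the slides or the ShipFast project): it takes the Lat/Lon the app reports on its location-bearing API calls and flags any consecutive pair that would need an implausible speed. The speed threshold and the minimum displacement used to ignore GPS jitter are assumed tuning values; the sample events are constructed.

```python
import math

# Assumed tuning values: faster than this is not a delivery vehicle, and moves
# shorter than this are ignored so that GPS jitter does not raise false positives.
MAX_PLAUSIBLE_KMH = 150.0
MIN_MOVE_KM = 0.5


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def implausible_moves(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_MOVE_KM):
    """Scan location-bearing API calls given as (time_s, shipper, lat, lon).
    Returns (shipper, time_s, km, kmh) for every move between consecutive
    calls of one shipper that would require travelling faster than max_kmh."""
    last = {}
    flags = []
    for t, shipper, lat, lon in sorted(events):
        if shipper in last:
            t0, lat0, lon0 = last[shipper]
            km = haversine_km(lat0, lon0, lat, lon)
            if km >= min_km:
                # Treat anything under one second as one second so that two
                # calls with the same timestamp still yield a finite speed.
                dt_h = max(t - t0, 1.0) / 3600.0
                kmh = km / dt_h
                if kmh > max_kmh:
                    flags.append((shipper, t, round(km, 1), round(kmh)))
        last[shipper] = (t, lat, lon)
    return flags


# Constructed sample: "alice" searches for a shipment in central London and,
# five minutes later, reports a delivery from Manchester; "bob" crosses town
# in thirty minutes.
SAMPLE_EVENTS = [
    (0, "alice", 51.5074, -0.1278),    # GET /shipments/nearest_shipment Lat/Lon
    (300, "alice", 53.4808, -2.2426),  # POST update_state Deliver, with location
    (0, "bob", 51.5074, -0.1278),
    (1800, "bob", 51.5200, -0.1000),
]

if __name__ == "__main__":
    for shipper, t, km, kmh in implausible_moves(SAMPLE_EVENTS):
        print(f"{shipper}: {km} km in {t} s implies {kmh} km/h")
```

A flag here is a signal for review or for stepping up checks rather than a verdict: as the slide says, behavioral rules emit false positives, and a shipper handing a phone to a colleague would look exactly like this.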
Secure Communication
Protect secrets in transit
Don’t Call APIs in the Clear
• Use TLS (https) to ensure message integrity and confidentiality between client and server...
• ...if you trust the certification
Breaking TLS
• ShipRaider controls the client
• Installs fake server certificate on client device
• Enables Man in the Middle snooping and tampering
(Diagram: Mobile App <-> API, the intended communication channel)
Certificate Pinning
• ShipFast counters with certificate pinning…
• Client keeps whitelist of trusted certificates
• Only accepts connections from a whitelisted certificate
• Attacker cannot match a whitelisted certificate or know the certificate’s private key
• ShipRaider hooks the pinning check (e.g. SSL-TrustKiller) …
Pinning Upkeep
• Server certificates, their public keys or fingerprints are client secrets
• Certificates may expire or be revoked
• Updating the certificates on the client is a maintenance challenge and a possible attack vector
• Depends on app integrity to prevent attacker bypassing pinning logic (e.g. SSL-TrustKiller)
(Diagram: Mobile App holding the pinned certificate fingerprint e54499be5aed)
Remove Secret from the Channel
• Assume secret hidden somehow inside app
• Signing proves client possesses secret and request is untampered
• Secret not transmitted; only run time signature
• Responses can be signed; can use full encryption
(Diagram: HMAC request signing)
API Key: APP_ID APP_SECRET
ShipFast App, original message: GET /shipments/active, Authorization=YXdlc29…, SF-APP_ID=QXBwcm9…
HMAC(original message + APP_SECRET 4ymoofRe0l87Q…) = Signature GXbgtwg…
Sent: GET /shipments/active, Authorization=YXdlc29…, SF-APP_ID=QXBwcm9…, SF-HMAC=GXbgtwg…
ShipFast API, received message: GET /shipments/active, Authorization=YXdlc29…, SF-APP_ID=QXBwcm9…, SF-HMAC=GXbgtwg…
HMAC(received message + APP_SECRET 4ymoofRe0l87Q…) == SF-HMAC ?
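The signing scheme the diagram shows, as an added example written for this page (not the ShipFast project's code): the client computes SF-HMAC over the method, path, user token and SF-APP_ID, and the API recomputes it over what it received and compares in constant time. The APP_ID, APP_SECRET and user token values are constructed; the slide shows only truncated ones.

```python
import hashlib
import hmac

# Constructed demo credentials; the slide shows only truncated values.
APP_ID = "QXBwcm9-demo-app-id"
APP_SECRET = b"4ymoofRe0l87Q-demo-app-secret"


def canonical_request(method, path, headers):
    """Bytes covered by the signature. Client and server must build exactly the
    same input, so the covered fields and their order are fixed here. Note that
    no timestamp or nonce is covered, matching the slide: a captured signed
    request could be replayed unchanged until the user token expires."""
    parts = [method.upper(), path,
             headers.get("Authorization", ""),
             headers.get("SF-APP_ID", "")]
    return "\n".join(parts).encode()


def sign_request(method, path, headers, secret=APP_SECRET):
    """Client side: add SF-HMAC to the outgoing request. Only the signature
    travels; APP_SECRET itself stays inside the app."""
    mac = hmac.new(secret, canonical_request(method, path, headers), hashlib.sha256)
    signed = dict(headers)
    signed["SF-HMAC"] = mac.hexdigest()
    return signed


def verify_request(method, path, headers, secret=APP_SECRET):
    """Server side: recompute the HMAC over the received message and compare
    in constant time. Any change to a covered field breaks the match."""
    received = headers.get("SF-HMAC", "")
    expected = hmac.new(secret, canonical_request(method, path, headers),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(received, expected)


def demo():
    """Returns (genuine_ok, other_path_ok, other_token_ok)."""
    headers = {"Authorization": "Bearer YXdlc29-demo", "SF-APP_ID": APP_ID}
    signed = sign_request("GET", "/shipments/active", headers)
    genuine = verify_request("GET", "/shipments/active", signed)
    # The same signature presented for a different endpoint is rejected.
    other_path = verify_request("GET", "/shipments/delivered", signed)
    # The same signature presented under a different user token is rejected.
    swapped = dict(signed, Authorization="Bearer someone-else")
    other_token = verify_request("GET", "/shipments/active", swapped)
    return genuine, other_path, other_token


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```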
How ShipRaider Broke the HMAC
● Download the APK, unzip it and run dex2jar…
● Immediately reveals the HMAC secret
● No matter how hard you hide the secret, if it’s valuable enough, it will be found eventually.
Calculate Secret at Runtime
● Avoid a static secret value that can be easily extracted
● Calculate a secret value at runtime instead:
● Must be deterministic so it can be known by server
● ObfuscatedSecret used for Request HMAC
ShipRaider Steals Runtime Secret
• HMAC secret is obfuscated but still a run time constant
• Repackage app for debugging
• Break at HMAC calculation
• Read the secret!
• ShipFast adds run-time anti-debug protection
App Hardening Approaches
• Custom Secret Computation
• Split static secret into pieces
• Functionally recompute secret at runtime
• Obfuscation and Anti-Tamper
• Obfuscate app code and make tamper resistant
• Protects secrets and code comprehension
• White-Box Cryptography
• Represent a secret by its obfuscated operations
• Mathematically obfuscated operations
• Software and Hardware Backed KeyStores
• Operations performed without exposing keys
• Complexities in secure hardware usage
User Authentication
It’s really about app authorization
OAuth2 Overview
• Authorization protocol
• Resource owner requests resource access for a client app
• Not authentication, but uses authentication services
• Resource owner authenticates with auth server
• Client authenticates with auth server
• Often extended with OpenID-Connect (OIDC)
• Different authorization grant types
• Client credentials grant
• Code grant
• Others
Abstract Protocol Flow
(Diagram: Client, Resource Owner, Authorization Server, Resource Server)
• Client -> Resource Owner: Authorization Request
• Resource Owner -> Client: Authorization Grant
• Client -> Authorization Server: Authorization Grant
• Authorization Server -> Client: Access Token
• Client -> Resource Server: Access Token
• Resource Server -> Client: Protected Resource
Client
- Software App on User’s Device
Resource Owner
- Resource Owner is typically the user
- Consents to authorization scope
Authorization Server
- Verifies Resource Owner identity
- Issues tokens for access
Resource Server
- Holds the protected user resources
- The API backend that provides content
User’s OAuth2 Code Grant Flow
• User authorizes client to access backend resources
• Client doesn’t see user credentials
• User authorizes client using yet another ID:SECRET
OAuth2 Refresh Tokens
OAuth2 Proof Key for Code Exchange (PKCE)
• Code challenge is hash of random value
• Mitigates against leaky client_secret
• Server compares with hash of code_verifier
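The PKCE exchange the three bullets describe, as an added example (not code from the slides or the ShipFast project): the client hashes a fresh random code_verifier into the S256 code_challenge sent with the authorization request, and the token endpoint only redeems the code for whoever can present the matching verifier, so a leaked client_secret plus an intercepted code is not enough. The AuthServerPKCE class is a minimal stand-in for an authorization server, not a real one.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: a fresh high-entropy random value per authorization
    request (RFC 7636 allows 43-128 unreserved chars; 32 bytes give 43)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthServerPKCE:
    """Minimal model of the authorization-server side of PKCE (stand-in only)."""

    def __init__(self):
        self.pending = {}   # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge, method="S256"):
        """Authorization endpoint: remember the challenge with the issued code."""
        code = b64url(secrets.token_bytes(16))
        self.pending[code] = (code_challenge, method)
        return code

    def token(self, code, code_verifier):
        """Token endpoint: the code is single use and is redeemed only by
        presenting the verifier behind the stored challenge."""
        entry = self.pending.pop(code, None)
        if entry is None:
            return None
        challenge, method = entry
        if method != "S256":          # refuse the weaker "plain" method
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-" + b64url(secrets.token_bytes(8))


def demo():
    """Returns (intercepted_code_rejected, genuine_exchange_ok, replay_rejected)."""
    srv = AuthServerPKCE()
    verifier = make_code_verifier()
    # First authorization: someone who obtained the code (and the leaky
    # client_secret) but not the verifier cannot redeem it.
    code = srv.authorize(make_code_challenge(verifier))
    intercepted = srv.token(code, make_code_verifier())
    # Second authorization: the real client redeems its own code exactly once.
    code = srv.authorize(make_code_challenge(verifier))
    genuine = srv.token(code, verifier)
    replay = srv.token(code, verifier)
    return intercepted is None, genuine is not None, replay is None


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```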
Further Reduce the Attack Surface
The fewer secrets the better
Multiple APIs, Multiple API Keys
The more secrets in the App, the harder to keep all safe
API Proxy Pattern
• Protect just one secret in the App
• Any way to remove that last secret from the App?
Secret as a Service
• Remove secret from the app?
• Signed, short-lived JWT token retrieved on request
• Secret can be revoked or updated without touching app
(Diagram label: Shared Secret)
App Integrity Measurement
• Reliably perform non-replayable dynamic app integrity measurements
• The app does not make or know the integrity decision
• Use best practice SDK and communication hardening practices
• Can also do dynamic MitM protection by comparing server certs
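An added example for the "Secret as a Service" and "App Integrity Measurement" slides (not code from the slides or the ShipFast project): a token service mints a short-lived HS256 JWT after a passed integrity measurement, and the API backend accepts it only while the signature verifies under the shared secret and the token is unexpired. The app only relays the token and never holds the secret, so rotating the secret revokes every outstanding token without touching the app. The secrets, issuer name and lifetime are constructed demo values, and the HS256 handling is written out by hand rather than taken from a JWT library.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secrets shared by the token service and the API backend
# only; the app never holds either of them.
SECRET_V1 = b"demo-shared-secret-v1"
SECRET_V2 = b"demo-shared-secret-v2"   # what the service switches to on rotation


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_app_token(secret, app_id, now, ttl_s=300):
    """Token-service side: after a passed integrity measurement, mint a
    short-lived HS256 JWT for this app instance. The app merely forwards it."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": "app-attest-demo", "sub": app_id, "iat": now, "exp": now + ttl_s}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_app_token(secret, token, now):
    """API-backend side: return the claims only if the token is well formed,
    carries a valid HS256 signature under `secret`, and has not expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # The token must not get to choose its own algorithm.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:          # bad split, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:    # short lifetime: a captured token is soon useless
        return None
    return claims


def demo(now=1_700_000_000):
    """Returns (fresh_ok, expired_rejected, rotated_rejected, tampered_rejected)."""
    token = issue_app_token(SECRET_V1, "shipfast-android-demo", now)
    fresh = verify_app_token(SECRET_V1, token, now + 60) is not None
    expired = verify_app_token(SECRET_V1, token, now + 301) is None
    rotated = verify_app_token(SECRET_V2, token, now + 60) is None
    # A payload with a longer lifetime under the original signature fails.
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = b64url(json.dumps({"sub": "x", "exp": now + 99999}).encode())
    forged = f"{header_b64}.{forged_payload}.{sig_b64}"
    tampered = verify_app_token(SECRET_V1, forged, now + 60) is None
    return fresh, expired, rotated, tampered


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```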
Strengthening OAuth2 Flow
• Client secret replaced with approval token
• OAuth2 token issued only to legitimate app
ShipShape
• No secrets in app
• Secure communication
Where We Stand
Architecture Pattern
• Authorize both who (user) and what (app)
• Only time-limited, run time tokens
• Easy secret maintenance – not on device
• API Server can provide rate limiting and auth services
• Are we done?
Conclusion
• Authenticating app identity just as important as user identity
• Keep secrets off the app and out of the channel
• Limit the Attack Surfaces:
• User and App Auth
• Channel and Run Time Protection
• Behavioral Analysis
• ShipRaider will return!
Additional References
• ShipFast
• https://github.com/approov/shipfast-api-protection
• https://medium.com/approov/shipfast-api-protection-walkthrough-part-1-d00810b4138d
• Mobile API Security
• https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10
• https://approov.io/blog
• All things OAuth2
• OAuth2 in Action by Justin Richer and Antonio Sanso
• https://hackernoon.com/strengthening-oauth2-for-mobile-f4f3925dbf18