Mobile - Your API Security Blindspot by David Stewart, Approov
•
0 gefällt mir•96 views
apidays LIVE Paris 2021 - APIs and the Future of Software December 7, 8 & 9, 2021 Mobile - Your API Security Blindspot David Stewart, CEO at Approov
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Mobile - Your API Security Blindspot by David Stewart, Approov
Ähnlich wie Mobile - Your API Security Blindspot by David Stewart, Approov (20)
Mehr von apidays
Mehr von apidays (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Mobile - Your API Security Blindspot by David Stewart, Approov
- 1. Mobile - Your API Security Blindspot David Stewart david.stewart@approov.io @approov_io www.approov.io
- 2. Agenda ● API security architecture overview ● Why is mobile special? ● Attacks against mobile platforms ● What can you do? ● Recommendations
- 3. A Typical API Architecture - Se cu rity Source: Edge Security with an API Gateway Note: “By 2020, more than half of all data thefts were traceable to unsecure APIs” https://www.gartner.com/document/4009103
- 4. A Typical API Architecture - AP I Gate w ay Note: Are all authenticated, authorized, low frequency API requests good? Source: Edge Security with an API Gateway
- 5. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here
- 6. A Typical API Architecture - W AF Source: Edge Security with an API Gateway Note: How do you define a known threat and who defines it?
- 7. A Typical API Architecture - Clou d Costs Source: Edge Security with an API Gateway Note: Why process API requests which can be identified as bad at the edge?
- 8. (Naive) View of Protecting a Mobile Channel The User The Service Check user credentials and possession of a valid API key. Username/password OAuth2 OpenID Connect Biometrics WAF API Gateway CDN TLS
- 9. Mobile Apps: Gifts that Keep on Giving Downloadable and runnable by anyone, anytime, for any duration and on any platform.
- 10. Mobile APIs: Flood Gates Waiting to Open An app limits the range/speed an API can manipulate user data. However, a bot can rapidly manipulate and exfiltrate all your valuable data. In 2020 the average cost of a data breach is $3.86M (Ponemon)
- 11. (Naive) View of Protecting a Mobile Channel The User The Service Check user credentials and possession of a valid API key. Username/password OAuth2 OpenID Connect Biometrics WAF API Gateway CDN TLS
- 12. Hackers View of a Mobile Channel (1) The Mobile App The User The Service Reverse engineering Tampering/repackaging Data manipulation
- 13. Hackers View of a Mobile Channel (2) The Mobile Device The User The Service Emulation/Simulation Auto-launching Instrumentation frameworks
- 14. Hackers View of a Mobile Channel (3) The API Channel The User The Service Person-in-the-Middle TLS Decryption TLS Unpinning Scripting
- 15. Attacking the Mobile Channel Note: The majority of these attacks are executed via scripts
- 16. (Revised) View of Protecting a Mobile Channel Attack Surface 1: User Credentials Attack Surface 3: Device Integrity Attack Surface 2: App Integrity Attack Surface 4: API Channel Integrity Attack Surface 5: Service Vulnerabilities Trust nothing between user and service.
- 17. The Blindspot Revealed What to do? Shield your surfaces.
- 18. App Integrity Checks Under the hood: 1. Register app 2. App authenticated 3. Approov token delivered 4. Token validated Repeat 2. every 5 minutes https://approov.io/download/Approov-Whitepaper-Security-Trust-Gap.pdf
- 19. Device Integrity Checks Environmental checks run at app launch and every 5 minutes during the session
- 20. Channel Integrity Checks Dynamic Certificate Pinning: Continuous monitoring of pins from Approov cloud and immediate notification of changes that will cause app pinning failures
- 21. Recommendations ● App integrity: ○ Ensure *only* genuine app instances can call your API ○ https://approov.io/product/developer ● Device integrity: ○ Ensure genuine apps are running on ‘safe’ devices. ○ https://approov.io/product/security ● Channel integrity: ○ Ensure certificate pinning is implemented safely. ○ https://www.approov.io/for/mitm-webinar/watch/ ● Implementation, deployment, monitoring and management: ○ Ensure visibility into your installed base and can react quickly to new threats. ○ https://blog.approov.io/a-short-tour-of-the-approov-metrics Note: Don’t think that API vulnerabilities are your only problem!
- 22. Next Steps ● Check out our website Resource page: ○ https://approov.io/resource ● Use case review with API security expert (ask them anything!) ○ david.stewart@approov.io ○ https://approov.io/product/demo/ ● Sign up for a free Approov trial (no credit card needed) ○ https://approov.io/signup
- 23. Approov API Threat Protection Stop API Security Threats at the Edge www.approov.io https://approov.io/signup
- 24. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here