Mobile - Your API Security Blindspot by David Stewart, Approov
1. Mobile - Your API Security Blindspot
David Stewart
david.stewart@approov.io
@approov_io
www.approov.io
2. Agenda
● API security architecture overview
● Why is mobile special?
● Attacks against mobile platforms
● What can you do?
● Recommendations
3. A Typical API Architecture - Security
Source: Edge Security with an API Gateway
Note: “By 2020, more than half of all data thefts were traceable to unsecure APIs”
https://www.gartner.com/document/4009103
4. A Typical API Architecture - API Gateway
Note: Are all authenticated, authorized, low-frequency API requests good?
Source: Edge Security with an API Gateway
5. Check out our API Conferences
New York: July; Australia: September; Singapore: April; Helsinki & North: March; Paris: December; London: October; Jakarta: February; Hong Kong: August; India: May; June
50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community
Want to talk at one of our conferences? Apply to speak.
6. A Typical API Architecture - WAF
Source: Edge Security with an API Gateway
Note: How do you define a known threat and who defines it?
7. A Typical API Architecture - Cloud Costs
Source: Edge Security with an API Gateway
Note: Why process API requests which can be identified as bad at the edge?
8. (Naive) View of Protecting a Mobile Channel
The User -> The Service: check user credentials and possession of a valid API key.
● User side: Username/password, OAuth2, OpenID Connect, Biometrics
● Service side: WAF, API Gateway, CDN, TLS
9. Mobile Apps: Gifts that Keep on Giving
Downloadable and runnable by anyone, anytime, for any duration and on any platform.
10. Mobile APIs: Flood Gates Waiting to Open
The app limits the range and speed at which a user can manipulate data through the API. A bot calling the API directly has no such limit: it can rapidly manipulate and exfiltrate all of your valuable data.
In 2020 the average cost of a data breach was $3.86M (Ponemon).
11. (Naive) View of Protecting a Mobile Channel (slide 8 repeated)
12. Hacker's View of a Mobile Channel (1): The Mobile App
The User -> The Mobile App -> The Service
● Reverse engineering
● Tampering/repackaging
● Data manipulation
13. Hacker's View of a Mobile Channel (2): The Mobile Device
The User -> The Mobile Device -> The Service
● Emulation/Simulation
● Auto-launching
● Instrumentation frameworks
14. Hacker's View of a Mobile Channel (3): The API Channel
The User -> The API Channel -> The Service
● Person-in-the-Middle
● TLS Decryption
● TLS Unpinning
● Scripting
15. Attacking the Mobile Channel
Note: The majority of these attacks are executed via scripts
16. (Revised) View of Protecting a Mobile Channel
● Attack Surface 1: User Credentials
● Attack Surface 2: App Integrity
● Attack Surface 3: Device Integrity
● Attack Surface 4: API Channel Integrity
● Attack Surface 5: Service Vulnerabilities
Trust nothing between user and service.
20. Channel Integrity Checks
● Dynamic Certificate Pinning: continuous monitoring of pins from the Approov cloud, with immediate notification of changes that would cause app pinning failures.
21. Recommendations
● App integrity:
○ Ensure *only* genuine app instances can call your API
○ https://approov.io/product/developer
● Device integrity:
○ Ensure genuine apps are running on ‘safe’ devices.
○ https://approov.io/product/security
● Channel integrity:
○ Ensure certificate pinning is implemented safely.
○ https://www.approov.io/for/mitm-webinar/watch/
● Implementation, deployment, monitoring and management:
○ Ensure you have visibility into your installed base and can react quickly to new threats.
○ https://blog.approov.io/a-short-tour-of-the-approov-metrics
Note: Don't think that API vulnerabilities are your only problem!
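The "app integrity" recommendation and the "trust nothing between user and service" slide both come down to the same backend rule: a valid user credential and API key prove who is calling, not what is calling, so the API must also demand proof that the request came from a genuine app instance. The following is an added illustration, not Approov's token format or code from this talk: a hypothetical attestation service mints a short-lived HS256 JWT only after checking the app and device, and the backend verifies it before trusting the request. The `pay` claim is assumed to carry a hash of the user's bearer token, so a captured attestation token cannot be replayed with a different user credential; the claim names, secret and bearer strings are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AttestClaims is the payload of the hypothetical attestation token: a short-lived
// HS256 JWT that the attestation service issues after checking app and device.
type AttestClaims struct {
	Exp int64  `json:"exp"` // expiry, unix seconds; minutes, not days
	Pay string `json:"pay"` // BindingHash(user bearer token): ties attestation to the user credential
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BindingHash is the value carried in "pay": base64(SHA-256(bearer)).
func BindingHash(bearer string) string {
	sum := sha256.Sum256([]byte(bearer))
	return base64.StdEncoding.EncodeToString(sum[:])
}

func sign(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// MintAttestationToken is the attestation service's side; the app never holds secret,
// which is what makes the token unforgeable by a bot or a repackaged app.
func MintAttestationToken(secret []byte, claims AttestClaims) string {
	header := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims)
	signingInput := header + "." + b64url(payload)
	return signingInput + "." + b64url(sign(secret, signingInput))
}

// VerifyAttestation is the backend-side check: signature first (constant time),
// then a pinned algorithm, then expiry, then binding to the user's bearer token.
func VerifyAttestation(secret []byte, token, bearer string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("attestation: malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return errors.New("attestation: bad signature")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return errors.New("attestation: unexpected alg") // refuses "none" and alg confusion
	}
	var c AttestClaims
	raw, err = base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return errors.New("attestation: bad claims")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("attestation: token expired")
	}
	if c.Pay == "" || !hmac.Equal([]byte(c.Pay), []byte(BindingHash(bearer))) {
		return errors.New("attestation: token not bound to this user credential")
	}
	return nil
}

func main() {
	secret := []byte("attestation-service-shared-secret-constructed") // constructed, not a real key
	bearer := "user-oauth-access-token"                                // constructed user credential
	now := time.Now()
	tok := MintAttestationToken(secret, AttestClaims{Exp: now.Add(5 * time.Minute).Unix(), Pay: BindingHash(bearer)})
	fmt.Println("genuine app, right user:", VerifyAttestation(secret, tok, bearer, now))
	fmt.Println("replayed with another user:", VerifyAttestation(secret, tok, "someone-else", now))
	fmt.Println("no attestation at all:", VerifyAttestation(secret, "", bearer, now))
}
```

A gateway or WAF that only checks the user credential and API key lets every request from a script through, because the script can carry both; this check rejects the script unless it can also obtain a fresh attestation token, which is exactly what the attestation service is there to refuse to a non-genuine app or an unsafe device.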
22. Next Steps
● Check out our website Resource page:
○ https://approov.io/resource
● Use case review with API security expert (ask them anything!)
○ david.stewart@approov.io
○ https://approov.io/product/demo/
● Sign up for a free Approov trial (no credit card needed)
○ https://approov.io/signup
23. Approov API Threat Protection
Stop API Security Threats at the Edge
www.approov.io
https://approov.io/signup