RSA Conference USA 2020
SESSION ID: MBS1-F03
API Abuse through Mobile Apps: New Attacks, New Defenses
Skip Hovsmith, Principal Engineer, CriticalBlue, @SkipHovsmith
#RSAC

Apply What You Learn Today
– Appreciate how mobile apps are used to abuse APIs
– Follow and later review a chain of exploits to get a feel for the types of attacks you will encounter
– Invest in continually keeping the cost of abusing your APIs higher than the value extracted by abusing them

The Dark API Economy
In 2018, Akamai observed:
– 83% of CDN traffic was API content, not HTML.
– Over 27B credential abuse attempts in 6 months
Gartner reports:
– By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.

Mobile Apps Rely on APIs
Traditional vs. Mobile:
– Shift from presentation markup to raw data transfer
– Stateless API calls are great for attackers
Chart: Mobile 58%, Desktop 42%

API Abuse in the Mobile Market
1. Exploit a mobile app and channel to architect an API attack
2a. Use bots to launch high volume API-driven attacks:
– Fast or sustained data exfiltration
– Account takeover attacks
– Application-level denial of service attacks
2b. Use tampered apps to game the implicit API business model
– Modify API call sequences for gain or frustration

API Abuse Defense Objectives
– Prevent API reverse engineering
– Make it hard to construct a valid API call
– Make it hard enough that it's not worth it

Mobile Attack Surfaces
– Attack Surface 1: User Credentials
– Attack Surface 2: At Rest and At Run Time
– Attack Surface 3: In Transit
– Attack Surface 4: Accidental Leakage
Diagram labels: Mobile App (QXBwcm9...), API

OWASP Security Risks
Mobile Top Ten:
– M1: Improper Platform Usage
– M2: Insecure Data Storage
– M3: Insecure Communication
– M4: Insecure Authentication
– M5: Insufficient Cryptography
– M6: Insecure Authorization
– M7: Client Code Quality
– M8: Code Tampering
– M9: Reverse Engineering
– M10: Extraneous Functionality
These enable the API Top Ten:
– A1: Broken Object Level Access Control
– A2: Broken Authentication
– A3: Improper Data Filtering
– A4: Lack of Resources and Rate Limiting
– A5: Missing Function/Resource Access Control
– A6: Mass Assignment
– A7: Security Misconfiguration
– A8: Injection
– A9: Improper Assets Management
– A10: Insufficient Logging and Monitoring

ShipFast and ShipRaider: A Hypothetical Package Delivery Service
The ShipFast Platform:
– ShipFast Driver’s App (React Native)
– ShipFast REST API
– API Gateway
– ShipFast API Services
– Authentication Services
Public Repo: tbd

The ShipFast Driver’s App
– Driver assigned nearest shipment
– Driver paid by distance driven and pre-established gratuity

API Sequence for Typical Package Delivery
Participants: ShipFast App, Auth Server, ShipFast Backend
1. Starts app, logs in: <credentials> to Auth Server, receives <UserTok>
2. Get any active delivery: GET /shipments/active, Authorization=<UserTok>; response: 404 or current shipment
3. See available shipment: GET /shipments/nearest_shipment, Authz.., Lat=<m>, Lon=<n>; response: Shipment {id:<x>, desc:<y>, gratuity:<z>, <location>}
4. Accept shipment: POST /shipments/update_state/<x>, Authz..., state=Accept
5. Pickup shipment: POST /shipments/update_state/<x>, Authz..., state=Pickup
6. Deliver shipment: POST /shipments/update_state/<x>, Authz..., state=Deliver
7. Collect gratuity! GET /shipments/delivered, Authz…; response: Delivered shipment info
In Headers:
– Authorization: Bearer <access-token>
– SF_API_Key: <api-key>

The ShipRaider Driver’s Assistant
– Raider selects highest gratuity from nearby deliveries

API Sequence for Driver’s Exploit
(same call sequence as the typical delivery above)

ShipFast Security Evolution

Initial Security Posture
– OAuth2 Authorization Flow
– Static API Key in Code Bundle
– API calls over HTTPS

Common Back-End Defenses
– Rate limiting
Diagram labels: Filled by Maximum API Request Rate; Overflow Di
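The two back-end defenses the deck points at, shipment state sequencing (against a tampered app that modifies the call sequence to grab the highest gratuity) and rate limiting (the token bucket filled at the maximum API request rate with overflow discarded), as one added example. This is illustration code written for this page, not code from the talk or from the ShipFast repository (listed as "tbd" on the slides). The endpoint behaviour follows the API sequence shown above; the shipment state names, HTTP status codes, distance metric, rate parameters and all shipment data are assumptions constructed for the demo.

```javascript
// Added example, not the talk's or ShipFast's own code. Models two server-side checks:
//   1. Shipment assignment and sequencing: Accept is honoured only for the shipment the
//      server itself returned from nearest_shipment, a driver holds at most one active
//      shipment, and the only legal order is Accept -> Pickup -> Deliver.
//   2. A per-driver token bucket: filled at the maximum API request rate, overflow above
//      the burst capacity is discarded, and an empty bucket yields HTTP 429.
// Shipment data, driver ids, state names, status codes and rates are constructed.

class TokenBucket {
  // capacity = allowed burst; ratePerSec = refill rate ("maximum API request rate")
  constructor(capacity, ratePerSec, nowMs) {
    this.capacity = capacity;
    this.ratePerSec = ratePerSec;
    this.tokens = capacity;
    this.lastMs = nowMs;
  }
  // Refill for the elapsed time, discard overflow above capacity, then take one token.
  take(nowMs) {
    const elapsed = Math.max(0, nowMs - this.lastMs) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.ratePerSec);
    this.lastMs = nowMs;
    if (this.tokens >= 1) { this.tokens -= 1; return true; }
    return false;
  }
}

// Client action -> [required current state, resulting state]; Accept is handled separately.
const TRANSITIONS = {
  Pickup: ['accepted', 'picked_up'],
  Deliver: ['picked_up', 'delivered'],
};

class ShipFastBackend {
  constructor(shipments, { burst = 5, ratePerSec = 1 } = {}) {
    this.shipments = new Map(shipments.map(s => [s.id, { ...s, state: 'available', driver: null }]));
    this.offers = new Map();   // driverId -> shipment id last returned by nearestShipment
    this.buckets = new Map();  // driverId -> TokenBucket
    this.limits = { burst, ratePerSec };
  }

  // Every authenticated call passes the per-driver rate limiter before its handler runs.
  call(driverId, nowMs, handler) {
    if (!this.buckets.has(driverId)) {
      this.buckets.set(driverId, new TokenBucket(this.limits.burst, this.limits.ratePerSec, nowMs));
    }
    if (!this.buckets.get(driverId).take(nowMs)) return { status: 429, error: 'rate limited' };
    return handler();
  }

  // GET /shipments/nearest_shipment: the server, not the client, chooses the shipment.
  nearestShipment(driverId, nowMs, lat, lon) {
    return this.call(driverId, nowMs, () => {
      let best = null, bestDist = Infinity;
      for (const s of this.shipments.values()) {
        if (s.state !== 'available') continue;
        const d = Math.hypot(s.lat - lat, s.lon - lon); // planar distance is enough for a demo
        if (d < bestDist) { best = s; bestDist = d; }
      }
      if (!best) return { status: 404 };
      this.offers.set(driverId, best.id); // remember what this driver was offered
      return { status: 200, shipment: { id: best.id, desc: best.desc, gratuity: best.gratuity } };
    });
  }

  hasActive(driverId) {
    for (const s of this.shipments.values()) {
      if (s.driver === driverId && s.state !== 'delivered') return true;
    }
    return false;
  }

  // POST /shipments/update_state/<id> with state=Accept|Pickup|Deliver
  updateState(driverId, nowMs, shipmentId, action) {
    return this.call(driverId, nowMs, () => {
      const s = this.shipments.get(shipmentId);
      if (!s) return { status: 404, error: 'unknown shipment' };
      if (action === 'Accept') {
        if (s.state !== 'available') return { status: 409, error: 'shipment not available' };
        if (this.offers.get(driverId) !== shipmentId) return { status: 403, error: 'shipment was not offered to this driver' };
        if (this.hasActive(driverId)) return { status: 409, error: 'driver already has an active shipment' };
        s.state = 'accepted'; s.driver = driverId; this.offers.delete(driverId);
        return { status: 200, state: s.state };
      }
      const t = TRANSITIONS[action];
      if (!t) return { status: 400, error: 'unknown action' };
      if (s.driver !== driverId) return { status: 403, error: 'not the assigned driver' };
      if (s.state !== t[0]) return { status: 409, error: `cannot ${action} from state ${s.state}` };
      s.state = t[1];
      return { status: 200, state: s.state };
    });
  }
}

// Constructed fixture: two shipments, the far one carrying the larger gratuity.
function demo() {
  const backend = new ShipFastBackend([
    { id: 'S1', desc: 'near, small tip', gratuity: 2, lat: 0.0, lon: 0.0 },
    { id: 'S2', desc: 'far, big tip', gratuity: 20, lat: 5.0, lon: 5.0 },
  ], { burst: 3, ratePerSec: 1 });
  const out = {};
  out.offer = backend.nearestShipment('driver-1', 0, 0.1, 0.1);            // server offers S1
  out.acceptUnoffered = backend.updateState('driver-1', 100, 'S2', 'Accept'); // 403: S2 was never offered
  out.deliverUnassigned = backend.updateState('driver-1', 200, 'S1', 'Deliver'); // 403: not assigned yet
  out.throttled = backend.updateState('driver-1', 300, 'S1', 'Accept');     // 429: burst of 3 spent
  out.accept = backend.updateState('driver-1', 1300, 'S1', 'Accept');       // 200 after refill
  out.skipPickup = backend.updateState('driver-1', 2300, 'S1', 'Deliver');  // 409: Pickup skipped
  out.pickup = backend.updateState('driver-1', 3300, 'S1', 'Pickup');       // 200
  out.deliver = backend.updateState('driver-1', 4300, 'S1', 'Deliver');     // 200
  return out;
}

console.log(demo());
```

The point of keeping the offer record on the server is that the backend, not the app, decides which shipment a driver may accept; a client that rewrites the Accept call to a different shipment id, or reorders the state calls, gets a 403 or 409 rather than a payout. The token bucket caps how fast a single bearer token can poll the nearest_shipment endpoint, which raises the cost of scanning deliveries at volume.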