1 Photo by Aaron Lau on Unsplash
Preventing and Countering
Mobile API Abuse
Skip Hovsmith
8 October 2019
2
About Me
• Focus on API security, especially with mobile clients
• Chips -> HW/SW -> Embedded/Android/HSMs -> mobile/API security
medium.com/@skiph approov.io
3
The Dark API Economy
• In 2018, Akamai observed:
• Over 27B credential abuse attempts in 6 months
• 83% of CDN traffic was API content, not HTML.
• Gartner reports:
• By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.
4
Mobile Apps Rely on APIs
(Chart: Traditional vs Mobile; 58% Mobile, 42% Desktop)
5
API Attacks Expose Everything
• Apps limit the range and speed at which an API manipulates user data.
• Without the usage constraints, a bot can rapidly manipulate and exfiltrate all your valuable data.
6
APIs Open New Business Opportunities and Vulnerabilities
• Public APIs are well documented
• Structured styles like REST are often easy to guess and extrapolate
• Leaky APIs disclose implementation details and error handling
• Hidden APIs are accidentally exposed by autodoc services
7
Single App, Single API?
(Diagram: Travel App -> Travel App API)
8
Many Apps, Many APIs
Multiple devices with multiple app and API versions for each
(Diagram: every client type calls the same set of backend APIs: Mapping API, Hotel Availability API, Hire Car Availability API, User Authentication API, Weather API)
Client types: Native Apps, Hybrid Apps, Legacy Versions, Single Page Web Apps
9 Photo by Camila Quintero Franco on Unsplash
ShipFast
Package Delivery Service
10
ShipFast Shipper’s App (slides 10-17)
ShipFast API
(Sequence diagram: ShipFast App, ShipFast Backend, Auth Server)
• Starts app, logs in: app sends <credentials> to the Auth Server and receives <UserTok>
• Get any active delivery: GET /shipments/active, Authorization=<UserTok> -> 404 or current shipment
• See available shipment: GET /shipments/nearest_shipment, Authz.., Lat=<m>, Lon=<n> -> Shipment {id:<x>, desc:<y>, gratuity:<z>, <location>}
• Accept shipment: POST /shipments/update_state/<x>, Authz..., state=Accept
• Pickup shipment: POST /shipments/update_state/<x>, Authz..., state=Pickup
• Deliver shipment: POST /shipments/update_state/<x>, Authz..., state=Deliver
• Collect gratuity!: GET /shipments/delivered, Authz… -> Delivered shipment info
In Headers: Authorization: Bearer <access-token>
18
ShipRaider
Helping Shippers maximize their earnings!
19
ShipRaider Shipper’s Edge (slides 19-22)
23
App Authentication
It’s not just who you know!
24
App Identity using API Keys
• “SF-API_KEY” identifies the client app with every API call
• API Backend verifies the API key along with user access token
• API Key is commonly an opaque KEY or an ID:SECRET pair
• Don’t reveal the API secret to anybody!
(Diagram: ShipFast App -> ShipFast API Backend: GET /shipments/… SF-API_KEY=QXBwcm9…)
25
ShipFast API
(Sequence diagram: the same flow as on slide 17, with the app API key now sent on every call)
In Headers: Authorization: Bearer <access-token>; SF-API_KEY: <api-key>
26
Keeping Secrets: Attack Surfaces
(Diagram: Mobile App holding QXBwcm9... <-> API)
• Attack Surface 1: User Credentials
• Attack Surface 2: At Rest and At Run Time
• Attack Surface 3: In Transit
• Attack Surface 4: Accidental Leakage
27
Basic Mistakes
Don’t make it too easy!
28
Don’t Publish Your Keys
Ryan Hellyer had always wanted to open source his website.
Satisfied that he had taken all the necessary security precautions, Hellyer pushed all the contents of his site to a new GitHub repository.
Not four hours later, Hellyer received an urgent message from Amazon...
Don’t print it in your logs either!
https://wptavern.com/ryan-hellyers-aws-nightmare-leaked-access-keys-result-in-a-6000-bill-overnight
29
How ShipRaider Stole the API Key
● The API key is stored in the manifest!
● Manifest is easy to obtain from the published app – just unzip!
30
Basic Plan
Mitigate after a breach
31
Detect and Block Abnormal Usage of APIs
• API Probing
• App layer DDOS attacks
• Data Scraping / Exfiltration
• Credential Stuffing
32
Rate Limiting and Load Shedding
• Quotas, spike arrests, concurrency limits
• Vary by expense of call (DB access)
• For ShipFast, a shipper is making too many shipment request calls
• Fixed or load adaptive
• Tend to be very lenient - don't risk rejecting legitimate customer usage
“Leaky Bucket” Rate Limiting (diagram):
• Filled by maximum API request rate
• Drained by actual API request rate
• Overflow discarded
Practical Intro: https://stripe.com/blog/rate-limiters
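A per-shipper bucket for the ShipFast case above, as an added example (not code from the talk or the ShipFast project). It implements the bucket exactly as the slide labels it: filled at the maximum allowed request rate, drained by each actual request, overflow discarded. Keying the bucket by the shipper in the access token and the rate and burst values are assumptions.

```python
import time
from typing import Dict, List, Optional


class LeakyBucket:
    """Per-shipper request budget: filled at the maximum allowed request rate,
    drained by each actual request; fill beyond the capacity is discarded."""

    def __init__(self, max_rate: float, capacity: float, now: float) -> None:
        self.max_rate = max_rate      # budget added per second
        self.capacity = capacity      # burst allowance; overflow discarded
        self.level = capacity         # start full so a new shipper is not blocked
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.level = min(self.capacity, self.level + elapsed * self.max_rate)
        self.last = now
        if self.level >= 1.0:
            self.level -= 1.0
            return True
        return False                  # over the limit: reject (HTTP 429 in practice)


class ShipmentRateLimiter:
    """One bucket per shipper, keyed by the user in the access token (assumption)."""

    def __init__(self, max_rate: float, capacity: float) -> None:
        self.max_rate = max_rate
        self.capacity = capacity
        self.buckets: Dict[str, LeakyBucket] = {}

    def check(self, shipper_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        bucket = self.buckets.get(shipper_id)
        if bucket is None:
            bucket = LeakyBucket(self.max_rate, self.capacity, now)
            self.buckets[shipper_id] = bucket
        return bucket.allow(now)


def simulate(limiter: ShipmentRateLimiter, shipper_id: str, timestamps: List[float]) -> List[bool]:
    """Replay constructed request timestamps (seconds) and return each verdict."""
    return [limiter.check(shipper_id, t) for t in timestamps]
```

With a limit of one request per second and a burst of three, a shipper firing four requests at once gets the fourth rejected, and a second shipper is unaffected.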
33
Behavioral API Security
• Detect malicious API usage patterns
• For ShipFast, a shipper appears to be moving too fast
• Employ big data with machine learning
• May emit false positives
34
Secure Communication
Protect secrets in transit
35
Don’t Call APIs in the Clear
• Use TLS (https) to ensure message integrity and confidentiality between client and server...
• ...if you trust the certification
(Figure: IBM)
36
Breaking TLS
• ShipRaider controls the client
• Installs fake server certificate on client device
• Enables Man in the Middle snooping and tampering
(Diagram: Mobile App <-> API, the intended communication channel)
37
Certificate Pinning
• ShipFast counters with certificate pinning…
• Client keeps whitelist of trusted certificates
• Only accepts connections from a whitelisted certificate
• Attacker cannot match a whitelisted certificate or know the certificate’s private key
• ShipRaider hooks the pinning check (e.g. SSL-TrustKiller) …
38
Pinning Upkeep
• Server certificates, their public keys or fingerprints are client secrets
• Certificates may expire or be revoked
• Updating the certificates on the client is a maintenance challenge and a possible attack vector
• Depends on app integrity to prevent attacker bypassing pinning logic (e.g. SSL-TrustKiller)
(Diagram: Mobile App holding pinned certificate fingerprint e54499be5aed)
39
Remove Secret from the Channel
• Assume secret hidden somehow inside app
• Signing proves client possesses secret and request is untampered
• Secret not transmitted; only run time signature
• Responses can be signed; can use full encryption
(Diagram, ShipFast App side)
• Original Message: GET /shipments/active, Authorization=YXdlc29…, SF-APP_ID=QXBwcm9…
• HMAC(Original Message, APP_SECRET 4ymoofRe0l87Q…) = Signature GXbgtwg…
• Sent: GET /shipments/active, Authorization=YXdlc29…, SF-APP_ID=QXBwcm9…, SF-HMAC=GXbgtwg…
(Diagram, ShipFast API side)
• Received Message: GET /shipments/active, Authorization=YXdlc29…, SF-APP_ID=QXBwcm9…, SF-HMAC=GXbgtwg…
• Recompute HMAC(Received Message, APP_SECRET 4ymoofRe0l87Q…) and compare with SF-HMAC (== ?)
API Key: APP_ID APP_SECRET
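The signing scheme in the diagram, as an added illustration (not the talk's or ShipFast's own code): the app signs a canonical string with APP_SECRET, and the backend recomputes the HMAC over the received fields and compares in constant time, so a changed token, path or app id fails verification. The canonical field order, the header names and the placeholder key values are assumptions.

```python
import base64
import hashlib
import hmac
from typing import Dict

# Constructed placeholder values in the style of the slide; a real APP_SECRET
# lives only in the app and the backend and is never sent on the wire.
APP_ID = "QXBwcm9..."
APP_SECRET = b"4ymoofRe0l87Q..."


def canonical_string(method: str, path: str, headers: Dict[str, str]) -> bytes:
    # Assumption: both sides sign method, path, user token and app id in this
    # fixed order, so the HMAC covers everything ShipRaider might tamper with.
    return ", ".join([
        f"{method} {path}",
        f"Authorization={headers.get('Authorization', '')}",
        f"SF-APP_ID={headers.get('SF-APP_ID', '')}",
    ]).encode()


def compute_hmac(method: str, path: str, headers: Dict[str, str], secret: bytes) -> str:
    mac = hmac.new(secret, canonical_string(method, path, headers), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def sign_request(method: str, path: str, headers: Dict[str, str],
                 secret: bytes = APP_SECRET) -> Dict[str, str]:
    """Client side: add SF-HMAC; the secret itself stays out of the message."""
    signed = dict(headers)
    signed["SF-HMAC"] = compute_hmac(method, path, headers, secret)
    return signed


def verify_request(method: str, path: str, headers: Dict[str, str],
                   secret: bytes = APP_SECRET) -> bool:
    """Server side: recompute over the received fields and compare (== ?)."""
    presented = headers.get("SF-HMAC")
    if presented is None:
        return False
    expected = compute_hmac(method, path, headers, secret)
    # Constant-time compare so the backend does not leak the signature byte by byte.
    return hmac.compare_digest(presented, expected)
```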
40
How ShipRaider Broke the HMAC
● Download the APK, unzip it and run dex2jar…
● Immediately reveals the HMAC secret
● No matter how hard you hide the secret, if it’s valuable enough, it will be found eventually.
41
Calculate Secret at Runtime
● Avoid a static secret value that can be easily extracted
● Calculate a secret value at runtime instead:
● Must be deterministic so it can be known by server
● ObfuscatedSecret used for Request HMAC
42
ShipRaider Steals Runtime Secret
• HMAC secret is obfuscated but still a run time constant
• Repackage app for debugging
• Break at HMAC calculation
• Read the secret!
• ShipFast adds run-time anti-debug protection
43
App Hardening Approaches
• Custom Secret Computation
• Split static secret into pieces
• Functionally recompute secret at runtime
• Obfuscation and Anti-Tamper
• Obfuscate app code and make tamper resistant
• Protects secrets and code comprehension
• White-Box Cryptography
• Represent a secret by its obfuscated operations
• Mathematically obfuscated operations
• Software and Hardware Backed KeyStores
• Operations performed without exposing keys
• Complexities in secure hardware usage
44
User Authentication
It’s really about app authorization
45
OAuth2 Overview
• Authorization protocol
• Resource owner requests resource access for a client app
• Not authentication, but uses authentication services
• Resource owner authenticates with auth server
• Client authenticates with auth server
• Often extended with OpenID-Connect (OIDC)
• Different authorization grant types
• Client credentials grant
• Code grant
• Others
46
Abstract Protocol Flow
(Diagram: roles)
- Client: software app on user’s device
- Resource Owner: typically the user; consents to authorization scope
- Authorization Server: verifies Resource Owner identity; issues tokens for access
- Resource Server: holds the protected user resources; the API backend that provides content
(Diagram: messages)
- Client -> Resource Owner: Authorization Request
- Resource Owner -> Client: Authorization Grant
- Client -> Authorization Server: Authorization Grant
- Authorization Server -> Client: Access Token
- Client -> Resource Server: Access Token
- Resource Server -> Client: Protected Resource
47
User’s OAuth2 Code Grant Flow
• User authorizes client to access backend resources
• Client doesn’t see user credentials
• User authorizes client using yet another ID:SECRET
48
OAuth2 Refresh Tokens
49
OAuth2 Proof Key for Code Exchange (PKCE)
• Code challenge is the hash of a random value
• Mitigates a leaky client_secret
• Server compares with hash of code_verifier
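The PKCE check described above, as an added example (not code from the talk): the client hashes a random code_verifier into the code_challenge sent with the authorization request, and the server recomputes the hash from the code_verifier presented at token exchange. The toy authorization server, its single-use code store and the token format are assumptions; the S256 method is the one from RFC 7636.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding for both verifier and challenge.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # The client keeps this random value private; 32 bytes give a 43-char verifier.
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(code_verifier: str) -> str:
    # S256 method: the challenge is the SHA-256 hash of the verifier.
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy auth server (assumption): stores the challenge with the issued code and
    checks the verifier at token exchange, so an intercepted code alone is useless."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only the S256 challenge method is shown here")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str) -> Optional[str]:
        challenge = self._pending.pop(code, None)  # authorization codes are single use
        if challenge is None:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(8)  # constructed token format
```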
50
Further Reduce the Attack Surface
The fewer secrets the better
51
Multiple APIs, Multiple API Keys
The more secrets in the App, the harder to keep all safe
52
API Proxy Pattern
• Protect just one secret in the App
• Any way to remove that last secret from the App?
53
Secret as a Service
• Remove secret from the app?
• Signed, short-lived JWT token retrieved on request
• Secret can be revoked or updated without touching app
(Diagram label: Shared Secret)
54
App Integrity Measurement
• Reliably perform non-replayable dynamic app integrity measurements
• The app does not make or know the integrity decision
• Use best practice SDK and communication hardening practices
• Can also do dynamic MitM protection by comparing server certs
55
Strengthening OAuth2 Flow
• Client secret replaced with approval token
• OAuth2 token issued only to legitimate app
56
ShipShape
• No secrets in app
• Secure communication
57
Where We Stand
58
Architecture Pattern
• Authorize both who (user) and what (app)
• Only time-limited, run time tokens
• Easy secret maintenance – not on device
• API Server can provide rate limiting and auth services
• Are we done?
59
Conclusion
• Authenticating app identity just as important as user identity
• Keep secrets off the app and out of the channel
• Limit the Attack Surfaces:
• User and App Auth
• Channel and Run Time Protection
• Behavioral Analysis
• ShipRaider will return!
60
Additional References
• ShipFast
• https://github.com/approov/shipfast-api-protection
• https://medium.com/approov/shipfast-api-protection-walkthrough-part-1-d00810b4138d
• Mobile API Security
• https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10
• https://approov.io/blog
• All things OAuth2
• OAuth2 in Action by Justin Richer and Antonio Sanso
• https://hackernoon.com/strengthening-oauth2-for-mobile-f4f3925dbf18