Secure API Design for Mobile Apps
Mobile App Security Meet
“More connections to more devices means more vulnerabilities. If you control the code, you control the world.”
Secure API Design
Mobile first
“The future of mobile is the future of online. It is how people access online content now.”
Agenda
● API Threats
● Attributes of Secure API
● Recognizing the problem
● Authentication Schemes
● Best Practices
● Questions
Threats to your APIs
● APIs are vulnerable to OWASP Top 10 attacks
● Hackers reverse engineer apps to access private APIs
● Data thefts
● User account compromise
● Coding flaws
● Badly implemented clients may leave your system vulnerable
Recognizing the problem
● Unusual API requests
● Traffic spike
● Strange source addresses of requests
● Long service time
Attributes of Secure API
● Authentication: System should service only legitimate users
● Authorization: System should allow users to perform only legitimate operations
● Confidentiality: Confidential data should be protected
● Integrity: Integrity of transactions should be protected
Authentication Schemes - Basic
Request: GET
Server Challenge: HTTP/1.1 401
Resend Request: GET
Authentication Schemes - Digest
Hash the username and password before sending them over the network
Request: GET
Authentication Schemes - OAuth 1.0
Authentication Schemes - OAuth 2.0
Authentication Schemes - 2-Way (Mutual) TLS
Best Practices
TLS
● Use TLS for all APIs
● Plain HTTP is vulnerable to man-in-the-middle attacks
● Once moved to TLS, do not support plain HTTP
● Use standard TLS implementations in clients
● Preferably use SSL pinning in mobile apps
○ Proper implementation of X509TrustManager in Android apps
○ Use additional unconventional checks like hashing of the public cert
● Use mutual TLS for trusting clients - private APIs or apps not on the Play Store
Best Practices
Access Tokens
● Long Strings
● Entropy
● Resistant to preimage attacks
● Resistant to collision attacks
● Strong cryptographic hash e.g. bcrypt
● Short TTL
● Avoid designing APIs which blindly return access tokens for a given user id
Best Practices
Scope access tokens
Best Practices
Validating Access Tokens
● All API calls must carry access tokens - Reject those which have none
● Build a framework which is invoked before the actual API call is serviced - Spring Security in Java
● Map the access token to a valid User Entity for further processing
● Validate the scope of the token - Reject requests which are trying to perform unauthorized operations
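The token rules from the Access Tokens slide and the validation steps above, as an added example that is not from the talk and is not Spring Security: tokens are long random strings kept server-side only as hashes with a short TTL, and a gatekeeper checks presence, validity, expiry and scope before handing the user entity to the handler. The in-memory stores, the user, the scope names and the 900-second TTL are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the user and token tables.
USERS = {42: {"id": 42, "name": "alice"}}
TOKENS = {}  # sha256(token) -> {"user_id", "scopes", "expires"}
TOKEN_TTL = 900  # short TTL (15 minutes), chosen for the example


def issue_token(user_id, scopes, now=None):
    """Mint a long, high-entropy bearer token and store only its hash.

    Call this only after the caller has proven who they are (password,
    OTP, ...), never for a bare user id handed in by the client.
    32 random bytes give 256 bits of entropy, so a fast hash such as
    SHA-256 is enough; bcrypt is for low-entropy secrets like passwords."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user_id": user_id,
        "scopes": frozenset(scopes),
        "expires": now + TOKEN_TTL,
    }
    return token


def authenticate(headers, required_scope, now=None):
    """Gatekeeper run before the real API handler.

    Returns (status, payload): 401 when the token is missing, unknown or
    expired, 403 when it lacks the required scope, otherwise 200 and the
    user entity the handler should work with."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing access token"
    digest = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    record = TOKENS.get(digest)
    if record is None or record["expires"] <= now:
        return 401, "invalid or expired access token"
    if required_scope not in record["scopes"]:
        return 403, "insufficient scope"
    # Map the token to a user entity; the handler never sees the raw token.
    return 200, USERS[record["user_id"]]
```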
Best Practices
User Passwords
● Well defined password rules
● Mix of alphanumeric and special characters
● Avoid dictionary words - Dictionary Attack
● Extra care while designing APIs which reset passwords, like
○ Forgot Password
○ Profile Edit
● Use additional security measures like OTP via email or text
● Badly implemented APIs will create a backdoor to your system
Best Practices
Session Cookies
● Avoid using session cookies - Consider Access Tokens
● Stateless APIs are easier to manage than stateful ones
● Access Tokens + Stateless API = No CSRF attacks
Best Practices
IDs
● Don’t use serial numbers as primary identifiers of your resources like accounts, transactions - Brute Force Attack
● Use hashes instead
● Preferably use unique identifiers like UUIDs as transaction IDs
○ universally unique
○ avoids contention
○ performance boost
Best Practices
Treat security as a first-class citizen and not as an add-on
Consider it in the design phase of your product
Thank you