Secure API Design for Mobile Apps
Page 1: Secure API Design for Mobile Apps

Mobile App Security Meet

More connections to more devices means more vulnerabilities. If you control the code, you control the world.

Secure API Design

Page 2: Secure API Design for Mobile Apps


Mobile first

"The future of mobile is the future of online. It is how people access online content now."

Page 3: Secure API Design for Mobile Apps


Agenda

● API Threats

● Attributes of Secure API

● Recognizing the problem

● Authentication Schemes

● Best Practices

● Questions

Page 4: Secure API Design for Mobile Apps


Threats to your APIs

● APIs are vulnerable to OWASP top 10 attacks

● Hackers reverse engineer apps to access private APIs

● Data theft

● User account compromise

● Coding flaws

● Badly implemented clients may leave your system vulnerable

Page 5: Secure API Design for Mobile Apps


Recognizing the problem

● Unusual API requests

● Traffic spike

● Strange source addresses of requests

● Long service time

Page 6: Secure API Design for Mobile Apps


Attributes of Secure API

● Authentication: the system should service only legitimate users

● Authorization: the system should allow users to perform only legitimate operations

● Confidentiality: confidential data should be protected

● Integrity: the integrity of transactions should be protected

Page 7: Secure API Design for Mobile Apps


Authentication Schemes - Basic

Request: GET

Server Challenge: HTTP/1.1 401

Resend Request: GET
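The exchange on this slide, seen from the server side, as an added example (not code from the deck): the request without credentials gets the 401 challenge, the resent request carries an Authorization header whose value is only base64 (an encoding, not encryption, which is why the TLS slide later insists on TLS for every API). The credential store, user name and password below are constructed for the example; a real service would keep salted, slow password hashes rather than plain SHA-256.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

// Hypothetical server-side handling of the Basic scheme shown on the slide.
public final class BasicAuthCheck {

    // Header the server sends together with "HTTP/1.1 401" when credentials are missing or wrong.
    public static final String CHALLENGE = "WWW-Authenticate: Basic realm=\"api\"";

    // Hash compared against when the user name is unknown, so unknown and wrong take the same time.
    private static final byte[] DUMMY_HASH = sha256("");

    // Constructed sample store: user name -> SHA-256(password). Placeholder data for the example only.
    private static final Map<String, byte[]> USERS = Map.of(
        "alice", sha256("correct horse battery staple"));

    /** Returns the authenticated user name, or empty when the request must be answered with 401. */
    public static Optional<String> authenticate(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Basic ")) {
            return Optional.empty();  // no credentials yet: send the server challenge
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();  // malformed base64 is rejected, not guessed at
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return Optional.empty();
        String user = pair.substring(0, colon);
        String password = pair.substring(colon + 1);

        // Constant-time comparison of the hashes; the containsKey check comes last so the
        // comparison runs for unknown users too and timing does not reveal valid user names.
        boolean ok = MessageDigest.isEqual(USERS.getOrDefault(user, DUMMY_HASH), sha256(password))
                && USERS.containsKey(user);
        return ok ? Optional.of(user) : Optional.empty();
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // The resent request: "alice:correct horse battery staple" base64-encoded, as the client would send it.
        String header = "Basic " + Base64.getEncoder().encodeToString(
            "alice:correct horse battery staple".getBytes(StandardCharsets.UTF_8));
        System.out.println(authenticate(header));                       // Optional[alice]
        System.out.println(authenticate(null).isPresent());             // false: answer 401 + CHALLENGE
        System.out.println(authenticate("Basic YWxpY2U6d3Jvbmc=").isPresent()); // "alice:wrong" -> false
    }
}
```

Because the decoded header is the password itself, this check is only acceptable over TLS; the Digest slide that follows is the deck's answer for the case where the credential must not cross the wire in the clear.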

Page 8: Secure API Design for Mobile Apps


Authentication Schemes - Digest

Hash the username and password before sending them over the network

Request: GET

Page 9: Secure API Design for Mobile Apps


Authentication Schemes - OAuth 1.0

Request: GET

Page 10: Secure API Design for Mobile Apps


Authentication Schemes - OAuth 2.0

Request: GET

Page 11: Secure API Design for Mobile Apps

Authentication Schemes - OAuth 2.0

Page 12: Secure API Design for Mobile Apps


Authentication Schemes - 2 Way TLS

Page 13: Secure API Design for Mobile Apps


Best Practices

TLS

● Use TLS for all APIs

● Plain HTTP is vulnerable to man-in-the-middle attacks

● Once moved to TLS, do not support plain HTTP

● Use standard TLS implementations in clients

● Preferably use SSL pinning in mobile apps

○ Proper implementation of X509TrustManager in Android apps

○ Use additional unconventional checks like hashing of the public cert

● Use mutual TLS for trusting clients - private APIs or apps not on the Play Store

Page 14: Secure API Design for Mobile Apps


Best Practices

Access Tokens

● Long Strings

● Entropy

● Resistant to preimage attacks

● Resistant to collision attacks

● Strong cryptographic hash e.g. bcrypt

● Short TTL

● Avoid designing APIs which blindly return access tokens for a given user id

Page 15: Secure API Design for Mobile Apps


Best Practices

Scope access tokens

Request: POST

Page 16: Secure API Design for Mobile Apps


Best Practices

Validating Access Tokens

● All API calls must carry access tokens - reject those which have none

● Build a framework which is invoked before the actual API call is serviced - Spring Security in Java

● Map the access token to a valid user entity for further processing

● Validate the scope of the token - reject requests which are trying to perform unauthorized operations
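The access-token properties from the earlier slide (long, high-entropy, hashed at rest, short TTL, never handed out for a bare user id), the scoping slide, and the four validation steps above, in one added example written for this page (not the deck's code and not Spring Security, which would host this logic in a filter run before the endpoint). Tokens are 256 random bits from SecureRandom and are issued only together with a user entity and an explicit scope set. The deck lists bcrypt as the hash; this example stores SHA-256 of the token instead, a design choice made because a 256-bit random token cannot be guessed, so a slow password hash buys nothing here. User id and scope names are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Opaque access tokens: hashed storage, short TTL, scopes, and the user entity they map to. */
public final class TokenService {

    /** What the server keeps per token. The raw token string itself is never persisted. */
    record TokenRecord(String userId, Set<String> scopes, Instant expiresAt) {}

    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(15);        // short TTL
    private final Map<String, TokenRecord> store = new HashMap<>();    // key: hash(token)

    /** Issues a 256-bit random token bound to one user and one explicit scope set. */
    public String issue(String userId, Set<String> scopes) {
        byte[] raw = new byte[32];                       // 256 bits of entropy, preimage-resistant by size
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);  // 43-char string
        store.put(hash(token), new TokenRecord(userId, Set.copyOf(scopes), Instant.now().plus(TTL)));
        return token;
    }

    /** Step 1-3: require a token, look it up by hash, reject expired ones, map to the user entity. */
    public Optional<TokenRecord> authenticate(String authorizationHeader, Instant now) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            return Optional.empty();                      // no token at all -> 401
        }
        TokenRecord rec = store.get(hash(authorizationHeader.substring(7).trim()));
        if (rec == null || now.isAfter(rec.expiresAt())) {
            return Optional.empty();                      // unknown or expired -> 401
        }
        return Optional.of(rec);
    }

    /** Step 4: scope check; the caller answers 403 when this is false. */
    public static boolean authorize(TokenRecord rec, String requiredScope) {
        return rec.scopes().contains(requiredScope);
    }

    /** Storage key. A leaked store yields hashes, not tokens that can be replayed. */
    static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        TokenService svc = new TokenService();
        String token = svc.issue("user-42", Set.of("transactions:read"));   // constructed sample user/scope
        Instant now = Instant.now();

        TokenRecord rec = svc.authenticate("Bearer " + token, now).orElseThrow();
        System.out.println(rec.userId());                                       // user-42
        System.out.println(authorize(rec, "transactions:read"));                // true
        System.out.println(authorize(rec, "transactions:write"));               // false -> 403
        System.out.println(svc.authenticate("Bearer " + token,
                now.plus(Duration.ofHours(1))).isPresent());                    // false -> expired, 401
        System.out.println(svc.authenticate(null, now).isPresent());            // false -> no token, 401
    }
}
```

Looking the token up by its hash means the map comparison does not need to be constant-time: an attacker who could observe the lookup's timing would learn something about the hash, not about the token, and the token's 256 bits of entropy cannot be recovered from that.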

Page 17: Secure API Design for Mobile Apps


Best Practices

User Passwords

● Well-defined password rules

● Mix of alphanumeric and special characters

● Avoid dictionary words - dictionary attack

● Extra care while designing APIs which reset passwords, like:

○ Forgot Password

○ Profile Edit

● Use additional security measures like OTP via email or text

● Badly implemented APIs will create a backdoor into your system

Page 18: Secure API Design for Mobile Apps


Best Practices

Session Cookies

● Avoid using session cookies - consider access tokens

● Stateless APIs are easier to manage than stateful ones

● Access tokens + stateless API = no CSRF attacks

Page 19: Secure API Design for Mobile Apps


Best Practices

IDs

Request: GET

vs

Request: GET

Page 20: Secure API Design for Mobile Apps


Best Practices

IDs

● Don’t use serial numbers as primary identifiers of your resources like accounts and transactions - brute-force attack

● Use hashes instead

● Preferably use unique identifiers like UUIDs as transaction ids

○ universally unique

○ avoids contention

○ performance boost

Page 21: Secure API Design for Mobile Apps


Best Practices

Treat security as a first-class citizen, not as an add-on

Consider it in the design phase of your product

Page 22: Secure API Design for Mobile Apps


Thank you