API Abuse through Mobile Apps - New Attacks, New Defenses

API Abuse through Mobile Apps - New Attacks, New Defenses

RSA Conference via YouTube Direct link

The ShipFast Driver App

7 of 34

7 of 34

The ShipFast Driver App

Class Central Classrooms beta

YouTube videos curated by Class Central.

Classroom Contents

API Abuse through Mobile Apps - New Attacks, New Defenses

Automatically move to the next video in the Classroom when playback concludes

  1. 1 RSAConference 2020 San Francisco February 24-28 Moscone Center
  2. 2 The Dark API Economy
  3. 3 Mobile Apps Rely on APIs
  4. 4 Mobile Attack Surfaces
  5. 5 OWASP Security Risks
  6. 6 API Defense Objectives
  7. 7 The ShipFast Driver App
  8. 8 API Sequence for Pick Up and Delivery
  9. 9 The Ship Raider Bench and Driver App
  10. 10 ShipRaider's API Exploit
  11. 11 Initial Security Posture
  12. 12 User Authorization is not Service Authorization
  13. 13 Common API Gateway Defenses
  14. 14 API Proxy Pattern
  15. 15 Inspect the App Package
  16. 16 Obfuscate Code and Secrets in Code
  17. 17 Observe/Manipulate Communication Channel
  18. 18 Certificate Pinning
  19. 19 Pin the Channel • Generate public key fingerprint
  20. 20 Unpin the Channel
  21. 21 Block Rooting and Instrumentation
  22. 22 Nervous Product Manager
  23. 23 a: Use App-Level Message Protection
  24. 24 Defense 4b: Removing Secrets from App Package
  25. 25 Find Message Signing Secret
  26. 26 a: Improve Run-Time Defenses
  27. 27 Moving secrets and security decisions off device
  28. 28 Defense 5b: Authenticate the App Off Device
  29. 29 Attacker Pivots to a Less Secure App
  30. 30 OAuth2 Authorization Flow
  31. 31 Mobile Authorization Flow with PKCE
  32. 32 Strengthen OAuth2 with Attested App ID
  33. 33 Authorization in Context
  34. 34 Apply What You Learn Today

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.