Overview
Explore the critical issue of API underprotection in this 37-minute conference talk from AppSecUSA 2017. Delve into the challenges posed by RESTful Web APIs becoming the backbone of modern web communication and the security risks they present. Learn about potential threats from insufficient API security, emerging security technologies, and the complexities of API-consuming clients. Examine the differences between software authorization via static API keys and user authorization through OAuth2. Gain practical advice on improving mobile app security when accessing APIs, including code examples for concealing access credentials and implementing TLS pinning. Discover advanced techniques like app hardening, white box cryptography, and software attestation for crucial mobile application security. Walk away with a comprehensive understanding of the underprotected API problem, practical tips for enhancing API security, and knowledge of emerging tools and technologies for significant security improvements.
Syllabus
Intro
API Transformation
Security Landscape
The Journey of Complexity
Examples of Attacks
Pokemon Go
Reverse Engineering
Potential Risks
Traditional Defenses
Rate Limiting
OAuth2 Flow
User Agent Flow
API Permissions
API Keys Software Identity
Simple API Keys
Attack Surfaces
Trust Store
Pinning
Whitebox Cryptography
Remote attestation
Summary
Taught by
OWASP Foundation