API Abuse through Mobile Apps - New Attacks, New Defenses

RSA Conference via YouTube

Overview

Explore API security for mobile applications through a conference talk that pits ShipFast against ShipRaider in a battle for control over a driver delivery app. The talk walks through attack vectors and the defenses that answer them: API key extraction, OAuth2 user authorization, TLS certificate pinning, HMAC call signing, app shielding and hardening, and app attestation. It covers the particular challenges of securing APIs whose clients are mobile apps, including mobile attack surfaces, the relevant OWASP security risks, and the objectives an API defense should meet. It reviews common API gateway defenses and the API proxy pattern, then turns to protecting the app package and the communication channel, adding app-level message protection, improving run-time defenses, and authenticating the app off-device. Finally it examines the OAuth2 authorization flow, including mobile authorization with PKCE, and shows how to strengthen it with an attested app ID. No detailed knowledge of Android, iOS, or backend server programming is required, but a basic understanding of API operations and security concepts is helpful.
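The HMAC call signing the talk lists under app-level message protection binds each request to a shared secret so that a reverse-engineered API key alone is not enough to forge calls. The following Python is an added illustration, not code from the talk or from the ShipFast project: the secret, the shipment path, the driver IDs and the header names are all constructed for the example. It signs a delivery call as the driver app would, then shows the server accepting the genuine call and rejecting a body tampered in transit and a replay outside the timestamp window.

```python
import hashlib
import hmac
import json

# Constructed demo secret. In the talk's scenario a secret like this is exactly
# what ShipRaider digs out of the app package, so a real deployment keeps it
# off the device and leaves only the signing logic in the app.
SIGNING_SECRET = b"constructed-demo-secret-not-from-the-talk"
MAX_CLOCK_SKEW = 300  # seconds; bounds the replay window


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind every field the API acts on into one signed string.

    The body is hashed so the canonical form has a fixed size, and fields are
    newline-separated so "/a" + "b" cannot be confused with "/ab".
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method: str, path: str, body: bytes, timestamp: int,
                 secret: bytes = SIGNING_SECRET) -> dict:
    """Client side: the headers the driver app attaches to an API call."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(method: str, path: str, body: bytes, headers: dict, now: int,
                   secret: bytes = SIGNING_SECRET) -> bool:
    """Server side: recompute the MAC and reject stale or tampered calls."""
    try:
        timestamp = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False  # outside the replay window
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the matching prefix length through timing
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """A genuine call, a tampered body, and a replay, as the server sees them."""
    path = "/shipments/1234/deliver"          # constructed endpoint
    body = json.dumps({"driver": "d-77", "status": "delivered"}).encode()
    headers = sign_request("POST", path, body, timestamp=1_700_000_000)

    # ShipRaider rewrites the body but cannot recompute the MAC without the secret
    tampered = json.dumps({"driver": "d-99", "status": "delivered"}).encode()
    return {
        "genuine": verify_request("POST", path, body, headers, now=1_700_000_010),
        "tampered_body": verify_request("POST", path, tampered, headers, now=1_700_000_010),
        "replayed_later": verify_request("POST", path, body, headers, now=1_700_001_000),
    }


if __name__ == "__main__":
    print(demo())
```

The timestamp window limits replay but does not stop an attacker who extracts the secret from the app, which is why the talk follows this defense with removing secrets from the package and moving the signing decision off the device.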

Syllabus

RSA Conference 2020, San Francisco, February 24-28, Moscone Center
The Dark API Economy
Mobile Apps Rely on APIs
Mobile Attack Surfaces
OWASP Security Risks
API Defense Objectives
The ShipFast Driver App
API Sequence for Pick Up and Delivery
The ShipRaider Bench and Driver App
ShipRaider's API Exploit
Initial Security Posture
User Authorization is not Service Authorization
Common API Gateway Defenses
API Proxy Pattern
Inspect the App Package
Obfuscate Code and Secrets in Code
Observe/Manipulate Communication Channel
Certificate Pinning
Pin the Channel: Generate a Public Key Fingerprint
Unpin the Channel
Block Rooting and Instrumentation
Nervous Product Manager
Defense 4a: Use App-Level Message Protection
Defense 4b: Removing Secrets from App Package
Find Message Signing Secret
Defense 5a: Improve Run-Time Defenses
Moving secrets and security decisions off device
Defense 5b: Authenticate the App Off Device
Attacker Pivots to a Less Secure App
OAuth2 Authorization Flow
Mobile Authorization Flow with PKCE
Strengthen OAuth2 with Attested App ID
Authorization in Context
Apply What You Learn Today
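The syllabus's mobile authorization flow with PKCE (RFC 7636) is the standard answer to a public client that cannot hold a client secret: the app proves at the token endpoint that it is the same party that started the authorization request. The Python below is an added example, not the talk's code; the client ID `shipfast-driver` and the toy authorization server are constructed for illustration. It derives the S256 challenge, runs a legitimate exchange, and shows why an attacker who captures the authorization code from the redirect still gets no token.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier (43 chars here) that the app keeps in memory only."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server holding only the state PKCE needs (constructed)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: record the challenge and issue a code."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' adds no protection")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: the code is single-use, and the verifier must hash
        to the challenge recorded when the code was issued."""
        entry = self._pending.pop(code, None)  # consumed on any attempt
        if entry is None:
            return None
        stored_client, challenge = entry
        if stored_client != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-token-" + b64url(secrets.token_bytes(8))


def demo() -> dict:
    srv = AuthorizationServer()

    # Flow 1: ShipRaider captures the code from the redirect and races the app,
    # but holds no verifier, so the challenge check fails.
    v1 = make_code_verifier()
    c1 = srv.authorize("shipfast-driver", make_code_challenge(v1))
    attacker = srv.token("shipfast-driver", c1, make_code_verifier())

    # Flow 2: the app redeems its own code; a later replay of that code fails
    # because the code was consumed.
    v2 = make_code_verifier()
    c2 = srv.authorize("shipfast-driver", make_code_challenge(v2))
    app = srv.token("shipfast-driver", c2, v2)
    replay = srv.token("shipfast-driver", c2, v2)

    return {
        "attacker_with_stolen_code": attacker is not None,
        "app": app is not None,
        "replay": replay is not None,
    }


if __name__ == "__main__":
    print(demo())
```

PKCE only proves that the party finishing the flow is the one that started it; it says nothing about which app that is. That gap, a rogue app running the same flow against the same API, is what the syllabus's attested app ID step addresses by giving the authorization server evidence about the calling app rather than just the session.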

Taught by

RSA Conference