API Abuse through Mobile Apps - New Attacks, New Defenses

Explore the world of API security in mobile applications through an engaging conference talk that pits Shipfast against ShipRaider in a battle for control over a driver delivery app. Dive into various attack vectors and defense mechanisms, including API key exploitation, OAuth2 user authorization, TLS certificate pinning, HMAC call signing, app shielding/hardening, and app attestation. Gain insights into the unique challenges of securing APIs with mobile clients, covering topics such as mobile attack surfaces, OWASP security risks, and API defense objectives. Learn about common API gateway defenses, the API proxy pattern, and techniques for protecting app packages and communication channels. Discover how to implement app-level message protection, improve run-time defenses, and authenticate apps off-device. Examine the OAuth2 authorization flow, including mobile authorization with PKCE, and understand how to strengthen it with attested app IDs. No detailed knowledge of Android, iOS, or backend server programming is required, but a basic understanding of API operations and security concepts will be beneficial.