Syllabus
RSA Conference 2020, San Francisco, February 24-28, Moscone Center
The Dark API Economy
Mobile Apps Rely on APIs
Mobile Attack Surfaces
OWASP Security Risks
API Defense Objectives
The ShipFast Driver App
API Sequence for Pick Up and Delivery
The ShipRaider Bench and Driver App
ShipRaider's API Exploit
Initial Security Posture
User Authorization is not Service Authorization
Common API Gateway Defenses
API Proxy Pattern
Inspect the App Package
Obfuscate Code and Secrets in Code
Observe/Manipulate Communication Channel
Certificate Pinning
Pin the Channel: Generate public key fingerprint
Unpin the Channel
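The two slides above name the pinning steps without showing them. The following is an added example, not code from the talk or from the ShipFast project: it extracts the SubjectPublicKeyInfo from a DER certificate, computes the "sha256/<base64>" pin that OkHttp and HPKP use, and refuses a connection whose leaf key does not match the pin set. The same pin is what the usual command line yields: openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64. The certificate used to exercise it is constructed in the block (placeholder key material, no real signature), and connect_pinned is a hypothetical client helper built on Python's standard ssl module.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def der_tlv(data, offset=0):
    """Decode one DER tag-length-value at offset; return (tag, value, end_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def der_encode(tag, value):
    """Encode one DER TLV; only used here to build the constructed sample certificate."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert)
    offset = 0
    tag, _, after = der_tlv(tbs, 0)
    if tag == 0xA0:                           # explicit version present (v2/v3 certs)
        offset = after
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, offset = der_tlv(tbs, offset)
    start = offset
    _, _, end = der_tlv(tbs, offset)          # subjectPublicKeyInfo
    return tbs[start:end]


def compute_pin(spki_der):
    """'sha256/<base64>' over the SPKI: the pin format OkHttp and HPKP use."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(cert_der, pinset):
    """True if the certificate's SPKI pin is in the pin set (constant-time compares)."""
    pin = compute_pin(extract_spki(cert_der))
    return any(hmac.compare_digest(pin, expected) for expected in pinset)


def connect_pinned(host, port, pinset):
    """Hypothetical client helper: normal TLS validation, then a leaf-key pin check.
    getpeercert() returns only the leaf, so back-up pins here must also be leaf pins."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pinset):
                raise ssl.SSLError("public key pin mismatch for %s" % host)
            return compute_pin(extract_spki(leaf))


# Constructed sample material (not a real key): an EC P-256 SPKI with a placeholder point.
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")
OID_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")
OID_ECDSA_SHA256 = bytes.fromhex("06082a8648ce3d040302")


def sample_spki(point):
    alg = der_encode(0x30, OID_EC_PUBLIC_KEY + OID_PRIME256V1)
    return der_encode(0x30, alg + der_encode(0x03, b"\x00\x04" + point))


SAMPLE_SPKI = sample_spki(bytes(range(64)))


def build_sample_cert(spki_der):
    """Structurally valid but unsigned DER certificate around spki_der (constructed)."""
    utc = lambda s: der_encode(0x17, s)
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))                        # version v3
        + der_encode(0x02, b"\x01")                                         # serialNumber
        + der_encode(0x30, OID_ECDSA_SHA256)                                # signature alg
        + der_encode(0x30, b"")                                             # issuer (empty)
        + der_encode(0x30, utc(b"200224000000Z") + utc(b"210224000000Z"))  # validity
        + der_encode(0x30, b"")                                             # subject (empty)
        + spki_der)
    return der_encode(0x30, tbs + der_encode(0x30, OID_ECDSA_SHA256) + der_encode(0x03, b"\x00\x00"))


if __name__ == "__main__":
    pinset = {compute_pin(SAMPLE_SPKI)}
    print("pin:", next(iter(pinset)))
    print("genuine server:", pin_matches(build_sample_cert(SAMPLE_SPKI), pinset))   # True
    # An interception proxy presents its own key, so the pin check fails even though
    # the proxy's CA may have been installed on the device.
    print("proxy cert:", pin_matches(build_sample_cert(sample_spki(bytes(64))), pinset))   # False
```

Pinning only holds while the app's pin check runs as written; once an attacker can instrument the app, the check is the first thing removed, which is the point of the next slides.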
Block Rooting and Instrumentation
Nervous Product Manager
Defense 4a: Use App-Level Message Protection
Defense 4b: Removing Secrets from App Package
Find Message Signing Secret
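Defense 4a and the "find the secret" slide above describe message protection with a shared secret and why it fails once the secret is pulled out of the package. The following is an added example, not code from the talk or from ShipFast: the client signs each request (method, path, timestamp, nonce, body hash) with an HMAC, the server recomputes the MAC, bounds the timestamp and rejects replayed nonces. The header names, the endpoint path and the secret value are hypothetical. The last step shows the limit of the defense: with the extracted secret, a forged request verifies exactly like a genuine one.

```python
import hashlib
import hmac
import secrets
import time


def canonical_string(method, path, timestamp, nonce, body: bytes) -> bytes:
    """What both sides sign: method, path, timestamp, nonce and a body hash, newline-joined."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode("utf-8")


def sign_request(secret: bytes, method, path, body: bytes, timestamp=None, nonce=None):
    """Client side: produce the protection headers for one request (hypothetical header names)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class SignatureVerifier:
    """Server side: recompute the MAC, bound the timestamp, reject replayed nonces."""

    def __init__(self, secret: bytes, max_skew=300):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp; prune entries older than max_skew in production

    def verify(self, method, path, body: bytes, headers, now=None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.max_skew:       # stale or far-future request
            return False
        if nonce in self.seen:                  # replay of a previously accepted request
            return False
        expected = hmac.new(self.secret, canonical_string(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.seen[nonce] = ts                   # record only after a successful check
        return True


if __name__ == "__main__":
    secret = b"hypothetical-secret-embedded-in-apk"   # constructed
    verifier = SignatureVerifier(secret)
    path, body = "/api/shipments/123/deliver", b'{"driver": 7}'

    genuine = sign_request(secret, "POST", path, body)
    print("genuine:", verifier.verify("POST", path, body, genuine))          # True
    print("replayed:", verifier.verify("POST", path, body, genuine))         # False
    print("tampered:", verifier.verify("POST", path, b'{"driver": 8}',
                                       sign_request(secret, "POST", path, body)))  # False

    # ShipRaider, having pulled the secret out of the app package, signs its own request.
    forged = sign_request(secret, "POST", "/api/shipments/999/deliver", b'{"driver": 7}')
    print("forged with extracted secret:",
          verifier.verify("POST", "/api/shipments/999/deliver", b'{"driver": 7}', forged))  # True
```

The verifier cannot distinguish the app from anything else holding the secret, which is why the talk's next defenses move the secret and the decision off the device.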
Defense 5a: Improve Run-Time Defenses
Moving secrets and security decisions off device
Defense 5b: Authenticate the App Off Device
Attacker Pivots to a Less Secure App
OAuth2 Authorization Flow
Mobile Authorization Flow with PKCE
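The PKCE slide above covers the flow at the diagram level. The following is an added example, not code from the talk: both sides of RFC 7636, the app's code_verifier and S256 code_challenge, and a stand-in authorization server that releases a token only when the verifier presented at /token matches the challenge bound to the one-time code at /authorize. The AuthorizationServer class is a hypothetical stand-in for illustration; the first assertion in its usage is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32) -> str:
    """High-entropy verifier the app keeps in memory only (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical stand-in for the authorization server's PKCE bookkeeping."""

    def __init__(self):
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge, method="S256"):
        """/authorize: bind the challenge to a fresh one-time code (user consent elided)."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code, code_verifier):
        """/token: release a token only if the verifier matches the bound challenge."""
        entry = self._pending.pop(code, None)   # every code is single use, success or not
        if entry is None:
            return None
        challenge, method = entry
        if method == "S256":
            presented = code_challenge_s256(code_verifier)
        elif method == "plain":                 # allowed by the RFC, but S256 is the norm
            presented = code_verifier
        else:
            return None
        if not hmac.compare_digest(presented, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def legitimate_exchange(server):
    """The genuine app: generates the verifier, gets a code via the browser, redeems it."""
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    return server.token(code, verifier)


def intercepted_exchange(server):
    """A malicious app registered for the same redirect URI captures the code but never
    saw the verifier, so its guess fails and the code is burned."""
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    return server.token(code, make_code_verifier())


if __name__ == "__main__":
    server = AuthorizationServer()
    print("legitimate app:", legitimate_exchange(server) is not None)    # True
    print("code interceptor:", intercepted_exchange(server) is not None)  # False
```

PKCE stops the code-interception attack, but it does not tell the server which app is asking: any client that runs the flow correctly gets a token, which is the gap the following slide addresses with an attested app identity.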
Strengthen OAuth2 with Attested App ID
Authorization in Context
Apply What You Learn Today
Taught by: RSA Conference