Overview
Syllabus
Intro
Explosion in Mobile Attacks
APIs Open New Business Opportunities and
Instagram API Attack
Ship Raider Shipper's Edge
App Identity using API keys
Keeping Secrets: Attack Surfaces
Don't Publish Your Keys
How Ship Raider Stole the API key
Detect and Block Abnormal Usage of APIs
Rate Limiting and Load Shedding
Behavioral API Security
Breaking TLS
Certificate Pinning
Pinning Upkeep
Remove Secret from the Channel
How ShipRaider Broke the HMAC
Calculate Secret at Runtime
Ship Raider Steals Runtime Secret
App Hardening Approaches
OAuth2 Overview
Abstract Protocol Flow
User's Outh2 Code Grant Flow
OAuth2 Refresh Tokens
OAuth2 Proof of Key Code Exchange (PKCE)
API Proxy Pattern
Secret as a Service
App Integrity Measurement
Strengthening OAuth2 Flow
ShipShape
Architecture Pattern
Conclusion
Taught by
OWASP Foundation