Overview
Syllabus
Intro
The Dark API Economy
Mobile Apps Rely on APIs
Abusing APIs in the Mobile Market
Mobile Attack Surfaces
The ShipFast Driver App
API Sequence for Pick Up and Delivery
The ShipRaider Bench and Driver App
ShipRaider's API Exploit
Initial Security Posture
User Authorization is not Service Authorization
Common API Gateway Defenses
API Proxy Pattern
Inspect the App Package
Obfuscate Code and Secrets in Code. Obfuscate calling logic and API & key strings
Observe/Manipulate Communication Channel
Certificate Pinning
Unpin the Channel
Block Rooting and Instrumentation
Nervous Product Manager
a: Use App-Level Message Protection
Defense 4: Removing Secrets from App Package
Find Message Signing Secret
a: Improve Run-Time Defenses
Moving secrets and security decisions off device
Defense 5b: Authenticate the App Off Device
Defense 5c: Reintroduce the Pinning Service
API Defense Objectives
Attacker Pivots to a Less Secure App
Taught by
OWASP Foundation