Learn to protect React Native mobile applications from API exploitation in this 45-minute OWASP Foundation talk. Explore the dark API economy, mobile app vulnerabilities, and attack surfaces using the ShipFast Driver App as an example. Discover common API gateway defenses, including the API proxy pattern, code obfuscation, and certificate pinning. Address challenges like rooting and instrumentation, and implement app-level message protection. Examine strategies for removing secrets from app packages, improving run-time defenses, and authenticating apps off-device. Gain insights into API defense objectives and potential attacker pivots to less secure applications.
Overview
Syllabus
Intro
The Dark API Economy
Mobile Apps Rely on APIs
Abusing APIs in the Mobile Market
Mobile Attack Surfaces
The ShipFast Driver App
API Sequence for Pick Up and Delivery
The Ship Raider Bench and Driver App
ShipRaider's API Exploit
Initial Security Posture
User Authorization is not Service Authorization
Common API Gateway Defenses
API Proxy Pattern
Inspect the App Package
Obfuscate Code and Secrets in Code . Obfuscate calling logic and API & kay strings
Observe/Manipulate Communication Channel
Certificate Pinning
Unpin the Channel
Block Rooting and Instrumentation
Nervous Product Manager
a: Use App-Level Message Protection
Defense 4: Removing Secrets from App Package
Find Message Signing Secret
a: Improve Run-Time Defenses
Moving secrets and security decisions off device
Defense 5b: Authenticate the App Off Device
Defense 5c: Reintroduce the Pinning Service
API Defense Objectives
Attacker Pivots to a Less Secure App
Taught by
OWASP Foundation
