Many businesses require reliable and secure mobile transactions to operate successfully in today's markets. Fully mobile-first services such as ride hailing and on-demand food delivery come to mind, but other activities, such as retail shopping and consumer banking, are growing fastest through their mobile channels.
In the mobile channel, all transactions are made using APIs, and a vulnerable API is a threat to profits, reputation, and viability.
Uber rightfully received a lot of negative attention for its 2016 data breach, but a vulnerability in 2019 is more representative of a typical breach. In the more recent case, a security researcher reported and demonstrated an API exposure that could be used to track a user's location, request rides, get payment, and view other personal information.
This type of API vulnerability could have been rapidly exploited in a highly public way or quietly exploited over an extended period of time. To Uber's credit, once notified, it promptly closed the vulnerability.
Here's why API abuse is rife and what you can do about it.
APIs enable friend and foe alike
A traditional HTML-driven browser session focuses on presenting information in a view tailored specifically for the user's next step. Most business logic is handled on the server.
But in an API-driven application, more business logic shifts to the client.
API calls are used to read and write raw data and, since good APIs are well structured, you can observe one call and then often use that to guess related API calls. This lets bad actors efficiently extract lots of data from a poorly protected back-end service.
And there's plenty of API-accessible data out there. In a six-month study in 2018, Akamai reported a big shift in API traffic. In 2014, some 47% of traffic through its secure content delivery network was API packets; in 2018, those API packets had grown to 83% of the traffic.
By 2022, Gartner predicts, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.
How hackers get API info
API calls are typically protected by a simple API key and user credentials, most often in the form of an access token. These tokens are like cash, so if you can get one, by registering for your own account or stealing someone else's, you can spend it however you wish.
You are not constrained by the business logic of an application, and you can use bots to make high-volume API calls to harvest and manipulate valuable data and business operations.
Mobile applications are often less secure than they need to be. Unlike web pages, mobile apps are installed on a device, and an attacker can install an application on a device he controls to study and manipulate the app, searching for weaknesses.
Often when a simple request is made, say for a user's phone number, an API call will return an entire customer record, relying on the app's business logic to show only the phone number to the requestor.
A hacker can exploit the API call to easily extract personal information. In apps that are meant for intermittent service or off-line operation, even more data is pre-fetched and available through speculative API calls.
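The over-fetching pattern described above, as an added example that is not from the original article: a lookup that returns the whole customer record and relies on the app to hide fields, next to a hardened version that enforces ownership and a field allowlist on the server. The data store, field names and function names are constructed for illustration.

```python
from typing import Any, Dict, Optional, Set

# Constructed sample data standing in for the back-end customer store.
CUSTOMERS: Dict[str, Dict[str, Any]] = {
    "c-1001": {"id": "c-1001", "phone": "+1-555-0100", "email": "a@example.com",
               "ssn_last4": "1234", "home_address": "1 Main St"},
    "c-1002": {"id": "c-1002", "phone": "+1-555-0199", "email": "b@example.com",
               "ssn_last4": "9876", "home_address": "2 Oak Ave"},
}

# The only fields the mobile client is ever allowed to receive.
CLIENT_FIELDS: Set[str] = {"id", "phone", "email"}


def get_customer_vulnerable(customer_id: str) -> Optional[Dict[str, Any]]:
    """Returns the whole record and trusts the app to show only the phone
    number; anyone calling the API directly gets every field."""
    return CUSTOMERS.get(customer_id)


def get_customer_hardened(caller_id: str, customer_id: str,
                          fields: Set[str]) -> Optional[Dict[str, Any]]:
    """Enforces on the server what the app's business logic only implied:
    a caller may read its own record, and only allowlisted fields."""
    if caller_id != customer_id:
        return None  # same response as "not found", so IDs cannot be probed
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return None
    # Drop any requested field that is not allowlisted instead of erroring,
    # so the response never reveals which sensitive fields exist.
    return {name: record[name] for name in fields & CLIENT_FIELDS}
```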
Prevent API reverse engineering
Before an API can be abused, an attacker must first discover it and then understand its capabilities and calling structure. To prevent reverse engineering of an API, a developer must make it difficult for an attacker to study the installed application and prevent observation of active API calls.
Here are some tips for how to do this:
- Application hardening protects an installed application from decompilation and manipulation.
- Obfuscation techniques can make code comprehension very difficult.
- Anti-tamper techniques detect or block manipulated apps from running.
- Persistent data should always be written to secure storage.
- Protect the runtime environment through detection of device rooting, debugger/emulator usage, or instrumentation frameworks; this is a constant cat-and-mouse game with hackers.
All these techniques involve some tradeoff between security comprehensiveness and performance.
However, investing in a well-secured application is worthless if the communication channel is easily compromised. All API calls should be made over HTTPS, which encrypts the channel with TLS and authenticates the server with a certificate.
Unfortunately, an attacker can easily install his own certificate authority as trusted on a device he controls, then decrypt and manipulate API calls with a man-in-the-middle proxy. For mobile applications, certificate pinning should be used to strengthen communication security against these attacks.
Block API abuse
It is difficult to completely protect APIs from reverse engineering, and many public APIs are well documented. So, what should you do if your API is well understood? Your best defense is to make it as difficult as possible for an attacker to create a valid API request, and this means having a very strong authentication scheme.
Popular techniques such as OAuth2 and OpenID Connect are well understood for user authorization of API calls. These services authenticate user credentials outside an application and return access tokens, which in turn authorize API calls.
As mentioned earlier, applications constrain how APIs are called, so restricting API calling to only authentic applications is just as important as knowing a user's identity. Static API keys are typically used to identify an application, but they are notoriously hard to secure inside an application and are frequently published.
It makes sense to require an app to present credentials to an external app-authentication service. These services can enable secretless authentication, which is secure and non-replayable.
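The app-authentication flow just described, as an added example (not the article's, and not any vendor's product code): an off-device attestation service mints a short-lived, single-use token for a genuine app, and the API verifies it with a key that is shared only between the service and the back end, so nothing static has to live in the app. The integrity check itself is assumed and reduced to a boolean, and the key, TTL and token format are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Shared by the attestation service and the API back end only; it is never
# compiled into the mobile app (constructed value).
ATTEST_KEY = b"constructed-key-shared-by-attestation-service-and-api"
TOKEN_TTL = 60  # seconds a token stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_instance_id: str, app_genuine: bool, now: float):
    """Attestation service side. The off-device integrity check is assumed
    and reduced to app_genuine; a genuine app gets a signed, short-lived,
    single-use token instead of holding a static API key."""
    if not app_genuine:
        return None
    claims = {"sub": app_instance_id, "exp": now + TOKEN_TTL,
              "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ATTEST_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


class ApiServer:
    """API side: checks signature, expiry and single use of each token."""

    def __init__(self) -> None:
        self.seen = {}  # jti -> exp, the replay cache

    def verify(self, token: str, now: float) -> bool:
        try:
            p64, s64 = token.split(".")
            payload, sig = _unb64(p64), _unb64(s64)
            expected = hmac.new(ATTEST_KEY, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(sig, expected):
                return False  # forged or tampered token
            claims = json.loads(payload)
            exp, jti = float(claims["exp"]), str(claims["jti"])
        except (ValueError, KeyError, TypeError):
            return False  # malformed token
        if exp <= now:
            return False  # expired
        self.seen = {j: e for j, e in self.seen.items() if e > now}  # evict
        if jti in self.seen:
            return False  # replay of a captured token
        self.seen[jti] = exp
        return True
```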
Runtime techniques—used to protect the application environment and communications against reverse engineering—can also prevent credential harvesting and API call manipulation.
Additional, less definitive signals are available to identify authentic traffic:
- Detecting anomalous API calling sequences, often built around adaptive AI techniques; this is a popular technique that yields a probability of authenticity
- Using additional contextual information—such as time of day, user/device matching, and GPS location; but keep in mind that this may raise privacy concerns
A defense-in-depth strategy using a mix of contextual signals is valuable, but may be difficult to tune to never reject valid traffic.
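A rule-based stand-in for the anomalous-sequence signal above, added here as an example rather than taken from the article: it runs over constructed access-log lines and flags a client that touches many distinct customer IDs in a short window, noting when the IDs are consecutive, which is what guessing related API calls looks like from the server side. Log format, thresholds and client names are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed access-log lines: time(s) client_id method path
LOG = """\
100 app-7f3 GET /v1/customers/1001
101 app-7f3 GET /v1/customers/1001/orders
130 app-7f3 GET /v1/customers/1001
200 bot-22 GET /v1/customers/1001
200 bot-22 GET /v1/customers/1002
201 bot-22 GET /v1/customers/1003
201 bot-22 GET /v1/customers/1004
202 bot-22 GET /v1/customers/1005
202 bot-22 GET /v1/customers/1006
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) /v1/customers/(\d+)")


def flag_enumeration(log: str, window: int = 60, max_ids: int = 3) -> Dict[str, str]:
    """Returns {client: reason} for clients that read more than max_ids
    distinct customer IDs within `window` seconds of any one request."""
    hits = defaultdict(list)  # client -> [(time, customer_id)]
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            t, client, _method, cid = m.groups()
            hits[client].append((int(t), int(cid)))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = sorted({cid for t, cid in events[i:] if t - t0 <= window})
            if len(ids) > max_ids:
                consecutive = ids == list(range(ids[0], ids[0] + len(ids)))
                flagged[client] = ("sequential id enumeration" if consecutive
                                   else "many distinct ids in window")
                break
    return flagged
```

A normal app session re-reads its own record and related sub-resources, which this rule leaves alone; the output is a signal to feed into rate limiting or review, not proof of abuse on its own.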
Take action now
To protect your business from API abuse, you don't need perfect security, but your security must cost more to breach than it yields value to the attacker.
Attackers seek out high value and easy targets, and API calls and mobile applications are ever more attractive targets. Limited app authentication and failure to pin TLS certificates are today's weakest links.
All can be improved using off-device app attestation techniques. Your best defense will always use a variety of techniques, and, as with most security challenges, preventing mobile API abuse needs to continuously evolve to keep pace with attackers.
Skip Hovsmith will present on this topic at RSA Conference 2020 on Feb 28. Don't miss "API Abuse through Mobile Apps: New Attacks, New Defenses".