Mobile API Abuse Report 2017
David Stewart
©2018 CriticalBlue
Hi!
Who are we?
What I’m going to talk about:
  Business Level Attacks
  A Bestiary of Mobile API Abuse
  How do we know this stuff anyway?

Mobile APIs Are a Bit Different
Mobile APIs are typically closer to the backend services.
More business logic is distributed to the end user.
A simplified UI restricts authentication options.
https://www.pingidentity.com/developer/en/resources/application-integration-overview.html

Business Level Attacks
APIs are windows into business operations.
Anyone can download your app and reverse how your API works.
If a system can be exploited for gain - someone will!
Your WAF cannot help you.
Attacks by Authenticated Users!

API Abuse Bestiary

Exhibit 1 - Data Scraping
Need to control data distribution to monetize.
Scrapers profit from direct use or resale of data.
Access control unpopular & ineffective.
Good APIs make this easier to do.
https://www.linkedin.com/pulse/scrapping-data-e-commerce-sites-legal-illegal-alok-singh/

Data Scraping -
[Diagram labels: Scraper Script/Bot; Scraper's copy of app; Reverse API Requests; API Requests using same user credentials as app; API; CSV; Racing Analysis Spreadsheet]

Exhibit 2 - Account Hijack
Any service with user accounts is at risk.
Playback of password lists from other breaches.
Increasingly sophisticated bots avoid behavioural detection.
Erodes trust in service.
Loss recovery difficult.

Account Hijack - North American Retailer
[Diagram labels: Bot Farm; Public Username & Password Dumps; Reverse Engineered Requests; Retailer Mobile API]

Exhibit 3 - Fake Account Factories
Any service with a social network.
Subversion of account verification processes at scale.
Accounts sold on to spammers etc.
Erodes brand reputation.
Bad for user experience.

Fake Account Factories -
[Diagram labels: Device / Bot Farm; Spammers; Fake Account Factory; (ab)Users; Transfer Nims to real account; Nimses Backend; Account Creation; Spam Posts]

Exhibit 4 - Aggregation
App is storefront for your product/service.
Aggregators are often well funded companies.
Loss of control of user experience.
Brand dilution.
Potentially unfair competition.
Sales overhead.
Loss of customer journey control.

Aggregation - European Car Share Providers
[Diagram labels: Aggregator App; Aggregator Backend; Device Farm; Cloud Proxy; Mobility Provider APIs; Launch Provider App for unsupported operations; Unlock & start car]

Exhibit 5 - Cheating as a Service
Users interact with app to earn rewards.
Automation and fake accounts accelerate earnings.
Undermines business model if users can avoid doing “work”.
Unfair for other users - may leave service.

CaaS - U.S. Location Based Marketing
[Diagram labels: Fake Account Factory; Fake Account Creation; Application Backend; Reward Generator; Web App; Account Details; User; Faked Activity; Sensor Spoofing; Reward Points; Redeem Points]

Conclusions

Attackers Have a Sophisticated Tool Kit
Scripts / Bots.
APK Unpackers.
Network Analyzers.
Debuggers and Frameworks.
Emulators.
Device ID rotation, IP Spoofing / Proxies, VPNs etc.

Defensive Approaches
Business level attacks look like normal users:
  Do not rely on user authentication alone.
  Hard to know if you have this issue without looking for it.
Consider your business model in terms of API abuse:
  Imagine what can be seen through the window of your API.
  Cure is ideal, but prevention is also good.
Technical Solutions:
  Authenticate the app, lock down the device and the API connection.
  Monitor for suspicious patterns in user accounts.

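The "authenticate the app and lock down the API connection" point above turns on the backend being able to tell a request from the genuine app apart from one replayed by a script using the same user credentials. The following is an added illustration, not code from the slides, from CriticalBlue or from any Approov product: it assumes a hypothetical attestation service that issues a short-lived HMAC token only after the real app has proved itself (that proof step is assumed, not shown), and binds each token to one request (method, path, body hash) so it cannot be replayed against another endpoint. The secret, paths and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the (assumed) attestation service and the API
# backend. In a real deployment it lives in a secrets store, never inside the app.
SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL = 300  # seconds; short-lived so a captured token is worth little


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def request_binding(method: str, path: str, body: bytes) -> str:
    """Digest of the single request this token may authorise (method, path, body)."""
    h = hashlib.sha256()
    h.update(method.upper().encode() + b"\n")
    h.update(path.encode() + b"\n")
    h.update(hashlib.sha256(body).digest())
    return h.hexdigest()


def issue_token(method: str, path: str, body: bytes, now=None) -> str:
    """Stand-in for the hypothetical attestation service. It is only called after the
    genuine app has passed attestation, which this example assumes has happened."""
    now = time.time() if now is None else now
    payload = {"exp": int(now) + TOKEN_TTL, "bind": request_binding(method, path, body)}
    encoded = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, encoded.encode(), hashlib.sha256).digest()
    return f"{encoded}.{_b64(sig)}"


def verify_token(token: str, method: str, path: str, body: bytes, now=None) -> str:
    """Backend check run on every request. Returns 'ok' or the rejection reason."""
    now = time.time() if now is None else now
    try:
        encoded, sig_b64 = token.split(".")
        sig = _unb64(sig_b64)
    except ValueError:  # wrong number of parts, or invalid base64
        return "malformed"
    expected = hmac.new(SECRET, encoded.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return "bad-signature"
    try:
        payload = json.loads(_unb64(encoded))
    except ValueError:
        return "malformed"
    if not isinstance(payload, dict):
        return "malformed"
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return "expired"
    if payload.get("bind") != request_binding(method, path, body):
        return "wrong-request"  # token replayed against a different endpoint or body
    return "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    tok = issue_token("GET", "/v1/prices", b"", now=t0)
    print(verify_token(tok, "GET", "/v1/prices", b"", now=t0))              # ok
    print(verify_token(tok, "GET", "/v1/orders", b"", now=t0))              # wrong-request
    print(verify_token(tok, "GET", "/v1/prices", b"", now=t0 + TOKEN_TTL))  # expired
    print(verify_token("x" + tok, "GET", "/v1/prices", b"", now=t0))        # bad-signature
```

The value of the binding is that a scraper or bot which has captured a token from the app can at most repeat the exact request the app made, once, within the TTL; it cannot mint tokens for its own reverse-engineered requests without passing the attestation step itself.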
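The "monitor for suspicious patterns in user accounts" point is what makes the exhibits above visible at all, since each one is carried out by authenticated sessions that a WAF waves through. The following added example (not code from the slides or from CriticalBlue) runs three simple detectors over a constructed set of API access records: credential replay from a bot farm (Exhibit 2), one account walking the whole catalogue (Exhibit 1), and a burst of account creations from one device (Exhibit 3). The log format, field names, paths and thresholds are all assumptions for the illustration.

```python
import json
from collections import defaultdict


def _rec(ts, dev, user, path, status):
    return json.dumps({"ts": ts, "dev": dev, "user": user, "path": path, "status": status})


# Constructed API access records (JSON lines) standing in for one hour of backend
# logs; not real traffic. Fields: timestamp, device id, user, path, HTTP status.
SAMPLE_LOG = "\n".join(
    # bot farm replaying a leaked password list: one device, many usernames, mostly 401s
    [_rec(1000 + i, "dev-A", f"victim{i}", "/v1/login", 401) for i in range(30)]
    + [_rec(1040, "dev-A", "victim30", "/v1/login", 200)]
    # scraper walking the catalogue with one genuine, authenticated account
    + [_rec(2000 + i, "dev-B", "scraper", f"/v1/items/{i}", 200) for i in range(120)]
    # fake account factory registering from a single device
    + [_rec(3000 + i, "dev-C", f"new{i}", "/v1/accounts", 201) for i in range(15)]
    # an ordinary user: one login, a couple of item views
    + [_rec(4000, "dev-D", "alice", "/v1/login", 200),
       _rec(4005, "dev-D", "alice", "/v1/items/7", 200),
       _rec(4009, "dev-D", "alice", "/v1/items/9", 200)]
)

# Thresholds are illustrative; tune them per service against known-good traffic.
CREDENTIAL_STUFFING = {"min_logins": 20, "min_distinct_users": 10, "min_failure_ratio": 0.8}
SCRAPING = {"min_distinct_items": 100}
ACCOUNT_FACTORY = {"min_signups": 10}


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records):
    """Return (pattern, key) alerts for the three abuse patterns over one time bucket.
    A production detector would use sliding windows rather than one fixed bucket."""
    logins = defaultdict(lambda: {"n": 0, "fail": 0, "users": set()})  # per device
    items = defaultdict(set)    # distinct item paths requested, per user
    signups = defaultdict(int)  # successful account creations, per device
    for r in records:
        if r["path"] == "/v1/login":
            s = logins[r["dev"]]
            s["n"] += 1
            s["users"].add(r["user"])
            if r["status"] != 200:
                s["fail"] += 1
        elif r["path"].startswith("/v1/items/"):
            items[r["user"]].add(r["path"])
        elif r["path"] == "/v1/accounts" and r["status"] == 201:
            signups[r["dev"]] += 1

    alerts = []
    for dev, s in logins.items():
        # many different usernames tried from one device with a high failure rate
        if (s["n"] >= CREDENTIAL_STUFFING["min_logins"]
                and len(s["users"]) >= CREDENTIAL_STUFFING["min_distinct_users"]
                and s["fail"] / s["n"] >= CREDENTIAL_STUFFING["min_failure_ratio"]):
            alerts.append(("credential_stuffing", dev))
    for user, paths in items.items():
        # one account fetching far more distinct resources than a person browses
        if len(paths) >= SCRAPING["min_distinct_items"]:
            alerts.append(("scraping", user))
    for dev, n in signups.items():
        if n >= ACCOUNT_FACTORY["min_signups"]:
            alerts.append(("account_factory", dev))
    return alerts


if __name__ == "__main__":
    for pattern, key in detect(parse_log(SAMPLE_LOG)):
        print(f"{pattern}: {key}")
```

Two of the detectors key on a device id, which the tool kit slide notes attackers rotate (along with IPs and proxies); the scraping detector keys on the account instead, and in practice several keys are combined. Detection of this kind tells you that you have the problem, which is the "hard to know without looking for it" point, while the app-authentication approach is what stops the traffic at the door.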
THANKS!
Further Reading:
https://github.com/approov/shipfast-api-protection
https://approov.io/case-studies.html
https://approov.io/blog
david.stewart@criticalblue.com
@critblue

2017 API Abuse Report - APIDays Paris 2018