Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Secure API Design for Mobile Apps

Mobile APIs require a good amount of prerequisite knowledge and sufficient understanding in order to implement properly.

This slide will walk you through everything you need to know to properly design a secure API for consumption on mobile devices, whether you’re building a mobile app that needs to access a REST API, or writing a REST API and planning to have developers write mobile apps that work with your API service.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to comment

  • Be the first to like this

Secure API Design for Mobile Apps

  1. 1. Mobile App Security Meet More Connections to more devices means more vulnerabilities. If you control the code you control the world ” Secure API Design
  2. 2. Mobile App Security Meet Mobile first ”The future of mobile is the future of online. It is how people access online content now.
  3. 3. Mobile App Security Meet Agenda ● API Threats ● Attributes of Secure API ● Realizing about the problem ● Authentication Schemes ● Best Practices ● Questions
  4. 4. Mobile App Security Meet Threats to your APIs ● APIs are vulnerable to OWASP top 10 attacks ● Hackers reverse engineer apps to access private APIs ● Data thefts ● User account compromise ● Coding flaws ● Badly Implemented clients may leave your system vulnerable
  5. 5. Mobile App Security Meet Realizing about the problem ● Unusual API requests ● Traffic spike ● Strange source addresses of requests ● Long service time
  6. 6. Mobile App Security Meet Attributes of Secure API ● Authentication System should service only legitimate users ● Authorization System should allow users to perform only legitimate operations ● Confidentiality Confidential data should be protected ● Integrity Integrity of transactions should be protected
  7. 7. Mobile App Security Meet Authentication Schemes - Basic Resend Request GET Request: GET Server Challenge HTTP/1.1 401
  8. 8. Mobile App Security Meet Authentication Schemes - Digest Hash username and password before sending it over network Request GET
  9. 9. Mobile App Security Meet Authentication Schemes - Oauth 1.0 GET
  10. 10. Mobile App Security Meet Authentication Schemes - Oauth 2.0 GET
  11. 11. Mobile App Security Meet Authentication Schemes - Oauth 2.0
  12. 12. Mobile App Security Meet Authentication Schemes - 2 Way TLS
  13. 13. Mobile App Security Meet Best Practices TLS ● Use TLS for all API’s ● Plain HTTP is vulnerable to man in the middle attack ● Once moved to TLS, do not support plain HTTP ● Use standard TLS implementations in clients ● Preferably use SSL pinning in mobile apps ○ Proper implementation of X509TrustManager in Android Apps ○ Use additional unconventional checks like hashing of public cert ● Use mutual TLS for trusting clients - private API’s or apps not on playstore
  14. 14. Mobile App Security Meet Best Practices Access Tokens ● Long Strings ● Entropy ● Resistant to preimage attacks ● Resistant to collision attacks ● Strong cryptographic hash e.g. bcrypt ● Short TTL ● Avoid designing API’s which blindly return access tokens for a given user id
  15. 15. Mobile App Security Meet Best Practices Scope access tokens POST
  16. 16. Mobile App Security Meet Best Practices Validating Access Tokens ● All API calls must carry access tokens - Reject those which have none. ● Build a framework which is invoked before the actual API call is serviced - Spring Security in JAVA ● Map the access token to a valid User Entity for further processing ● Validate the scope of token - Reject request which are trying to perform unauthorized operations
  17. 17. Mobile App Security Meet Best Practices User Passwords ● Well defined password rules ● Mix of alphanumeric and special characters ● Avoid dictionary words - Dictionary Attack ● Extra care while designing API’s which reset password like ○ Forgot Password ○ Profile Edit ● Use additional security measures like OTP via email or text ● Badly implemented API’s will create a backdoor to your system
  18. 18. Mobile App Security Meet Best Practices Session Cookies ● Avoid using session cookies - Consider Access Tokens ● Stateless API’s are more easy to manage than stateful ● Access Tokens + Stateless API = No CSRF attacks ● ;
  19. 19. Mobile App Security Meet Best Practices ID’s Request: GET vs Request: GET
  20. 20. Mobile App Security Meet Best Practices ID’s ● Don’t use serial numbers as primary identifiers of your resources like accounts, transactions - Brute Force Attack ● Use hashes instead ● Preferably use unique identifiers like UUID’s as transaction id’s ○ universally unique ○ avoids contention ○ performance boost
  21. 21. Mobile App Security Meet Best Practices Treat Security as a first class citizen and not as an add-on Consider it in the design phase of your product
  22. 22. Mobile App Security Meet Thank you

    Be the first to comment

    Login to see the comments

Mobile APIs require a good amount of prerequisite knowledge and sufficient understanding in order to implement properly. This slide will walk you through everything you need to know to properly design a secure API for consumption on mobile devices, whether you’re building a mobile app that needs to access a REST API, or writing a REST API and planning to have developers write mobile apps that work with your API service.

Views

Total views

1,395

On Slideshare

0

From embeds

0

Number of embeds

32

Actions

Downloads

13

Shares

0

Comments

0

Likes

0

×