apidays New York 2025 - Why an SDK is Needed to Protect APIs from Mobile Apps by Pearce Erensel (Approov)

Why an SDK is Needed to Protect APIs from Mobile Apps
Pearce Erensel, Global VP of Sales at Approov Mobile Security

apidays New York 2025
API Management for Surfing the Next Innovation Waves: GenAI and Open Banking
May 14 & 15, 2025

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

May 23, 2025

Transcript

  1. Why A Mobile SDK is Needed to Protect APIs
     Pearce Erensel - Approov
     apidays New York, May 15 2025
  2. Adoption of APIs and API Security
     Timeline labels from the slide: Firewalls, IP Whitelists, Limited API Visibility, WAFs, API Gateways, Rate Limiting, WAF Integration, Bot Mitigation, Web API Security, DDoS, Mobile First Focus, Mobile SDK Deployment, Mobile RASP, Multi-Channel API Security
  3. Large App Sec Vendors Focus
     • Gartner WAAP Vision - Web Application and API Protection
     • Web and browser focus
     • Large vendors have built out web app and API protection
       ◦ F5 bought Volterra (API Security) and Shape (Bots).
       ◦ Akamai bought Noname and Neosec (API Security).
       ◦ Imperva bought Prevoty (RASP), Distil Networks (Bots) and CloudVector (API Security).
       ◦ Radware bought ShieldSquare (Bots).
     • Continued their focus on perimeter
     • False positives from backend-only bot detection
     • Mobile threats pass unnoticed.
  4. The Mobile Issue
     The threat is real: Common Mobile to API Attacks
     • Repackaged apps bypass restrictions
     • Emulators to scale attacks
     • Man-in-the-Middle to extract API keys and secrets
     • Automation tools for script-based abuse
     • Credential Stuffing via the API
  5. The Mobile Issue
     The threat is real: Kahoot!, Starbucks, T-Mobile, ...
     Common Mobile to API Attacks
     • Repackaged apps bypass restrictions
     • Emulators to scale attacks
     • Man-in-the-Middle to extract API keys and secrets
     • Automation tools for script-based abuse
     • Credential Stuffing via the API
  6. Why Mobile SDKs are Critical for API Security
     • Mobile apps are easily modified, run in hostile environments.
     • Automated tools can mimic valid traffic.
     • Backend API security has no visibility into mobile threats.
     No amount of backend analysis can detect if the device was rooted, if the app has been modified, or if sensitive secrets are being exfiltrated.
     A Mobile SDK Can Add the Missing Context
     • Verify that the app has not been modified or repackaged.
     • Ensure the device is not rooted/jailbroken, running on an emulator, or tampered with.
     • Continuously attest the runtime environment using trusted hardware or integrity checks.
     • Bind requests to the genuine app using cryptographically signed tokens (e.g., JWTs).
     • Block automated tools like Frida, Magisk, Xposed before they even touch the API.
  7. Types of Mobile SDKs
     1. User Behavior Signals - CAPTCHA, gesture tracking
     2. Software and Device Identity Signals
  8. Behavioural Signals
     How It Works
     📦 Based on browser techniques
     🖱 Tracks key clicks, touch events, movements and timing
     🧠 Tries to differentiate humans from bots using behaviours
     Behavioural signals are helpful, but unreliable on their own. Mobile attestation offers deterministic verification.
     Challenges & Limitations
     📊 Large volumes of data
     🤷 Ambiguous results
     🧮 ML/AI decisions lack transparency
     🚫 Frequent false positives/negatives
     😡 User friction damages experience
  9. Software and Device Signals
     Understanding Mobile Threat Signals and What to Look for in a Solution
     What They Detect
     🔓 Rooted/Jailbroken device
     🐞 Presence of problematic software
     🎯 Consistent and deterministic identification of threats
     How to Evaluate
     🧩 Platform coverage - Supports iOS, Android, HarmonyOS
     🔍 Breadth of environment checks carried out
     🎛 Fine-grained OTA policy setting
     🚀 Addresses emerging issues
  10. Concerns About Mobile SDKs
      Concern: SDK complexity frustrates developers
      Best practice: Choose an SDK that's easy to integrate and test
      Concern: SDK security
      Best practice: Choose a hardened, tested SDK from a reputable vendor
      Concern: SDK impacts app size and performance
      Best practice: Choose a lightweight SDK that's easy to integrate one time in your app
      Concern: New versions of apps needed when something changes
      Best practice: Ensure dynamic cloud updates of policies, pins and keys
      Concern: SDK can be manipulated
      Best practice: Ensure validation takes place safely off-device
      Concern: More security team overhead to manage false positives
      Best practice: Choose deterministic measurements
      Concern: Isn't Firebase App Check or SafetyNet good enough?
      Best practice: Multi-platform SDK provides consistent best-in-class protection across all devices
  11. Effective App and Device Attestation
      Components on the slide: SDK, Cloud Validation, APIs
      1. Register new app releases
      2. SDK collects and sends app and device integrity measurements
      3. Cloud service checks measurements and sends JWT to app
      4. Signed short-lived JWT token indicates if app and device validly attested
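Added example, not Approov's SDK or service code: a stdlib-only sketch of the hand-off in steps 3 and 4 of slide 11, where the cloud validation service signs a short-lived JWT carrying the attestation verdict and the backend API checks signature, audience, expiry and verdict before serving the request. The shared secret, audience value and the `attested` claim name are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: secret shared between the attestation
# cloud service (signer) and the backend API (verifier). Assumed values.
ATTESTATION_SECRET = b"example-shared-secret-not-for-production"
EXPECTED_AUDIENCE = "api.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation_token(attested: bool, ttl_seconds: int = 300, now=None) -> str:
    """Cloud-validation side: sign a short-lived HS256 JWT with the verdict (step 3)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": EXPECTED_AUDIENCE, "iat": now, "exp": now + ttl_seconds,
              "attested": attested}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(ATTESTATION_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_attestation_token(token: str, now=None) -> bool:
    """Backend side: serve the API only if the token is intact, current and positive (step 4)."""
    now = int(time.time() if now is None else now)
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm; never trust the header
        return False
    expected = hmac.new(ATTESTATION_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False  # claims were altered or signed with a different key
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("aud") != EXPECTED_AUDIENCE or claims.get("exp", 0) <= now:
        return False  # wrong API or token no longer fresh
    return claims.get("attested") is True
```

The short `exp` is what makes a stolen token of limited use: a genuine app must re-attest and fetch a fresh token once it lapses.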
  12. Extending Attestation to Secret Protection
      Components on the slide: SDK, Cloud Validation, APIs
      1. Management of API Keys
      2. SDK collects and sends app and device integrity measurements
      3. Cloud service checks measurements and delivers API Key to app
      4. Just-in-time delivery of API keys from validated apps
      5. Backend verifies API key
      • Just-in-time delivery of secrets to mobile apps, only when needed and only if app is safe
      • Dynamic and secure cloud management of secrets
      • Prevents abuse of secrets stolen from any source
      • Must work with owned and 3rd party APIs
  13. Conclusion - API Protection Including the Mobile Channel
      • Use WAAP for web, integrate an SDK for mobile protection.
      • Choose an SDK that continuously collects comprehensive deterministic context about the app and device
      • Easy to integrate mobile contextual signals into any backend API security solution
      • Quickly and effectively block mobile attacks
      • Stop bots that shift from web to mobile
  14. Presentation Flow
      • Intro - Backend Security Focus
      • The Mobile Threat to APIs
      • The Need for Contextual Info from Mobile Apps and Devices
      • Types of SDK
        ◦ Behavioral Signals
        ◦ Software and Device Signals
      • Mitigating the Perceived Downsides
        ◦ Deterministic vs Vague
        ◦ SDK Security
        ◦ Securing the Validation Process (Approov example)
        ◦ Dynamic updating of policies and secrets
      • Integration with Backend API Security
      • Evaluation of Mobile Security Options
      • Conclusion