Wake up and smell the API

Mobile has spawned the growth of APIs, but many companies don’t make their APIs public and instead take a private API approach, often with disastrous outcomes. By working on an API in private you don’t get the mass feedback or input that a public API gives you. Using mitmproxy or Charles Proxy makes it a simple task to expose a mobile app’s API calls, and with companies not using strong enough security, or using auto-incrementing IDs, it is a trivial task to hack these APIs. Why not open your API up from the start and empower others, not only to give you valuable feedback but also to innovate on top of your platform in ways you may not have considered?

Simon Wood

July 14, 2015

Transcript

  1. Wake up and smell the API. By Simon Wood (@hpoom). Untangling the Web London - July 2015
  2. About me: Simon Wood, Technology Director, Shortbreaks / Holiday Extras
  3. Holiday Extras
  4. What I am going to cover: API Growth, Private APIs, Public APIs
  5. APIs Are Eating The World
  6. APIs: Mobile, Social, Cloud. Diagram by Sam Ramji - http://bit.ly/biz-apis
  7. Private APIs
  8. What is a Private API?
  9. “When it comes to modern devices and cloud services, there’s no such thing as a private API.” George Reese, bit.ly/private-API. Image: "Vintage Bank Vault" by Brook Ward, licensed under Creative Commons - https://flic.kr/p/dTo7wU
  10. “If You Have A Publicly Available Mobile App You Have a Public API.” Kin Lane, bit.ly/public-API
  11. Intercept API Calls
  12. Proxy Tools: mitmproxy (mitmproxy.org), Charles (charlesproxy.com)
  13. How proxy works (diagram): Client <-> Proxy <-> Server, with a Request and Response on each hop
  14. Private API vulnerability
  15. “We’re excited by the interest in developing for the Snapchat platform but we prohibit access to the private API we use to provide our service.” bit.ly/snapchat-api
  16. (image slide)
  17. “If it has an http:// in front of the address, it is a public API.” Kin Lane, bit.ly/http-public
  18. Moonpig
  19. “I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be water-boarded.” Paul Price, bit.ly/moonpig-api
  20. Captured request:
        GET /rest/MoonpigRestWebservice.svc/addresses?&customerId=5379382&countryCode=9424 HTTP/1.1
        Authorization: Basic aXBjiS5lOk1vb25QHjimvF58DEw
        Host: api.moonpig.com
        Connection: Keep-Alive
  21. Same request as slide 20
  22. Same request as slide 20, with the Basic credential shown decoded as *string*:*string*
  23. Same request as slide 20
  24. Response (truncated on the slide):
        {
          "Address": "xxxxxx\r\nxxxxxxx\r\nxxxxxxx",
          "AddressBookId": 414628930,
          "AddressType": "CustomerAddress",
          "AddressTypeId": 1,
          "Company": "Test",
          "Country": "United Kingdom",
          "County": "London",
          "Firstname": "Test",
          "Greeting": null,
          "Lastname": "Test",
          "Postcode": " LN1 3FN",
          "PostcodeSystemUpdated": null,
          "SortByLastName": false,
          "Suffix": null,
  25. Response:
        <ArrayOfCustomerCreditCard
            xmlns="http://schemas.datacontract.org/2004/07/Moonpig.Model.CustomerAttributes.Accounting"
            xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
          <CustomerCreditCard>
            <CardType>Credit Card (Unspeci</CardType>
            <CustomerId>11466749</CustomerId>
            <ExpiryDate>12/18</ExpiryDate>
            <LastFourDigits>5993</LastFourDigits>
            <NameOnCard>Mr X XXX</NameOnCard>
            <TransactionId>5983632541-1</TransactionId>
          </CustomerCreditCard>
        </ArrayOfCustomerCreditCard>
  26. Responsible Disclosure
  27. Ola Cabs - bit.ly/olacarbs-api
  28. Teller.io
  29. “The government is determined to support a more competitive banking sector where banks and financial technology firms can thrive alongside the established players, competing to offer new and improved services to customers.” George Osborne, autumn-statement-2014
  30. Reverse Engineer the banks
  31. How teller works (diagram): Request, Response, Request, Response
  32. (image slide)
  33. Public APIs
  34. What is a Public API?
  35. Innovation encouraged
  36. Pillow
  37. ESPN
  38. Community Feedback
  39. Developer Portal
  40. GitHub
  41. Twilio
  42. Share API payloads - apicommons.org
  43. Future is public APIs
  44. Thank you, please contact me if you have any questions! Twitter: @hpoom. By Simon Wood, Untangling the Web London - July 2015
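The Moonpig request on slides 20 to 25 carries a customerId in the query string next to the Authorization header, and the server answers for whichever customerId is supplied; the description at the top of the page names auto-incrementing IDs as what makes that trivial to abuse. The Python below is an added example, not code from the talk or from Moonpig: a constructed address store keyed by sequential IDs, the vulnerable handler beside one that enforces that the requested record belongs to the authenticated customer, and a log heuristic that flags a client reading many distinct customerId values. The endpoint path, customer IDs, client addresses and log lines are all constructed for the example.

```python
"""
Added example (not from the talk): the authorization gap the Moonpig slides
illustrate, the check that closes it, and a log heuristic for ID enumeration.
Endpoint shape, identifiers and log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample store: customerId -> saved addresses. The IDs are
# sequential integers, the pattern the talk calls out.
ADDRESS_BOOK: Dict[int, List[dict]] = {
    1001: [{"Firstname": "Alice", "Postcode": "AA1 1AA"}],
    1002: [{"Firstname": "Bob", "Postcode": "BB2 2BB"}],
    1003: [{"Firstname": "Carol", "Postcode": "CC3 3CC"}],
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def addresses_vulnerable(authenticated_customer: int, requested_customer: int) -> List[dict]:
    """Trusts the customerId query parameter and never compares it with the
    identity behind the Authorization header: any authenticated client can
    walk the ID space and read every customer's address book."""
    return ADDRESS_BOOK.get(requested_customer, [])


def addresses_hardened(authenticated_customer: int, requested_customer: Optional[int]) -> List[dict]:
    """Object-level authorization: the record owner must equal the
    authenticated principal. A mismatching parameter is rejected rather than
    silently honoured; an absent parameter defaults to the caller's own ID."""
    if requested_customer is not None and requested_customer != authenticated_customer:
        raise Forbidden(f"customer {authenticated_customer} may not read {requested_customer}")
    return ADDRESS_BOOK.get(authenticated_customer, [])


# Constructed access-log format: client  user  "GET path"  status
LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<user>\S+) "GET (?P<path>\S+)" (?P<status>\d{3})')
CUSTOMER_PARAM = re.compile(r"[?&]customerId=(?P<id>\d+)")

SAMPLE_LOG = """\
203.0.113.5 app-user "GET /rest/addresses?customerId=1001&countryCode=9424" 200
203.0.113.5 app-user "GET /rest/addresses?customerId=1002&countryCode=9424" 200
203.0.113.5 app-user "GET /rest/addresses?customerId=1003&countryCode=9424" 200
203.0.113.5 app-user "GET /rest/addresses?customerId=1004&countryCode=9424" 200
198.51.100.7 app-user "GET /rest/addresses?customerId=2200&countryCode=9424" 200
198.51.100.7 app-user "GET /rest/addresses?customerId=2200&countryCode=9424" 200
"""


def enumeration_suspects(log_text: str, min_distinct_ids: int = 3) -> Dict[str, List[int]]:
    """Group successful requests by client address and flag clients that read
    at least `min_distinct_ids` distinct customerId values. A genuine app user
    touches one ID; a sequential walk shows up as a run of neighbouring IDs."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("status") != "200":
            continue
        p = CUSTOMER_PARAM.search(m.group("path"))
        if p:
            seen[m.group("client")].add(int(p.group("id")))
    return {client: sorted(ids) for client, ids in seen.items() if len(ids) >= min_distinct_ids}


if __name__ == "__main__":
    # Customer 1001 asks for customer 1002's addresses.
    print(addresses_vulnerable(1001, 1002))   # leaks Bob's record
    try:
        addresses_hardened(1001, 1002)
    except Forbidden as exc:
        print("blocked:", exc)
    print(enumeration_suspects(SAMPLE_LOG))    # {'203.0.113.5': [1001, 1002, 1003, 1004]}
```

The hardened handler deliberately raises rather than quietly substituting the caller's ID, so that a client sending someone else's customerId produces a 403 in the access log; that failed request is itself a useful signal for the enumeration heuristic, which here only counts successful reads.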