Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[Droidcon London 2023] REST in Peace: A Journey Through API Protection

Marc Obrador
October 26, 2023
Programming
0
63

[Droidcon London 2023] REST in Peace: A Journey Through API Protection

Isn't Droidcon a Mobile Developer's conference? So, why would I care about protecting REST APIs? Well, think twice! API protection starts in the app, as the protection level of the API will be only as strong as the protection mechanisms built in the app. Join us for this entertaining talk were we will cover the typical mechanisms used to protect REST APIs and how they can be "exposed" if insufficient protection is put into the application. And, of course, guide you into putting the right measures inside the app so that both, app and backend, are sufficiently protected.

Marc Obrador

October 26, 2023
Tweet

More Decks by Marc Obrador

See All by Marc Obrador
[Droidcon Berlin 2023] Obfuscation in Mobile Apps
marcobrador
0
1.2k
[WeAreDevelopers World Conference] Reversing Android Apps
marcobrador
0
540
[mDevCamp 2020] Reversing Android Apps
marcobrador
3
2.6k
Introduction to Mobile App Security
marcobrador
2
370
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
marcobrador
0
760
[GDG BCN 2019] Introduction to Android App Security
marcobrador
1
860
[DroidCon Lisbon 2019] Intro to Android App Security
marcobrador
2
400

Other Decks in Programming

See All in Programming
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
260
新宿ダンジョンを可視化してみた
satoshi7190
2
270
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
960
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
9
4.1k
VSCodeでのDatabricks開発もお勧めしたい/I would also recommend Databricks development with VSCode.
kazumain
0
260
Tailwind CSSを本気でカスタマイズする方法
fsubal
14
5.3k
エンターテイメント業界で利用されるAWS
demuyan
0
210
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
950
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
840
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.3k
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
130
PHPはいつから死んでいるかの調査
chiroruxx
1
400

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
Designing with Data
zakiwarfel
96
4.8k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Bash Introduction
62gerente
604
210k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Faster Mobile Websites
deanohume
299
30k
Clear Off the Table
cherdarchuk
84
310k
Fireside Chat
paigeccino
21
2.6k
GitHub's CSS Performance
jonrohan
1025
450k
The Cult of Friendly URLs
andyhume
74
5.7k
Designing Experiences People Love
moore
136
23k
Why Our Code Smells
bkeepers
PRO
331
56k

Transcript

  1. REST in Peace: A Journey Through API Protection Andreas Luca

    & Marc Obrador 26 October 2023 I Droidcon London

  2. *just for today Andreas Luca Head of Solution Engineering @

    Build38 Marc Obrador CTO & Co-Founder @Build38 Head of Sec @ findyourflight.co.uk* Tech Lead @ findyourflight.co.uk* whoami

  3. One Day during the Daily Standup...

  4. Current Situation ü HTTPS is used ü API is protected

    with API Token

  5. Finding URL, Endpoint Info & API-Token https://www.charlesproxy.com/

  6. Certificate Pinning Source: https://developer.android.com/privacy-and-security/security-config#CertificatePinning In res/xml/network_security_config.xml:

  7. Certificate Pinning https://www.charlesproxy.com/

  8. Decompiling the APK $ brew install apktool $ apktool d

    MyApp.apk https://apktool.org/

  9. Hiding the API Token private val iv = sha256(BuildConfig.APPLICATION_ID +

    BuildConfig.VERSION_NAME) private val key = byteArrayOf(0x00, 0x01, 0x02, 0x03, … private val aad = byteArrayOf(0x0F, 0x0E, 0x0D, 0x0C, … private val tag = byteArrayOf(0x85, 0xb8, 0x75, 0x61, … private val ciphertext = byteArrayOf(0xa1, 0xd1, 0x75, … private fun decryptSecretToken(): String { return aes256Decrypt(iv, aad, key, ciphertext, tag) } private fun aes256Decrypt( iv: ByteArray, aad: ByteArray, keyBytes: ByteArray, ciphertext: ByteArray, tag: ByteArray): String { val cipher = Cipher.getInstance("AES/GCM/NoPadding") val spec = GCMParameterSpec(TAG_LENGTH * 8, iv) val key = SecretKeySpec(keyBytes, 0, keyBytes.size, "AES") cipher.init(Cipher.DECRYPT_MODE, key, spec) cipher.updateAAD(aad) return String(cipher.doFinal(ciphertext + tag)) }

  10. It is a bit more difficult, but…

  11. It is a bit more difficult, but… Java.perform(function () {

    console.log("Setting hooks..."); var aesd = Java.use("c1.c"); aesd.e.implementation = function(str) { console.log("Input intercepted data: " + str); var res = this.e(str) console.log("Ouput intercepted data: " + res); return res; } console.log("Setting hooks done."); });

  12. A Slightly Better Approach Idea: restrict validity of API token

    only for login request o Upon successful log in, a dynamic, short- lived token (e.g. a JWT) is issued to the app o All other API endpoints require the JWT (instead of the API key) To get full access to the API, both API token and valid user credentials are needed Cons: • Backend changes required • Enforces user log-in / sign-up

  13. Closing Thoughts Is there a 100% protection? No. What can

    I do? Protect against all kind of attacks: o Network level o Static Analysis o Dynamic Analysis How long will it take? It could be time consuming…

  14. Q&A Build38.com Munich I Barcelona I Singapore Find us at

    Booth 6! /build38/rest-in-peace-droidcon-london Andreas Luca Head of Solution Engineering Marc Obrador CTO & Co-Founder @theBIGGlucas @marcobrador