[Droidcon London 2023] REST in Peace: A Journey Through API Protection

Isn't Droidcon a mobile developer's conference? So why would I care about protecting REST APIs? Think twice! API protection starts in the app: the protection level of the API is only as strong as the protection mechanisms built into the app. Join us for this entertaining talk where we cover the typical mechanisms used to protect REST APIs and how they can be "exposed" if insufficient protection is put into the application. And, of course, we guide you in putting the right measures inside the app so that both app and backend are sufficiently protected.

Marc Obrador

October 26, 2023
Transcript

  1. REST in Peace: A Journey Through API Protection
     Andreas Luca & Marc Obrador
     26 October 2023 | Droidcon London
  2. whoami
     Andreas Luca: Head of Solution Engineering @ Build38; Head of Sec @ findyourflight.co.uk*
     Marc Obrador: CTO & Co-Founder @ Build38; Tech Lead @ findyourflight.co.uk*
     *just for today
  3. Hiding the API Token
     // Everything needed to recover the token (IV derivation, key, AAD, tag, ciphertext)
     // ships inside the APK; out-of-range byte literals need .toByte() to compile in Kotlin.
     private val iv = sha256(BuildConfig.APPLICATION_ID + BuildConfig.VERSION_NAME)
     private val key = byteArrayOf(0x00, 0x01, 0x02, 0x03, …
     private val aad = byteArrayOf(0x0F, 0x0E, 0x0D, 0x0C, …
     private val tag = byteArrayOf(0x85.toByte(), 0xb8.toByte(), 0x75, 0x61, …
     private val ciphertext = byteArrayOf(0xa1.toByte(), 0xd1.toByte(), 0x75, …

     private fun decryptSecretToken(): String {
         return aes256Decrypt(iv, aad, key, ciphertext, tag)
     }

     private fun aes256Decrypt(
         iv: ByteArray,
         aad: ByteArray,
         keyBytes: ByteArray,
         ciphertext: ByteArray,
         tag: ByteArray
     ): String {
         val cipher = Cipher.getInstance("AES/GCM/NoPadding")
         val spec = GCMParameterSpec(TAG_LENGTH * 8, iv)
         val key = SecretKeySpec(keyBytes, 0, keyBytes.size, "AES")
         cipher.init(Cipher.DECRYPT_MODE, key, spec)
         cipher.updateAAD(aad)
         // JCE expects the GCM tag appended to the ciphertext
         return String(cipher.doFinal(ciphertext + tag))
     }
  4. It is a bit more difficult, but…
     Java.perform(function () {
         console.log("Setting hooks...");
         // Hook the method that returns the decrypted token and log its input and output
         var aesd = Java.use("c1.c");
         aesd.e.implementation = function (str) {
             console.log("Input intercepted data: " + str);
             var res = this.e(str);
             console.log("Output intercepted data: " + res);
             return res;
         };
         console.log("Setting hooks done.");
     });
  5. A Slightly Better Approach
     Idea: restrict validity of the API token to the login request only
       o Upon successful login, a dynamic, short-lived token (e.g. a JWT) is issued to the app
       o All other API endpoints require the JWT (instead of the API key)
     To get full access to the API, both the API token and valid user credentials are needed
     Cons:
       • Backend changes required
       • Enforces user login / sign-up
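The backend side of this slide, as an added example that is not part of the talk or of Build38's code: the login endpoint is the only one that accepts the app's static API token, and it also demands user credentials; on success it mints a short-lived HS256 JWT, and every other endpoint accepts only that JWT. All names and values (APP_API_TOKEN, JWT_SIGNING_KEY, the demo user, the 5-minute TTL, the endpoint functions) are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample values (not from the talk). In a real deployment the API
# token is the static secret the app presents at login, and the JWT signing key
# never leaves the backend.
APP_API_TOKEN = "app-api-token-EXAMPLE"
JWT_SIGNING_KEY = b"backend-only-signing-key-EXAMPLE"
USERS = {"alice": "correct horse battery staple"}   # constructed demo user
JWT_TTL_SECONDS = 300                               # short-lived: 5 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject: str, now: Optional[float] = None) -> str:
    """Mint a compact HS256 JWT that expires JWT_TTL_SECONDS after issue."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + JWT_TTL_SECONDS,
               "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(JWT_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":      # pin the algorithm; never trust the header's choice
            return None
        expected = hmac.new(JWT_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None                           # short lifetime bounds the damage of a leaked JWT
    return payload


def login(api_token: str, username: str, password: str,
          now: Optional[float] = None) -> Optional[str]:
    """The only endpoint that accepts the app's API token; it also needs user credentials."""
    if not hmac.compare_digest(api_token.encode(), APP_API_TOKEN.encode()):
        return None
    expected_pw = USERS.get(username)
    if expected_pw is None or not hmac.compare_digest(expected_pw.encode(), password.encode()):
        return None
    return issue_jwt(username, now)


def get_profile(authorization: str, now: Optional[float] = None) -> Optional[dict]:
    """Every other endpoint: requires a valid JWT, never the API token."""
    if not authorization.startswith("Bearer "):
        return None
    claims = verify_jwt(authorization[len("Bearer "):], now)
    if claims is None:
        return None
    return {"user": claims["sub"], "expires_at": claims["exp"]}


if __name__ == "__main__":
    jwt = login(APP_API_TOKEN, "alice", "correct horse battery staple")
    print("profile:", get_profile("Bearer " + jwt))
    print("api token alone on a protected endpoint:", get_profile("Bearer " + APP_API_TOKEN))
```

The point the slide makes shows up in the last call: a recovered API token on its own opens nothing beyond the login endpoint, and even there it is useless without valid credentials; what the app holds afterwards expires after a few minutes. The `now` parameter exists only so the expiry path can be exercised deterministically.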
  6. Closing Thoughts
     Is there 100% protection? No.
     What can I do? Protect against all kinds of attacks:
       o Network level
       o Static analysis
       o Dynamic analysis
     How long will it take? It could be time consuming…
  7. Q&A
     Build38.com | Munich | Barcelona | Singapore
     Find us at Booth 6!
     /build38/rest-in-peace-droidcon-london
     Andreas Luca, Head of Solution Engineering, @theBIGGlucas
     Marc Obrador, CTO & Co-Founder, @marcobrador