Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[Droidcon London 2023] REST in Peace: A Journey...

Marc Obrador
October 26, 2023
Programming
0
88

[Droidcon London 2023] REST in Peace: A Journey Through API Protection

Isn't Droidcon a Mobile Developer's conference? So, why would I care about protecting REST APIs? Well, think twice! API protection starts in the app, as the protection level of the API will be only as strong as the protection mechanisms built in the app. Join us for this entertaining talk were we will cover the typical mechanisms used to protect REST APIs and how they can be "exposed" if insufficient protection is put into the application. And, of course, guide you into putting the right measures inside the app so that both, app and backend, are sufficiently protected.

Marc Obrador

October 26, 2023
Tweet

More Decks by Marc Obrador

See All by Marc Obrador
[Droidcon Berlin 2023] Obfuscation in Mobile Apps
marcobrador
0
1.2k
[WeAreDevelopers World Conference] Reversing Android Apps
marcobrador
0
590
[mDevCamp 2020] Reversing Android Apps
marcobrador
3
2.7k
Introduction to Mobile App Security
marcobrador
2
370
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
marcobrador
0
770
[GDG BCN 2019] Introduction to Android App Security
marcobrador
1
870
[DroidCon Lisbon 2019] Intro to Android App Security
marcobrador
2
440

Other Decks in Programming

See All in Programming
のびしろを広げる巻き込まれ力:偶然を活かすキャリアの作り方/oso2024
takahashiikki
1
410
外部システム連携先が10を超えるシステムでのアーキテクチャ設計・実装事例
kiwasaki
1
230
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
1
290
Tuning GraphQL on Rails
pyama86
2
1k
Identifying User Idenity
moro
6
7.9k
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
240
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
520
Vue3の一歩踏み込んだパフォーマンスチューニング2024
hal_spidernight
3
3.1k
Vitest Browser Mode への期待 / Vitest Browser Mode
odanado
PRO
2
1.7k
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
140
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
430
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
430

Featured

See All Featured
Unsuck your backbone
ammeep
668
57k
Writing Fast Ruby
sferik
626
61k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Visualization
eitanlees
144
15k
Art, The Web, and Tiny UX
lynnandtonic
296
20k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
Faster Mobile Websites
deanohume
304
30k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
Adopting Sorbet at Scale
ufuk
73
9k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k

Transcript

  1. REST in Peace: A Journey Through API Protection Andreas Luca

    & Marc Obrador 26 October 2023 I Droidcon London

  2. *just for today Andreas Luca Head of Solution Engineering @

    Build38 Marc Obrador CTO & Co-Founder @Build38 Head of Sec @ findyourflight.co.uk* Tech Lead @ findyourflight.co.uk* whoami

  3. One Day during the Daily Standup...

  4. Current Situation ü HTTPS is used ü API is protected

    with API Token

  5. Finding URL, Endpoint Info & API-Token https://www.charlesproxy.com/

  6. Certificate Pinning Source: https://developer.android.com/privacy-and-security/security-config#CertificatePinning In res/xml/network_security_config.xml:

  7. Certificate Pinning https://www.charlesproxy.com/

  8. Decompiling the APK $ brew install apktool $ apktool d

    MyApp.apk https://apktool.org/

  9. Hiding the API Token private val iv = sha256(BuildConfig.APPLICATION_ID +

    BuildConfig.VERSION_NAME) private val key = byteArrayOf(0x00, 0x01, 0x02, 0x03, … private val aad = byteArrayOf(0x0F, 0x0E, 0x0D, 0x0C, … private val tag = byteArrayOf(0x85, 0xb8, 0x75, 0x61, … private val ciphertext = byteArrayOf(0xa1, 0xd1, 0x75, … private fun decryptSecretToken(): String { return aes256Decrypt(iv, aad, key, ciphertext, tag) } private fun aes256Decrypt( iv: ByteArray, aad: ByteArray, keyBytes: ByteArray, ciphertext: ByteArray, tag: ByteArray): String { val cipher = Cipher.getInstance("AES/GCM/NoPadding") val spec = GCMParameterSpec(TAG_LENGTH * 8, iv) val key = SecretKeySpec(keyBytes, 0, keyBytes.size, "AES") cipher.init(Cipher.DECRYPT_MODE, key, spec) cipher.updateAAD(aad) return String(cipher.doFinal(ciphertext + tag)) }

  10. It is a bit more difficult, but…

  11. It is a bit more difficult, but… Java.perform(function () {

    console.log("Setting hooks..."); var aesd = Java.use("c1.c"); aesd.e.implementation = function(str) { console.log("Input intercepted data: " + str); var res = this.e(str) console.log("Ouput intercepted data: " + res); return res; } console.log("Setting hooks done."); });

  12. A Slightly Better Approach Idea: restrict validity of API token

    only for login request o Upon successful log in, a dynamic, short- lived token (e.g. a JWT) is issued to the app o All other API endpoints require the JWT (instead of the API key) To get full access to the API, both API token and valid user credentials are needed Cons: • Backend changes required • Enforces user log-in / sign-up

  13. Closing Thoughts Is there a 100% protection? No. What can

    I do? Protect against all kind of attacks: o Network level o Static Analysis o Dynamic Analysis How long will it take? It could be time consuming…

  14. Q&A Build38.com Munich I Barcelona I Singapore Find us at

    Booth 6! /build38/rest-in-peace-droidcon-london Andreas Luca Head of Solution Engineering Marc Obrador CTO & Co-Founder @theBIGGlucas @marcobrador