Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[Droidcon London 2023] REST in Peace: A Journey...

Marc Obrador
October 26, 2023
Programming
0
88

[Droidcon London 2023] REST in Peace: A Journey Through API Protection

Isn't Droidcon a Mobile Developer's conference? So, why would I care about protecting REST APIs? Well, think twice! API protection starts in the app, as the protection level of the API will be only as strong as the protection mechanisms built in the app. Join us for this entertaining talk were we will cover the typical mechanisms used to protect REST APIs and how they can be "exposed" if insufficient protection is put into the application. And, of course, guide you into putting the right measures inside the app so that both, app and backend, are sufficiently protected.

Marc Obrador

October 26, 2023
Tweet

More Decks by Marc Obrador

See All by Marc Obrador
[Droidcon Berlin 2023] Obfuscation in Mobile Apps
marcobrador
0
1.2k
[WeAreDevelopers World Conference] Reversing Android Apps
marcobrador
0
590
[mDevCamp 2020] Reversing Android Apps
marcobrador
3
2.7k
Introduction to Mobile App Security
marcobrador
2
370
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
marcobrador
0
770
[GDG BCN 2019] Introduction to Android App Security
marcobrador
1
870
[DroidCon Lisbon 2019] Intro to Android App Security
marcobrador
2
440

Other Decks in Programming

See All in Programming
Macとオーディオ再生 2024/11/02
yusukeito
0
370
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
140
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
230
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
340
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k
Jakarta EE meets AI
ivargrimstad
0
590
Remix on Hono on Cloudflare Workers
yusukebe
1
300
flutterkaigi_2024.pdf
kyoheig3
0
150
イベント駆動で成長して委員会
happymana
1
330
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
630
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.2k

Featured

See All Featured
Teambox: Starting and Learning
jrom
133
8.8k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Visualization
eitanlees
145
15k
Happy Clients
brianwarren
98
6.7k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Docker and Python
trallard
40
3.1k
How GitHub (no longer) Works
holman
310
140k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k

Transcript

  1. REST in Peace: A Journey Through API Protection Andreas Luca

    & Marc Obrador 26 October 2023 I Droidcon London

  2. *just for today Andreas Luca Head of Solution Engineering @

    Build38 Marc Obrador CTO & Co-Founder @Build38 Head of Sec @ findyourflight.co.uk* Tech Lead @ findyourflight.co.uk* whoami

  3. One Day during the Daily Standup...

  4. Current Situation ü HTTPS is used ü API is protected

    with API Token

  5. Finding URL, Endpoint Info & API-Token https://www.charlesproxy.com/

  6. Certificate Pinning Source: https://developer.android.com/privacy-and-security/security-config#CertificatePinning In res/xml/network_security_config.xml:

  7. Certificate Pinning https://www.charlesproxy.com/

  8. Decompiling the APK $ brew install apktool $ apktool d

    MyApp.apk https://apktool.org/

  9. Hiding the API Token private val iv = sha256(BuildConfig.APPLICATION_ID +

    BuildConfig.VERSION_NAME) private val key = byteArrayOf(0x00, 0x01, 0x02, 0x03, … private val aad = byteArrayOf(0x0F, 0x0E, 0x0D, 0x0C, … private val tag = byteArrayOf(0x85, 0xb8, 0x75, 0x61, … private val ciphertext = byteArrayOf(0xa1, 0xd1, 0x75, … private fun decryptSecretToken(): String { return aes256Decrypt(iv, aad, key, ciphertext, tag) } private fun aes256Decrypt( iv: ByteArray, aad: ByteArray, keyBytes: ByteArray, ciphertext: ByteArray, tag: ByteArray): String { val cipher = Cipher.getInstance("AES/GCM/NoPadding") val spec = GCMParameterSpec(TAG_LENGTH * 8, iv) val key = SecretKeySpec(keyBytes, 0, keyBytes.size, "AES") cipher.init(Cipher.DECRYPT_MODE, key, spec) cipher.updateAAD(aad) return String(cipher.doFinal(ciphertext + tag)) }

  10. It is a bit more difficult, but…

  11. It is a bit more difficult, but… Java.perform(function () {

    console.log("Setting hooks..."); var aesd = Java.use("c1.c"); aesd.e.implementation = function(str) { console.log("Input intercepted data: " + str); var res = this.e(str) console.log("Ouput intercepted data: " + res); return res; } console.log("Setting hooks done."); });

  12. A Slightly Better Approach Idea: restrict validity of API token

    only for login request o Upon successful log in, a dynamic, short- lived token (e.g. a JWT) is issued to the app o All other API endpoints require the JWT (instead of the API key) To get full access to the API, both API token and valid user credentials are needed Cons: • Backend changes required • Enforces user log-in / sign-up

  13. Closing Thoughts Is there a 100% protection? No. What can

    I do? Protect against all kind of attacks: o Network level o Static Analysis o Dynamic Analysis How long will it take? It could be time consuming…

  14. Q&A Build38.com Munich I Barcelona I Singapore Find us at

    Booth 6! /build38/rest-in-peace-droidcon-london Andreas Luca Head of Solution Engineering Marc Obrador CTO & Co-Founder @theBIGGlucas @marcobrador