All Our APIs Are Belong to Us

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses, Code Obfuscation Courses, Privacy Engineering Courses

Course Description

Overview

Explore Snapchat's defensive strategies against unauthorized third-party API access in this 53-minute conference talk from AppSec California 2016. Delve into the challenges faced by Snapchat in protecting user data from potential breaches and account compromises. Learn about the various client-side and server-side defenses implemented by the company in response to determined third-party attempts to reverse-engineer their protocol. Gain insights into the successes, failures, and lessons learned from Snapchat's unique approach to user protection in the social networking space. Discover the ongoing cat-and-mouse game between Snapchat and third-party developers, and understand the complexities of maintaining user security in a landscape of evolving threats. Presented by Jad Boutros, Director of Information Security at Snapchat, this talk covers topics such as establishing baselines, handling abuse, implementing Android ID tokens and SafetyNet, and the pitfalls of code obfuscation.

Syllabus

Intro
Overview
Snapchat
HackerOne
What is the problem
Third-party apps
Example
Risks
Spam and Abuse
Third-party app abuse
Solution 1: Server-side only
Establish a Baseline
Press
Mobile notifications
iOS notifications
Server-side analysis
Handling abuse
Android ID token
Android ID token abuse
Android SafetyNet
Pitfalls of code obfuscation
Current challenge
New twist
More abuse
Hiring


Taught by

OWASP Foundation
