Preventing Mobile App and API Abuse

Explore mobile app and API security strategies in this OWASP Foundation conference talk from AppSecCali 2019. Follow the fictional ShipFast courier service as it evolves its security approach to counter threats from the malicious ShipRaider. Dive into topics such as OAuth2 user authorization, TLS, certificate pinning, HMAC call signing, app hardening, and white box crypto. Learn about man-in-the-middle attacks, app decompilation, debugging, and reverse engineering techniques used by attackers. Gain insights into defense-in-depth techniques for protecting both mobile apps and API backends. Access fully worked open source examples and additional homework assignments for deeper exploration. Presented by Skip Hovsmith, Principal Engineer at CriticalBlue, this 53-minute talk covers a wide range of mobile security topics, including API keys, rate limiting, behavioral API security, app integrity measurement, and OAuth2 flow strengthening.

Intro
Explosion in Mobile Attacks
APIs Open New Business Opportunities and
Instagram API Attack
Ship Raider Shipper's Edge
App Identity using API keys
Keeping Secrets: Attack Surfaces
Don't Publish Your Keys
How Ship Raider Stole the API key
Detect and Block Abnormal Usage of APIs
Rate Limiting and Load Shedding
Behavioral API Security
Breaking TLS
Certificate Pinning
Pinning Upkeep
Remove Secret from the Channel
How ShipRaider Broke the HMAC
Calculate Secret at Runtime
Ship Raider Steals Runtime Secret
App Hardening Approaches
OAuth2 Overview
Abstract Protocol Flow
User's Outh2 Code Grant Flow
OAuth2 Refresh Tokens
OAuth2 Proof of Key Code Exchange (PKCE)
API Proxy Pattern
Secret as a Service
App Integrity Measurement
Strengthening OAuth2 Flow
ShipShape
Architecture Pattern
Conclusion