Effective Mobile API Protection, a Cat and Mouse Game

Presenter: Skip Hovsmith

api, api security, apis and sdks, api best practices, api design


Effective mobile API protection puts typical API security and access-authorization approaches under strain. In this workshop, follow the evolution of the ShipFast courier service API, with its branded backend service and mobile Android client, alongside its attacker, ShipRaider, a tool used by malicious and even legitimate couriers to exploit the API for their own ill-gotten gains.

We start with static API keys and OAuth2 user authorization, discussing API security threats and how to counter them. Along the way, TLS, certificate pinning, HMAC call signing, app hardening, white-box crypto, and app attestation are considered to strengthen your API security posture, while ShipRaider works hard with man-in-the-middle attacks, app decompilation and debugging, exploit frameworks, and other reverse engineering techniques to keep stalking you. It’s a quick overview of the cat and mouse API protection problem, and it gives a sense of the emerging tools and techniques that enable a significant step change in API security.

ShipFast and ShipRaider are open-source applications available on GitHub. You’ll walk away with access to a fully worked open-source example and some additional homework assignments if you want to go deeper.