For zero trust mobile apps and APIs, credentials aren’t nearly enough.
As APIs become a critical part of almost every business, the need to build a robust API security strategy grows infinitely. API calls account for 83% of web traffic, according to the Akamai 2019 [state of the internet] / security: Retail Attacks and API Traffic report. The largest API directory now lists nearly 22,000 public APIs, up from 12,000 in 2015. A majority of companies now consider APIs to be critical to business strategy and imperative for developing partner ecosystems, enhancing customer value and creating new revenue opportunities. Cloud Elements, in its third annual State of API Integration report, recently found that businesses planned to deploy an average of 18 new APIs in 2019, compared to just 11.5 in 2018.
Cloudflare is famous among developers as a leading CDN to efficiently deliver customer facing Internet content for their applications, but Cloudflare can also be used to verify all incoming requests before they reach your API server, by leveraging Cloudflare workers.
In my previous article, we saw how to bypass certificate pinning within a device you control and, as promised, we will now see how you can protect yourself against such an attack.
In this article you will learn how to use a mobile app attestation service to protect your API server from accepting requests that come from a mobile app where certificate pinning has been bypassed. This means that even though the attacker has bypassed the certificate pinning, he will not be able to receive successful responses from the API server. Instead, the server will always return 401 responses, thus protecting your valuable data from getting into the wrong hands.
In a previous article we saw how to protect the https communication channel between a mobile app and an API server with certificate pinning, and as promised at the end of that article we will now see how to bypass certificate pinning.
To demonstrate how to bypass certificate pinning we will use the same Currency Converter Demo mobile app that was used in the previous article.
In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning.
In a previous article we saw how we could steal an API key by performing a man in the middle (MitM) attack to intercept the https traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning.
In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article.
In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack.
This walk-through will show how simple it is to integrate Approov in a stateless API server using Java and the Spring framework.We will see the requirements, dependencies and a step by step walk-through of the code necessary to implement Approov in a Java Spring stateless API.
We are often asked by customers and prospects to compare our beloved Approov with Apple's DeviceCheck offering. Since DeviceCheck is intended to uniquely identify iOS phone instances then this is a reasonable question. However, DeviceCheck and Approov are designed to do quite different things and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here.
We are often asked by customers and prospects to compare our beloved Approov with Google's SafetyNet offering. Since SafetyNet is intended to identify genuine Android instances then this is a reasonable question. However, SafetyNet and Approov are designed to do quite different things and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here.