Paulo Renato

Paulo Renato

Securing Your API server with Approov and Cloudflare

Tue 19 November 2019 By Paulo Renato

Category: Integration, Mobile App Authentication, API

Cloudflare is famous among developers as a leading CDN to efficiently deliver customer facing Internet content for their applications, but Cloudflare can also be used to verify all incoming requests before they reach your API server, by leveraging Cloudflare workers.

Read More

How to Protect Against Certificate Pinning Bypassing

Tue 15 October 2019 By Paulo Renato

Category: Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, API, MitM Attack, Certificate Pinning

In my previous article, we saw how to bypass certificate pinning within a device you control and, as promised, we will now see how you can protect yourself against such an attack.

In this article you will learn how to use a mobile app attestation service to protect your API server from accepting requests that come from a mobile app where certificate pinning has been bypassed. This means that even though the attacker has bypassed the certificate pinning, he will not be able to receive successful responses from the API server. Instead, the server will always return 401 responses, thus protecting your valuable data from getting into the wrong hands.

Read More

Bypassing Certificate Pinning

Sun 18 August 2019 By Paulo Renato

Category: Android, Mobile App Development, MitM Attack, Certificate Pinning

In a previous article we saw how to protect the https communication channel between a mobile app and an API server with certificate pinning, and as promised at the end of that article we will now see how to bypass certificate pinning.

To demonstrate how to bypass certificate pinning we will use the same Currency Converter Demo mobile app that was used in the previous article.

In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning.

Read More

SECURING HTTPS WITH CERTIFICATE PINNING ON ANDROID

Wed 26 June 2019 By Paulo Renato

Category: Android, API, Mobile App Development, MitM Attack, Certificate Pinning

 

In a previous article we saw how we could steal an API key by performing a man in the middle (MitM) attack to intercept the https traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning.

In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article.

In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack.

Read More

APPROOV INTEGRATION IN A JAVA SPRING STATELESS API

Thu 09 May 2019 By Paulo Renato

Category: Integration, Mobile App Authentication, API

This walk-through will show how simple it is to integrate Approov in a stateless API server using Java and the Spring framework.

We will see the requirements, dependencies and a step by step walk-through of the code necessary to implement Approov in a Java Spring stateless API.
Read More

STEAL THAT API KEY WITH A MAN IN THE MIDDLE ATTACK

Thu 04 April 2019 By Paulo Renato

Category: API Keys, Mobile App Authentication, Reverse Engineering, Third Party APIs, Mobile App Development

As I promised in my previous article, here it is the follow up article about performing a man in the middle (MitM) attack to steal an API key, and to follow this article you will need to become the man sitting in the middle of the actual channel, using mitmproxy to help you with the task of stealing the API key. Now it should be clear why MitM stands for man in the middle!

Read More

HOW TO EXTRACT AN API KEY FROM A MOBILE APP BY STATIC BINARY ANALYSIS

Thu 14 March 2019 By Paulo Renato

Category: API Keys, Reverse Engineering



An API key is probably the most common method used by developers to identify what is making the request to an API server, but most developers are not aware how trivial it is for a hacker or even a script kiddie to steal and reuse an API key in order to gain unauthorized access to their APIs.

In the previous article we saw why your mobile app needs an API key, and now we will see how to grab that API key from your mobile app by reverse engineering the binary in an effective and quick way with an open source tool. Once we see how easy it can be done, we will realize that it is even achievable by non-developers.

 

Read More

WHY DOES YOUR MOBILE APP NEED AN API KEY?

Fri 01 March 2019 By Paulo Renato

Category: API Keys, Mobile App Authentication, Mobile App Development

Mobile apps are becoming increasingly important in the strategy of any company. As a result, companies need to release new application versions at a fast pace, and this puts developers under pressure with tight deadlines to complete and release new features very quickly.

Read More

APPROOV INTEGRATION IN A NODEJS EXPRESS API

Tue 05 February 2019 By Paulo Renato

Category: Integration, Mobile App Authentication

 

This walk-though will show us how simple it is to integrate Approov in a current API server using NodeJS and the Express framework.

We will see the requirements, dependencies and a step by step walk-through of the code necessary to implement Approov in a NodeJS Express API.
Read More

APPROOV INTEGRATION IN A PYTHON FLASK API

Mon 04 February 2019 By Paulo Renato

Category: Integration, Mobile App Authentication

This walk-though will show us how simple it is to integrate Approov in a current API server using Python and the Flask framework.

We will see the requirements, dependencies and a step by step walk-through over the code necessary to implement Approov in a Python Flask API.

Before we tackle the integration of Approov we need first to know how Approov validation is processed in the server and how to setup the environment to follow this walk-through.

Note that this article assumes a basic understanding of the Approov mechanics. If you need an overview of that, please read first the Approov in Detail page.

 

Read More

Page 1 of 2