How to Protect Against Certificate Pinning Bypassing

Tue 15 October 2019 By Paulo Renato

Category: Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, API, MitM Attack, Certificate Pinning

In my previous article, we saw how to bypass certificate pinning within a device you control and, as promised, we will now see how you can protect yourself against such an attack.

In this article you will learn how to use a mobile app attestation service to protect your API server from accepting requests that come from a mobile app where certificate pinning has been bypassed. This means that even though the attacker has bypassed the certificate pinning, he will not be able to receive successful responses from the API server. Instead, the server will always return 401 responses, thus protecting your valuable data from getting into the wrong hands.

Read More

Improve the Security of API Keys

Wed 24 July 2019 By Skip Hovsmith

Category: API Keys, Mobile App Authentication, Reverse Engineering, API, Mobile App Development, MitM Attack

Securely identify your API Caller

Read More

SECURING HTTPS WITH CERTIFICATE PINNING ON ANDROID

Wed 26 June 2019 By Paulo Renato

Category: Android, API, Mobile App Development, MitM Attack, Certificate Pinning

 

In a previous article we saw how we could steal an API key by performing a man in the middle (MitM) attack to intercept the https traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning.

In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article.

In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack.

Read More

APPROOV INTEGRATION IN A JAVA SPRING STATELESS API

Thu 09 May 2019 By Paulo Renato

Category: Integration, Mobile App Authentication, API

This walk-through will show how simple it is to integrate Approov in a stateless API server using Java and the Spring framework.

We will see the requirements, dependencies and a step by step walk-through of the code necessary to implement Approov in a Java Spring stateless API.
Read More

Preventing Mobile App and API Abuse

Thu 21 March 2019 By Skip Hovsmith

Category: TLS, Android, iOS, Mobile App Authentication, OAuth2, API, Mobile App Development

 
Read More

How to Pin Mobile gRPC Channels

Mon 04 March 2019 By Skip Hovsmith

Category: TLS, Android, API, Mobile App Development, gRPC

Last-mile Security for gRPC-connected mobile APIs

Read More

Consider gRPC for Mobile APIs

Tue 05 February 2019 By Skip Hovsmith

Category: Android, API, Mobile App Development, gRPC

EVALUATING GRPC REQUEST-RESPONSE, AUTHENTICATION, AND STREAMING

gRPC is an open source remote procedure call (RPC) framework that runs across many different client and server platforms. It commonly uses protocol buffers (protobufs) to efficiently serialize structured data for communication, and it is used extensively in distributed and microservice-based systems.

Read More

Page 1 of 1