Posts about

API

Using a Reverse Proxy to Protect Third Party APIs

February 12, 2020

In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app. Read Full Story

Addressing Vulnerabilities and Abuse for Comprehensive API Security

January 17, 2020

  As APIs become a critical part of almost every business, the need to build a robust API security strategy grows infinitely. API calls account for 83% of web traffic, according to the Akamai 2019 [state of the internet] / security: Retail Attacks and API Traffic report. The largest API directory now lists nearly 22,000 public APIs, up from 12,000 in 2015. A majority of companies now consider APIs to be critical to business strategy and imperative for developing partner ecosystems, enhancing customer value and creating new revenue opportunities. Cloud Elements, in its third annual State of API Integration report, recently found that businesses planned to deploy an average of 18 new APIs in 2019, compared to just 11.5 in 2018. Read Full Story

Securing Your API server with Approov and Cloudflare

November 19, 2019

Cloudflare is famous among developers as a leading CDN to efficiently deliver customer facing Internet content for their applications, but Cloudflare can also be used to verify all incoming requests before they reach your API server, by leveraging Cloudflare workers. Read Full Story

How to Protect Against Certificate Pinning Bypassing

October 15, 2019

In my previous article, we saw how to bypass certificate pinning within a device you control and, as promised, we will now see how you can protect yourself against such an attack. In this article you will learn how to use a mobile app attestation service to protect your API server from accepting requests that come from a mobile app where certificate pinning has been bypassed. This means that even though the attacker has bypassed the certificate pinning, he will not be able to receive successful responses from the API server. Instead, the server will always return 401 responses, thus protecting your valuable data from getting into the wrong hands. Read Full Story

Improve the Security of API Keys

July 24, 2019

Securely identify your API Caller Read Full Story

Securing HTTPS with Certificate Pinning on Android

June 26, 2019

  In a previous article we saw how we could steal an API key by performing a man in the middle (MitM) attack to intercept the https traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning. In order to demonstrate how to use certificate pinning for protecting the https traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article. In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack. Read Full Story

Approov Integration in a Java Spring Stateless API

May 9, 2019

This walk-through will show how simple it is to integrate Approov in a stateless API server using Java and the Spring framework. We will see the requirements, dependencies and a step by step walk-through of the code necessary to implement Approov in a Java Spring stateless API. Read Full Story

Preventing Mobile App and API Abuse

March 21, 2019

This post includes a video of SKip Hovsmith's talk on preventing mobile app and API abuse at the 2019 AppSec California Conference.   Read Full Story

How to Pin Mobile gRPC Channels

March 4, 2019

Last-mile Security for gRPC-connected mobile APIs Read Full Story

Consider gRPC for Mobile APIs

February 5, 2019

EVALUATING GRPC REQUEST-RESPONSE, AUTHENTICATION, AND STREAMING gRPC is an open source remote procedure call (RPC) framework that runs across many different client and server platforms. It commonly uses protocol buffers (protobufs) to efficiently serialize structured data for communication, and it is used extensively in distributed and microservice-based systems. Read Full Story