PRACTICAL API SECURITY WALKTHROUGH — PART 4

Thu 18 January 2018 By Simon Rigg

Category: Integration, TLS, Mobile App Authentication, Repackaged Apps, A Series - ShipFast

Welcome back! This is the fourth and final part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various exploits against a mobile application that gain access to data on a remote server, allowing real users of the system to gain an unfair business advantage at the expense of the company.


PRACTICAL API SECURITY WALKTHROUGH — PART 3

Wed 17 January 2018 By Simon Rigg

Category: Integration, TLS, Mobile App Authentication, Repackaged Apps, A Series - ShipFast

Welcome back! This is the third part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various exploits against a mobile application that gain access to data on a remote server, allowing real users of the system to gain an unfair business advantage at the expense of the company.


PRACTICAL API SECURITY WALKTHROUGH — PART 2

Tue 16 January 2018 By Simon Rigg

Category: Integration, TLS, Mobile App Authentication, Repackaged Apps, A Series - ShipFast

Welcome back! This is the second part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various API security exploits against a mobile application that gain access to data on a remote server, allowing real users of the system to gain an unfair business advantage at the expense of the company.


PRACTICAL API SECURITY WALKTHROUGH — PART 1

Fri 12 January 2018 By Simon Rigg

Category: Integration, TLS, Mobile App Authentication, Repackaged Apps, A Series - ShipFast

Welcome! A quick question: Do you know what’s using your API? Really?


CHECKING APPROOV TOKENS IN ASP.NET CORE 2.0

Wed 10 January 2018 By Jae Hossell

Category: Integration

We’ve had some requests recently from customers for examples showing how to use Approov tokens with an ASP.NET Core 2.0 back end. In this blog I’ll walk you through adding the check to a basic API. It’s really straightforward! Thanks to Jon Hilton for the great blog which formed the basis for this example.


TOUGHEN UP SOFT CERTIFICATE PINNING WITH APPROOV

Thu 14 December 2017 By Barry O'Rourke

Category: Integration, TLS

“DevOps just mailed to say they will rotate the certificates on all of the endpoints today,” mentioned the Engineering Manager at one of our customers. “That’s unexpected, I wonder what happened.”


ARE YOU HUMAN, ROBOT OR JUST IMPATIENT?

Tue 28 November 2017 By Richard Taylor

Category: Integration, Business

Recently I was doing some API analysis on a video sharing app aimed at the teenage market. As is typical in these types of apps, before you can do anything you need to sign up with an account. You’d think that would be straightforward enough, right?


UNINTENTIONAL UNPINNING WITH FIREBASE

Mon 28 August 2017 By Barry O'Rourke

Category: Integration, Mobile App Authentication, Threats

Google's Firebase provides a comprehensive set of analytics services for developers to integrate with their apps. On Android the basic functionality is enabled simply by integrating the desired plugins. No code changes are required.


THE PROBLEM WITH PINNING

Thu 13 July 2017 By Barry O'Rourke

Category: Integration, TLS, Mobile App Authentication

Certificate or Public Key Pinning is an extension to TLS that is highly effective for bot mitigation because it protects the HTTPS connection between your app and API from snooping by third parties (otherwise known as a Man-in-the-Middle attack). The technique builds on the TLS protocol, which requires the server to provide a certificate containing its public key. If the client has a copy of the expected certificate (or just the public key) and checks for a match before completing the TLS handshake, then the client is considered pinned to the server.


HELP YOUR MOBILE API ECOSYSTEM TO FLOURISH

Wed 05 July 2017 By Barry O'Rourke

Category: API Keys, Integration, Mobile App Authentication, Third Party APIs


Page 2 of 3