Posts about

TLS

Securing APIs in React Native

May 14, 2020

ShipFast and ShipRaider made a fresh appearance at the RSA Conference in late February 2020 in San Francisco. This time the focus was on API security for React Native Apps:   Read Full Story

Preventing Mobile App and API Abuse

March 21, 2019

This post includes a video of SKip Hovsmith's talk on preventing mobile app and API abuse at the 2019 AppSec California Conference.   Read Full Story

How to Pin Mobile gRPC Channels

March 4, 2019

Last-mile Security for gRPC-connected mobile APIs Read Full Story

Strengthen TLS in React Native Through Certificate Pinning - iOS Edition

November 30, 2018

Enhance React Native’s networking API protection on Android and iOS without touching your Javascript code or manually editing the native code projects. The first edition of this article implemented TLS certificate pinning for React Native apps on Android. Since then, the react-native-cert-pinner package has been enhanced to support pinning on iOS devices, and this edition of the post walks through the previous example for iOS.  Read Full Story

A Tour of API Underprotection

April 3, 2018

An OWASP AppSec California 2018 Talk The fifth annual OWASP AppSec California was held in late January 2018 on the beach in Santa Monica. AppSec California is organized and run by an all-volunteer staff, and they put on a great conference — highly recommended. Besides excellent content and a chance to interact with many interesting colleagues, who wouldn’t want to hang out on the beach for a few days? Read Full Story

PRACTICAL API SECURITY WALKTHROUGH — PART 4

January 18, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020. Welcome back! This is the fourth and final part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various exploits in a mobile application to gain access to data on a remote server allowing real users of the system to gain an unfair business advantage at the expense of the company. In this post, I'll dive into the third API security attack scenario and what is required to effectively defend against it. Read Full Story

Practical API Security Walkthrough — Part 3

January 17, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020. Welcome back! This is the third part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various exploits in a mobile application to gain access to data on a remote server allowing real users of the system to gain an unfair business advantage at the expense of the company. Read Full Story

Practical API Security Walkthrough — Part 2

January 16, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020. Welcome back! This is the second part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various API security exploits in a mobile application to gain access to data on a remote server allowing real users of the system to gain an unfair business advantage at the expense of the company. Read Full Story

Practical API Security Walkthrough — Part 1

January 12, 2018

Editor's note: This post was originally published in January 2018 and has been revamped and updated for accuracy and comprehensiveness. The latest update was in September 2020. Welcome! A quick question: Do you know what’s using your API? Really? Read Full Story

Strengthening OAuth2 for Mobile

January 3, 2018

Photo by Patrick Metzdorf on Unsplash Read Full Story