Editor's note: This post was originally published in July 2021 in Cyber Defense Magazine.
A regular pyramid has 5 surfaces, 4 sloping ones and another as its base. In this article we will walk through the mobile attack pyramid, discussing each of the 5 attack surfaces and recommending best practice for protecting them.
An attack surface is the sum of all points that an unauthorized actor targets to access a mobile application's backend. A hacker's primary goal is to automate an invasion on the app's API by scanning all attack surfaces to explore vulnerabilities and collect data such as the API's keys and business logic. With this information, the attacker designs a programmed attack on the application.
There are five interlinked attack surfaces that cybercriminals target, which we outline below.
Hackers steal credentials such as emails, usernames, phone numbers, IP addresses, and passwords through spoofing, phishing, and large-scale data breaches. Spoofing is where someone disguises themselves as a legitimate source to collect personal information for malicious reasons. Phishing involves sending an email that contains a harmful link or attachment that contains malware.
Despite the best efforts to protect the login process, hackers still bypass security measures such as biometrics and 2-factor authentication using social engineering tricks to access devices and receive authentication codes.
Another way cyber criminals steal credentials is when users log into fake applications. These apps target popular activities such as betting and gaming.
A critical mobile application characteristic is the integrity of its code. Hackers attacking the integrity of a mobile app seek to do three things:
To protect an application’s integrity, developers need to determine the validity of requests received at the API’s server. Such requests come from various sources such as bots, automated scripts, or manual access through your API's backend.
Rooting/jailbreaking is a common technique used by bad actors to bypass a gadget's pre-installed security features in the original version of the operating system. Some mobile device users root or jailbreak their devices for legitimate reasons. For example, a user might want to install customized applications, while others may want to load apps unavailable in the manufacturer's app store. Despite these legitimate reasons, tampering with a device's integrity exposes it to attackers because the in-built security is compromised. This weakness extends to your mobile apps now that they're running in an unprotected environment.
Another method hackers use to attack your device's integrity is tampering with your code. During run time, they inject harmful code into the app using an instrumentation framework. These frameworks are linked to critical functions to manipulate input data, output results, modify user interactions or produce different app behavior.
In most cases, channel integrity is compromised when the communication channel between the mobile app and API is exposed through public Wi-Fi connections. This channel is the primary attack surface that bad actors target. Despite applying TLS/SSL protocols to encrypt internet traffic for secure connections, bad actors can still use Man-in-the-Middle (MitM) attacks between the mobile app and the API server to steal data and read API queries/responses.
The primary purpose of MitM assaults is to hoodwink clients and the server that they're communicating with – in reality, a third actor is impersonating both ends of the channel. Hackers apply MitM tactics to research the communication channel between a client and the API's server to determine which attack strategy applies. Channel avenues that hackers research to apply MitM attacks include:
To protect your channel's integrity, certificate pinning is best practice because it makes traffic interdiction much more difficult. A step beyond TLS, certificate pinning is used to further lock down the connection.
Part of the TLS protocol requires the presentation and checking of public keys between the mobile app and the backend server or endpoint. These keys or certificates are accepted by the mobile device if signed by a recognized Certificate Authority (CA) and if that authority exists within the device's CA trust store. Any MitM tool, such as mitmproxy, will present its own key to the mobile app which will not be accepted since it is not signed by a CA which is contained in the mobile device’s trust store.
With pinning in place, the supplied key needs to be signed by a CA in the mobile device’s trust store AND it needs to match one of the set of certificates which are encoded into the app itself. For the hacker, this means that the app needs to be modified to change the stored certificate set.
There are three common goals a hacker looks to achieve when they target an API with an automated tool:
Approov is a leading API protection service that helps organizations establish safe interactions for their mobile applications. To find out how we can help you protect your customers and build trusted business channels, contact us today or sign up for a free demo.