Is the API in Your App a Trojan Horse?

Security industry spending trends continue to focus on the network layer, primarily with perimeter-based protection, but attackers always look for other avenues into your systems. One route they often target is an application's APIs and, by extension, your backend data center. Without a complete picture of what the callers of your API are doing, you expose your business to serious risk. Attackers know that the API calls originating from inside an app are a blueprint for the infrastructure inside your data center. Further, they can use those same API calls to hide their malicious purposes — like a Trojan horse ready to slip through the front door (see ProgrammableWeb's "Understanding the Realities of API Security"). They can use these attacks to probe defenses, or to enumerate and exfiltrate data right through your perimeter defenses. Ground zero for these types of attacks is mobile apps operating "in the wild," outside secure corporate perimeters. Apps are the new emerging threat vector.

The API as a Gateway

APIs provide the gateway to reach all backend infrastructure. These gateways are accessed by every mobile app a consumer uses to transact with an organization. Each mobile app contains the message formats, access tokens, and URLs inside its code and data that are necessary to access these gateways. In many cases, an attacker doesn't have to instrument the app itself to make malicious requests. Depending on what's been done to secure the API itself, sometimes a malicious request made directly to the API is all that's needed.

Apps designed to perform client-side input validation give attackers the right environment to trace the flow of user data from the app to the backend. For example, apps commonly validate inputs like names, addresses, and password policies so they can notify users quickly when their inputs are invalid, saving time and reducing repetition. Created to improve user experience and streamline interactions with the backend, these apps often unintentionally expose vulnerabilities. One reason is that their validation logic is usually designed independently, with a focus on usability, and is rarely created and maintained in lockstep with the server-side checks and API security best practices.

Security out of Sync

One way less sophisticated attackers try to compromise app APIs is by simply injecting malicious content into API request fields. This is a relatively low-effort method of uncovering vulnerabilities in the way requests are processed.

This basic technique was implemented by researchers at Texas A&M University in a tool they released called WARDroid. The tool analyzes mobile apps retrieved from the Google Play store and builds a data model of the API as represented by the client-side app code, identifying how an app communicates with its server. The researchers then tested that communication model against the backend server to find behavioral inconsistencies between the client and the server, exposing server-side vulnerabilities. In fact, they found that 926 of the 10,000 apps analyzed contained API hijacking vulnerabilities, putting an estimated 6.47 million users at risk.
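The client/server inconsistency the two preceding sections describe can be checked from the defender's side before release. The example below is added here and is not code from the article or from WARDroid: a hypothetical app's client-side rules, a legacy backend that relies on the app to validate, a hardened backend that re-applies the same rules, and a checker that reports every value the client rejects but the server accepts. All field names, rules and probe values are constructed.

```python
"""Added example: detect validation rules the client enforces but the
server does not. App, rules, handlers and probe values are hypothetical."""
import re

# Client-side constraints as a mobile app might embed them (constructed).
CLIENT_RULES = {
    "username": lambda v: 3 <= len(v) <= 16 and re.fullmatch(r"[a-z0-9_]+", v) is not None,
    "email": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", v) is not None,
    "age": lambda v: v.isdigit() and 13 <= int(v) <= 120,
}

# Values the client would reject before ever sending a request (constructed).
CLIENT_REJECTS = {
    "username": ["ab", "a" * 17, "Bob Smith", "b@d!"],
    "email": ["not-an-email", "a@b", "x@y.z@w.com"],
    "age": ["-1", "abc", "999"],
}

def legacy_server_handler(form):
    """Backend that only checks field presence and trusts the app to validate."""
    return 200 if all(k in form for k in CLIENT_RULES) else 400

def hardened_server_handler(form):
    """Backend that re-applies the shared rules, so client and server agree."""
    for field, rule in CLIENT_RULES.items():
        if field not in form or not rule(form[field]):
            return 400
    return 200

def find_inconsistencies(handler):
    """Return {field: [values]} that the client rejects but the server accepts."""
    base = {"username": "alice_01", "email": "alice@example.com", "age": "30"}
    findings = {}
    for field, bad_values in CLIENT_REJECTS.items():
        for value in bad_values:
            if CLIENT_RULES[field](value):
                raise ValueError(f"probe {value!r} is not rejected by the client")
            form = dict(base, **{field: value})  # one bad field, rest valid
            if handler(form) == 200:
                findings.setdefault(field, []).append(value)
    return findings

if __name__ == "__main__":
    # Legacy backend accepts every client-rejected value; hardened accepts none.
    print("legacy  :", find_inconsistencies(legacy_server_handler))
    print("hardened:", find_inconsistencies(hardened_server_handler))
```

The same check runs unchanged against a real backend by replacing the handler with a function that issues the HTTP request and returns the status code.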

Hiding in Plain Sight

Although nefarious people can use an injection attack to identify exploitable app APIs en masse, its practicality is limited, primarily because Web Application Firewall (WAF) devices and server-side RASP solutions can quickly identify and alert on these types of attacks. However, the problem remains.

Sophisticated attackers targeting a single app can take a more savvy approach designed to circumvent WAF and RASP security methods: by emulating the behavior of unmodified apps to establish a baseline of legitimate backend access. In so doing, attackers dilute the corpus of requests with legitimate API calls to the point that the backend treats malicious requests as an anomaly rather than as a threat. Then they can expand this method of attack to exfiltrate data slowly, and over time find subtle data access control violations, often employing methods used by "normal" apps. These seemingly innocuous requests essentially become an attacker's most effective tool.

How to Protect Your App and API

The foundation of addressing this risk exposure is to assume all apps are running in a zero-trust environment. This primarily means assuming that all of the data and functionality inside the app is directly available as a tool to any attacker, including API request generation, API response interpretation, encryption and decryption routines, authentication procedures, and more.
