Is the API in Your App a Trojan Horse?

Attackers can use an app's functionality unchecked unless that endpoint app is hardened. The Open Web Application Security Project (OWASP) notes that "App hardening and shielding along with layered security measures are recognized as a critical component of overall IT compliance." The group highlights four recent industry regulations that place an emphasis on it. You can do numerous things to harden your apps; one is to follow Section V8 (Resiliency Against Reverse Engineering Requirements) of the OWASP Mobile Application Security Verification Standard, which, among other steps, recommends that apps:

  • Detect and respond to the presence of a jailbroken device
  • Prevent or detect debugging attempts
  • Include multiple defense mechanisms
  • Leverage obfuscation and encryption
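
As an added illustration of the "detect and respond to debugging attempts" item, here is a small native check of the kind an Android app's JNI layer can run (example code written for this page, not from OWASP or the article's author). It assumes a Linux/Android procfs, where the kernel reports the pid of any attached ptrace-based debugger in the `TracerPid` field of `/proc/self/status`; the sample status texts are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field out of the text of /proc/self/status.
   Returns the tracer's pid, 0 when no tracer is attached, -1 if the
   field is missing (unexpected procfs layout, treat as inconclusive). */
int tracer_pid_from_status(const char *status_text) {
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            /* strtol skips the tab/space after the colon */
            return (int)strtol(line + 10, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line) line++;          /* advance to the next line */
    }
    return -1;
}

/* Read this process's own status file and report whether a debugger
   is attached: 1 = yes, 0 = no, -1 = could not read procfs. */
int debugger_attached(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

/* Constructed sample inputs mirroring the real field layout. */
static const char SAMPLE_CLEAN[]  = "Name:\tmyapp\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t10123\n";
static const char SAMPLE_TRACED[] = "Name:\tmyapp\nState:\tt (tracing stop)\nTracerPid:\t4711\nUid:\t10123\n";

int main(void) {
    printf("clean sample : tracer pid %d\n", tracer_pid_from_status(SAMPLE_CLEAN));
    printf("traced sample: tracer pid %d\n", tracer_pid_from_status(SAMPLE_TRACED));
    int live = debugger_attached();
    /* The "respond" half is policy: e.g. refuse to unseal API keys and
       emit a telemetry event rather than crashing, so the signal is kept. */
    printf("this process : %s\n",
           live < 0 ? "procfs unavailable" : live ? "debugger attached" : "no debugger");
    return 0;
}
```

This is a single, easily bypassed heuristic; in line with the "multiple defense mechanisms" item above it should be one of several independent checks whose results feed the app's telemetry rather than the only gate.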

If you've properly hardened an app's code, attackers will find that reverse engineering and emulating the application's behavior from the outside is significantly more costly. The attacker might then resort to more invasive techniques, such as code lifting, code modification, and dynamic analysis of the application at runtime. All of these are detectable with the proper protection.

In addition, you must prevent data exfiltration threats. If your application uses cryptographic keys to access an encrypted API, then those keys will reside on the device. You should secure them using white-box cryptography to defend against attempts to lift and distribute these keys and tokens. White-box cryptography is a mathematical obfuscation of traditional cryptographic routines that you can more safely use in untrusted environments.

Lastly, the most effective defense is one that completes the app protection cycle by providing security telemetry from apps running in the wild. You can use this feedback to learn whether apps are running on compromised devices and to identify emerging attack vectors. It helps you and your other business stakeholders make crucial decisions about when and how often to adapt your app's security, creating a closed-loop, continuous security improvement process.

Creating Apps with Armor

Apps are a new threat vector, the app attack surface is vast, and apps can easily provide entry points into critical infrastructure. You need to wrap all your app's access points to critical backend systems with ironclad protection, encryption, and obfuscation so that bad actors can't tamper with, reverse engineer, and use your app as a gateway into your infrastructure.

Comments (1)

rondavis

APIs provide the gateway to approach backend infrastructure. These gateways are accessed by every mobile app that a consumer uses to transact with an organization.