Play all

Intro

The Dark API Economy

Mobile Apps Rely on APIs

Abusing APIs in the Mobile Market

Mobile Attack Surfaces

The ShipFast Driver App

API Sequence for Pick Up and Delivery

The Ship Raider Bench and Driver App

ShipRaider's API Exploit

Initial Security Posture

User Authorization is not Service Authorization

Common API Gateway Defenses

API Proxy Pattern

Inspect the App Package

Obfuscate Code and Secrets in Code . Obfuscate calling logic and API & kay strings

Observe/Manipulate Communication Channel

Certificate Pinning

Unpin the Channel

Block Rooting and Instrumentation

Nervous Product Manager

a: Use App-Level Message Protection

Defense 4: Removing Secrets from App Package

Find Message Signing Secret

a: Improve Run-Time Defenses

Moving secrets and security decisions off device

Defense 5b: Authenticate the App Off Device

Defense 5c: Reintroduce the Pinning Service

API Defense Objectives

Attacker Pivots to a Less Secure App

Description:

Learn to protect React Native mobile applications from API exploitation in this 45-minute OWASP Foundation talk. Explore the dark API economy, mobile app vulnerabilities, and attack surfaces using the ShipFast Driver App as an example. Discover common API gateway defenses, including the API proxy pattern, code obfuscation, and certificate pinning. Address challenges like rooting and instrumentation, and implement app-level message protection. Examine strategies for removing secrets from app packages, improving run-time defenses, and authenticating apps off-device. Gain insights into API defense objectives and potential attacker pivots to less secure applications.

Secure React Native Apps Against API Abuse

OWASP Foundation

Add to list

#Information Security (InfoSec) #Cybersecurity #Web Security #API Security #Programming #Mobile Development #React Native #Computer Science #Cryptography #Code Obfuscation

0:00 / 0:00