How to secure API (private key) for mobile apps

I am building a web service that has to be only accessible for iOS apps. In the future I want to expand to a mobile website to make my service also available for other mobile operating systems.

Now I have everything working through an API. My users can register, search companies, order products from those companies and track their orders. It's not active yet, but it's working.

I am facing one major problem: How to secure this?

For the last few days I have stopped coding and I have constantly been busy with searching the web, StackOverflow and Information Security for how to do this. I have found that the way Amazon secures their API would be the best solution for me. The way Amazon secures its service is explained here. I have tweaked it a little bit for my service:

  1. User registers and gets private API key + public (identification) key
  2. User enters credentials and taps "log in". App creates hash out of the variables + private key. App sends variables + time stamp + hash + public key to API
  3. API looks up public key in database, finds private key belonging to that public key (if public key is valid). The API then creates the hash the same way as the app did. If the hashes are the same, the request (log in, in this case) is executed.

This way of securing a service makes sense to me, and I can code most of it. But I have a major problem and I cannot find any solution to it:

  • The user gets a public & private API key when an account is created. The public key can be sent from the server to the user device, because that is not necessarily a secret. Since the private API key can never be sent over the wire, how on earth can I make sure that an account logged in on a user's device knows the private API key that is created on the server?

Does anybody know how to solve this problem? Any help would be highly appreciated!

Joris416 asked Dec 09 '13 14:12
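The signing and verification flow of steps 1 to 3 above, written out as an added Python example (it is not code from the question or the answer). The key store, the key values and the request fields are constructed placeholders; HMAC-SHA256 is assumed as the hash, and a timestamp window plus a replay check are added because the steps do not spell them out. Note what it does not do: it assumes the private key is already present on both sides, which is exactly the asker's open problem, so it only protects against tampering in transit and replay, not against a key that has leaked from the app.

```python
import hashlib
import hmac
import json
import time

# Constructed sample key store: public (identification) key -> private key.
# Hypothetical values; the private key is generated server side at registration.
KEY_STORE = {
    "pub_7f3a": b"priv_example_secret_bytes_never_shipped_in_the_app",
}

CLOCK_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 min off


def canonical_string(method, path, params, timestamp, public_key):
    """Deterministic serialization of everything the signature covers.
    Both sides must build exactly the same bytes, so params are sorted."""
    body = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return f"{method.upper()}\n{path}\n{body}\n{timestamp}\n{public_key}".encode()


def sign_request(method, path, params, public_key, private_key, timestamp=None):
    """Client side (step 2): HMAC the variables + timestamp + public key
    with the private key and send everything except the private key."""
    ts = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, path, params, ts, public_key)
    sig = hmac.new(private_key, msg, hashlib.sha256).hexdigest()
    return {"public_key": public_key, "timestamp": ts, "signature": sig, "params": params}


class Verifier:
    """Server side (step 3): look up the private key, recompute, compare."""

    def __init__(self, key_store, now=time.time):
        self.key_store = key_store
        self.now = now  # injectable clock so the window check is testable
        self.seen = set()  # (public_key, timestamp, signature) already accepted

    def verify(self, method, path, request):
        """Returns (accepted, reason). Checks are ordered cheapest first."""
        pub = request.get("public_key")
        priv = self.key_store.get(pub)
        if priv is None:
            return False, "unknown public key"
        ts = request.get("timestamp")
        if not isinstance(ts, int) or abs(int(self.now()) - ts) > CLOCK_SKEW_SECONDS:
            return False, "timestamp outside window"
        msg = canonical_string(method, path, request.get("params", {}), ts, pub)
        expected = hmac.new(priv, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the expected MAC.
        if not hmac.compare_digest(expected, request.get("signature", "")):
            return False, "bad signature"
        replay_key = (pub, ts, request["signature"])
        if replay_key in self.seen:
            return False, "replayed request"
        self.seen.add(replay_key)
        return True, "ok"


if __name__ == "__main__":
    verifier = Verifier(KEY_STORE)
    login = sign_request("POST", "/login", {"username": "alice"}, "pub_7f3a", KEY_STORE["pub_7f3a"])
    print(verifier.verify("POST", "/login", login))   # accepted the first time
    print(verifier.verify("POST", "/login", login))   # rejected as a replay
```

The replay set grows without bound here; a real server would only retain entries inside the clock window, since anything older is already rejected by the timestamp check.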


1 Answer

YES, IT'S PUBLIC

This way of securing a service makes sense to me, and I can code most of it. But I have a major problem and I cannot find any solution to it:

The user gets a public & private API key when an account is created. The public key can be sent from the server to the user device, because that is not necessarily a secret. Since the private API key can never be sent over the wire, how on earth can I make sure that an account logged in on a user's device knows the private API key that is created on the server?

As you well said, the private key can never be sent over the wire in whatever way anyone deems secure (thinking of an HTTPS connection using certificate pinning, which can be bypassed), because from the moment you do so it must be considered as belonging to the public domain, not, as its name conveys, private. Shipping it with the mobile app code in whatever form deemed secure is also making the private key indeed a public one. Storing it in the encrypted store of the mobile device also doesn't secure it from leaking, because reverse engineering techniques exist to reverse engineer a mobile app statically or at runtime.

REVERSE ENGINEERING

Contrary to what many think, reverse engineering is not that hard, and a lot of open source tools exist to help us in the process. For example, some of the most popular reverse engineering tools, which can be used stand-alone or combined, are these (many more exist):

MobSF - Mobile Security Framework

Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.

Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

mitmproxy

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

I wrote several articles on how to use the above tools to extract API keys or bypass certificate pinning, for example:

How to Extract an API key from a Mobile App with Static Binary Analysis:

The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus on using the Mobile Security Framework (MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

During this article we will use the Android Hide Secrets research repository that is a dummy mobile app with API keys hidden using several different techniques.

Steal that Api Key with a Man in the Middle Attack:

In order to help demonstrate how to steal an API key, I have built and released on GitHub the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to set up and run a MitM attack to intercept HTTPS traffic on a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

Bypassing Certificate Pinning

In this article you will learn how to repackage a mobile app in order to make it trust custom ssl certificates. This will allow us to bypass certificate pinning.

All this can be done without the need to be a security expert, even non-developers will be able to follow online tutorials to hack a mobile app.

So, at the end of the day, the motivation (financial or other) to hack your mobile app will be what dictates how much effort an attacker will want to put into it, thus you need to put as many obstacles (security defences) in his way as possible, even the ones that you know can be bypassed.

Possible Solutions

Does anybody know how to solve this problem? Any help would be highly appreciated!

I recommend you read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections "The difference between what and who is accessing the API server", "Hardening and Shielding the Mobile App", "Securing the API Server" and "A Possible Better Solution".

You will find that the solution best fitted to solve your problem will be Mobile App Attestation, which will allow your API server to know with a very high degree of confidence that what is making the request is indeed a genuine and untampered version of your mobile app.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

Exadra37 answered Sep 28 '22 05:09