At APIWorld, Inon Shkedy, co-chair of the OWASP API Security project, and Tom Tovar, CEO of Appdome, gave a well-attended keynote on Securing Mobile APIs. The OWASP API Security project “focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).”
Focus on Mobile API Security
As we’ve discussed on the Appdome blog multiple times, there is no standard in mobile app development. Android and iOS are very different operating systems, and mobile apps can be built in many different development frameworks. Furthermore, there is no standard for Mobile APIs. Each API works differently, and every API security implementation is different. As a result, Mobile API Security tends to be the lowest priority for developers.
The keynote highlighted the following Mobile API risks:
- Authentication (Account Hijack). To access the service, the app needs to authenticate to the API using, at a minimum, the API Key and API Secret.
- Connection (MiTM). To create the connection, the app needs the Service Address. It also needs a secure way to reach the service (using either single or mutual validation, TLS, etc.).
- Payload (Data Theft). To actually make use of the API, the app needs to store and use the API payload throughout the app, cache API data, etc.
- Tampering (Mucking). Even if everything is done right to make the API work, it may still be possible to insert instructions into an API call to filter API data out of the app (or to impersonate the developer).
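As an added example (not from the keynote, Appdome or the OWASP project), the following Python sketch ties the Authentication and Tampering items together: the app signs every request with its API Key and API Secret over the method, path, body and a timestamp, and the service recomputes the MAC before acting on the request, so a modified body, a redirected path, a replayed stale request or an unknown key is refused. The header names, the constructed key and secret, and the 5-minute freshness window are assumptions; the Connection (TLS) item is not covered here.

```python
import hashlib
import hmac
import json
import time

# Constructed sample credentials for this example only; a real app would receive
# the secret through a provisioning step and keep it out of the source tree.
API_KEY = "demo-key-0001"
API_SECRET = b"constructed-secret-not-for-production"
MAX_SKEW_SECONDS = 300  # assumed freshness window: reject requests more than 5 minutes off


def canonical_string(method, path, body, timestamp, api_key):
    """Bytes both sides sign. Any change to method, path, body or timestamp
    changes the MAC, which is what lets the service notice tampering in transit."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), api_key]).encode()


def sign_request(method, path, body, api_key, secret, timestamp=None):
    """App side: returns the headers (assumed names) attached to the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, body, ts, api_key), hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(method, path, body, headers, secrets_by_key, now=None):
    """Service side: look up the key's secret, check freshness, recompute the MAC.
    Returns (accepted, reason) so callers can log why a request was refused."""
    api_key = headers.get("X-Api-Key")
    secret = secrets_by_key.get(api_key)
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "stale request"
    expected = hmac.new(secret, canonical_string(method, path, body, ts, api_key), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the expected MAC.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Run the happy path and four refusal cases on constructed input."""
    secrets = {API_KEY: API_SECRET}
    body = json.dumps({"account": "12345", "amount": 10}).encode()
    ts = 1_700_000_000  # fixed timestamp so the run is reproducible
    headers = sign_request("POST", "/v1/transfer", body, API_KEY, API_SECRET, timestamp=ts)
    altered_body = json.dumps({"account": "12345", "amount": 9999}).encode()
    return {
        "valid": verify_request("POST", "/v1/transfer", body, headers, secrets, now=ts + 5),
        "tampered_body": verify_request("POST", "/v1/transfer", altered_body, headers, secrets, now=ts + 5),
        "wrong_path": verify_request("POST", "/v1/admin/export", body, headers, secrets, now=ts + 5),
        "replayed_later": verify_request("POST", "/v1/transfer", body, headers, secrets, now=ts + 3600),
        "unknown_key": verify_request("POST", "/v1/transfer", body, {**headers, "X-Api-Key": "other"}, secrets, now=ts + 5),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The scheme only holds up as long as the API Secret stays secret on the device, which is exactly why the keynote lists Authentication first: a secret that can be lifted from the app binary lets anyone produce valid signatures. The timestamp window limits how long a captured, correctly signed request stays useful, and the constant-time compare keeps the verification step from leaking the expected value.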
OWASP API Security Project
Inon Shkedy reviewed the work the OWASP API Security project has been doing and how they came up with the OWASP API Security Top 10 risks. The list was published as a release candidate during the Global AppSec DC 2019 and Global AppSec Amsterdam 2019 conferences. The project team is still incorporating contributions from the community. Please scan the QR code to add your contributions.
Here are the slides from the keynote: