In preparing for APIWorld 2019 I came across a Forbes article about a vulnerability in Uber’s Mobile API which prompted me to ask the question: how secure are your Mobile APIs. The article explains how a white-hat security researcher Anand Prakash executed a complete account takeover of any Uber user’s account with little more than a simple API call using Uber’s mobile API. Lucky for Uber (and every Uber customer), Anand reported the vulnerability to Uber as part of a responsible disclosure program. It never made its way into the wild. But the ease of exploit and the magnitude of the damage that could have been done paint a picture of a very big problem.
Let me be clear. I’m not surprised that Uber’s API was not protected. I’d go so far as to state that a vast majority of mobile apps and their APIs have vulnerabilities, many of them significant or downright scary.
What surprised me was the sheer ease within which the attack could be executed, as well as the magnitude of the damage that could have been done. In the Uber example, the only piece of info that the attacker needed was any Uber user’s mobile phone number OR email. That’s it. With either, you could have executed a complete account takeover for any Uber user in the world. Automating this attack was also quite doable, whereby an attacker could replicate the operation and takeover Uber accounts en-masse – all in the span of a couple of minutes. YIKES!
An account takeover is one of the most damaging methods of attack because it enables the attacker to assume the identity of a legitimate user. They can lock the ‘real’ user out, escalate their own privileges, and access all of the seemingly protected and sensitive information within the account. In this case, the attacker BECAME the Uber user. I mean, an account takeover is like the “Uber of all attacks” (pun absolutely and shamelessly intended). And this one was Uber-easy. Here are the requirements needed to complete this attack:
Uber mobile app
Uber API docs
Email or phone number of a known Uber user
There is no 4. That’s it
Of the 3 things needed, 1 and 2 are publicly available and 3 can be obtained with very little effort. Don’t despair, at the end of this blog I’ll show you how easy I was able to secure Uber’s mobile app even faster than Prakash was able to break it (what do you expect? In my case, machines do the coding for me).
The researcher initiated a call to Uber’s API which included the phone number or email for any Uber user. The response from the Uber API included a highly sensitive data element in the payload in cleartext (ie: unencrypted). He then replayed the unique ID in another API call, combined with the valid email or phone number. And from there, he was able to access the secure authentication token, which was also not encrypted – another big no-no. Voila, you’re the proud owner of that Uber customer’s account in totality (and any other Uber customer you run the same attack on).
Here’s a laundry list of all the nasty things could be done:
Pinpoint the exact location or home address of any Uber customer
Access credit card and other account information
Get free rides
Escalate account privileges
Obtain authentication tokens
Feast like a champ on Uber Eats
How to Build Secure Mobile APIs
Here are a few Best Practices you can follow to secure your mobile APIs and ensure that Uber’s near miss doesn’t become your worst nightmare.
Don’t expose more object information than necessary in API responses.
Encrypt all sensitive data in your mobile app, especially API Keys and API Secrets.
Never pass sensitive payload data in clear text or over unauthenticated APIs
Implement Data in Transit protection to ensure the validity of all certificates in your chain of trust. This will protect against MiTM attacks.
Don’t store authentication tokens in shared storage, and always encrypt the data.
Obfuscate your code and your app’s logic, as well as any native or non-native libraries. Hackers go after easy, high-value targets first. Don’t let your mobile app become ‘low hanging hacker-fruit’
Whether you’re a mobile developer, SecOps, DevOps, or just a non-coding product dude like myself, you can implement all the above and much more on Appdome – all without writing a single line of code. Like I say in every blog I write, don’t take my word for it. Create your Appdome account now and see for yourself. And many of you have considering the 30k+ apps built on Appdome.
As promised above, here’s a video showing how I used Appdome’s no-code mobile development platform to secure Uber’s app and mobile APIs in less than 5 minutes – end to end (including ordering a ride to APIWorld)! To all my mobile dev peeps, see you in San Jose. I’m out.
Alan is VP Security Products & Partnerships at Appdome. A longtime product exec and serial entrepreneur, Alan leverages his passion and understanding of technology to bring a deeper perspective to partnerships.