Protect All Mobile App APIs Against the OWASP API Security Top 10 Risks

By |2019-12-05T09:06:42+00:00October 10th, 2019|

On Sept 30, 2019, OWASP published the OWASP API Security Top 10 Release Candidate. The project team that published the Release Candidate said: “APIs play a very important role in modern applications’ architecture. Since creating security awareness and innovation have different paces, it’s important to focus on common API security weaknesses. The primary goal of the OWASP API Security Top 10 is to educate those involved in API development and maintenance, for example, developers, designers, architects, managers, or organizations.”

The Appdome engineering team reviewed this Top 10 and determined that 8 out of 10 are relevant to Mobile APIs and that the Appdome Mobile Security Suite can help mobile developers protect their Mobile APIs against all those OWASP API Security risks.

Download the Appdome Mobile Security Suite Datasheet

Every mobile app is built around a set of APIs. Since there is no standard in Mobile APIs, securing each API is a difficult task, for which the burden is put on the developer. And most mobile app developers are not security experts. Appdome removes this burden completely and allows developers to secure all the APIs in their mobile apps with a single click of a button – no code or coding required!

Develpers and non-developers alike can secure their mobile APIs by selecting the following components from the Appdome Mobile Security Suite when building their apps:

  • Data Encryption – uses AES 256 encryption to secure and protect all API data (keys, secrets, urls, tokens, payload, etc.), including in the App Sandbox and Preferences.
  • Code Obfuscation – obfuscates the binary code, native and non-native libraries, to protect the API’s flow control and logic and making strings and resources not accessible.
  • API Shielding – hardens the app with anti-tampering, anti-debugging and anti-reversing protection.
  • Trusted Sessions – protects and encrypts all data in transit. SecureAPI ensures the validity of all end points and any intermediate systems in between an API and its backend servers.
  • API Segmentation – uses strong authentication, API tokenization, segmented API workflows (key stores, cookie stores, etc.) to ensure that only the right users can access specific API resources.
Appdome SecureAPI protects against the OWASP API Security Top 10

Appdome SecureAPI protects your Mobile APIs against the OWASP API Security Top 10 risks

Here’s How Appdome’s Mobile Security Suite Protects Mobile App APIs against the OWASP API Security top 10 risks

A1 – Broken Object Level Authorization

OWASP describes this risk as: “APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.”

Appdome recommends that developers:

  • Implement secure mobile access and/or standards based modern authentication & authorization in all mobile apps that access remote systems.
  • Automate the implementation of authorization workflows to ensure secure and consistent implementations across all mobile apps.
  • Avoid static and manual implementations of identity, access, and authentication technologies or standards. Instead, leverage technology to automate this process so that so that your mobile implementation of authentication standards is dynamically paired with that of the identity provider without requiring changing the app’s code manually.

Developers can achieve this on Appdome by building their apps with:

  • Data Encryption
  • Code Obfuscation
  • Trusted Communication
  • API Segmentation

A2 – Broken Authentication

OWASP describes this risk as: “Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.”

Appdome recommends that developers:

Developers can achieve this on Appdome by building their apps with:

  • Data Encryption
  • Code Obfuscation
  • Trusted Communication
  • API Segmentation

A3 – Excessive Data Exposure

OWASP states that: “Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Without controlling the client’s state, servers receive more-and-more filters which can be abused to gain access to sensitive data.”

Appdome recommends that developers:

  • Avoid implementing APIs in mobile apps generically, and do not over-expose object properties or parameters used the API transaction. Instead, implement APIs with as much specificity as possible, given use case.
  • Leverage machine learning and AI based development techniques to apply obfuscation and encryption adaptively and dynamically relative to environmental context. Appdome’s AMI makes a build-time decision on whether to Encrypt or Obfuscate an element based on the API and app capabilities and attributes, performance characteristics, and overall risk.

Developers can achieve this on Appdome by building their apps with:

  • Code Obfuscation
  • API Shielding
  • Trusted Communication
  • API Segmentation

A4 – Lack of Resources and Rate Limiting

About this risk, OWASP says: “Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.”

Appdome recommends that developers:

  • Deploy Appdome’s Mobile Security Suite together with the F5 Anti-Bot service.

Developers can achieve this on Appdome by building their apps with:

  • API Segmentation

A5 – Broken Function Level Authorization

OWASP defines this risk as: “Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.”

Using Appdome, developers can mitigate against this risk when they:

Developers can achieve this on Appdome by building their apps with:

  • Data Encryption
  • Code Obfuscation
  • API Shielding
  • Trusted Communication
  • API Segmentation

A6 – Mass Assignment

OWASP states that: “Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on a whitelist, usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.”

With Appdome, developers can:

  • Lock down mobile API entry and egress points by requiring strong authentication, or by whitelisting trusted endpoints.
  • Implement Code Obfuscation, including obfuscation of all native and non-native libraries. Implement Flow relocation and Strip logs of debug information which give attackers clues about how your app works. Making your app harder to reverse engineer reduces the attack surface required to conduct a mass assignment attacks.

Developers can achieve this on Appdome by building their apps with:

  • Data Encryption
  • Code Obfuscation
  • API Shielding
  • Trusted Communication

A7 – Security Misconfiguration

OWASP says that: “Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.”

Appdome can you help you prevent security misconfigurations when you:

  • Implement Trusted Session protection, to ensure all communication occurs over secure channels (eg: enforcing the use of TLS).
  • Rotate stale TLS sessions and CAs and avoid expiring certificates from causing security holes or open entry points.

Developers can achieve this on Appdome by building their apps with:

  • Code Obfuscation
  • API Shielding
  • Trusted Communication
  • API Segmentation

A8 – Injection

OWASP says that: “Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”

Appdome prevents injection when developers:

  • Obfuscate all control flows and logical elements of their code.
  • Hide and Encrypt all Java code of Android apps with Appdome’s APPCode Packer.

Developers can achieve this on Appdome by building their apps with:

  • Data Encryption
  • Code Obfuscation
  • API Shielding
  • Trusted Communication
  • API Segmentation

A9 – Improper Assets Management

OWASP found that: “APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.”

Appdome recommends that developers:

Developers can achieve this on Appdome by building their apps with:

  • Data Encryption
  • Code Obfuscation
  • API Shielding
  • Trusted Communication
  • API Segmentation

A10 – Insufficient Logging and Monitoring

OWASP says that: “Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.”

This risk is related to the backend API services, not the Mobile APIs. Network infrastructure Security companies like Appdome’s partner F5 protect against this risk.

Recommendations for Developers Looking to Secure Their Mobile APIs

With Appdome, you can instantly secure all your mobile app APIs without writing a single line of code. Create your free trial and get started today.

About the Author:

Gil heads engineering at Appdome. He's a security engineer, mobile app developer and has fused 1000s of Android and iOS apps.
Scroll Up