Please log in to watch this conference skillscast.
Mobile apps increasingly leverage rich and complex REST API backends to enable server-side interaction. However access credentials, such as API keys, have to be embedded in your app code where they can be extracted and subsequently abused. Learn practical approaches to prevent this without having to change your whole development flow. Richard will share with you examples in native Android apps, using Kotlin as the example language.
Firstly you will survey the state of the art in terms of how authorization to these APIs is typically implemented, including API keys and user authorization via OAuth2. Richard will then discuss the types of attacks that are possible if unauthorized software clients are able to access the API and impersonate the intended client mobile app. You will also learn how TLS alone is not an effective countermeasure to credentials being reversed unless certificate pinning is also used to prevent Man-in-the-Middle attacks against the app. There will be some practical advice on how to implement TLS pinning with code examples. During this talk you will then learn how credentials can be easily extracted from mobile app code unless some effort is made to conceal these credentials. Further Richard will share some tips on improving credential obfuscation in code, across multiple frameworks. You will look at proxy based approaches to move secrets out of mobile apps and into more easily secured servers.
Finally you will discover more advanced techniques such as app hardening, white box cryptography and software attestation for applications where security is crucial. You should gain a good understanding of the problem, some short term practical tips to improve their API security posture with minimal effort and an appreciation of emerging tools and technologies that enable a significant step change in security.
YOU MAY ALSO LIKE:
- Real World Kotlin Development Workshop (in London on 1st - 2nd July 2019)
- Fast Track to Android Architecture (in London on 21st - 23rd October 2019)
- ProgNET London 2019 (in London on 11th - 13th September 2019)
- Keynote by Rebecca Franks on Tips for Building Custom Views on Android with Canvas APIs📏🎨 (in London on 19th June 2019)
- Keynote by Kris Nova on The Power of Linux Virtualization with Cloud Native (in London on 19th June 2019)
- Solving 5 typical Issues in API development with Domain Driven Design (SkillsCast recorded in June 2019)
- Fancy Bears Are Not Your Problem: Real World Appsec (SkillsCast recorded in June 2019)
How to Keep Your API Keys Safe
Richard is CTO of CriticalBlue, a UK technology company specializing in mobile app security. He started his career as a developer specializing in compiler technologies with a particular focus in low level code optimization techniques. In 2002 he co-founded CriticalBlue to focus on his innovations in compilation technologies, developing tools that automatically generate custom microprocessor architectures derived from software analysis. Over the years this technology became increasingly focused on multi-threaded software analysis for migrating sequential software implementations into multi-threaded alternatives. Richard developed a dynamic binary instrumentation technology to analyse x86, ARM, MIPS and PowerPC compiled applications on the fly to derive low level performance, cache impact and data dependency information. This technology was used in performance optimization of the Android Operating System for certain OEMs. Aspects of this technology have now been applied to CriticalBlue's Approov mobile application security solution that enables remote attestation to be performed on mobile apps to allow API providers to ensure that only official apps are able to access API services