On Sept 30, 2019, OWASP published the OWASP API Security Top 10 Release Candidate. The project team that published the Release Candidate said: “APIs play a very important role in modern applications’ architecture. Since creating security awareness and innovation have different paces, it’s important to focus on common API security weaknesses. The primary goal of the OWASP API Security Top 10 is to educate those involved in API development and maintenance, for example, developers, designers, architects, managers, or organizations.”
The Appdome engineering team reviewed this Top 10 and determined that 8 out of 10 are relevant to Mobile APIs and that the Appdome Mobile Security Suite can help mobile developers protect their Mobile APIs against all those OWASP API Security risks.
Download the Appdome Mobile Security Suite Datasheet
Every mobile app is built around a set of APIs. Since there is no standard in Mobile APIs, securing each API is a difficult task, for which the burden is put on the developer. And most mobile app developers are not security experts. Appdome removes this burden completely and allows developers to secure all the APIs in their mobile apps with a single click of a button – no code or coding required!
Develpers and non-developers alike can secure their mobile APIs by selecting the following components from the Appdome Mobile Security Suite when building their apps:
- Data Encryption – uses AES 256 encryption to secure and protect all API data (keys, secrets, urls, tokens, payload, etc.), including in the App Sandbox and Preferences.
- Code Obfuscation – obfuscates the binary code, native and non-native libraries, to protect the API’s flow control and logic and making strings and resources not accessible.
- API Shielding – hardens the app with anti-tampering, anti-debugging and anti-reversing protection.
- Trusted Sessions – protects and encrypts all data in transit. SecureAPI ensures the validity of all end points and any intermediate systems in between an API and its backend servers.
- API Segmentation – uses strong authentication, API tokenization, segmented API workflows (key stores, cookie stores, etc.) to ensure that only the right users can access specific API resources.
Here’s How Appdome’s Mobile Security Suite Protects Mobile App APIs against the OWASP API Security top 10 risks
A1 – Broken Object Level Authorization
OWASP describes this risk as: “APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.”
Appdome recommends that developers:
- Implement secure mobile access and/or standards based modern authentication & authorization in all mobile apps that access remote systems.
- Automate the implementation of authorization workflows to ensure secure and consistent implementations across all mobile apps.
- Avoid static and manual implementations of identity, access, and authentication technologies or standards. Instead, leverage technology to automate this process so that so that your mobile implementation of authentication standards is dynamically paired with that of the identity provider without requiring changing the app’s code manually.
Developers can achieve this on Appdome by building their apps with:
- Data Encryption
- Code Obfuscation
- Trusted Communication
- API Segmentation
A2 – Broken Authentication
OWASP describes this risk as: “Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.”
Appdome recommends that developers:
- Never store credentials or authorization tokens in clear text. Encrypt all token, credential, and user information and store those elements separately in a secure storage vault out of the reach of services not in the chain of trust.
- Encrypt in-app preferences, strings and resources to prevent attackers from piecing together information that they can later use to conduct attacks.
- Implement Multi-Factor Authentication (MFA) natively in all mobile apps that have an account construct or connect to a remote endpoint for identification, verification or recovery purposes.
Developers can achieve this on Appdome by building their apps with:
- Data Encryption
- Code Obfuscation
- Trusted Communication
- API Segmentation
A3 – Excessive Data Exposure
OWASP states that: “Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Without controlling the client’s state, servers receive more-and-more filters which can be abused to gain access to sensitive data.”
Appdome recommends that developers:
- Avoid implementing APIs in mobile apps generically, and do not over-expose object properties or parameters used the API transaction. Instead, implement APIs with as much specificity as possible, given use case.
- Leverage machine learning and AI based development techniques to apply obfuscation and encryption adaptively and dynamically relative to environmental context. Appdome’s AMI makes a build-time decision on whether to Encrypt or Obfuscate an element based on the API and app capabilities and attributes, performance characteristics, and overall risk.
Developers can achieve this on Appdome by building their apps with:
- Code Obfuscation
- API Shielding
- Trusted Communication
- API Segmentation
A4 – Lack of Resources and Rate Limiting
About this risk, OWASP says: “Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.”
Appdome recommends that developers:
- Deploy Appdome’s Mobile Security Suite together with the F5 Anti-Bot service.
Developers can achieve this on Appdome by building their apps with:
- API Segmentation
A5 – Broken Function Level Authorization
OWASP defines this risk as: “Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.”
Using Appdome, developers can mitigate against this risk when they:
- Where possible implement Certificate validation, CA validation and Certificate pinning ensure the validity of client and server side endpoints, certs, and, CAs.
- Build their apps with Trusted Session Inspection since Trusted Session will identify and block any malicious certificates during the SSL Handshake.
Developers can achieve this on Appdome by building their apps with:
- Data Encryption
- Code Obfuscation
- API Shielding
- Trusted Communication
- API Segmentation
A6 – Mass Assignment
OWASP states that: “Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on a whitelist, usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.”
With Appdome, developers can:
- Lock down mobile API entry and egress points by requiring strong authentication, or by whitelisting trusted endpoints.
- Implement Code Obfuscation, including obfuscation of all native and non-native libraries. Implement Flow relocation and Strip logs of debug information which give attackers clues about how your app works. Making your app harder to reverse engineer reduces the attack surface required to conduct a mass assignment attacks.
Developers can achieve this on Appdome by building their apps with:
- Data Encryption
- Code Obfuscation
- API Shielding
- Trusted Communication
A7 – Security Misconfiguration
OWASP says that: “Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.”
Appdome can you help you prevent security misconfigurations when you:
- Implement Trusted Session protection, to ensure all communication occurs over secure channels (eg: enforcing the use of TLS).
- Rotate stale TLS sessions and CAs and avoid expiring certificates from causing security holes or open entry points.
Developers can achieve this on Appdome by building their apps with:
- Code Obfuscation
- API Shielding
- Trusted Communication
- API Segmentation
A8 – Injection
OWASP says that: “Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
Appdome prevents injection when developers:
- Obfuscate all control flows and logical elements of their code.
- Hide and Encrypt all Java code of Android apps with Appdome’s APPCode Packer.
Developers can achieve this on Appdome by building their apps with:
- Data Encryption
- Code Obfuscation
- API Shielding
- Trusted Communication
- API Segmentation
A9 – Improper Assets Management
OWASP found that: “APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.”
Appdome recommends that developers:
- Implement Code Obfuscation and Data Encryption.
- Implement Flow relocation and Strip logs of debug information thereby removing any clues about how your app works.
- Make your app harder to reverse engineer and reduce the attack surface required to conduct a mass assignment attacks.
Developers can achieve this on Appdome by building their apps with:
- Data Encryption
- Code Obfuscation
- API Shielding
- Trusted Communication
- API Segmentation
A10 – Insufficient Logging and Monitoring
OWASP says that: “Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.”
Recommendations for Developers Looking to Secure Their Mobile APIs
With Appdome, you can instantly secure all your mobile app APIs without writing a single line of code. Create your Appdome account and get started today.
