Mobile APIs require a good amount of prerequisite knowledge and careful design to implement securely.
This slide deck walks you through what you need to know to design a secure API for consumption on mobile devices, whether you're building a mobile app that needs to access a REST API, or writing a REST API that other developers will build mobile apps against.
Secure API Design for Mobile Apps
1. Mobile App Security Meet
"More connections to more devices means more vulnerabilities. If you control the code, you control the world."
Secure API Design
2. Mobile App Security Meet
Mobile first
"The future of mobile is the future of online. It is how people access online content now."
3. Mobile App Security Meet
Agenda
● API Threats
● Attributes of Secure API
● Recognizing the problem
● Authentication Schemes
● Best Practices
● Questions
4. Mobile App Security Meet
Threats to your APIs
● APIs are vulnerable to the OWASP Top 10 attacks
● Hackers reverse engineer apps to access private APIs
● Data theft
● User account compromise
● Coding flaws
● Badly implemented clients may leave your system vulnerable
5. Mobile App Security Meet
Recognizing the problem
● Unusual API requests
● Traffic spikes
● Strange source addresses of requests
● Long service times
6. Mobile App Security Meet
Attributes of Secure API
● Authentication
The system should serve only legitimate users
● Authorization
The system should allow users to perform only legitimate operations
● Confidentiality
Confidential data should be protected
● Integrity
The integrity of transactions should be protected
7. Mobile App Security Meet
Authentication Schemes - Basic
● Request: GET
● Server challenge: HTTP/1.1 401
● Resend request: GET (with credentials)
8. Mobile App Security Meet
Authentication Schemes - Digest
Hash the username and password before sending them over the network
● Request: GET
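The two schemes above differ only in what travels in the Authorization header: Basic sends the credentials themselves (base64 is an encoding, not protection, which is why the TLS slide later in this deck matters), while Digest sends an MD5 response derived from the username, realm, password and a server-issued nonce. The following server-side verifier for both is an added example, not code from the deck; the realm, the user store, the request URI and the header-building helpers are all constructed for illustration. Nonces are single use, so a captured Digest header cannot simply be replayed.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credential store for the example: one realm, one user.
# The password is held in clear only so the Digest HA1 can be derived here;
# a real store keeps HA1 (or a stronger verifier) rather than the password.
REALM = "api.example.test"
USERS = {"alice": "correct horse battery staple"}


def parse_auth_header(header):
    """Split 'Scheme params' into (lower-cased scheme, params string)."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme.lower(), rest.strip()


def build_basic_header(user, password):
    """Client side of Basic: base64 of 'user:password' (only acceptable over TLS)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


def verify_basic(header):
    """Verify 'Authorization: Basic ...'. Returns the username on success, None otherwise."""
    scheme, payload = parse_auth_header(header)
    if scheme != "basic":
        return None
    try:
        user, _, password = base64.b64decode(payload, validate=True).decode("utf-8").partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    expected = USERS.get(user)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return user
    return None


def _md5(*parts):
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_response(user, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2).
    MD5 is what the scheme specifies; it is legacy and is no substitute for TLS."""
    ha1 = _md5(user, REALM, password)
    ha2 = _md5(method, uri)
    return _md5(ha1, nonce, ha2)


def new_challenge():
    """Server side of the 401: a fresh random nonce for the WWW-Authenticate header."""
    nonce = secrets.token_hex(16)
    return nonce, 'Digest realm="%s", nonce="%s"' % (REALM, nonce)


def build_digest_header(user, password, method, uri, nonce):
    """What a client sends after receiving the challenge (constructed for the example)."""
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"'
            % (user, REALM, nonce, uri, digest_response(user, password, method, uri, nonce)))


def parse_digest_params(params):
    """Parse 'k="v", k2="v2"' into a dict (values with embedded commas are not handled)."""
    out = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def verify_digest(header, method, uri, issued_nonces):
    """Verify a Digest Authorization header against the set of nonces this server issued.
    The nonce is consumed whether or not the response checks out, so it cannot be replayed
    or used for repeated guessing. Returns the username on success, None otherwise."""
    scheme, params = parse_auth_header(header)
    if scheme != "digest":
        return None
    p = parse_digest_params(params)
    user, nonce = p.get("username"), p.get("nonce")
    if user not in USERS or nonce not in issued_nonces or p.get("uri") != uri or p.get("realm") != REALM:
        return None
    issued_nonces.discard(nonce)  # single use
    expected = digest_response(user, USERS[user], method, uri, nonce)
    if hmac.compare_digest(expected, p.get("response", "")):
        return user
    return None
```

The URI from the header is checked against the URI actually requested, and the realm against the server's own, so a response computed for one endpoint is not accepted for another.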
13. Mobile App Security Meet
Best Practices
TLS
● Use TLS for all APIs
● Plain HTTP is vulnerable to man-in-the-middle attacks
● Once moved to TLS, do not support plain HTTP
● Use standard TLS implementations in clients
● Preferably use SSL pinning in mobile apps
○ Proper implementation of X509TrustManager in Android apps
○ Use additional unconventional checks like hashing of the public certificate
● Use mutual TLS for trusting clients - private APIs or apps not on the Play Store
14. Mobile App Security Meet
Best Practices
Access Tokens
● Long strings
● High entropy
● Resistant to preimage attacks
● Resistant to collision attacks
● Strong cryptographic hash, e.g. bcrypt
● Short TTL
● Avoid designing APIs which blindly return access tokens for a given user id
16. Mobile App Security Meet
Best Practices
Validating Access Tokens
● All API calls must carry access tokens - reject those which have none
● Build a framework which is invoked before the actual API call is serviced - Spring Security in Java
● Map the access token to a valid user entity for further processing
● Validate the scope of the token - reject requests which try to perform unauthorized operations
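The token properties on the previous slide and the validation steps on this one fit together in one small piece of code: generate the token from a CSPRNG, store only its hash with a short expiry, and run a gatekeeper before every handler that rejects missing, unknown, expired and under-scoped tokens before mapping the token to a user entity. The code below is an added example, not from the deck and not Spring Security; the in-memory stores, routes, scope names and the user record are constructed. The deck names bcrypt for hashing stored tokens; this example uses SHA-256 from the standard library, which is sufficient here because the token is 256 bits of random output, so there is no low-entropy secret for a slow hash to protect.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short TTL limits the window a leaked token is useful

# Constructed in-memory stores. Only the SHA-256 of a token is kept, so a
# leaked token table does not hand out usable credentials.
_tokens = {}  # sha256(token) -> {"user": id, "scopes": set, "expires": epoch seconds}
_users = {"u-1001": {"name": "alice"}}


def _fingerprint(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id, scopes, now=None):
    """Issue an opaque bearer token. Called only after the user has authenticated;
    an endpoint that returns a token for any supplied user id is the anti-pattern
    the deck warns about."""
    if user_id not in _users:
        raise KeyError("unknown user")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy as a URL-safe string
    _tokens[_fingerprint(token)] = {
        "user": user_id,
        "scopes": set(scopes),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


class AuthError(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def authenticate(headers, required_scope, now=None):
    """Gatekeeper run before any handler. Returns the user entity the token maps to,
    or raises AuthError with the HTTP status the API should respond with."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise AuthError(401, "missing bearer token")
    key = _fingerprint(token)
    record = _tokens.get(key)
    if record is None:
        raise AuthError(401, "unknown token")
    if record["expires"] <= now:
        del _tokens[key]  # expired tokens are purged, not kept around
        raise AuthError(401, "token expired")
    if required_scope not in record["scopes"]:
        raise AuthError(403, "insufficient scope")
    return dict(_users[record["user"]], id=record["user"])


# Constructed route table: which scope each operation requires.
_SCOPE_FOR_ROUTE = {
    ("GET", "/v1/me"): "profile:read",
    ("POST", "/v1/transfers"): "transfers:write",
}


def handle_request(method, path, headers, now=None):
    """Tiny dispatcher showing the framework invoked before the real handler runs."""
    scope = _SCOPE_FOR_ROUTE.get((method, path))
    if scope is None:
        return 404, "not found"
    try:
        user = authenticate(headers, scope, now=now)
    except AuthError as e:
        return e.status, e.reason
    return 200, "ok for %s" % user["name"]
```

A missing or unknown token and an expired token all produce 401, while a valid token that lacks the scope for the operation produces 403; keeping those distinct makes client bugs and abuse easier to tell apart in logs.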
17. Mobile App Security Meet
Best Practices
User Passwords
● Well-defined password rules
● Mix of alphanumeric and special characters
● Avoid dictionary words - dictionary attack
● Extra care while designing APIs which reset passwords, like
○ Forgot Password
○ Profile Edit
● Use additional security measures like OTP via email or text
● Badly implemented APIs will create a backdoor into your system
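The password rules and the OTP-protected reset flow on this slide are shown together below as an added example that is not from the deck: a policy check covering length, character classes and a dictionary lookup, and a two-step Forgot Password flow where the one-time code has a short lifetime, a bounded number of attempts and is consumed on use. The word list, the length threshold, the OTP lifetime and the attempt limit are constructed values chosen for the example.

```python
import hmac
import re
import secrets
import time

# Constructed tiny word list; a real deployment loads a large common/breached password list.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "dragon", "monkey"}
MIN_LENGTH = 12

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
_pending_resets = {}  # user -> {"otp": str, "expires": epoch seconds, "attempts": int}


def check_password(candidate):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(1 for c in classes if re.search(c, candidate)) < 3:
        problems.append("needs at least three of: lower, upper, digit, special")
    # Dictionary check on the alphabetic core, so 'Password123!' is still caught.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def start_reset(user, now=None):
    """Forgot Password, step 1: create a single-use OTP to deliver out of band.
    The returned code goes to the mailer or SMS gateway, never into the HTTP response,
    and the HTTP layer should answer identically whether or not the account exists."""
    now = time.time() if now is None else now
    otp = "%06d" % secrets.randbelow(10 ** 6)
    _pending_resets[user] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp


def complete_reset(user, otp, new_password, now=None):
    """Forgot Password, step 2: check the OTP (TTL, attempt limit, constant-time compare),
    then apply the password policy. Returns (success, reason)."""
    now = time.time() if now is None else now
    pending = _pending_resets.get(user)
    if pending is None or pending["expires"] <= now:
        _pending_resets.pop(user, None)
        return False, "no valid reset in progress"
    pending["attempts"] += 1
    if pending["attempts"] > MAX_ATTEMPTS:
        del _pending_resets[user]  # a six-digit code cannot survive unlimited guesses
        return False, "too many attempts"
    if not hmac.compare_digest(pending["otp"], otp):
        return False, "wrong code"
    problems = check_password(new_password)
    if problems:
        return False, "; ".join(problems)
    del _pending_resets[user]  # consumed: the same code cannot reset the password twice
    # Here the new password would be stored with a slow hash such as bcrypt or argon2.
    return True, "password changed"
```

The attempt counter is incremented before the comparison, so a caller cannot probe codes indefinitely against one pending reset, and a policy failure on the new password does not consume the OTP, so the user can retry with a better password without requesting a new code.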
18. Mobile App Security Meet
Best Practices
Session Cookies
● Avoid using session cookies - consider access tokens
● Stateless APIs are easier to manage than stateful ones
● Access Tokens + Stateless API = No CSRF attacks
20. Mobile App Security Meet
Best Practices
IDs
● Don't use serial numbers as primary identifiers of your resources like accounts and transactions - brute force attack
● Use hashes instead
● Preferably use unique identifiers like UUIDs as transaction ids
○ universally unique
○ avoids contention
○ performance boost
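Two ways to follow this slide are shown below as an added example, not code from the deck: existing accounts that already have serial database ids get an opaque public id derived from the serial, and new transactions get a random UUID. One caveat goes beyond the slide's wording "use hashes": a plain hash of a small integer is not opaque, because anyone can hash 1, 2, 3, ... and rebuild the mapping, so the derivation uses an HMAC with a server-side key. The key, the index store and the sample ids are constructed for the example.

```python
import hashlib
import hmac
import uuid

# Constructed server-side key. In production it comes from a secrets manager; if it is
# ever rotated, public ids must carry a key identifier so old ids still resolve.
ID_KEY = b"example-key-for-illustration-only"

_public_index = {}  # public id -> internal serial, populated when an account is exposed


def public_account_id(serial):
    """Derive an opaque public id from an internal serial with a keyed hash.
    Without the key an attacker could enumerate the serials and hash them; with it
    the public ids reveal nothing about ordering or how many accounts exist."""
    mac = hmac.new(ID_KEY, str(serial).encode("utf-8"), hashlib.sha256).hexdigest()
    return "acct_" + mac[:32]


def expose_account(serial):
    """Register the public id for an account so inbound requests can be resolved."""
    public_id = public_account_id(serial)
    _public_index[public_id] = serial
    return public_id


def resolve_account(public_id):
    """Map an inbound public id back to the internal serial, or None if it is not one we issued."""
    return _public_index.get(public_id)


def new_transaction_id():
    """Random (version 4) UUID: unguessable and unique without a shared counter,
    which is where the slide's 'avoids contention' and 'performance boost' come from."""
    return str(uuid.uuid4())


def parse_transaction_id(value):
    """Validate an inbound transaction id before it reaches the database layer:
    it must be a canonical, lower-case version 4 UUID, otherwise the request is a 400."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, TypeError, AttributeError):
        return None
    if parsed.version != 4 or str(parsed) != value:
        return None
    return parsed
```

Resolving public ids through a server-side index rather than by reversing the hash means a guessed or leaked id that was never issued simply fails to resolve.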
21. Mobile App Security Meet
Best Practices
Treat Security as a first class citizen and not as an add-on
Consider it in the design phase of your product