Tag Archive for: API

Unified API Protection for Telcos and Mobile Carriers – Time to Value


Largest Mobile Carrier Identified 4,600 APIs in Days, not Weeks or Months

The security team at the nation’s largest mobile carrier had a problem obtaining a consistent and complete inventory of the company’s sprawling API footprint. Business-critical API-based applications were driving the mobile carrier’s day-to-day business of managing its mobile network, but the number of APIs was quickly outstripping the team’s ability to keep track of them all.

Key Objectives: A Complete API Catalog

A 2021 security team objective was to obtain a complete, running inventory of all APIs within the organization so that they understood their entire API footprint. Across the organization, several software groups supported API application development but worked independently of each other. The result was shadow APIs that were not cataloged and had no oversight from the security team. Because so many teams were involved in API development, and in the absence of an API protection solution, cataloging both managed and unmanaged APIs was difficult, time-consuming, and inaccurate.


Scratching the Surface

When asked how many APIs they had, the security team replied that they had roughly 100 APIs, all documented manually. They intuitively knew that they were only scratching the surface, as there were likely hundreds if not thousands of APIs still unaccounted for and missing from their existing API catalog.

API Sentinel Automates API Discovery

Cequence introduced API Sentinel to the security team and a proof of concept (PoC) was kicked off. By deploying API Sentinel, in just a matter of days they were able to discover over 4,600 API endpoints that were active across their infrastructure – a 98% increase in API visibility and inventory over what the security team had just days before the introduction of Cequence. Moreover, they obtained deep security insights, including the following:

  • 6 sensitive data exposure incidents where customer ID, account number and other related business sensitive data was exposed.
  • 5 instances of user authentication issues where username and passwords were exposed in cleartext,…

Source…

Researchers find 3,000+ mobile apps exposing Twitter API keys


Cybersecurity researchers have discovered more than 3,000 mobile apps exposing Twitter Inc. application programming interface keys that can be used to gain access to or take over Twitter accounts.

In findings detailed today by security firm CloudSEK, 3,207 apps were found to be leaking valid Consumer Key and Consumer Secret values. Some 230 apps, some of which are described as belonging to unicorn startups, were found to leak all four Twitter authentication credentials, which could be used to take over Twitter accounts fully.

With full access, an attacker would gain the ability to perform actions such as reading direct messages, retweeting, liking, deleting, removing and adding followers, along with the ability to change account settings and the account’s display picture.

The researchers explain that the exposure of the API keys is typically the result of a mistake in which developers embed their authentication keys in the app while integrating the Twitter API but then forget to remove them before the mobile application is released.

Once the API keys are exposed, the risk of exploitation is genuine. A malicious actor with access to the API keys can use them to create a “Twitter bot army” that could be used to spread false information or in a phishing scam.

The researchers highlight a recent case where Twitter was exploited to promote a “fake suspension notices” phishing scam. In this case, verified Twitter accounts were used to lend credence to the scam.

The researchers concluded that it is imperative that API keys are not embedded directly in code and that developers follow secure coding and deployment processes. These include implementing a standardized review procedure to ensure accurate versioning, hiding keys to increase security, and rotating API keys to reduce the threat posed by leaked keys.

“There are only two ways to solve this problem,” David Stewart, chief executive officer of mobile app protection company Approov, told SiliconANGLE. “Either adopt a mobile security solution that enables you to store your API keys off the device and deliver them only when needed or require a second independent factor to be present alongside the API key to access backend data and resources –…

Source…

Hands-on Mobile App and API Security – Runtime Secrets Protection




In a previous article we saw how to protect API keys by using Mobile App Attestation and delegating the API requests to a Proxy. This blog post covers the situation where you can’t delegate the API requests to the Proxy but still want to stop hard-coding the API keys (secrets) in your mobile app, to mitigate the use of static binary analysis and/or runtime instrumentation techniques to extract those secrets.

We will show how to have your secrets dynamically delivered only to genuine, unmodified versions of your mobile app that are not under attack, by using Mobile App Attestation to secure the just-in-time runtime secret delivery. We will demonstrate how to achieve this with the same Astropiks mobile app from the previous article. The app uses NASA’s picture of the day API to retrieve images and descriptions, which requires a registered API key that will initially be hard-coded into the app.

Introduction to Some New Concepts

The last section may have introduced some new technical terms, so an overview of them follows.

What is Mobile App Attestation?

This is the process of authenticating that a running instance of a mobile app is the exact same one that was uploaded to the app store. It consists of attesting that the mobile app is not running on a compromised device, hasn’t been modified in any way, isn’t being manipulated at runtime, isn’t the target of an ongoing MitM attack, etc.

What are Runtime Secrets?

These are secrets provided to the mobile app at runtime, via secure over-the-air updates from a third-party service, as they are required to make the API requests; they are protected with Mobile App Attestation both on retrieval and during subsequent use in the API calls.

The AstroPiks Mobile App

Now let’s look at the app we are going to use to demonstrate these principles. It’s a very simple mobile app that uses the NASA API to show some nice pictures in a list; you can select any of them to see more details about it.

The Setup

First, you need to clone the provided GitHub repo:

git clone --branch approov-runtime-secrets-protection https://github.com/approov/hands-on-api-proxy.git

Next, get your free NASA API key on…

Source…

API Security Losses Total Billions, But It’s Complicated


US companies face a combined $12 billion to $23 billion in losses in 2022 from compromises linked to Web application programming interfaces (APIs), which have proliferated with the increased adoption of cloud services and DevOps-style development methodologies, according to an analysis of breach data.

In the last decade, API security has grown to become a significant cybersecurity issue. Acknowledging this, the Open Web Application Security Project (OWASP) released a top-10 list of API security issues in 2019, flagging major API weaknesses — such as broken object-level authorization, weak user authentication, and excessive data exposure — as critical issues for software makers and companies that rely on cloud services.

According to the Quantifying the Cost of API Insecurity report out this week, published last week by application-security firm Imperva and risk-strategy firm Marsh McLennan, security issues will likely only grow as APIs continue to become a common pattern for cloud and mobile infrastructure.

“The growing security risks associated with APIs correlate with the proliferation of APIs,” says Lebin Cheng, vice president of API security for Imperva. “The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs.”

Interestingly, the analysis found that the business losses have less to do with API-specific issues. Rather, breach recovery and interruption of operations account for the majority of the cyber-losses. Only a small subset of companies in any country suffered losses directly linked to API vulnerabilities, the report found.

API Losses Vary by Business Segment

The Marsh McLennan data comes from reported breaches, which represent a subset of all businesses. It found that, when drilling down into the data, important differences in impact emerge.

For instance, certain kinds of companies (larger firms in IT and professional services, for example) are much more likely to face API-related security incidents than others (smaller companies, say, in the finance sector).

“The $12 billion is not distributed over millions of…

Source…