How to Keep Your API Keys Safe

26th October 2017 in London at Business Design Centre


Mobile apps increasingly leverage rich and complex REST API backends to enable server-side interaction. However, access credentials, such as API keys, have to be embedded in your app code, where they can be extracted and subsequently abused. Learn practical approaches to prevent this without having to change your whole development flow. Richard will share examples from native Android apps, using Kotlin as the example language.

Firstly, you will survey the state of the art in how authorization to these APIs is typically implemented, including API keys and user authorization via OAuth2. Richard will then discuss the types of attacks that are possible if unauthorized software clients are able to access the API and impersonate the intended client mobile app. You will also learn how TLS alone is not an effective countermeasure to credentials being reversed unless certificate pinning is also used to prevent Man-in-the-Middle attacks against the app. There will be some practical advice on how to implement TLS pinning, with code examples. During this talk you will then learn how credentials can be easily extracted from mobile app code unless some effort is made to conceal them. Further, Richard will share some tips on improving credential obfuscation in code, across multiple frameworks. You will look at proxy-based approaches to move secrets out of mobile apps and into more easily secured servers.

Finally, you will discover more advanced techniques such as app hardening, white-box cryptography and software attestation for applications where security is crucial. You should gain a good understanding of the problem, some short-term practical tips to improve your API security posture with minimal effort, and an appreciation of emerging tools and technologies that enable a significant step change in security.



Richard Taylor

Richard is CTO of CriticalBlue, a UK technology company specializing in mobile app security. He started his career as a developer specializing in compiler technologies with a particular focus on low-level code optimization techniques. In 2002 he co-founded CriticalBlue to focus on his innovations in compilation technologies, developing tools that automatically generate custom microprocessor architectures derived from software analysis. Over the years this technology became increasingly focused on multi-threaded software analysis for migrating sequential software implementations into multi-threaded alternatives. Richard developed a dynamic binary instrumentation technology to analyse x86, ARM, MIPS and PowerPC compiled applications on the fly to derive low-level performance, cache impact and data dependency information. This technology was used in performance optimization of the Android Operating System for certain OEMs. Aspects of this technology have now been applied to CriticalBlue's Approov mobile application security solution, which enables remote attestation to be performed on mobile apps so that API providers can ensure that only official apps are able to access API services.