Mobile apps increasingly leverage rich and complex REST API backends to enable server-side interaction. However, access credentials, such as API keys, have to be embedded in your app code, where they can be extracted and subsequently abused. Learn practical approaches to prevent this without having to change your whole development flow. Richard will share with you examples in native Android apps, using Kotlin as the example language.
Firstly, you will survey the state of the art in terms of how authorization to these APIs is typically implemented, including API keys and user authorization via OAuth2. Richard will then discuss the types of attacks that are possible if unauthorized software clients are able to access the API and impersonate the intended client mobile app. You will also learn how TLS alone is not an effective countermeasure to credentials being reversed unless certificate pinning is also used to prevent Man-in-the-Middle attacks against the app. There will be some practical advice on how to implement TLS pinning, with code examples. During this talk you will then learn how credentials can be easily extracted from mobile app code unless some effort is made to conceal these credentials. Further, Richard will share some tips on improving credential obfuscation in code across multiple frameworks. You will look at proxy-based approaches to move secrets out of mobile apps and into more easily secured servers.
Finally, you will discover more advanced techniques such as app hardening, white-box cryptography and software attestation for applications where security is crucial. You should gain a good understanding of the problem, some short-term practical tips to improve your API security posture with minimal effort, and an appreciation of emerging tools and technologies that enable a significant step change in security.
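As an added illustration of the TLS pinning point above (this is example code written for this page, not Richard's slides or CriticalBlue's code), the following Kotlin snippet pins an OkHttp client to the SubjectPublicKeyInfo hashes of an API host and treats a pin mismatch as a distinct failure rather than as a generic network error. The host name `api.example.com`, the two pin strings and the function names are placeholders and assumptions; the `okhttp3` API calls (`CertificatePinner.Builder`, `OkHttpClient.Builder.certificatePinner`) are real.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

// Placeholder host and pins (constructed for this example). Each pin is the
// base64 SHA-256 of the server's SubjectPublicKeyInfo, prefixed "sha256/".
// Pin at least one backup key so a key rotation does not brick the app.
const val API_HOST = "api.example.com"
const val PRIMARY_PIN = "sha256/REPLACE_WITH_CURRENT_SPKI_HASH_BASE64="
const val BACKUP_PIN = "sha256/REPLACE_WITH_BACKUP_SPKI_HASH_BASE64="

// Build an OkHttpClient that refuses any TLS connection to API_HOST whose
// certificate chain does not contain one of the pinned public keys.
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PRIMARY_PIN)
        .add(API_HOST, BACKUP_PIN)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}

// Outcome of a pinned request: success, a pin mismatch (possible
// interception, or a server key rotated without a matching pin), or
// some other transport failure.
sealed class ApiResult {
    data class Ok(val body: String) : ApiResult()
    object PinMismatch : ApiResult()
    data class Failure(val cause: Throwable) : ApiResult()
}

// Issue a GET to the pinned host. OkHttp throws SSLPeerUnverifiedException
// when the pin check fails; that case is separated out so the app can log
// it and stop sending credentials instead of silently retrying.
fun fetch(client: OkHttpClient, path: String): ApiResult {
    val request = Request.Builder().url("https://$API_HOST$path").build()
    return try {
        client.newCall(request).execute().use { resp ->
            ApiResult.Ok(resp.body?.string().orEmpty())
        }
    } catch (e: SSLPeerUnverifiedException) {
        ApiResult.PinMismatch
    } catch (e: Exception) {
        ApiResult.Failure(e)
    }
}

// Example use (hypothetical endpoint path):
// when (val r = fetch(pinnedClient(), "/v1/status")) {
//     is ApiResult.Ok -> println(r.body)
//     ApiResult.PinMismatch -> println("pin mismatch: not sending credentials")
//     is ApiResult.Failure -> println("network error: ${r.cause}")
// }
```

When the pin does not match, OkHttp's exception message lists the `sha256/` pins of the chain actually presented, which is the usual way to obtain the correct value for a server you control during development. Pin the public key rather than the leaf certificate so that routine certificate renewal under the same key does not break clients, and ship a backup pin for the next key before rotating. On Android the same pins can alternatively be declared in a `res/xml/network_security_config.xml` `<pin-set>` so that every HTTPS stack in the app enforces them, not only OkHttp.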
How to Keep Your API Keys Safe
Richard is CTO of CriticalBlue, a UK technology company specializing in mobile app security. He started his career as a developer specializing in compiler technologies, with a particular focus on low-level code optimization techniques. In 2002 he co-founded CriticalBlue to focus on his innovations in compilation technologies, developing tools that automatically generate custom microprocessor architectures derived from software analysis. Over the years this technology became increasingly focused on multi-threaded software analysis for migrating sequential software implementations into multi-threaded alternatives. Richard developed a dynamic binary instrumentation technology to analyse x86, ARM, MIPS and PowerPC compiled applications on the fly to derive low-level performance, cache impact and data dependency information. This technology was used in performance optimization of the Android Operating System for certain OEMs. Aspects of this technology have now been applied to CriticalBlue's Approov mobile application security solution, which enables remote attestation to be performed on mobile apps so that API providers can ensure that only official apps are able to access API services.