Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.

Published byPhillip Johnson Modified over 9 years ago

Similar presentations

Presentation on theme: "Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway."— Presentation transcript:

1 Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway

2 About me Co-founder of Vordel (SOA/API Gateways) –Acquired by Axway in 2012 VP Innovation at Axway Based in Boston, MA Blog: www.soatothecloud.comwww.soatothecloud.com 2

3 Agenda APIs for Mobile –“Digital Business” Security issues for APIs –Data harvesting –API Key sniffing –Insecure use of plain HTTP OAuth –What can go wrong? –OAuth model applied to Mobile Solutions –API Management –“Certificate Pinning” 3

4 “Digital Business” Creating new channels for revenue –Cloud, Mobile, Social –Over 3 hours per day on smartphones [Analysys Mason]

5 5 Where do APIs fit in? Enabling mobile apps Health Records… Utility Metering…Payments All get their data through APIs

6 APIs – A soft underbelly? Security vulnerabilities related to APIs

7 API Security Axway #APIWorkshops

8 Identity - Key Users often allow the app to interact with APIs on their behalf e.g. call the Twitter API to send tweets Protection of OAuth credentials is important “Permission-based Web”

9 +--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+ OAuth Actor Model applied to Mobile: Count the credentials… App Developer Resource Owner Authorization Server Resource Server Client API Business Owner The App The User The API Developer Portal Developer Portal CredentialsClient API CredentialsResource Owner Credentials Access TokenRefresh Token

10 More API Misuse – Why throttling is needed

11 Insecure use of plain HTTP Source: http://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html 11

12 Weak API Key Authentication 12 Problem: API Keys are often simply passed in URLs &APIKey=123456 Vulnerable to sniffing if SSL isn’t used (often it is not..) Amazon uses two keys: Secret Key ID to perform HMAC signing With detection of replay attacks Access Key ID to identify the client

13 Self-service internal and external developers to use APIs Manage and Secure API, SOA and XML traffic API Portal API GatewayAPI Manager Publish and Manage API Consumption by internal and external partners Enter API Management… On Premise

14 API First Axway #APIWorkshops The API is the contract …And the product WSDL is the Contract Backend App is the Product APIs SOA/ESB Courtesy of Kevin Kohut, Accenture ( @Kkohut )

15 API Catalog Lifecycle Management of APIs Versioning “Single Store of Truth” The API Catalog is the modern-day Registry Repository Version Lifecycle Info

16 Self Service Self-Service Developer Enrollment Registration workflows

17 In-place API Testing Test-as-you-go “Try it out” for API Methods Including using API Keys…

18 Stakeholders in API Management Client Applications REST API SOAP/XML/REST/JSON API Manager Services Applications Data Application Developers API Portal API API Registration & Lifecycle API Catalog Partner & Policy Administration Self-Service API consumption Build developer community New channel to market brand API Developers API Administrators Self-register to resources Browse and learn APIs Manage application credentials RESTREST SOAP Web Services POX, JMS, FTP Integration with non- REST API services Policy Enforcement API Gateway Register and manage API lifecycle Perform partner, policy and process admin Monitor and report API use Policy Developers Create and extend policies Integrate with applications and infrastructure

19 Managing mobile app access to APIs 19

20 Mobile App Monitoring in Action 20

21 Managing API Keys and OAuth 21

22 Quota Management for APIs 22 Managing usage quotas for APIs on an app-by-app basis

23 Certificate Pinning 23 Problem: API Keys are vulnerably when stored on the client Solution: “Certificate Pinning”: Leverages native mobile OS support for protecting certificates Uses Mutual SSL End-user credentials (e.g. username/password) then sent over this Mutual SSL connection

24 Further questions 24 @Axway @TheMarkONeill Visit us at the Axway Booth Thank you!

Download ppt "Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway."

Similar presentations

Managing Service-Oriented Architectures Jim Bole VP Professional Services Infravio, Inc. 408-861-3003 June 7,

Managing Service-Oriented Architectures Jim Bole VP Professional Services Infravio, Inc June 7,
The How of OAuth OAuth Hackathon – Six Apart

The How of OAuth OAuth Hackathon – Six Apart
Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
0 McLean, VA August 8, 2006 SOA, Semantics and Security.

0 McLean, VA August 8, 2006 SOA, Semantics and Security.
Govern the Flow of Data: Moving from Chaos to Control

Govern the Flow of Data: Moving from Chaos to Control
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1.

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1.
Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
Oracle IDM at First National Bank

Oracle IDM at First National Bank
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Securing Insecure Prabath Siriwardena, WSO2 Twitter

Securing Insecure Prabath Siriwardena, WSO2 Twitter
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
quick audience poll an IT Pro or a developer or neither?

quick audience poll an IT Pro or a developer or neither?
CONFIDENTIAL & PROPRIETARY 1 WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan.

CONFIDENTIAL & PROPRIETARY 1 WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

Similar presentations

Ads by Google