Can I verify that an API call is coming from a mobile app?

Time:08-31

We are building a very small API that receives winning contest entries for prize fulfillment. The data we are receiving is:

  • account ID (members know their account IDs)
  • prize ID
  • address
  • consent
  • date

Here is the problem... If someone dissects the mobile app, they could theoretically locate prize IDs and their account ID, and submit fictitious winning entries to our API.

The submissions are coming from a mobile app. So we can't restrict the API to a specific IP address or anything.

I am not developing the actual app, just the API. The API will likely be programmed using PHP.

Is there a way to prevent someone from submitting fictitious contest entries?

Notes:

I found similar questions asked, but they mostly don't have a solid answer or they were asked years ago. I'm wondering if anything has changed since they were answered.

We have one solution, but it requires a second API call coming from the app's server. I'm hoping there is a simpler solution.

Edit 1: Users are logged into their app, but the only piece of data we are receiving is their member ID.

Edit 2: I don't actually know what is determining the winner. I am not developing this part of the app. I hope it's not being done client side.

CodePudding user response:

No matter what you do, it will always be falsifiable. All you can do is authenticate your users with email and password, but as far as I understand this is the registration process and anyone can register. All you can do is add a captcha, so they will at least register manually instead of automatically. You can add an API key to the app, but it will be easy to steal from the HTTP request. You can add a private key to the app to sign each request, with some protection against replay attacks, and it will be somewhat harder to steal the private key, but it will be possible by dissecting the app. So you can make it a little harder, but this is a security problem, not a technical one, and there is no good solution. You need to check the risks: what happens when they do it, what are the consequences, is there an alternative way to detect it, is there a workaround, e.g. personal registration, or registration with an FB account only, etc.
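The scheme sketched in this answer (a key shipped inside the app that signs each request, plus replay protection) and its limit are shown below. This is an added example, not code from the question or the answer; the key name, the JSON field names, the 5-minute window and the in-memory nonce store are assumptions. The server side is written in Python rather than the PHP the asker plans to use, because the checks are the same in any language.

```python
"""Request signing with an app-embedded key, plus timestamp/nonce replay protection.

Added example (not from the original post). Models the answer's scheme and
shows where it stops: once APP_SECRET is extracted from the app binary, the
attacker can sign a fictitious entry that verifies exactly like a genuine one.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: this key is compiled into the mobile app. Anyone who reverse
# engineers the APK/IPA can recover it, as the answer points out.
APP_SECRET = b"example-app-secret-do-not-ship-like-this"
MAX_SKEW_SECONDS = 300  # assumed acceptable clock skew / replay window


def canonical(body: dict) -> bytes:
    """Stable serialisation so client and server HMAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(body: dict, secret: bytes, now: Optional[int] = None) -> dict:
    """Client side: attach timestamp and nonce, then HMAC over the whole body."""
    signed = dict(body)
    signed["ts"] = int(time.time()) if now is None else now
    signed["nonce"] = secrets.token_hex(16)
    sig = hmac.new(secret, canonical(signed), hashlib.sha256).hexdigest()
    return {"body": signed, "sig": sig}


class Verifier:
    """Server side. Remembers nonces seen inside the time window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen: Dict[str, int] = {}  # nonce -> ts; use Redis/DB in production

    def verify(self, req: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        body, sig = req.get("body", {}), req.get("sig", "")
        expected = hmac.new(self.secret, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare; a tampered body changes the expected digest.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        ts, nonce = body.get("ts"), body.get("nonce")
        if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale or missing timestamp"
        if not isinstance(nonce, str) or nonce in self.seen:
            return False, "replayed or missing nonce"
        # Drop nonces that have aged out of the window, then record this one.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW_SECONDS}
        self.seen[nonce] = ts
        return True, "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the cases a practitioner cares about; returns the verdicts."""
    server = Verifier(APP_SECRET)
    # Constructed sample entry with the fields named in the question.
    entry = {"account_id": 1234, "prize_id": 42, "address": "1 Example St", "consent": True}

    genuine = sign_request(entry, APP_SECRET, now)
    ok_first, _ = server.verify(genuine, now)
    ok_replay, _ = server.verify(genuine, now)  # same nonce, second time

    tampered = json.loads(json.dumps(genuine))
    tampered["body"]["prize_id"] = 99  # change the prize, keep the old signature
    ok_tampered, _ = server.verify(tampered, now)

    stale = sign_request(entry, APP_SECRET, now - 3600)
    ok_stale, _ = server.verify(stale, now)

    # The limit: an attacker who pulled APP_SECRET out of the app signs a
    # fictitious entry that is indistinguishable from the genuine app's.
    forged = sign_request({**entry, "prize_id": 99}, APP_SECRET, now)
    ok_forged, _ = server.verify(forged, now)

    return {"genuine": ok_first, "replay": ok_replay, "tampered": ok_tampered,
            "stale": ok_stale, "forged_with_extracted_key": ok_forged}


if __name__ == "__main__":
    print(demo())
```

The last case is the point of the answer: signing and replay protection stop casual tampering and request replays, but they cannot tell the server whether the signer is the app or a script holding the same extracted key.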

CodePudding user response:

Your Problem

If someone dissects the mobile app they could theoretically locate prize IDs, their account ID, and submit fictitious winning entries to our API.

Reverse engineering a mobile app isn't hard, because nowadays a lot of open source tools exist to automate this for us, to the point that even non-developers can do it. You can see how easy it is by following the example in an article I wrote to show How to Extract an API key from a Mobile App with Static Binary Analysis:

The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus on using the Mobile Security Framework (MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

During this article we will use the Android Hide Secrets research repository that is a dummy mobile app with API keys hidden using several different techniques.

With all the prize IDs identified from reverse engineering the mobile app with the MobSF framework, it's time to perform a MitM attack to learn how the API requests are made. MitM attacks are also easy to perform, and you can learn how to do one by reading my article that shows how to Steal that Api Key with a Man in the Middle Attack:

In order to help demonstrate how to steal an API key, I have built and released on GitHub the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

Now that you know the prize IDs, how the mobile app makes the API requests and what the responses look like, it will be easy to replicate and automate such requests with a script. In fact mitmproxy and all the other tools allow you to save the API requests to replicate them later.

User authentication alone will not be enough to solve your problem of preventing the submission of fictitious winning entries to your API backend, because it only tells who is in the request made to your API backend, but your backend also needs to have a very high degree of confidence that what is doing the API request is indeed a genuine and unmodified instance of the mobile app uploaded to the Android and iOS app stores. In the article Why Does Your Mobile App Need An Api Key? you can read in more detail about the difference between who and what is accessing your API server:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

So think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request on behalf of the user.

After you understand this idea and it is ingrained in your mindset, you will look at mobile API security from another perspective, and you will be able to see attack surfaces that you never thought could exist.

Possible Solutions

Is there a way to prevent someone from submitting fictitious contest entries?

It's not easy, but it's possible to achieve with a very high degree of confidence. The degree of success will depend on the solution(s) you decide to adopt from reading this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

Mobile App Attestation is the solution that will give the highest degree of confidence to your API server that the API request is from what it expects: a genuine and unmodified mobile app, one that is not under attack or has not been tampered with.

I know you may not be in control of this, but no matter what security solution(s) are adopted, it would be wise to not have the mobile app deciding the prize winners, because anything that runs on the client side can be tampered with at runtime, including business logic. One of the best tools to tamper with a mobile app during runtime is Frida:

Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
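The advice above not to let the mobile app decide the prize winners can be made concrete on the API side: the contest server draws the winner and issues a signed, single-use win token bound to the account and prize, and the fulfilment API accepts an entry only with a valid token. Below is an added example of that check, not code from the question or the answer; the token format, field names, 7-day TTL and in-memory redeemed-token store are assumptions, and the server key never ships in the app. It is in Python rather than the asker's PHP, since the verification steps are language-independent.

```python
"""Server-side winner decision as a single-use, signed win token.

Added example (not from the original post). A member who knows their account ID
and a prize ID, or who extracted a key from the app, still cannot submit an
entry the fulfilment API will accept without a token the server issued.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

SERVER_KEY = b"server-only-key-never-in-the-app"  # assumption: held only server-side
TOKEN_TTL = 7 * 24 * 3600  # assumed validity of a win token in seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_win_token(account_id: int, prize_id: int, key: bytes, now: Optional[int] = None) -> str:
    """Called by the contest server after *it* has drawn the winner."""
    now = int(time.time()) if now is None else now
    claims = {"acct": account_id, "prize": prize_id, "exp": now + TOKEN_TTL,
              "jti": secrets.token_hex(8)}  # jti = unique id for single-use tracking
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


class FulfilmentAPI:
    """What the prize-fulfilment endpoint checks before accepting an entry."""

    def __init__(self, key: bytes):
        self.key = key
        self.redeemed = set()  # jti values already used; a DB table in production

    def submit_entry(self, entry: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        token = entry.get("win_token", "")
        try:
            p64, t64 = token.split(".")
            payload, tag = _unb64(p64), _unb64(t64)
        except (ValueError, TypeError, AttributeError):  # binascii.Error is a ValueError
            return False, "malformed token"
        # 1. Signature: only the server key produces a matching tag.
        good = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return False, "bad token signature"
        claims = json.loads(payload)
        # 2. Binding: the token must be for exactly this account and prize.
        if claims["acct"] != entry.get("account_id") or claims["prize"] != entry.get("prize_id"):
            return False, "token does not match entry"
        # 3. Freshness and single use.
        if now > claims["exp"]:
            return False, "token expired"
        if claims["jti"] in self.redeemed:
            return False, "token already redeemed"
        self.redeemed.add(claims["jti"])
        return True, "accepted"


def demo(now: int = 1_700_000_000) -> dict:
    """Run the genuine flow and the abuse cases from the question; return verdicts."""
    api = FulfilmentAPI(SERVER_KEY)
    token = issue_win_token(1234, 42, SERVER_KEY, now)
    # Constructed entry with the fields listed in the question.
    base = {"account_id": 1234, "prize_id": 42, "address": "1 Example St", "consent": True}

    genuine, _ = api.submit_entry({**base, "win_token": token}, now)
    replay, _ = api.submit_entry({**base, "win_token": token}, now)
    # Member knows their account ID and a prize ID but holds no token for it.
    no_token, _ = api.submit_entry({**base, "prize_id": 7}, now)
    # Real token reused against a different prize.
    swapped, _ = api.submit_entry({**base, "prize_id": 7, "win_token": token}, now)
    # Token minted with a key pulled from the app; the server key never shipped.
    forged_tok = issue_win_token(1234, 7, b"key-extracted-from-the-apk", now)
    forged, _ = api.submit_entry({**base, "prize_id": 7, "win_token": forged_tok}, now)
    expired, _ = FulfilmentAPI(SERVER_KEY).submit_entry(
        {**base, "win_token": token}, now + TOKEN_TTL + 1)
    return {"genuine": genuine, "replay": replay, "no_token": no_token,
            "swapped_prize": swapped, "forged_with_app_key": forged, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

This does not try to attest the app; it removes the need to trust it for the one decision that matters here, which is the approach the answer recommends regardless of what client-side hardening is added.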
