When you hear about the recent devastating attacks involving smartphones, malware infection of Android/iOS comes naturally to mind. However, once you take a closer look at these mobile security incidents, you will be surprised to find that Android/iOS is not to blame. Incidents like the United Airlines mobile application hack, the Verizon FiOS app vulnerability (which exposed 5 million customer email addresses) and the Moonpig mobile application vulnerability (which exposed the data of 3.6 million customers) all point to the mobile API as the weakest link. Conventional web attacks are having a field day with mobile APIs. There is a general misconception amongst programmers that only the mobile application will ever use the exposed server functionality. There is a strong reliance on security by obscurity—the assumption that an attacker will not spend the effort to understand how the mobile application interacts with the server.
OWASP’s top mobile risk is “Weak Server Side Control”, which encompasses mobile APIs. Furthermore, at least half of OWASP’s top ten mobile risks are server-side issues.
Over the last few weeks, we made a random selection of web applications and examined their mobile API implementations. Unsurprisingly, a majority of the mobile APIs we examined had vulnerabilities and were peppered with bad practices, leaving them susceptible to run-of-the-mill web attack techniques that have been around for a long time. One would expect mobile APIs, which closely resemble web application APIs, to be implemented with security in mind, protecting against well-known and well-researched web attack techniques. However, our research sheds light on the sad state of mobile API security.
The vulnerabilities we found in mobile APIs range from simple technical attacks such as SQL injection and parameter enumeration to sophisticated business logic attacks such as data scraping. In some of the cases we found that after the first login, the user can freely switch to another user’s account without authorization, simply by enumerating parameters such as the account ID, and extract private/sensitive information from other accounts. Another discovery was the recurring lack of client automation detection. Like the Waze attackers, we were able to run an automated high-volume attack from our tools, enumerating account IDs and fetching account information, without any restrictions. The lack of basic security is a grave cause for concern, leaving the door open to brute force attacks on account credentials. We used the TOR network and anonymous proxies to hide the origin of our activity, sometimes deliberately switching geo-locations, and the services took no notice. In some cases we were able to extract information from arbitrary users’ accounts using simple parameter enumeration techniques.
The recent Security Research report from HP Enterprise concurs with our findings. HPE’s report shows that mobile applications are 250% more likely to suffer from API vulnerabilities than traditional web applications.
[Figure: HPE Security Research report]
Mitigation of these vulnerabilities is possible through existing mature security technologies already deployed in today’s web application arena, a Web Application Firewall (WAF) being the most useful one for mobile APIs. Using a WAF together with IP intelligence enables administrators to detect traffic originating from the TOR network or anonymous proxies, limit traffic origin to relevant geo-locations, identify technical attacks and client automation attempts, and provide superior protection.
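The account-ID enumeration described above comes down to an endpoint that checks only that the caller is logged in, never that the requested account belongs to the caller, and that never notices one client hammering it. The following is an added illustration (not code from the post or from any of the services examined) of that weak handler beside a hardened one that binds the account to the session user and rate-limits per client, complementing the WAF-side controls mentioned; the session table, account data and limits are constructed sample values.

```python
"""Mobile-API account lookup: the enumeration-prone handler beside a hardened one.

Constructed in-memory stand-in for a backend; no web framework required.
"""
import time
from collections import defaultdict, deque

# Constructed sample data: session tokens bound to user ids, accounts keyed by account id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com"},
    1002: {"owner": "bob", "email": "bob@example.com"},
}


def get_account_vulnerable(token, account_id):
    """Authenticates the caller but never checks ownership: any valid session
    can read any account id, which is exactly what parameter enumeration abuses."""
    if token not in SESSIONS:
        return 401, None
    account = ACCOUNTS.get(account_id)
    return (200, account) if account else (404, None)


class RateLimiter:
    """Sliding-window request limit per client key (source IP or session)."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window_s=60)  # constructed: 5 lookups per minute per client


def get_account_hardened(token, account_id, client_ip, now=None):
    """Authenticate, rate-limit, then authorize: the account must belong to the session user."""
    now = time.time() if now is None else now
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    if not LIMITER.allow(client_ip, now):
        return 429, None  # automated high-volume lookups stop here
    account = ACCOUNTS.get(account_id)
    # Same 404 for missing and foreign accounts, so responses do not reveal which ids exist.
    if account is None or account["owner"] != user:
        return 404, None
    return 200, account
```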