Approov offers free pinning generator tool to protect against automated attacks on APIs – Help Net Security


Approov introduced the Mobile Certificate Pinning Generator, a free tool to help mobile-first companies make Man-in-the-Middle (MitM) attacks targeting mobile app APIs a thing of the past. It enables organizations to simplify what has long been a complex and little understood recommendation: certificate public key pinning.

Without certificate pinning, a TLS connection is only as trustworthy as the trust store on the client device. An attacker who can add a certificate to that store, which is routine on a device they control, can intercept the app's traffic. Interception is also possible if any trusted Certificate Authority (CA) issues a fraudulent certificate for the API hostname, since the app will accept it and the backend server can be impersonated.

The Open Web Application Security Project (OWASP) recommends: “You should pin anytime you want to be relatively certain of the remote host’s identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.”

However, recent research, including the app studies Alissa Knight describes below, finds that certificate pinning is not widely used, even in critical industry verticals such as financial services and healthcare.

Certificate public key pinning lets an app check the identity of the server it connects to against a key it already knows, so a certificate for the API hostname backed by any other key, even one issued by a trusted CA, is rejected. Pinning is widely recognized as an effective defense against MitM attacks, and in recent years both Google and Apple have built it directly into their mobile operating systems (Android's Network Security Config from Android 7.0, and iOS's NSPinnedDomains from iOS 14). Producing the correct pinning configuration has nonetheless remained complicated, and this is what the new free tool addresses.

Cybersecurity researcher Alissa Knight said: “In my research on the security of financial and health care apps, Woman in the Middle attacks were a primary attack surface I could exploit, since in all cases pinning was not implemented and its absence was easy to exploit. I could use the information gained to mount automated attacks on APIs. Pinning the channel between mobile apps and their APIs should be a priority for all mobile-first companies, and would make it much harder for attackers to exploit their mobile apps to exfiltrate sensitive data on them and their customers.”

The pinning generator tool

The tool simplifies the creation and ongoing management of pinning configurations for mobile apps, ensuring configurations are consistently and correctly generated across Android and iOS.

The free tool from Approov lets organizations deploy pinning across Android and iOS apps more easily, and includes guidelines for managing the configuration over time.

The tool can extract pins automatically from live API endpoints and from certificates supplied in a wide range of formats, and emits them in the exact form Android and iOS expect, ready to be pasted into the app's configuration.
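The pin format behind both platforms is the same: a base64-encoded SHA-256 of the server certificate's DER-encoded SubjectPublicKeyInfo, placed in Android's Network Security Config or in the NSPinnedDomains dictionary of an iOS Info.plist. The script below is an added example written for this article, not Approov's tool or any code from it. It computes that pin from a PEM or DER certificate with a minimal standard-library DER walk and emits both configurations, including the backup pin and the Android expiration date that make a static pin set survivable at rotation time. It runs on a constructed certificate stub for the hypothetical host api.example.com; the key material inside the stub is filler, not a real key.

```python
"""Added example (not Approov's tool): derive SPKI SHA-256 pins from an X.509 certificate
and emit native Android / iOS pinning config. Stdlib only; runs on a constructed DER stub."""
import base64
import hashlib
import re

def _tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, header = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    return tag, pos + header, pos + header + length

def spki_from_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included). Certificate ::= SEQUENCE { tbsCertificate, ... };
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, spki, ... }"""
    tag, pos, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, pos, _ = _tlv(cert_der, pos)                   # step into tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                                     # explicit [0] version present: skip it
        pos = end
    for _ in range(5):                                  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]

def load_cert(data):
    """Accept PEM or raw DER bytes; return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def spki_pin(cert_bytes):
    """pin = base64(SHA-256(DER SPKI)), the value Android NSC and iOS NSPinnedDomains expect."""
    return base64.b64encode(hashlib.sha256(spki_from_der(load_cert(cert_bytes))).digest()).decode()

def android_network_security_config(domain, pins, expiration=None, include_subdomains=True):
    """res/xml/network_security_config.xml (Android 7.0+). A backup pin for a key not yet deployed
    lets the server rotate without an app update; expiration (yyyy-MM-dd) stops enforcing stale pins."""
    if len(pins) < 2:
        raise ValueError("provide the current pin and at least one backup pin")
    exp = f' expiration="{expiration}"' if expiration else ""
    pin_lines = "\n".join(f'            <pin digest="SHA-256">{p}</pin>' for p in pins)
    return (f'<?xml version="1.0" encoding="utf-8"?>\n<network-security-config>\n    <domain-config>\n'
            f'        <domain includeSubdomains="{str(include_subdomains).lower()}">{domain}</domain>\n'
            f'        <pin-set{exp}>\n{pin_lines}\n        </pin-set>\n    </domain-config>\n'
            f'</network-security-config>\n')

def ios_pinned_domains(domain, pins, include_subdomains=True):
    """Info.plist NSAppTransportSecurity/NSPinnedDomains fragment (iOS 14+). NSPinnedLeafIdentities
    pins the leaf key; NSPinnedCAIdentities would pin an issuing CA's key instead."""
    if len(pins) < 2:
        raise ValueError("provide the current pin and at least one backup pin")
    entries = "\n".join(f"        <dict><key>SPKI-SHA256-BASE64</key><string>{p}</string></dict>" for p in pins)
    sub = "<true/>" if include_subdomains else "<false/>"
    return (f"<key>NSAppTransportSecurity</key>\n<dict>\n  <key>NSPinnedDomains</key>\n  <dict>\n"
            f"    <key>{domain}</key>\n    <dict>\n      <key>NSIncludesSubdomains</key>\n      {sub}\n"
            f"      <key>NSPinnedLeafIdentities</key>\n      <array>\n{entries}\n      </array>\n"
            f"    </dict>\n  </dict>\n</dict>\n")

def _der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert(seed=0):
    """Constructed, unsigned X.509 stub for the hypothetical host api.example.com. Key bits and
    signature are filler; a different seed stands in for a different key pair. Returns (cert, spki)."""
    rsa_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"api.example.com"))      # CN attribute
    name = _der(0x30, _der(0x31, cn))
    key_bits = b"\x00" + bytes((i + seed) & 0xFF for i in range(256)) + b"\x01\x00\x01"   # >127 B: long-form length
    spki = _der(0x30, rsa_alg + _der(0x03, key_bits))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + b"\x55" * 256)), spki

def to_pem(cert_der):
    """Wrap DER as PEM, the form openssl s_client -showcerts or a CA portal hands you."""
    b64 = base64.b64encode(cert_der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n").encode()

if __name__ == "__main__":
    current_cert, _ = build_sample_cert(seed=0)          # key serving production today
    backup_cert, _ = build_sample_cert(seed=7)           # next key: generated, kept offline, not yet deployed
    pins = [spki_pin(to_pem(current_cert)), spki_pin(backup_cert)]
    print(android_network_security_config("api.example.com", pins, expiration="2025-01-01"))
    print(ios_pinned_domains("api.example.com", pins))
```

Against a real endpoint, feed it the leaf certificate (or the issuing CA's certificate, if you would rather pin one level up) obtained with `openssl s_client -connect api.example.com:443 -showcerts`. The equivalent one-liner is `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`, and the two must agree before the pin goes anywhere near a release. Pinning the leaf ties the app to that exact key pair, so the backup key must be generated, and its pin shipped, before the rotation it is meant to cover. None of this constrains an attacker who has instrumented the app on a device they control; that is the gap the Frida detection mentioned further down is meant to cover.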

The limitations of static pinning

Some DevOps teams are reluctant to deploy certificate pinning because server certificates, and eventually the keys behind them, change. When the pinned key changes, the app must ship a new version, with a risk of downtime and of some users never upgrading. This is because the pin set compiled into the app is static and can only be updated by an app release. Shipping a backup pin for a key that is not yet in service covers a planned rotation, but an unplanned key compromise still forces an emergency app update.

Moreover, the native pinning mechanism that the generated configuration relies on may not be available on the full range of operating system versions the app needs to support.

Security-aware organizations are deploying the Approov solution, which protects against automated attacks on APIs, but also manages pinning using an innovative dynamic approach.

The Approov API Threat Protection Platform provides:

  • Full dynamic pinning capability: pins can be updated over-the-air as required without the risk of app downtime due to a certificate change,
  • Pinning implementations across a wide range of frameworks supporting Android 5 or iOS 10 and above, and
  • Advanced detection of Frida and other invasive tools, ensuring the server side can thwart attempts to bypass pinning for MitM analysis.

Anatomy of mobile app API attacks

Attacks enabled by MitM analysis are a real and growing security threat to mobile apps and APIs. They are conducted as follows:

  • The attacker intercepts traffic between mobile app and API using a proxy tool.
  • The attacker harvests API keys, tokens and other secrets from the decrypted traffic, along with the request format needed to call the API.
  • Using the secrets and keys which have been harvested, the attacker creates a script which impersonates the app to the API and accesses unauthorized data.

“Mobile apps are — now more than ever — the lifeblood of organizations large and small,” said Approov CEO David Stewart. “Not pinning API connections is like leaving your front door open to MitM attackers, and organizations must act immediately to deploy pinning. Step one is to put a mechanical lock on the door which will deter many attackers, although it carries the risk of the key being lost or copied. Step two is to employ an electronic lock which can be instantly controlled and remotely configured. Based on our considerable experience of helping our customers, we are well qualified to help accelerate the elimination of MitM attacks completely.”
