Identity-based and social engineering attacks are surging in 2024. Stolen credentials give hackers immediate access and control… and an instant path to stealing data and orchestrating ransomware attacks. Credential stuffing attacks are the method of choice for hackers, so what are the steps you need to take to prevent them?
This blog lays out the steps that mobile developers and security professionals must take to stop credential stuffing attacks and better protect mobile apps… and APIs.
What is Credential Stuffing?
Credential stuffing usually uses stolen login and password data to access user accounts. This data may be obtained by social engineering methods such as convincing users to share protected data, by direct exfiltration using malware tools, or by purchasing it on the dark web. In essence these are brute force attacks that try out username/password pairs until some of the combinations work.
In fact, attackers don’t even need leaked, compromised, or stolen credentials. If an attacker can work out the format of username/password pairs used by legitimate users of the app, and acquire the address of the server or API which is used, all they need is to build an automated tool to send credential guesses to the targeted server. “Password spraying” is a term used for attacks which try common passwords across multiple accounts in an effort to find a combination that works.
OWASP describes Credential Stuffing as “the automated injection of breached username/password pairs to fraudulently gain access to user accounts.”
With a match achieved, the attacker can then execute the next step of the attack, performing an account takeover on the victim’s account.
Some organizations try to stop credential stuffing attacks at the network level, hoping to spot an attacker sending malicious requests to the server. But attacks are getting more sophisticated and attackers rotate their IP addresses and Device IDs, and they use fake devices, emulators and more to hide their tracks. Network level protections are not an effective way to stop credential stuffing attacks.
Anatomy of a Mobile Credential Stuffing Attack
Sophisticated hackers build attacks in stages, and here's how credential stuffing or Account Takeover (ATO) attacks typically work in mobile apps:
1. Obtaining Credentials: Attackers acquire large lists of username/password combinations from previous data breaches or the dark web. These credentials may not be from the targeted mobile app itself, but from other breached services. An attacker may not even need passwords: email addresses and password guesses may be enough.
2. Automated Login Attempts: Attackers use automated tools, bots, or scripts to attempt logins on the mobile app's authentication endpoints. These tools can try thousands of login attempts per second. All the information needed to carry out the attack can be found inside the mobile app itself.
3. Bypassing Security Measures: The basic approach can be turned into advanced attacks by using techniques to bypass security measures such as:
- Distributing login attempts across multiple IP addresses
- Mimicking legitimate user behavior
- Using device emulators or simulators to appear as genuine mobile devices
4. Successful Account Access: Even with a low success rate (often less than 1%), the sheer volume of attempts can lead to a handy collection of compromised accounts for the attacker.
5. Exploiting API Vulnerabilities: Attackers may also extract API endpoints, API keys and server information from the mobile app itself. This information is used to direct the automated login attempts to the correct servers. Well known API vulnerabilities such as BOLA can be tested to see if different users' data can be accessed.
6. Account Takeover: Once access is gained, attackers can:
- Extract personal information
- Make unauthorized transactions
- Use the account for further malicious activities including ransomware attacks
7. Scaling the Attack: Successful credentials are often used to attempt logins on other services, exploiting password reuse.
Credential stuffing attacks on mobile apps are particularly dangerous because they can exploit the app's own API and authentication mechanisms, making them harder to detect and prevent compared to web-based attacks.
How to Prevent Mobile Credential Stuffing and Password Spraying Attacks
Let's break down the types of defenses that must be in your plan of action. The steps to take are as follows, effectively in order of importance:
- User Education
- Take Steps to Protect Passwords
- Continuous Monitoring
- Implement Zero Trust Run Time Protection
The first two alone do not provide adequate defense and the third is only useful if there is an ability to act immediately on intelligence gathered. Only the fourth on the list is truly effective in blocking attacks. We will look closer in the following sections.
1. User Education
First on our list is to take every opportunity to educate your users about the risks of bad password hygiene and how to avoid them, including:
- The risks of password reuse
- Using password managers
- Encouraging the use of MFA on their accounts
- How to recognize phishing attempts
2. Take Steps to Protect Passwords
Next on our list is to take care to protect passwords everywhere they are stored and communicated. This will include:
- Implement strong authentication measures (e.g., MFA, biometrics)
- Use encryption for stored credentials and API information. Best practice for mobile banking apps is to use AES-256 encryption to encrypt all usernames/passwords stored inside the app
- Use secure, HTTP-only cookies for session management
- Make sure the channels which mobile apps use to communicate with backend systems and APIs are encrypted and pinned in order to prevent MitM attacks from stealing passwords or derailing MFA.
3. Continuous Monitoring
You can't protect against what you cannot see. You need real-time visibility of threats against your apps so that you can track new and evolving threats, be alerted immediately when credentials are abused, and see brute force attacks as they unfold.
You should also monitor dark web forums for leaked credentials associated with your user base, to stay one step ahead of the hackers.
By gaining this visibility you will be able to see threats, in some cases before they become an issue. However, it is also essential to be able to act immediately; if you cannot, the data you have is worthless. It is also essential to think about service continuity: how do you continue to provide service to genuine customers when issues arise? You must be able to immediately isolate and block problematic accounts and devices, and you should be able to immediately rotate API keys and other secrets when they need to be changed. Your security team should also be able to update security policies immediately as they see new threats evolve.
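As an added illustration of the "see brute force attacks as they unfold" point (this is example code, not from the original post or from Approov), the following Python runs a simple detector over a few constructed backend login log lines: one source identity hitting many distinct accounts inside a short window is the stuffing/spraying signature, and a per-account failure counter alone would miss it. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample backend login log (not from the original post).
# Assumed format: "<ISO timestamp> src=<source id> user=<username> result=<ok|fail>"
SAMPLE_LOG = """\
2024-06-01T10:00:01 src=dev-a1 user=alice result=fail
2024-06-01T10:00:02 src=dev-a1 user=bob result=fail
2024-06-01T10:00:02 src=dev-a1 user=carol result=fail
2024-06-01T10:00:03 src=dev-a1 user=dave result=fail
2024-06-01T10:00:03 src=dev-a1 user=erin result=ok
2024-06-01T10:00:04 src=dev-a1 user=frank result=fail
2024-06-01T10:00:10 src=dev-b7 user=alice result=fail
2024-06-01T10:00:40 src=dev-b7 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def parse_line(line):
    """Return (timestamp, source, user, result), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, user, result = m.groups()
    return datetime.fromisoformat(ts), src, user, result

def detect_stuffing(log_text, window_s=60, min_attempts=5, min_users=4):
    """Flag each source that hits many distinct accounts within window_s seconds.
    Many accounts from one source is the stuffing/spraying signature; a
    per-account failure counter alone would miss it (few tries per account)."""
    events_by_src = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            ts, src, user, result = parsed
            events_by_src[src].append((ts, user, result))
    alerts = {}
    for src, events in events_by_src.items():
        events.sort()
        for start, _, _ in events:  # slide a window starting at each attempt
            window = [e for e in events if 0 <= (e[0] - start).total_seconds() <= window_s]
            users = {u for _, u, _ in window}
            if len(window) >= min_attempts and len(users) >= min_users:
                alerts[src] = {"attempts": len(window), "accounts": len(users),
                               "successes": sum(1 for _, _, r in window if r == "ok")}
                break
    return alerts
```

Calling `detect_stuffing(SAMPLE_LOG)` flags only `dev-a1`, including the one success that a low hit rate still yields; the single-user retries from `dev-b7` are left alone.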
4. Implement Zero Trust Run Time Protection
Making sure passwords are protected, and having a good Identity and Access Management (IAM) solution in place are essential first steps, but these are still not sufficient to prevent credentials being stolen and weaponized. You need to put in place transaction level validation at run time to prevent any credential abuse as it happens. Generally this means deploying app attestation and mobile Runtime Application Self Protection (RASP). Here are the protections such a solution can bring:
- Permit Only Trusted Mobile Apps to Connect to Your Backend Servers and APIs
Attackers modify apps and create scripts and fake apps to launch attacks. App attestation is a run time technique used to provide proof that an app is truly authentic and unmodified. The running app must prove itself to be genuine through a sequence of integrity measurements, and the result of this can be communicated to the backend servers as a token in every request. The server then inspects the token, and can immediately block any traffic from anything other than genuine apps.
Attackers can also manipulate the client environment at runtime to interfere with the operation of the app. The local client should never be trusted and should be continuously checked for the presence of malicious tools such as Frida or mitmproxy. Similarly, an effective way to prevent a mobile credential stuffing attack in Android and iOS apps is to prevent the app from running on emulators in virtualized environments. Again, the device attestation should take place continuously at run time, and the status can be incorporated in requests to the backend to allow easy and immediate elimination of problematic requests.
Most apps use a number of APIs and often the API endpoints and API keys are visible inside the logic of the app. Attackers are good at finding the server address, server passwords and API keys needed to launch a credential stuffing attack. You must get API keys and secrets out of your app code by using a solution which provides dynamic secrets protection and management, delivering API keys to apps only if they pass attestation checks. This type of solution also allows immediate rotation of secrets and certificates when they need to be updated.
- Block Man-in-the-Middle Attacks
Hackers can carry out MitM attacks on mobile apps and devices to extract credentials and keys, even if traffic is encrypted. Certificate pinning is your best defense against MitM attacks and a solution that implements dynamic pinning can make management easy and ensure service continuity.
How Approov Blocks Credential Stuffing
Authenticating both the user and the app is essential for securing back-end services and preventing brute force attacks from bots or scripts. This, along with two-factor authentication, provides a robust defense against scripted attacks. Approov Mobile Security performs an ongoing, deep inspection of mobile apps and the devices they are running upon, and based on this guarantees the authenticity of requests to backend APIs and services. Read the felyx customer testimonial about how they used Approov to stop credential stuffing attacks.
Approov ensures that only genuine mobile app instances, running in safe environments, can use your APIs, and blocks any credential stuffing attacks by scripts, bots, modified apps and fake apps. Only apps that have been registered with the Approov service and which meet the runtime environmental criteria are issued valid Approov tokens, which are JSON Web Tokens (JWTs). Approov tokens are signed with a custom secret known only to the Approov cloud service and the backend API. The secret is never contained within the app itself, so it cannot be extracted. App registrations can be added and revoked immediately in the Approov service, allowing tight control of which app versions can access your API.
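As an added illustration of the backend half of this scheme (example code, not Approov's own code or token format), the following Python shows an API verifying an HS256-signed JWT with a secret the app never holds. A tampered payload, an `alg` of `none`, an expired token, a wrong secret, or no token at all each cause the request to be refused. The secret value and the request header name are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. In practice it is shared only by the token issuer and
# this backend API and is never compiled into the mobile app.
SECRET = b"demo-secret-known-only-to-issuer-and-api"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(claims, secret=SECRET):
    """Issuer side, included only so the demo is self-contained: mint an HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token, secret=SECRET, now=None):
    """API side: return the claims if the token is genuine and unexpired, else None.
    Rejects malformed tokens, any alg other than HS256 (including 'none'),
    signatures that do not match (compared in constant time) and expired tokens."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now:
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    return claims

def authorize_request(headers, secret=SECRET, now=None):
    """Gate an API request: without a valid app token the request is refused."""
    token = headers.get("X-App-Token")  # header name is an assumption for the demo
    return token is not None and verify_token(token, secret, now) is not None
```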
Approov detects a full range of potentially unsafe mobile device environments including device rooting/jailbreaking, emulator or debugger usage, malicious instrumentation frameworks, and cloned apps. Customers can specify which policies should be enforced. Changes to security policies roll out immediately to active apps without the need to update the apps.
Approov also provides full protection against Man-in-the-Middle attacks by providing full pinning and dynamic certificate management to ensure service continuity. In order to allow dynamic and rapid reaction to changing threats, policies can be modified and certificates and pins can be updated over-the-air without the need to update and roll out new versions of an application.
Conclusion
Here is a quote from one of our customers: “Before integrating Approov, we were concerned about the risk of credential stuffing attacks on our shared e-moped platform. We realised that we needed an out-of-the-box security solution that enabled us to focus our resources and productivity on developing our core product. Approov provided the perfect solution to our problem.” - Arthur Bloemen, Head of Product and Technology at felyx.
Approov are experts on mobile app and API security. If you need protection against credential stuffing or any other threat contact us.