
Anatomy of a Hack

Hundreds of millions of API attacks occur each day, attempting to steal valuable data or goods, or to create accounts that can be exchanged for money. A typical attack sequence involves the following steps.

Analyze

Your app is used to set up an account, then reverse engineered to extract API keys and other secrets, while the API calls it makes through your HTTPS/TLS-protected channels are observed and manipulated.

Build

The attacker writes scripts or modified/hooked versions of your app to build spoofed but valid requests that suit their purposes.

Exploit

The attacker assembles a botnet and exploits your API, adjusting request rates and masking IP locations with VPNs to remain undetected.


Exposed API Keys and Other Secrets are Dangerous

API security solutions may employ API keys or client secrets to identify accounts and lock down access to the mobile client. Such secrets can be easily reverse engineered from app code, and then used in attacker scripts to spoof requests as if they were coming from the official mobile app.

Even if such secrets are protected at rest in the app code by obfuscation, they must still be sent to the backend API service, so they can be stolen in transit by a Man-in-the-Middle (MitM) attack.
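The first half of the problem described above is that a static key compiled into an app can be read back out of the binary. The check below is an added example written for this page, not Approov's code or tooling: it runs a `strings`-style extraction over a constructed byte blob standing in for an app binary and flags candidates by two signals, a credential-like label next to the value and the high entropy that random tokens have. The host name, key values and the entropy threshold are all assumptions for the demonstration; running the same scan over your own release build before shipping is the defender's version of the attacker's first step.

```python
import math
import re
from typing import List, Tuple

# Constructed stand-in for a compiled app binary: a few printable strings separated
# by non-printable bytes, the way `strings` would see them. Not a real app; the
# host name and both key values are made up for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    b"Welcome to the shop app\x00"
    b"https://api.example.com/v1/orders\x00"
    b"X-API-Key\x00"
    b"k9Tz2Qm8vR4LpX7bW3nC6jH1dF5sA0yE\x00"
    b"client_secret=s3cr3t_DEMO_value_9f8e7d6c\x00"
    b"\x00\x01\x02OK\x00Cancel\x00\xff\xfe\x00"
)

# Labels that commonly sit next to a credential in app code or config.
SECRET_LABEL = re.compile(r"(api[_-]?key|secret|token|password|auth)", re.IGNORECASE)


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character. A 32-char random token scores close to 5.0; URLs and
    English prose usually land around 4.0 or lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def find_secret_candidates(blob: bytes, entropy_threshold: float = 4.5) -> List[Tuple[str, str]]:
    """Return (reason, string) pairs for strings that look like embedded credentials.

    Signals: a label such as api_key/secret in the same string as an `=` assignment,
    a high-entropy value immediately following a label string, or a long
    high-entropy token with no label at all. The threshold is an assumption tuned
    for this sample; real scans need tuning against the app's own string table.
    """
    found: List[Tuple[str, str]] = []
    strings = extract_strings(blob)
    for i, s in enumerate(strings):
        prev = strings[i - 1] if i > 0 else ""
        value = s.split("=", 1)[1] if "=" in s else s
        if "=" in s and SECRET_LABEL.search(s):
            found.append(("labelled assignment", s))
        elif SECRET_LABEL.search(prev) and shannon_entropy(value) >= entropy_threshold:
            found.append(("value following secret label", s))
        elif " " not in value and len(value) >= 24 and shannon_entropy(value) >= entropy_threshold:
            found.append(("high-entropy token", s))
    return found


if __name__ == "__main__":
    for reason, s in find_secret_candidates(SAMPLE_BINARY):
        print(f"{reason}: {s}")
```

The entropy signal is deliberately set high enough that the URL in the sample is not reported; lowering it catches shorter tokens at the cost of false positives, which is the usual trade-off in secret scanners. A finding here means the value is recoverable by anyone with the app package, regardless of what TLS does for it in transit.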

Threats to Your Business from API Abuse

Exposure of secrets may result in very negative consequences for your business. There is a growing list of security threats that can be very damaging if you don't have protections in place.

Account Takeover

Form of identity theft using techniques like session hijacking, password cracking, or credential stuffing, which uses mass login attempts to verify the validity of stolen username/password pairs.

Fake Account Creation

Generation of fake accounts as a prelude to spamming, denial of service attacks, or credential stuffing attacks with stolen account info.

Denial of Service

Targets resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS), effectively preventing real customers from reaching the service or ruining the customer experience.

Credit Fraud

Multiple payment authorization attempts with small amounts, used to verify the validity of bulk stolen payment card data and to identify missing start/expiry dates and security codes by trying different values.

App Impersonation

Tampered or impostor app enabling an attacker to exploit and misdirect user actions and gather Personally Identifiable Information (PII) for future attacks or customer manipulation.

Man in the Middle

Intercepting and/or manipulating API traffic via a Man-in-the-Middle attack enables an attacker to gather Personally Identifiable Information (PII) or perform malicious actions through the API.

API Security Breach

Exploitation of any API security flaws to exfiltrate confidential enterprise or customer data or damage business operations.

Scraping

Collection of large amounts of data via APIs in order to reuse or resell that data, often by aggregating data from multiple sources to provide an unofficial alternate marketplace.
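Credential stuffing, as described under Account Takeover above, leaves a recognisable shape in login logs: many distinct usernames, mostly failing, from one source in a short span. The Exploit step earlier on this page notes that attackers spread the same campaign across a botnet and VPN exits to stay under per-IP thresholds, so the example below checks both views. It is an added example written for this page, not Approov's code; the log format, the sample events and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of login events, one per line, as an API gateway might log
# them: "<unix_timestamp> <source_ip> <username> <result>". Not real traffic.
# 203.0.113.10 tries eight different accounts in eight seconds (one succeeds);
# 198.51.100.7 is a single user who mistypes a password twice.
SAMPLE_LOG = """\
1700000000 203.0.113.10 alice FAIL
1700000001 203.0.113.10 bob FAIL
1700000002 203.0.113.10 carol FAIL
1700000003 203.0.113.10 dave OK
1700000004 203.0.113.10 erin FAIL
1700000005 203.0.113.10 frank FAIL
1700000006 203.0.113.10 grace FAIL
1700000007 203.0.113.10 heidi FAIL
1700000100 198.51.100.7 alice FAIL
1700000105 198.51.100.7 alice FAIL
1700000110 198.51.100.7 alice OK
"""

Event = Tuple[int, str, str, str]  # (timestamp, source_ip, username, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (ts, ip, user, result) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result))
    return events


def stuffing_sources(events: List[Event], window: int = 60,
                     min_users: int = 5, min_fail_ratio: float = 0.5) -> Dict[str, Dict[str, int]]:
    """Per source IP: the first sliding window (in seconds) in which at least
    min_users distinct accounts were tried and most attempts failed. A single
    user retrying a forgotten password never trips this, because the distinct
    username count stays at one."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                alerts[ip] = {"attempts": len(span), "distinct_users": len(users), "failures": fails}
                break
    return alerts


def spray_across_sources(events: List[Event], window: int = 60,
                         min_users: int = 5) -> List[Tuple[int, int]]:
    """Ignore the source IP entirely: count distinct usernames with a failed login
    per fixed window. This sees the same campaign when it is rotated through many
    exit addresses, which the per-IP check above would miss."""
    buckets: Dict[int, set] = defaultdict(set)
    for ts, _ip, user, result in events:
        if result == "FAIL":
            buckets[ts // window * window].add(user)
    return sorted((b, len(u)) for b, u in buckets.items() if len(u) >= min_users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source:", stuffing_sources(evs))
    print("cross-source:", spray_across_sources(evs))
```

Both checks are rate-insensitive in the sense the Exploit step cares about: slowing the requests down only widens the window the attacker has to stay inside, and the distinct-username signal survives IP rotation because it is counted without reference to the source.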

Request a Demo

Give us 30 minutes and our security experts will show you how to protect your revenue and business data by deploying Approov to secure your mobile apps and your.

Get a Trial

Approov offers a complimentary 30 day trial (no credit card necessary) to give you immediate and valuable insight into the security risks of your mobile apps and the devices they run on.