I have mobile app which heavily depends on apis response, I was using charles proxy and fiddler to see the api calls made by my app and I have noticed for one of get api call I am able to see full url with all request parameters(which is fine) and request headers(which include secure keys).
So using those info anyone can execute that api outside of mobile app. my app has millions of user and if someone run script to increase traffic it also increase load on server. so is there any way I can secure or hide those keys ?
I am able to think only one way of doing it is
encryption on both app and api side
is there any better way of doing it ?
You can implement certificate or public-key pinning in your app (for the leaf or the root-CA-certificate). This makes it harder for an attacker to use a proxy and intercept HTTPS traffic. However with XPosed and SSL-Unpinning module this will still work.
Also keep in mind that APK files can be decompiled easily, therefore you don't have to attack the network traffic.
Therefore the next step is to harden your app to make it resistent against manipulation via XPosed or Frida. Note that good harding frameworks cost a lot of money. Usually the protection offered is raising with the cost.
See also this related question.
Related
When I run an IOS App through proxy using tools such as Charles, Burp suite and Proxyman I'm not able to see the full request (receiving 403 when SSL is enabled) of the final end point after loged in, and also the App just stop working(Just work when SSL is disabled). I would like to see what the full request looks like to do it using Postman and HttpClient in Java. Is there anything I could do in order to get status 200 like when SSl is disabled ?
Any help to try bypass it is appreciated.
This is probably due to TLS fingerprinting.
Platforms like Cloudflare offer services to block bots and other non-browser traffic, which analyse low-level details of how a client makes connections, including the TLS fingerprint, and use this to spot unusual traffic. Because proxies like the ones you're using create separate upstream TLS connections when they intercept incoming connections, they can often end up sending HTTPS traffic where the TLS fingerprint the server sees doesn't match the HTTP headers, which is sufficient for the connection to be blocked as 'unusual'.
Defeating this is not easy. I also maintain an HTTPS debugging proxy called HTTP Toolkit, where I've done some work to defeat this, by optimizing individual fields of TLS handshakes to avoid common blocks (some more details: https://httptoolkit.tech/blog/tls-fingerprinting-node-js/). You might have more success using HTTP Toolkit in this case, since it can successfully avoid 90% of these kinds of blocks at the moment.
(Note that HTTP Toolkit doesn't have automated setup for iOS yet, but you can still use it manually like any other debugging proxy - you just need to trust the certificate & set your proxy settings)
That said, this still won't work 100% of the time. This is a cat & mouse game between bots and site-scrapers and bot-blocking services, where the criteria are constantly changing & tightening, so there is no perfect solution. Your best bet is to keep trying different tools, and see which ones can make themselves look least suspicious while proxying your traffic.
I am creating an application, while working on its back-end I found that anyone can see my data while connected to server. I want to secure them. I tried many application which blocked the proxy connection like gmail and other big applications while I used them by turning on fiddler proxy they stopped me to connect to server by saying please remove proxy but when I used my application data via fiddler it showed all my data.
How can I check this?
You haven't specified what "applications" you're referring to (e.g. web pages vs. native apps on Android, etc), but in general you cannot detect Fiddler nor should you bother to try, as anything you do can be undone by a motivated attacker.
I have 2 servers, Web and Api. Web serves up webpages, and Api serves up json.
I want to be able to make ajax calls from Web to Api, but I want to avoid CORS pre-flight requests. So instead, I thought to proxy all requests for https://web.com/api/path to https://api.com/path.
The only way I've been able to get this to work is to drop the https when making the request to the api server. In other words, it goes https://web.com/some/page -> https://web.com/api/path -> http://api.com/path.
Am I leaving myself vulnerable to an attack by dropping the https in my proxy request?
(I would make a comment but I don't have enough rep)
I think this would depend largely on what you mean by proxying.
If you actually use a proxy (that is, your first server relays the request to the second, and it comes back through the first), then you're only as vulnerable as the connection between those two servers. If they're in physical proximity, over a private network, I wouldn't worry about it too much, as an attacker would have to compromise your physical network. If they're communicating over open internet, you might have other attacks happen (DNS spoofing comes to mind if you don't supply an actual IP address), and I would not recommend this.
If by 'proxy' you mean the webpage makes an Ajax call to your API server, this would open things up to the same attacks that proxying across the internet could.
Of course, this all depends on what you're serving up in JSON. If any of it involves authentication or session-related information, I wouldn't leave it unencrypted. If it's just basic info that's the same for all users, you might not care. However, a skilled attacker could potentially manipulate the data with a man-in-the-middle attack, so I would still encrypt it.
I will build a cross platform application (WP8, IOS, Android) and those apps will use
my server to make API requests.
My server also will call different type of APIs (google, facebook, etc) and return some results.
And application owner does not has to be logged in to make those calls.
If there is man in the middle, he can track api calls and use it for his own usage drain my quota against api services I am using.
I only want phone who has application be able to make those calls.
What would be the best way to detect api calls to my server should come from my application?
You can use SSL to prevent man in the middle attacks but there really isn't a way that you can be 100% certain that you are communicating with your application.. You can make it harder to do by requiring some sort of access token or using custom encryption but if somebody can decompile your app they can do whatever they want.
In your specific case you should use HTTPS and in the client, not only check that you are using an HTTPS connection, but that the certificate presented by the server and its certificate chain are the ones you expect.
If you fail to do so, you could still perform a MITM attack. For example:
The MITM proxy could act as the client to the server and use an HTTP connection to serve the contents to the real client.
The MITM proxy could act as the client to the server and use a self-signed SSL certificate to present the real client an HTTPS connection.
I apologize, I know this is a very short question but Google doesn't seem to help (I guess I'm not searching for the correct phrase or set of keywords).
If I have a site not protected by SSL and it makes an api call to an https site, is that information secure or do I need to have SSL as well?
I want to make sure I keep my users' data secure.
Only data in the API call (request) needs to be protected. Data returned by the API (response) to my (non-SSL) site isn't meaningful or sensitive.
Thanks in advance.
The call to the SSL site will be protected, but if it's multihop (client to non SSL to SSL site) and the data on first hop is plain text.
However as #VictorRonin says, security is a much bigger concern than just SSL.
The call is protected. Your website talking to another website (protected by SLL) will send and get information inside of protected channel.
However, it's hard to say whether your users data is secure. Security requires a lot more than just usage of SSL.
I also got the same problems.
I'm using 16 bits micro connect to net by Wifi's AT command .
after connected in transparent mode. normally I can send some simple text (HTTP ) to request content from every web page.(if those webpages not need SSL).
this makes programing fun and easy.
But these few years. life got stuck almost webpage use SSL. mean programming need more complex step to reach content.
but the most serious things is that the CA (cert auth) cannot use forever it has expired time !!!
This mean hardware device have to modified CA data frequently . so it's not practical for small iot firm .
However I found a way even it's not the best by using thingspeak.com (ThingHTTP)
with ThingHTTP you can request without SSL to any website which need SSL
I hope in the future there are more iot cloud or even some webpage turn to use old method (HTTP) in case of that data no need secure.
In my opinion user can encode/decode the data by themself instead of secure everything in webpage.
Thnks