re: I am a Developer Advocate for Security in Mobile Apps and APIs, Ask Me Anything VIEW POST


Ohai. So here is my question.
How do you restrict Mobile API to package-name ?
And, apart from SafetyNet, which are other mobile app attestation techniques ?


How do you restrict Mobile API to package-name ?

You mean how do only make your API server to only accept requests from your mobile app?

And, apart from SafetyNet, which are other mobile app attestation techniques ?

SafetyNet is not a mobile app attestation technique, because it only attests the mobile device, not the mobile app.SafetyNet is primarily designed to check if the OS image that a particular Android device is running is considered to be secure and compatible or not, you can think of it as an advanced root check.

So SafetyNet cannot tell if your mobile app have been tampered with, is being MitM attacked or have an instrumentation framework hooked to modify its behavior during run time, like Frida, xPosed or Magisk. Where I work we have a small report in pdf format that can explain it in more detail.


Sorry about the lack of details.
1.) Yeah I was thinking Google APIs or Firebase. We can restrict APIs to Mobile Application package name, viz., Going a step further how to restrict certain API endpoints to signing keys.

2.)Interesting. Let me reframe the question. What attestation techniques can I use to secure my API ?

Question 1

1.) Yeah I was thinking Google APIs or Firebase. We can restrict APIs to Mobile Application package name, viz., Going a step further how to restrict certain API endpoints to signing keys.

I have no experience at all with Google APIs, thus cannot help here.

Regarding Firebase I just took a quick look some weeks ago and for what I can tell you cannot hook custom scripts for each incoming request, thus you cannot implement aditional security measures, like a Mobile App Attestation solution.

Question 2

2.)Interesting. Let me reframe the question. What attestation techniques can I use to secure my API ?

The Who vs What Is Accessing the API Server

You can start with understanding the difference between WHO vs WHAT is accessing your API server, as I explain here, where you can read:

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The Basic API Security Defences

Now that you understand the difference between who vs what is accessing your API server you may want to go an read my article about the basic techniques to secure an API:

In this article we will explore the most common techniques used to protect an API, including how important it is to use HTTPS to protect the communication channel between mobile app and API, how API keys are used to identify the mobile app on each API request, how user agents, captchas and IP addresses are used for bot mitigation, and finally how user authentication is important for the mobile security and api security. We will discuss each of these techniques and discuss how they impact the business risk profile, i.e. how easy they are get around.

More Advanced Security Defences

Afterwards you can get a little more deep and read the series on Mobile API Security Techniques to understand how API keys, HMAC, OAUTH and certificate pinning can be used to enhance the security and at same time how they can be abused/defeated.

You can also resort to a WAF(Web Application Firewall) or A UBA(User Behaviour Analytics) that will use machine learning and Artificail intelligence to detect bad requests into your API server. This ones have the downside of blocking some good requests while letting some bad ones to pass by, thus they require constant monitoring to adjust security policies and filters.

WAF - Web Application Firewall:

A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.

UBA - User Behavior Analytics:

User behavior analytics (UBA) as defined by Gartner is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms like Apache Hadoop are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.

Possible Solutions

In my opinion the best solution is defence in depth, by applying as many layers as you can, so that you increase the time, effort and skill-set necessary to by pass all your security layers, thus keeping at bay the script kids and season hackers from abusing your service.

So you should employ has much techniques as possible from the ones you have learned when reading the articles I have linked, like HTTPS, API keys, User Agents, Captchas, Rate Limiting, OAuth, HMAC, Certificate Pinning, Code Obsfuscation, Secretes hidden in native C code with JNI/NDK, WAF, UBA, etc.

Finally if you have the time you can go even further by building your own Mobile APP Attestation solution:

The role of a Mobile App Attestation service is to authenticate what is sending the requests, thus only responding to requests coming from genuine mobile app instances and rejecting all other requests from unauthorized sources.

In order to know what is sending the requests to the API server, a Mobile App Attestation service, at run-time, will identify with high confidence that your mobile app is present, has not been tampered/repackaged, is not running in a rooted device, has not been hooked into by an instrumentation framework(Frida, xPosed, Cydia, etc.), and is not the object of a Man in the Middle Attack (MitM). This is achieved by running an SDK in the background that will communicate with a service running in the cloud to attest the integrity of the mobile app and device it is running on.

On a successful attestation of the mobile app integrity, a short time lived JWT token is issued and signed with a secret that only the API server and the Mobile App Attestation service in the cloud know. In the case that attestation fails the JWT token is signed with an incorrect secret. Since the secret used by the Mobile App Attestation service is not known by the mobile app, it is not possible to reverse engineer it at run-time even when the app has been tampered with, is running in a rooted device or communicating over a connection that is the target of a MitM attack.

The mobile app must send the JWT token in the header of every API request. This allows the API server to only serve requests when it can verify that the JWT token was signed with the shared secret and that it has not expired. All other requests will be refused. In other words a valid JWT token tells the API server that what is making the request is the genuine mobile app uploaded to the Google or Apple store, while an invalid or missing JWT token means that what is making the request is not authorized to do so, because it may be a bot, a repackaged app or an attacker making a MitM attack.

A great benefit of using a Mobile App Attestation service is its proactive and positive authentication model, which does not create false positives, and thus does not block legitimate users while it keeps the bad guys at bay.

The Mobile App Attestation service already exists as a SaaS solution at Approov . The solution supports SDKs for several platforms, including iOS, Android, React Native and Cordova. To deploy, a small check in the API server code to verify the JWT token issued by the Approov cloud service is needed. This check is how the API server authenticates what is making the request.

When correctly implemented a Mobile APP Attestation solution have the advantage of not requiring constant monitoring to not block good requests to your API server.


In the end, the solution to use in order to protect your API server must be chosen in accordance with the value of what you are trying to protect and the legal requirements for that type of data, like the GDPR regulations in Europe.

Thanks for the detailed reply. Much Appreciated.

code of conduct - report abuse