Page 144 - Cyber Defense eMagazine Annual RSA Edition for 2024
the much larger collections of sensitive user data accessible on the servers that support the app frontends. Bad actors meticulously plan and construct attacks on backend systems by first deciphering and analyzing the communication patterns the apps use. Armed with this knowledge, they then craft scripts, bots, or replacement/repackaged apps that replicate legitimate communications, enabling them to perform their malicious activities.
While the threat landscape predominantly resides on the API side, it is crucial to recognize that effective defense should begin in the app. App attestation involves embedding mechanisms within the application to verify its integrity and to ensure that interactions with backend APIs originate only from authentic, unaltered instances of the app. By prioritizing app attestation as a fundamental security measure, developers lay a solid foundation for comprehensive app-based protection. Traditional Runtime Application Self-Protection (RASP) defenses can then build on this to strengthen resilience against attacks that dynamically manipulate the behavior of a legitimate app running in a compromised environment, such as a rooted or jailbroken device.
At its heart, app attestation uses a positive security model, analogous to user authentication. Scripts, bots, and counterfeit or tampered apps are all blocked because none of them can present themselves as legitimate to the protected services. Additionally, app attestation does not falsely identify good app instances as bad, as is sometimes the case with AI-based API defenses. With the addition of RASP, apps can also actively defend themselves against on-device attacks that attempt to directly manipulate the behavior of the untampered app in order to circumvent attestation, harvest sensitive data, or perform illegitimate or unauthorized transactions.
Pioneering security companies began developing app attestation solutions to enhance mobile app security around 2016. The evolution of their services includes not only user-driven enhancements, such as the dynamic delivery of API keys to verified apps and the implementation of dynamic certificate pinning, but also a stronger security posture. Enhancements encompass the integration of sophisticated Runtime Application Self-Protection (RASP) defenses, including the detection of rooted or jailbroken devices, the identification of root-hiding software like Magisk, and the monitoring of runtime app manipulation tools such as Frida and Xposed. Moreover, these solutions also tackle threats that do not require root access, such as app cloning and the use of game cheat engines. These companies also continuously educate app developers about the security threats their APIs may face and work collaboratively with their clients to mitigate emerging threats.
Counter to Andeer's statement denying the presence of first-party security services, Apple released its own set of app attestation APIs, App Attest, in 2020. While this attestation solution provides a level of security for iOS applications that use it, it fails to provide protection when operated from a jailbroken device. So, in effect, even when App Attest is in use, there remains a requirement for a third-party security service to detect and identify those apps operating in a compromised environment. This highlights the need for API security to secure every access path. It is not sufficient to cover 99.9% of accesses: an attacker will always gravitate towards the easiest method of access, and failing to cover a class of device is effectively the same as having no cover at all.
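The "secure every access path" point above comes down to how the backend consumes an attestation verdict: the request is admitted only when every expectation holds, and anything unknown, missing, or below policy is denied. The following is an added example, not code from the article or from any vendor; it assumes the field names of Google's published Play Integrity decoded-verdict format (requestDetails, appIntegrity, deviceIntegrity) and assumes the token has already been decrypted and signature-checked by Google's decode service before reaching this code. All sample verdicts are constructed.

```python
# Device-integrity labels from Play Integrity's documented response format,
# ordered weakest to strongest (assumed from Google's docs, not from the article).
LEVELS = {"MEETS_BASIC_INTEGRITY": 1, "MEETS_DEVICE_INTEGRITY": 2,
          "MEETS_STRONG_INTEGRITY": 3}
BASIC, DEVICE, STRONG = 1, 2, 3

def verdict_level(verdict: dict) -> int:
    """Highest device-integrity level the decoded verdict asserts (0 if none)."""
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    return max((LEVELS.get(label, 0) for label in labels), default=0)

def check_attestation(verdict: dict, expected_nonce: str, expected_package: str,
                      required_level: int, now_ms: int, max_age_ms: int = 60_000):
    """Positive security model: admit only when every expectation is met;
    any missing or unrecognised value falls through to deny."""
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        return False, "package mismatch"            # token minted for another app
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"              # replayed or foreign token
    if now_ms - int(req.get("timestampMillis", 0)) > max_age_ms:
        return False, "stale verdict"               # old token being reused
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        return False, "app not recognized"          # repackaged or sideloaded build
    if verdict_level(verdict) < required_level:
        return False, "device integrity below policy"   # e.g. rooted device
    return True, "ok"

# Constructed sample verdicts (not real tokens); NOW_MS pins "now" for the demo.
NOW_MS = 1_700_000_000_000
PACKAGE = "com.example.bank"   # hypothetical package name
GENUINE = {
    "requestDetails": {"requestPackageName": PACKAGE, "nonce": "n1",
                       "timestampMillis": str(NOW_MS - 5_000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY",
                                                      "MEETS_DEVICE_INTEGRITY"]},
}
# A rooted device that still clears basic checks, and a repackaged build.
ROOTED = {**GENUINE, "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]}}
REPACKAGED = {**GENUINE, "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION"}}

if __name__ == "__main__":
    for name, v in [("genuine", GENUINE), ("rooted", ROOTED), ("repackaged", REPACKAGED)]:
        print(name, check_attestation(v, "n1", PACKAGE, DEVICE, NOW_MS))
```

Lowering `required_level` to BASIC admits the rooted device, which is exactly the uncovered class of device the text warns about; the policy level is the knob that decides whether that access path is closed.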
Google followed Apple by releasing its own app attestation solution for Android as part of Google Play in 2022, the Play Integrity API. Its approach is slightly different: instead of a strict good/bad result, Google's service can report different levels of integrity for the device running the attestation: basic, device