
I have a use case where my Flutter app makes an API call to a backend API, which in turn makes a call to a 3rd-party service to verify whether two images are similar. My concern is that any user can use the API access token to call the backend API directly with spoofed data to get a verified profile. How can I make sure that the image data is coming from the mobile camera itself?

Anurag Das

1 Answer


The Difference Between WHO and WHAT is Accessing the API Server

I have a use case where my Flutter app makes an API call to a backend API, which in turn makes a call to a 3rd-party service to verify whether two images are similar. My concern is that any user can use the API access token to call the backend API directly with spoofed data to get a verified profile.

You need to empower your backend API with a mechanism to distinguish between who is in the request and what is making the request. I wrote a series of articles around API and mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read this:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

So think about the who as the user your API server will be able to authenticate and authorize access to the data, and think about the what as the software making that request on behalf of the user.

After you understand this idea and it is ingrained in your mindset, you will look at mobile API security from another perspective, and you will be able to see attack surfaces that you never thought could exist.

Possible Solution

How can I make sure that the image data is coming from the mobile camera itself?

I will reply to this question more in the context of how you can be sure that the request sent to the backend with the image originated from your genuine and unmodified mobile app, and not from a tampered one, a bot or a manual request.

I recommend you read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution, to understand the several options you have to tackle your problem.

From the several solutions provided in that answer, the best fit for your problem will be Mobile App Attestation, which will allow your backend to have a very high degree of confidence that what is making the request is indeed your genuine and unmodified mobile app, therefore preventing an attacker from getting a valid profile, as per your main concern:

My concern is that any user can use the API access token to call the backend API directly with spoofed data to get a verified profile.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

Exadra37
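The separation the answer above describes, the who check (user access token) and the what check (attestation token), as an added example that is not part of the original question or answer and is not taken from any attestation product. It assumes a hypothetical attestation service that, after deciding an app instance is genuine, issues the app a short-lived HS256 JWT whose `pay` claim is the SHA-256 of the request body; the header name `X-Attestation-Token`, both shared secrets and the claim names are assumptions made for the example. The backend accepts the image only when both checks pass, and the body-hash binding means an attestation token captured from one upload cannot be replayed with a spoofed image.

```python
import base64
import hashlib
import hmac
import json

# Assumed secrets for the example only. In practice the attestation secret is
# shared between the attestation service and the backend, never with the app.
ATTESTATION_SECRET = b"example-attestation-secret-not-for-production"
USER_TOKEN_SECRET = b"example-user-token-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256_encode(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT encoder (no external library) for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def jwt_hs256_decode(token: str, secret: bytes, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def body_hash(body: bytes) -> str:
    return _b64url(hashlib.sha256(body).digest())


def mint_attestation_token(body: bytes, now: float, ttl: int = 120) -> str:
    """What the (hypothetical) attestation service issues to a genuine app instance,
    bound to the exact bytes the app is about to upload."""
    return jwt_hs256_encode({"exp": now + ttl, "pay": body_hash(body)}, ATTESTATION_SECRET)


def mint_user_token(user_id: str, now: float, ttl: int = 3600) -> str:
    """The ordinary user access token: proves WHO, says nothing about WHAT."""
    return jwt_hs256_encode({"sub": user_id, "exp": now + ttl}, USER_TOKEN_SECRET)


def verify_image_upload(headers: dict, body: bytes, now: float):
    """Backend-side decision for the image-upload endpoint: (accepted, reason)."""
    auth = headers.get("Authorization", "")
    user_token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = jwt_hs256_decode(user_token, USER_TOKEN_SECRET, now)
    if user is None:
        return False, "who: missing or invalid user access token"

    attestation = jwt_hs256_decode(headers.get("X-Attestation-Token", ""), ATTESTATION_SECRET, now)
    if attestation is None:
        return False, "what: missing, invalid or expired attestation token"
    if not hmac.compare_digest(str(attestation.get("pay", "")), body_hash(body)):
        return False, "what: attestation token is not bound to this image"
    return True, f"accepted: genuine app instance acting for user {user['sub']}"


if __name__ == "__main__":
    NOW = 1_700_000_000.0
    image = b"constructed stand-in for the JPEG bytes taken by the camera"
    genuine = {
        "Authorization": "Bearer " + mint_user_token("alice", NOW),
        "X-Attestation-Token": mint_attestation_token(image, NOW),
    }
    print(verify_image_upload(genuine, image, NOW))
    # Attacker with a stolen user token calling the API from a script: WHO passes, WHAT fails.
    print(verify_image_upload({"Authorization": genuine["Authorization"]}, image, NOW))
    # Attacker replaying a captured attestation token with a spoofed image.
    print(verify_image_upload(genuine, b"spoofed image bytes", NOW))
```

The attestation token only proves the request came from an app instance the attestation service accepted as genuine; it does not prove which camera produced the bytes, which is why the answer reframes the question around the app rather than the camera. The short TTL and body binding limit what a captured token is worth, and the `alg` and `exp` checks are the ones most often skipped when a JWT is verified by hand.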