Your Question
My question is, if you managed to figure out what the API endpoints for the relevant mobile app were, would it be straightforward to fake completing these tasks?
So, if one were motivated to do so, could one send requests to the 'I completed task X' endpoint and easily gain progress on the app without actually doing the work? For example, running a bot to complete 10 lessons a day on Duolingo.
Yes. From the moment you reverse engineer how a mobile app communicates with its backend, you are in a position to automate that communication from a bot, or to issue one-off requests from cURL or a tool like Postman.
Could this easily be done?
MitM attacks are the most popular technique used to learn how a mobile app communicates with its backend, and you can read my article Steal that Api Key with a Man in the Middle Attack to see how easy it is to intercept the HTTPS calls made to the backend:
In order to help demonstrate how to steal an API key, I have built and released on GitHub the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.
So, in this article you will learn how to set up and run a MitM attack to intercept HTTPS traffic on a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.
While the article is in the context of extracting an API key from the request, the steps are the same for learning how a mobile app communicates with its backend.
If the mobile app is using certificate pinning to protect against a MitM attack, then you can learn how to bypass it by following my article How to Bypass Certificate Pinning with Frida on an Android App:
Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.
Bypassing certificate pinning is not too hard, just a little laborious, and allows an attacker to understand in detail how a mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.
A Possible Solution
As far as I understand, there is no way to be sure that an HTTP request is coming from a trusted mobile app.
You can have a very high degree of confidence that requests are indeed from a genuine and unmodified version of your mobile app when you use a Mobile App Attestation solution.
If so, what can be done to prevent it/make it more difficult?
I recommend that you read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.
In a nutshell, Mobile App Attestation will allow the backend to have a very high degree of confidence that the incoming request is not from a bot or any other type of automation, nor from replay attacks or one-off manual requests made outside the mobile app.
Do You Want To Go The Extra Mile?
In any response to a security question I always like to reference the excellent work from the OWASP foundation.
For APIs
OWASP API Security Top 10
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
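The attestation check described in the answer above, as an added example that is not part of the answer and not any attestation vendor's code: a minimal backend that records progress for an "I completed lesson X" request only when it carries a valid attestation token, and rejects forged, expired and replayed tokens. It assumes one common design, a short-lived HS256 JWT issued to an attested app instance and verified with a secret shared between the attestation service and the backend; the header name, secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this demo; a real backend keeps it in its secret store.
ATTESTATION_SECRET = b"demo-attestation-secret-not-for-production"
# Hypothetical header carrying the attestation token; real services pick their own name.
TOKEN_HEADER = "X-App-Attestation"
# Token ids already accepted, so a captured token cannot be replayed (in-memory for the demo).
SEEN_TOKEN_IDS = set()

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, secret: bytes = ATTESTATION_SECRET) -> str:
    """Stand-in for the attestation service: issue a short-lived HS256 JWT to an attested app."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_attestation(token: str, now: float, secret: bytes = ATTESTATION_SECRET):
    """Backend check: return the claims only for a correctly signed, unexpired, unseen token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # forged, tampered, or signed with the wrong secret
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now:
            return None  # expired, or no expiry claim at all
        token_id = claims.get("jti")
        if not token_id or token_id in SEEN_TOKEN_IDS:
            return None  # missing id, or a replay of a token already spent
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token or claims
    SEEN_TOKEN_IDS.add(token_id)
    return claims

def complete_lesson(headers: dict, now: float = None) -> tuple:
    """Handler for the 'I completed lesson X' endpoint: progress only for attested requests."""
    now = time.time() if now is None else now
    if verify_attestation(headers.get(TOKEN_HEADER, ""), now) is None:
        return 401, "missing or invalid attestation token"
    return 200, "lesson recorded"
```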