
We are experiencing fraud with our open API, so we're turning it private.

Let's suppose that I'm using OAuth and Bearer token to authorize who can access my API.

Request: App -> Credentials -> Auth Endpoint ... Response: a bearer token to be used in future requests

But even with HTTPS an attacker can use Fiddler, Burp, Charles and other proxies to intercept and see what credentials I'm using, with a self-signed root certificate installed on the proxy machine and trusted on the mobile device.

Request: App -> Credentials -> Proxy ... Intercepted Credentials Request: Postman/Attack Script -> Valid Credentials Intercepted -> Auth Endpoint ... Response: a bearer token to be used in future requests

So the attacker stole the credentials and is authorized to use the API until the token expires.

How can I avoid this?

Conor Mancone
  • [4] You can't. It's literally impossible. – Conor Mancone Sep 27 '19 at 18:51
  • [1] "The client is in the hands of the enemy." Anything that your app can do through your API, the user can do without any of the restrictions that the app might put in place. Validate the requests on the server side. – Ghedipunk Sep 27 '19 at 20:15
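Added example, written for this page and not taken from the question or either commenter: a minimal Python model of the flow described above (credentials to the auth endpoint, bearer token back, every later request checked by the API). It shows what "validate the requests on the server side" means once the token has already been intercepted: the server cannot tell the replaying script from the real app, so the controls that bound the damage are server-side ones, namely a short token lifetime (the question's "until the token expires"), a per-token request quota, and revocation of a client's tokens when fraud is noticed. The client id, client secret, lifetime and quota values are constructed for the demo and are not real.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 300       # constructed value: a short lifetime bounds how long a stolen token works
MAX_REQUESTS_PER_TOKEN = 50   # constructed value: a per-token quota limits what one stolen token can do


def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed client registry; the id and secret are hypothetical, not real credentials.
CLIENTS: Dict[str, str] = {"mobile-app-v1": _hash_secret("example-app-secret")}


class TokenRecord:
    def __init__(self, client_id: str, expires_at: float) -> None:
        self.client_id = client_id
        self.expires_at = expires_at
        self.requests_used = 0


class AuthServer:
    """Auth endpoint plus the per-request check the API performs on every call."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock            # injectable so the demo can advance time
        self.tokens: Dict[str, TokenRecord] = {}

    def issue_token(self, client_id: str, client_secret: str) -> Optional[str]:
        """Credentials in, short-lived opaque bearer token out (None on bad credentials)."""
        expected = CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(expected, _hash_secret(client_secret)):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = TokenRecord(client_id, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def authorize(self, token: str) -> Tuple[bool, str]:
        """Server-side validation of each request; the app is never trusted to enforce this."""
        rec = self.tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if self.clock() >= rec.expires_at:
            del self.tokens[token]
            return False, "expired"
        if rec.requests_used >= MAX_REQUESTS_PER_TOKEN:
            return False, "quota exceeded"
        rec.requests_used += 1
        return True, "ok"

    def revoke_client(self, client_id: str) -> int:
        """Invalidate every live token of a client (e.g. once fraud is noticed); returns the count."""
        doomed = [t for t, r in self.tokens.items() if r.client_id == client_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


def simulate_stolen_token() -> Dict[str, object]:
    """Play the scenario from the question against the server above."""
    now = [1_000_000.0]
    server = AuthServer(clock=lambda: now[0])
    stolen = server.issue_token("mobile-app-v1", "example-app-secret")
    outcome: Dict[str, object] = {}
    # The replaying script and the real app present the same token; the server cannot tell them apart.
    outcome["replay_accepted"] = server.authorize(stolen)[0]
    # Hammering the API with the token runs into the per-token quota.
    results = [server.authorize(stolen)[0] for _ in range(MAX_REQUESTS_PER_TOKEN)]
    outcome["accepted_before_quota"] = sum(results)
    outcome["after_quota"] = server.authorize(stolen)[1]
    # Once the lifetime passes, the token is useless even if the quota still had room.
    now[0] += TOKEN_TTL_SECONDS + 1
    outcome["after_expiry"] = server.authorize(stolen)[1]
    # Wrong credentials never get a token at all.
    outcome["bad_secret_issued"] = server.issue_token("mobile-app-v1", "guess") is not None
    return outcome


if __name__ == "__main__":
    print(simulate_stolen_token())
```

The design point is the one the second comment makes: nothing in `authorize` depends on the app behaving, so the only things that change the attacker's outcome are the server's own lifetime, quota and revocation decisions.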
