
Problem Description

How would someone go about preventing MITM type attacks against API secrets/API keys? How does Facebook/Instagram protect their users against MITM type hacks?

Do they even protect the users? Or do they assume that any possible attacks should be shouldered by users?

Solution

Some Context on my Answer

I assume that your question is in the context of mobile apps, thus my answer will show how to protect against a MitM attack for APIs serving mobile apps and how it can be bypassed.

Your Facebook/Instagram Related Questions

These questions are best answered by an insider at Facebook/Instagram or by a security researcher who has done extensive work on their mobile apps and APIs.

Sorry for not being able to enlighten you here.

Preventing MitM Attacks

This one I am able to help you with, and the quick reply is: use certificate pinning against the certificate's public key. We will go into more detail below.

In the first instance, you will want to secure the HTTPS communication channel by configuring the mobile app to only establish a connection with the API, during the TLS handshake, if it presents the certificate issued for its domain and that is known and trusted by the mobile app, ignoring any other that may still be valid as per validation against the certificate trust store of the device. I go into more detail about it and how to implement it in the article I wrote, Securing HTTPS with Certificate Pinning:

What to pin?

From the same article I will quote:

Implementing Static Certificate Pinning

The easiest and quickest way you can go about implementing static certificate pinning in a mobile app is by using the Mobile Certificate Pinning Generator, which accepts a list of domains you want to pin against and generates for you the correct certificate pinning configurations to use on Android and iOS.

Give it a list of domains to pin:

And the tool generates for you the Android configuration:

And the iOS configuration too:

The tool even has instructions on how to go about adding the configurations to your mobile app, which you can find below the certificate pinning configuration box. They also provide a hands-on example Pin Test App for Android and for iOS that is a step-by-step tutorial.

Bypass Certificate Pinning

It's important that any developer that decides to implement certificate pinning in their mobile apps also understands how it can be bypassed in order to learn the threat model and evaluate if further protections are needed to prevent certificate pinning bypass.

I wrote two articles on how to bypass certificate pinning on Android where you can learn in one of them how to do it by extracting, modifying and repackaging the APK, while in the other article you learn how to use the Frida instrumentation framework to hook at runtime into the mobile app in order to bypass certificate pinning:

Bypassing Certificate Pinning on Android via APK

In this article you will learn how to repackage a mobile app to make it trust a custom SSL certificate. This will allow us to bypass certificate pinning.

How to Bypass Certificate Pinning with Frida on an Android App:

Today I will show how to use the Frida instrumentation framework to hook into a mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.

Bypassing certificate pinning is not too hard, just a bit laborious, and it allows an attacker to understand in detail how the mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.

Summary

Despite it being possible to bypass certificate pinning, I still strongly recommend you to implement it in your mobile app, because it reduces the attack surface of your mobile app a lot.

Being aware of how certificate pinning can be bypassed gives you the insights to decide if further protections need to be in place. Dynamic certificate pinning and Runtime Application Self-Protection (RASP) may be the next steps to take in your security ladder.
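The public-key pinning check the answer describes, as an added example in Go. This is not the answer author's code, nor the Android or iOS configuration the Mobile Certificate Pinning Generator produces; it shows what that configuration means in code: the pin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (the value Android's `<pin digest="SHA-256">` element and TrustKit on iOS carry), and the handshake is only allowed to complete if the presented chain contains a pinned key, regardless of what the device trust store would accept. The host api.example.com, the self-signed certificates and the PinSet, VerifyPinned and Demo names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)) for a certificate.
// Pinning the public key rather than the whole certificate means a renewal
// that keeps the same key does not break the app.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet is the set of pins an app ships for one API host (constructed type).
type PinSet map[string]bool

// VerifyPinned accepts the presented chain only if at least one certificate in
// it carries a pinned public key. A chain the device trust store would accept
// but that contains no pinned key is rejected.
func VerifyPinned(pins PinSet, rawCerts [][]byte) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("parsing presented certificate: %w", err)
		}
		if pins[SPKIPin(cert)] {
			return nil
		}
	}
	return errors.New("certificate pinning failure: no pinned public key in chain")
}

// PinnedTLSConfig keeps Go's normal chain validation (InsecureSkipVerify stays
// false) and layers the pin check on top; VerifyPeerCertificate runs after it.
func PinnedTLSConfig(host string, pins PinSet) *tls.Config {
	return &tls.Config{
		ServerName: host,
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return VerifyPinned(pins, rawCerts)
		},
	}
}

// selfSignedCert builds a throwaway self-signed certificate for the demo
// (constructed test data standing in for the API's real certificate).
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo pins one certificate for api.example.com (placeholder host) and checks
// that its chain passes while a second certificate for the same name but with
// a different key, which is what an interception proxy presents, is rejected.
func Demo() (pinnedOK bool, unpinnedRejected bool, err error) {
	apiCert, err := selfSignedCert("api.example.com")
	if err != nil {
		return false, false, err
	}
	proxyCert, err := selfSignedCert("api.example.com")
	if err != nil {
		return false, false, err
	}
	pins := PinSet{SPKIPin(apiCert): true}
	pinnedOK = VerifyPinned(pins, [][]byte{apiCert.Raw}) == nil
	unpinnedRejected = VerifyPinned(pins, [][]byte{proxyCert.Raw}) != nil
	return pinnedOK, unpinnedRejected, nil
}

func main() {
	apiCert, err := selfSignedCert("api.example.com")
	if err != nil {
		panic(err)
	}
	// The same pin value in the form Android's network_security_config.xml expects.
	fmt.Printf("<pin digest=\"SHA-256\">%s</pin>\n", SPKIPin(apiCert))
	_ = PinnedTLSConfig("api.example.com", PinSet{SPKIPin(apiCert): true})
	pinnedOK, unpinnedRejected, err := Demo()
	fmt.Println("pinned chain accepted:", pinnedOK, "unpinned chain rejected:", unpinnedRejected, "err:", err)
}
```

Ship more than one pin in practice (the current key plus a backup key held offline), otherwise a key rotation locks every installed app out of the API until an update is pushed; that operational point is what the answer's "dynamic certificate pinning" next step addresses.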
