How App Attestation Stops API Abuse in Mobile Apps

Mobile APIs are vulnerable to abuse. Attackers use emulators and manipulated or modified apps to flood mobile API endpoints. They replay purchase calls to steal items or trigger duplicate fund transfers to steal money. They can even strip threat metadata from the API call to hide jailbreak status.

Server validation misses these attacks because the requests look legitimate. Most API security tools check who sent the request but ignore whether the app itself is intact.

App attestation adds a device-side stamp that proves the request is genuine and that it came from the protected app on a healthy device.

Why App Attestation Matters

  • In banking, attackers clone the app, slip past MFA, and wire funds to mule accounts to launder money.
  • In retail, attackers abuse a coupon redemption call and drain inventory with endless discounts.
  • In airlines, attackers can generate fake boarding passes, letting someone clear the gate with no ticket on file.
  • In the automotive industry, attackers can exploit APIs to steal vehicles or profit from stolen data.

Each attack works because the backend sees a request that looks real. It cannot prove that the app or device is genuine.

App attestation fixes this. The server checks a signal that only the untouched app on a trusted device can create.

Without it, attackers can:

  • Generate new API calls that impersonate the real app
  • Replay old requests and bypass server-side identity checks and protections
  • Strip threat data from the API call to bypass protections

How Zimperium Enables Mobile App Attestation

Zimperium’s runtime protection SDK (zDefend) supports this by helping your backend servers and gateways verify that requests are initiated from an untampered app running in a secure environment. Once embedded, it allows the host app and its backend servers to maintain the integrity of all communications.


Benefits of zDefend

1. Prevent App Tampering

zDefend integrates encrypted signals directly into your application’s messages, creating a strong binding mechanism. This binding validates the application’s authenticity and integrity to the backend servers receiving API requests from the mobile app. Should an attacker try to remove the SDK, the absence of this essential signal alerts the server to terminate the request. This prevents app tampering and establishes a highly secure communication channel between the application and its servers.

2. Detect and Block Emulators, Device Farms and Compromised Devices

Attackers often use emulators, cloud-based device farms, or compromised physical devices as controlled environments for reverse engineering and large-scale API abuse. With zDefend, each API request can include an attestation signal that verifies the integrity of both the app and its runtime environment. This helps ensure that your servers only trust requests from genuine, uncompromised devices.

3. Stop API Abuse from Replay Attacks

Replay attacks threaten server security by resending valid data, allowing malicious actors to intercept and repeat requests. This can lead to duplicate transactions, unauthorized access, or security bypasses. zDefend provides a strong way to prevent replay attacks by using “nonces” strategically. A nonce, which means “number used once,” is a unique, randomly generated value linked to each request. The server checks this nonce when it receives the request to confirm it has not been used before.
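To make the mechanism in sections 1 and 3 concrete, here is an added example of a server-side verifier (not zDefend’s code or API): a hypothetical client binds a nonce and timestamp into a signed header, and the server rejects requests whose signal is missing, tampered, stale, or reused. It assumes a shared HMAC key as a stand-in for the SDK’s protected signing key, and the key, function names and field names are all constructed for this illustration.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo key: stands in for the SDK's protected signing key, which a
# real deployment would never hard-code like this.
DEMO_KEY = b"demo-attestation-key-not-for-production"
NONCE_TTL_SECONDS = 300  # how long a nonce/timestamp pair stays acceptable


def make_attested_request(payload: dict, key: bytes = DEMO_KEY) -> dict:
    """Hypothetical client side: bind a fresh nonce and timestamp to the body."""
    nonce = os.urandom(16).hex()
    ts = int(time.time())
    body = json.dumps(payload, sort_keys=True)
    msg = f"{nonce}.{ts}.{body}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"body": body, "attestation": {"nonce": nonce, "ts": ts, "sig": sig}}


class AttestationVerifier:
    """Server side: accept only requests carrying a valid, unseen signal."""

    def __init__(self, key: bytes = DEMO_KEY, ttl: int = NONCE_TTL_SECONDS):
        self.key, self.ttl = key, ttl
        self.seen = {}  # nonce -> timestamp it was first accepted with

    def verify(self, req: dict, now=None) -> str:
        now = int(time.time()) if now is None else now
        att = req.get("attestation")
        if not att:  # SDK stripped from the app: no signal at all
            return "reject: missing attestation"
        nonce, ts, sig = att.get("nonce"), att.get("ts"), att.get("sig")
        if not (nonce and isinstance(ts, int) and sig):
            return "reject: malformed attestation"
        if abs(now - ts) > self.ttl:  # bounds how long nonces must be remembered
            return "reject: stale timestamp"
        msg = f"{nonce}.{ts}.{req.get('body', '')}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # body or header was altered
            return "reject: bad signature"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.ttl}
        if nonce in self.seen:  # the same signed request was resent
            return "reject: replayed nonce"
        self.seen[nonce] = ts
        return "accept"
```

The signature is checked before the nonce is recorded, so an unauthenticated sender cannot burn nonces on behalf of the real app, and the timestamp window keeps the replay cache bounded.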

4. Library Lifting

zDefend binds static libraries to your authorized app, ensuring they cannot be removed or reused in unapproved or malicious apps. If an attacker tampers with the library or its traffic in any way, the attestation process will fail and the backend will reject the requests. This protects proprietary code, business logic, and embedded keys from being exploited in other apps.

5. Robust Key Protection

zDefend secures its signals with cryptographically signed keys, protected by white-box cryptography, ensuring they are never exposed, even when the device is compromised. This prevents malicious actors from forging or manipulating signals, preserving the integrity of the security assessment.

6. Flexible Key Management

The solution offers two key management options: built-in keys for secure out-of-the-box use without setup, and “bring your own” custom keys, ideal for regulated or high-security environments that require setup. The choice depends on an organization’s specific security policies, regulatory obligations, and operational preferences.

Final Thoughts

zDefend’s App Attestation capability helps backend servers trust the mobile app and the traffic coming from it. The solution lets you verify that every request originates from a legitimate and secure app running on a trusted device.

Need help getting started?

Contact Us for more information or a quick demo of the solution.
