Adding robust security controls to your API can significantly improve your mobile application’s security posture. These defenses increase resilience to attacks by raising the barrier for anyone attempting to probe or manipulate your API. This applies to both mobile and web applications.
In this blog, we’ll highlight three key controls that can help reduce API exploitation risk:
Hash-based message authentication code (HMAC) signatures
Rate limiting
Encrypted message bodies
Adding one or all of these controls can help fortify your API against common attack vectors.
HMAC Signatures: Protect Message Integrity
HMAC signatures are used to verify the integrity and authenticity of API requests and responses. They help detect when a message has been modified in transit.
How HMAC Works
HMAC involves generating a signature using select request or response components, a hashing algorithm and a secret key known only to the application and server. The signature is then included as a header.
Typical components used to generate the HMAC signature include:
Message body
Timestamp
URL path
HTTP method
Relevant headers such as Content-Type
The hashing process uses a cryptographic hash function and a secret key shared only between the client and server.
The client app sends the API request, including the newly generated HMAC signature, in a custom header.
Upon receiving the request, the server repeats the same hashing process using the same parameters and secret key. It then compares the calculated HMAC signature with the one sent by the application in the request header.
If the signatures match, the server accepts and processes the request.
If the signatures don’t match, the server rejects the request, preventing malicious or unsafe payloads from being processed.
Once the server verifies and processes the request, it generates a new HMAC signature that it adds to the response headers. The client app validates the response in the same way to safeguard message integrity. This two-way verification continues throughout the app session, ensuring integrity and authenticity at each step.
Real-World Impact
HMAC could have helped to prevent the Optus breach, where attackers modified customer ID values to access other users’ sensitive data. Proper HMAC header implementation would have flagged the manipulated requests as invalid.
Why It Matters for Mobile
Mobile application security is often deprioritized compared to web apps. But mobile apps typically interact with the same backend APIs. Implementing HMAC in mobile apps can stop attackers from modifying requests or responses in transit, helping to prevent data leakage, account takeover and other exploits.
Rate Limiting: Stop Brute-Force API Attacks
Rate limiting restricts how frequently clients submit API requests, helping block brute-force attack attempts, bot traffic and denial-of-service exploits. This lightweight yet effective API control protects availability and user data.
How Rate Limiting Enhances API Security
Brute-force attacks typically entail iterating through a list of known emails and passwords in an attempt to gain unauthorized access to user account credentials and payment information. When a user or bot submits repeated requests in rapid succession, the system detects the behavior and throttles or blocks further attempts for a period of time. Rate limiting drastically reduces the window for brute-force success.
Real-World Impact: Dunkin' Donuts Breach
Many brute-force attacks have resulted in data breaches that cause costly financial, reputational and legal damage. Dunkin' Donuts suffered two large-scale credential-stuffing attacks. Millions of automated login attempts compromised thousands of user accounts, resulting in lawsuits and brand damage. Robust rate limiting could have throttled these malicious requests and prevented account takeover.
Broader Use Cases
Rate limiting also helps defend against:
Credential stuffing
User enumeration
Payment fraud
API-layer denial-of-service (DoS) attacks
NowSecure strongly recommends that organizations implement rate limiting across all endpoints and validate those protections during testing. (Evaluate your app with NowSecure Platform automated mobile application security testing or engage NowSecure Pen Testing as a Service (PTaaS) for expert validation.)
Encrypted Message Bodies: Secure API Payloads in Transit
Encrypting API message bodies increases security by concealing payload content from unauthorized parties, even when they intercept network traffic.
Why Encryption Matters
Without encryption, attackers on the same network can observe or manipulate messages in transit. Encryption obscures message structure and content, requiring attackers to invest significantly more time and resources to launch an attack. Many give up and move on to easier targets.
Don’t leave attackers with low-hanging fruit. Make them climb the tree with thorny leaves and slippery branches to annoy and deter them.
Encryption Types
Symmetric encryption uses a shared key to encrypt and decrypt the message — fast but riskier if key exposure occurs.
Asymmetric encryption is more resource intensive. It encrypts with a public key; only the corresponding private key can decrypt the data.
Hybrid encryption combines both methods. It encrypts the message with a symmetric key, then encrypts that key with a public key for secure transmission.
Case Study: PowerSchool Breach
In the PowerSchool breach, attackers modified the API queries issued to a database to exfiltrate student, parent and employee data. Encrypted message bodies could have concealed the request parameters and blocked the tampering that enabled the exploit.
Mobile Considerations
Mobile apps frequently exchange data with backend services. Attackers with network access can intercept unencrypted messages to perform malicious acts. Encrypting API message bodies across both mobile and web platforms ensures confidentiality and resists traffic manipulation.
Strengthen Security with Layered Controls
Layered API controls including HMAC validation, rate limiting, and encrypted message bodies protect critical functionality, block unauthorized access and reduce the likelihood of a costly breach.
NowSecure enables organizations to test and validate API protections through mobile PTaaS. Our expert pen testers replicate real-world attacks and deliver actionable mitigation strategies to help security teams strengthen defenses before adversaries strike.
The post Top 3 Defense-in-Depth Security Controls to Protect APIs Against Attacks appeared first on NowSecure.