Secure your app API

The past month I tested 3 web / mobile applications on security, and 2 of them really had some big issues. They were medium sized business apps, I have sent them detailed reports, and they have fixed the issues. I won’t discuss any further details about them, I will however list the problems I found, so you can avoid having the same problems, and keep your customer data secure.

No SSL certificate installed (on API and / or web dashboard)
using unsecure connections  when transmitting / receiving sensitive data should never be done in this day and age.

Database IDs for products and customers were md5 hashed and used in the url directly with no further checks.
MD5 in itself is not a security feature, md5 hashes are easily reversed, this particular site thought md5 hashing the database id’s  would make it impossible to access other users data, but simply hashing a large batch of id numbers to md5 would give you all customers and products of other businesses..
This could easily be avoided if they would just check in query if an id belongs to the particular user requesting it.
Also don’t rely on md5 hashing an ID for security, unless at the very least you add a large salt to your md5

You could also do this for passwords, but preferably use bcrypt

The API url from the api contained the api version
/api/v5/ this isn’t an issue in itself, but v1, v2, v3, v4 were still accessible, with their old issues and errors included.

Don’t think SSL solves all your problems
For some reason developers think if their mobile app connects to the API with SSL everything is secure.
But with a simple “man in the middle” attack in fiddler for example, people can analyze your urls, and test your app / api for vulnerabilities.
Some things you can do to secure your api:
– Use token based authentication
– Expect that people will try and change id’s / data to try and get information out of your API
– Add a rate limit to requests per minute (if someone is testing he will use a lot more requests then the normal app usage)
– Add a custom user agent to your app, and check in API (offcourse a user-agent can be changed in browser, but at least it will keep the  lightweight tweakers out)
– If something is wrong with the request dont give any information, just respond with a 503.