ULTIMATE GUIDE TO MOBILE SECURITY
Edward Jiang
HI, I’M EDWARD!
@EdwardStarcraft
Developer Evangelist @goStormpath
DEVELOPER TOOLS FOR AUTHENTICATION
• Stormpath — Authentication as a Service
• Web Framework Integrations — Authentication in your web framework of choice
• Apache Shiro — Java security framework
• JWTK — JWT libraries for JavaScript & Java
• Simplicity — Easy social login for iOS
• Turnstile — Authentication framework for server-side Swift
USERS STORMPATH INTEGRATIONS
AUTHENTICATION
HOW DOES IT WORK?
AUTHENTICATION
IT’S ABOUT PROVING THAT YOU ARE WHO YOU SAY YOU ARE
BASIC AUTHENTICATION
GET / HTTP/1.1
Authorization: Basic Base64(username:password)
• Easy and convenient, but insecure
• Username / password needs to be stored on the device
• Username / password are sent on every request
TOKENIZATION
“myusername” and “mypassword” becomes “rCsspweTxMtz2sypA0PLGns6fkCA”
• No risk of losing the username/password from the device
• Device credentials can be independently revoked from the username/password
COOKIE AUTHENTICATION
GET / HTTP/1.1
Cookie: sessionId=rCsspweTxMtz2sypA0PLGns6fkCA
• Convenient: the server sets a cookie, and the HTTP client automatically takes care of authentication
• Server-side logic for authentication can be shared between mobile and web
• Downside: hard to understand state
BEARER AUTHENTICATION
GET / HTTP/1.1
Authorization: Bearer rCsspweTxMtz2sypA0PLGns6fkCA
• Slightly more complicated: need to write an endpoint, and a format for the client to understand
• Need to deal with storing the token (use the iOS Keychain or Android SharedPreferences)
• But gives ultimate control over token usage and state. Preferred method
STATELESS TOKENS
• Used at scale in larger APIs
• Self-contained, unlike “dumb” / opaque tokens
• Can be validated easily without a round trip to a central database
• Harder to use properly
JSON WEB TOKEN
eyJrafea.eyJzdWIiopkIefwEWFd.dPPxume
Header . Body . Signature
Header:
{
"typ": "JWT",
"alg": "HS256"
}
Body:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1487260586,
"exp": 1487264186
}
STORMPATH MOBILE SDKS
• Uses the Stormpath API to authenticate users & validate their identity
• Authenticate to your APIs with Bearer Authentication
• Use JWTs for scalability
LET’S SEE SOME CODE!
FINISHED RESULT
• GitHub: https://github.com/stormpath/stormpath-ios-example
• Review this tutorial: https://stormpath.com/blog/build-note-taking-app-swift-ios
WHAT NEXT?
• Try the Android counterpart: https://stormpath.com/blog/build-user-authentication-for-android-app
• Learn how to build a REST API for mobile: https://stormpath.com/blog/tutorial-build-rest-api-mobile-apps-using-node-js
• Talk to us! Email support@stormpath.com, or edward@stormpath.com
• Follow us @EdwardStarcraft and @goStormpath on Twitter
QUESTIONS?
The Ultimate Guide to Mobile API Security