
Is it possible to fake progress on a mobile app if you managed to figure out the relevant API endpoints?

In many mobile apps, one is required to complete tasks in order to mark them as complete/gain progress. This can range from completing lessons on a language learning app like Duolingo, to completing training courses that might be legally required by employers.

My question is, if you managed to figure out what the API endpoints for the relevant mobile app were, would it be straightforward to fake completing these tasks? As far as I understand, there is no way to be sure that an HTTP request is coming from a trusted mobile app. So, if one were motivated to do so, could one send requests to the 'I completed task X' endpoint and easily gain progress on the app without actually doing the work? For example, running a bot to complete 10 lessons a day on Duolingo.

My suspicion is that you cannot prevent malicious users from doing such a thing. In this case, are there any strategies that companies will employ to increase the difficulty for such users to meddle dishonestly? Something that came to mind was embedding an API key within the app code and using it to sign requests. Although this key could still be found if one delved through the entire app code, it seems like it might be a lot more work and hence deter some people. However, if just one person put in the work to figure out how to fool your backend, they could easily distribute this. I imagine this would be illegal if laid out in the TOS.

My main points are:

  • Could this easily be done?
  • If so, what can be done to prevent it/make it more difficult?
  • Would such a thing be illegal if laid out in the TOS?

Thanks!

If the progress is tracked through, for example, a quiz to check the user's knowledge (Duolingo does that, for example), they can validate the answers server-side to prevent cheating.

But yes, there are apps where you can just send a request to one of their endpoints to gain 'progress'. But generally this is only possible when the data integrity is not that important. Those progress tracking apps you mention are intended for self help, so there is not much point in cheating.
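To make the difference between the two designs in this answer concrete, here is an added example (not from the original answers, with a constructed lesson bank and hypothetical class names): a backend that simply believes the client's "I completed lesson X" call, beside one that hands out the prompts itself, checks every answer server-side, and refuses sessions that are replayed or finished faster than a human could.

```python
"""Added example: a lesson-progress backend that trusts the client's
'I completed lesson X' claim, beside one that validates the work server-side.
Not from the original post; lesson data and class names are constructed."""
import secrets
import time

# Constructed sample lesson bank: the expected answers live only on the server.
LESSONS = {"basics-1": [("hola", "hello"), ("gato", "cat"), ("agua", "water")]}
MIN_SECONDS = 20  # three prompts cannot be read and answered instantly


class NaiveProgress:
    """The client asserts completion and the server believes it."""

    def __init__(self):
        self.completed = set()

    def complete(self, user, lesson_id):
        # Anyone who knows this endpoint can call it in a loop (the bot case).
        self.completed.add((user, lesson_id))
        return True


class ValidatedProgress:
    """The server issues the prompts, grades the answers, then records progress."""

    def __init__(self, clock=time.monotonic):
        self.completed = set()
        self.sessions = {}  # token -> (user, lesson_id, started_at)
        self.clock = clock  # injectable so the timing rule can be tested

    def start(self, user, lesson_id):
        token = secrets.token_urlsafe(16)  # unguessable, single-use session id
        self.sessions[token] = (user, lesson_id, self.clock())
        return token, [prompt for prompt, _ in LESSONS[lesson_id]]

    def submit(self, token, answers):
        session = self.sessions.pop(token, None)  # one attempt per token
        if session is None:
            return False  # unknown or replayed token
        user, lesson_id, started_at = session
        if self.clock() - started_at < MIN_SECONDS:
            return False  # finished impossibly fast: likely automation
        expected = [answer for _, answer in LESSONS[lesson_id]]
        if [a.strip().lower() for a in answers] != expected:
            return False  # wrong answers earn no credit
        self.completed.add((user, lesson_id))
        return True
```

The naive endpoint is exactly the "send a request and gain progress" case; the validated one still cannot tell whether the caller is the real app, but a caller now has to actually know the answers and spend the time.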

Your Question

My question is, if you managed to figure out what the API endpoints for the relevant mobile app were, would it be straightforward to fake completing these tasks? So, if one were motivated to do so, could one send requests to the 'I completed task X' endpoint and easily gain progress on the app without actually doing the work? For example, running a bot to complete 10 lessons a day on Duolingo.

Yes. From the moment you reverse engineer how a mobile app communicates with its backend, you are in a position to automate such communication from a bot, or with one-off requests from cURL or a tool like Postman.

Could this easily be done?

MitM attacks are the most popular technique used to learn how a mobile app communicates with its backend, and you can read my article Steal that Api Key with a Man in the Middle Attack to see how easy it is to intercept the https call made to the backend:

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

While the article is in the context of extracting an API key from the request, the steps are the same for learning how a mobile app communicates with its backend.

If the mobile app is using certificate pinning to protect against a MitM attack, then you can learn how to bypass it by following my article How to Bypass Certificate Pinning with Frida on an Android App:

Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.

Bypassing certificate pinning is not too hard, just a little laborious, and allows an attacker to understand in detail how a mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.

A Possible Solution

As far as I understand, there is no way to be sure that a HTTP request is coming from a trusted mobile app.

You can have a very high degree of confidence that requests are indeed from a genuine and unmodified version of your mobile app when you use a Mobile App Attestation solution.

If so, what can be done to prevent it/make it more difficult?

I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

In a nutshell, the Mobile App Attestation will allow for the backend to have a very high degree of confidence that the incoming request is not from a bot or any other type of automation, nor from replay attacks or one-off manual requests outside the mobile app.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIS

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
