I’ve learned some rather intriguing things about what our mobile apps are doing while we’re not looking in the six days since I launched the challenge to find crazy stuff in mobile app communications.
For example, there’s the social app that allows you to accept friend requests on behalf of someone else if you call the API in the right way. Sequential user IDs and no rate limiting help that one along nicely.
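The friend-request problem above comes down to two missing server-side controls: the API never checks that the caller is the recipient of the request, and nothing slows down a caller who walks through sequential IDs. The following is an added illustration, not code from the app in question or from anyone else; the request store, the IDs and the limits are constructed for the example. It shows the anti-pattern next to a hardened handler that enforces ownership and applies a per-user sliding-window rate limit.

```python
"""Constructed example: accepting a friend request with and without an
ownership check and a rate limit. Not the code of any real app."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FriendRequest:
    request_id: int
    sender: int      # user id of the person asking
    recipient: int   # user id of the person who must accept
    accepted: bool = False


# Constructed sample data with sequential ids, like the app described.
REQUESTS = {
    1001: FriendRequest(1001, sender=7, recipient=42),
    1002: FriendRequest(1002, sender=8, recipient=43),
}


class AuthorizationError(Exception):
    pass


class RateLimited(Exception):
    pass


def accept_vulnerable(request_id: int) -> bool:
    """Anti-pattern: trusts the request id alone. Any authenticated caller
    who can guess an id (trivial when ids are sequential) accepts the
    request on the real recipient's behalf."""
    req = REQUESTS[request_id]
    req.accepted = True
    return True


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds
    per key. In-memory only; a real deployment would use a shared store."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def check(self, key, now=None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60.0)


def accept_hardened(request_id: int, current_user: int, now=None) -> bool:
    """Hardened form: the acting user must be the recipient, and calls are
    rate limited per user so walking through ids is slow and noisy. A missing
    request is reported the same way as someone else's request, so the
    caller learns nothing about which ids exist. Failed attempts count
    against the limit on purpose."""
    if not LIMITER.check(current_user, now):
        raise RateLimited(f"user {current_user} exceeded the request limit")
    req = REQUESTS.get(request_id)
    if req is None or req.recipient != current_user:
        raise AuthorizationError("request not found or not addressed to you")
    req.accepted = True
    return True
```

The `now` parameter exists only so the limiter can be exercised deterministically; in a real handler `current_user` comes from the authenticated session, never from a request parameter.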
Then there’s the word game that sends you all the possible solutions via the API whilst you’re playing. That’s rather handy and it only takes a little bit of device proxying and wammo! There’s all your answers.
Or how about this detailed overview of how an API passes credentials around in the URL after storing them in clear text and making a vain attempt to thwart SQL injection. Yep.
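The three anti-patterns in that overview (credentials in the URL, clear-text storage, and a blacklist-style "sanitiser" in place of parameterised queries) each have a short, well-known fix. The code below is an added example written for this post, not the API being described; the usernames, passwords, sample URLs and the list of credential-looking parameter names are constructed. It stores salted PBKDF2 hashes, looks users up with bound parameters, and includes a small check a defender can run over access-log URLs to spot credentials travelling in query strings.

```python
"""Constructed example: storing and checking credentials properly, and a
log check for credentials leaking into URLs. Not the API the post refers to."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple, List, Dict
from urllib.parse import urlsplit, parse_qs

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for name, pw in [("alice", "correct horse"), ("o'brien", "battery staple")]:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return conn


def naive_sanitise(value: str) -> str:
    """The 'vain attempt': strip a couple of characters and hope. It mangles
    legitimate input (a name with an apostrophe) and is not a substitute
    for parameterised queries."""
    return value.replace("'", "").replace("--", "")


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: the username is bound as data, never spliced
    into the SQL text, so quotes in it are just characters."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password)  # burn the same work so timing does not reveal unknown users
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


# Constructed list of parameter names that usually carry secrets.
CREDENTIAL_PARAMS = {"password", "pwd", "pass", "passwd", "secret", "token", "api_key", "apikey"}


def credentials_in_query(url: str) -> List[str]:
    """Defensive check for logs or code review: which query-string parameter
    names look like credentials? Anything in a URL ends up in proxy and
    server logs, browser history and Referer headers, which is why
    credentials belong in a request body or an Authorization header."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in qs if k.lower() in CREDENTIAL_PARAMS)


# Constructed sample access-log URLs.
SAMPLE_URLS = [
    "https://api.example.invalid/login?username=alice&password=hunter2",
    "https://api.example.invalid/profile?id=42",
]


def scan_log(urls) -> Dict[str, List[str]]:
    """Map each offending URL to the credential-looking parameters it carries."""
    return {u: found for u in urls if (found := credentials_in_query(u))}
```

Note that `verify_login` works for the user `o'brien` without any escaping, while running the same name through `naive_sanitise` first turns it into a different (non-existent) user; the blacklist breaks legitimate input and still adds no safety over binding parameters.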
I recently caught up with Greg Shackles of the Gone Mobile Podcast and we spoke about a heap of these security anti-patterns in mobile APIs. This is off the back of my latest Pluralsight course, Hack Your API First, so if you want to know what that’s all about, the podcast will give you a really good sense of why it’s important. You can find the podcast on Gone Mobile’s site or listen to it directly here:
Oh – and if you want to take the course for free, head on over to that little challenge I mentioned earlier, leave a comment on the crazy stuff you’ve found and I’ll send you over a free pass.