Strategies to Stop Credential Stuffing Attacks on Mobile Apps

by George McGregor on November 18, 2024

Identity-based and social engineering attacks are surging in 2024. Stolen credentials give hackers immediate access and control… and an instant path to stealing data and orchestrating ransomware attacks. Credential stuffing attacks are the method of choice for hackers, so what are the steps you need to take to prevent them? 

This blog lays out the steps that mobile developers and security professionals must take to stop credential stuffing attacks and better protect mobile apps… and APIs.

What is Credential Stuffing?

Credential stuffing usually uses stolen login and password data to access user accounts. This data may be obtained by social engineering methods such as convincing users to share protected data, by direct exfiltration using malware tools, or by purchasing it on the dark web. In essence, these are brute-force attacks that try username/password pairs until some of the combinations work.

In fact, attackers don’t even need leaked, compromised, or stolen credentials. If an attacker can work out the format of username/password pairs used by legitimate users of the app, and acquire the address of the server or API which is used, all they need is to build an automated tool to send credential guesses to the targeted server. “Password spraying” is a term used for attacks which try common passwords across multiple accounts in an effort to find a combination that works. 

OWASP describes Credential Stuffing as “the automated injection of breached username/password pairs to fraudulently gain access to user accounts.”

With a match achieved, the attacker can then execute the next step of the attack, performing an account takeover on the victim’s account.

Some organizations try to stop credential stuffing attacks at the network level, hoping to spot an attacker sending malicious requests to the server. But attacks are getting more sophisticated and attackers rotate their IP addresses and Device IDs, and they use fake devices, emulators and more to hide their tracks. Network level protections are not an effective way to stop credential stuffing attacks.

Anatomy of a Mobile Credential Stuffing Attack

Sophisticated hackers build attacks in stages, and here’s how credential stuffing or Account Takeover (ATO) attacks typically work in mobile apps:

1. Obtaining Credentials: Attackers acquire large lists of username/password combinations from previous data breaches or the dark web. These credentials may not be from the targeted mobile app itself, but from other breached services. An attacker may not even need passwords: email addresses and password guesses may be enough.

2. Automated Login Attempts: Attackers use automated tools, bots, or scripts to attempt logins on the mobile app’s authentication endpoints. These tools can try thousands of login attempts per second. All the information needed to carry out the attack can be found inside the mobile app itself.

3. Bypassing Security Measures: The basic approach can be turned into advanced attacks by using techniques to bypass security measures such as:

  • Distributing login attempts across multiple IP addresses
  • Mimicking legitimate user behavior
  • Using device emulators or simulators to appear as genuine mobile devices

4. Successful Account Access: Even with a low success rate (often less than 1%), the sheer volume of attempts can lead to a handy collection of compromised accounts for the attacker.

5. Exploiting API Vulnerabilities: Attackers may also extract API endpoints, API keys and server information from the mobile app itself. This information is used to direct the automated login attempts to the correct servers. Well known API vulnerabilities such as BOLA can be tested to see if different users’ data can be accessed.

6. Account Takeover: Once access is gained, attackers can:

  • Extract personal information
  • Make unauthorized transactions
  • Use the account for further malicious activities including ransomware attacks

7. Scaling the Attack: Successful credentials are often used to attempt logins on other services, exploiting password reuse.

Credential stuffing attacks on mobile apps are particularly dangerous because they can exploit the app’s own API and authentication mechanisms, making them harder to detect and prevent compared to web-based attacks.

How to Prevent Mobile Credential Stuffing and Password Spraying Attacks

Let's break down the types of defenses that must be on your plan of action. The steps to take are as follows, effectively in order of importance:

  1. User Education
  2. Take Steps to Protect Passwords
  3. Continuous Monitoring
  4. Implement Zero Trust Run Time Protection

The first two alone do not provide adequate defense and the third is only useful if there is an ability to act immediately on intelligence gathered. Only the fourth on the list is truly effective in blocking attacks. We will look closer in the following sections. 

1. User Education

First on our list is to take every opportunity to educate your users about the risks of bad password hygiene including: 

  • The risks of password reuse
  • Using password managers
  • Encouraging the use of MFA on their accounts
  • How to recognize phishing attempts

2. Take Steps to Protect Passwords

Next on our list is to take care to protect passwords everywhere they are stored and communicated. This will include: 

  • Implement strong authentication measures (e.g., MFA, biometrics)
  • Use encryption for stored credentials and API information. Best practice for mobile banking apps is to use AES-256 encryption to encrypt all usernames/passwords stored inside the app
  • Use secure, HTTP-only cookies for session management
  • Make sure the channels which mobile apps use to communicate with backend systems and APIs are encrypted and pinned in order to prevent MitM attacks from stealing passwords or derailing MFA. 

3. Continuous Monitoring

You can’t protect against what you cannot see. You need visibility to threats against your apps in real time so that you can track new and evolving threats, and immediately be alerted when credentials are abused and see brute force attacks as they unfold.

You should also monitor dark web forums for leaked credentials associated with your user base, to stay ahead of the hackers' game.

By gaining this visibility you will be able to see threats, in some cases before they become an issue. However, it is also essential to be able to act immediately; if you cannot, the data you have is worthless. It is also essential to think about service continuity: how do you continue to provide service to genuine customers when issues arise? You must be able to immediately isolate and block problematic accounts and devices, and you should be able to immediately rotate API keys and other secrets when they need to be changed. Your security team should also be able to update security policies immediately as they see new threats evolve.
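As an added example (not code from the original post), here is a small detector run over a constructed authentication log. It looks for the two patterns this section and the earlier "Anatomy" section describe: failures spread over many accounts from rotating IPs so that no single IP trips a per-IP limit, and one account hit from many IPs followed by a success. The log format, column order and thresholds are assumptions.

```python
from collections import Counter, defaultdict, namedtuple

# Constructed sample auth log (not real traffic), one login attempt per line:
# "<epoch> <endpoint> <username> <client_ip> <device_id> <result>"
SAMPLE_LOG = """\
1700000000 /v1/login alice@example.com 203.0.113.10 dev-a1 success
1700000002 /v1/login bob@example.com 198.51.100.7 dev-b2 fail
1700000003 /v1/login carol@example.com 198.51.100.8 dev-b3 fail
1700000004 /v1/login dave@example.com 198.51.100.9 dev-b4 fail
1700000005 /v1/login erin@example.com 198.51.100.10 dev-b5 fail
1700000006 /v1/login frank@example.com 198.51.100.11 dev-b6 fail
1700000007 /v1/login grace@example.com 198.51.100.12 dev-b7 fail
1700000008 /v1/login heidi@example.com 198.51.100.13 dev-b8 fail
1700000011 /v1/login victim@example.com 198.51.100.16 dev-b11 fail
1700000012 /v1/login victim@example.com 198.51.100.17 dev-b12 fail
1700000013 /v1/login victim@example.com 198.51.100.18 dev-b13 fail
1700000014 /v1/login victim@example.com 198.51.100.19 dev-b14 success
"""

Event = namedtuple("Event", "ts endpoint user ip device result")
Alert = namedtuple("Alert", "kind detail")

def parse_login_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines rather than crash the pipeline
        events.append(Event(int(parts[0]), *parts[1:]))
    return events

def analyze_login_log(text, window_s=60, min_failures=10, min_users=8,
                      per_ip_limit=5, min_ips_per_user=3):
    alerts = []
    buckets = defaultdict(list)
    for e in parse_login_log(text):
        buckets[e.ts // window_s].append(e)  # fixed time windows
    for _, evs in sorted(buckets.items()):
        fails = [e for e in evs if e.result == "fail"]
        users = {e.user for e in fails}
        busiest_ip = max(Counter(e.ip for e in fails).values(), default=0)
        # Signal 1: many failures over many accounts, yet every single IP stays
        # under the per-IP limit, the rotating-IP pattern network controls miss.
        if len(fails) >= min_failures and len(users) >= min_users and busiest_ip < per_ip_limit:
            alerts.append(Alert("distributed_credential_stuffing",
                                f"{len(fails)} failures across {len(users)} accounts; "
                                f"busiest IP made {busiest_ip}, below limit {per_ip_limit}"))
        # Signal 2: one account hammered from many IPs; a success after the
        # failures is the moment to lock the account and revoke its sessions.
        by_user = defaultdict(list)
        for e in evs:
            by_user[e.user].append(e)
        for user, ues in by_user.items():
            fail_ts = [e.ts for e in ues if e.result == "fail"]
            fail_ips = {e.ip for e in ues if e.result == "fail"}
            if len(fail_ips) < min_ips_per_user:
                continue
            taken = any(e.result == "success" and e.ts > max(fail_ts) for e in ues)
            alerts.append(Alert("possible_account_takeover" if taken else "account_under_attack",
                                f"{user}: {len(fail_ts)} failures from {len(fail_ips)} IPs"
                                + (", then a successful login" if taken else "")))
    return alerts
```

Feeding the sample log through `analyze_login_log` raises both alerts even though no IP made more than one attempt, which is exactly the case a per-IP or per-device throttle would let through.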

4. Implement Zero Trust Run Time Protection 

Making sure passwords are protected, and having a good Identity and Access Management (IAM) solution in place, are essential first steps, but these are still not sufficient to prevent credentials from being stolen and weaponized. You need to put in place transaction-level validation at run time to prevent any credential abuse as it happens. Generally this means deploying app attestation and mobile Runtime Application Self Protection (RASP). Here are the protections such a solution can bring:

  • Permit Only Trusted Mobile Apps to Connect to Your Backend Servers and APIs

Attackers modify apps and create scripts and fake apps to launch attacks. App attestation is a run time technique used to provide proof that an app is truly authentic and unmodified. The running app must prove itself to be genuine through a sequence of integrity measurements and the result of this can be communicated to the backend servers in every request. The server then inspects the token, and can immediately block any traffic from anything other than genuine apps.

  • Prevent Weaponization of Apps By Emulators, Simulators, and Debugging Tools

Attackers can also manipulate the client environment at runtime to interfere with the operation of the app. The local client should never be trusted and should be continuously checked for the presence of malicious tools such as Frida or mitmproxy. Similarly, an effective way to prevent a mobile credential stuffing attack in Android and iOS apps is to prevent the app from running on emulators in virtualized environments. Again, the device attestation should take place continuously at run time, and the status can be incorporated in requests to the backend to allow easy and immediate elimination of problematic requests.

  • Protect Your Own and Third-party APIs 

Most apps use a number of APIs and often the API endpoints and API keys are visible inside the logic of the app. Attackers are good at finding the server address, server passwords and API keys needed to launch a credential stuffing attack. You must get API keys and secrets out of your app code by using a solution which provides dynamic secrets protection and management, delivering API keys to apps only if they pass attestation checks. This type of solution also allows immediate rotation of secrets and certificates when they need to be updated.

  • Block Man-in-the-Middle Attacks

Hackers can carry out MitM attacks on mobile apps and devices to extract credentials and keys, even if traffic is encrypted. Certificate pinning is your best defense against MitM attacks and a solution that implements dynamic pinning can make management easy and ensure service continuity. 

How Approov Blocks Credential Stuffing

Authenticating both the user and the app is essential for securing back-end services and preventing brute force attacks from bots or scripts. This, along with two-factor authentication, provides a robust defense against scripted attacks. Approov Mobile Security performs an ongoing, deep inspection of mobile apps and the devices they are running upon, and based on this guarantees the authenticity of requests to backend APIs and services. Read the felyx customer testimonial about how they used Approov to stop credential stuffing attacks.

Approov ensures that only genuine mobile app instances, running in safe environments, can use your APIs, and blocks any credential stuffing attacks by scripts, bots, modified apps and fake apps. Only apps that have been registered with the Approov service and which meet the runtime environmental criteria are issued with valid Approov tokens, which are JSON Web Tokens (JWTs). Approov tokens are signed with a secret known only to the Approov cloud service and the backend API. The secret is never contained within the app itself, so it cannot be extracted. App registrations can be added and revoked immediately from the Approov service, allowing tight control over which app versions can access your API.
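As an added illustration of the mechanism described above (this is not Approov's SDK, token format or API), here is how a backend can gate every request on a short-lived HS256 JWT whose secret is shared only between the attestation service and the API. `issue_app_token` stands in for the attestation service, and the `X-App-Token` header name and claim layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed header name used by the app to carry its attestation token.
APP_TOKEN_HEADER = "X-App-Token"

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_app_token(secret: bytes, app_id: str, now: float, ttl: int = 300) -> str:
    """Stand-in for the attestation service: mint a short-lived HS256 token.

    Only the attestation service and the backend hold `secret`; the app never
    does, so a script, bot or modified app cannot produce a token that passes
    verify_app_token().
    """
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": app_id, "iat": int(now), "exp": int(now) + ttl}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_app_token(token: str, secret: bytes, now=None):
    """Return the claims of a valid token, or None if the request must be blocked."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; never let the token pick "none" or another scheme.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, signature):
        return None
    # Attestation results are only valid briefly: an expired token means re-attest.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def should_serve(request_headers: dict, secret: bytes, now=None) -> bool:
    """Gate every API request: no valid app token, no service."""
    token = request_headers.get(APP_TOKEN_HEADER)
    return token is not None and verify_app_token(token, secret, now) is not None
```

A token with a forged payload, an `alg` of `none`, a wrong secret or an expired `exp` all fail `verify_app_token`, so the backend can drop such requests before the login logic ever runs.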

Approov detects a full range of potentially unsafe mobile device environments including device rooting/jailbreaking, emulator or debugger usage, malicious instrumentation frameworks, and cloned apps. Customers can specify which policies should be enforced. Changes to security policies roll out immediately to active apps without the need to update the apps.

Approov also provides full protection against Man-in-the-Middle attacks by providing full pinning and dynamic certificate management to ensure service continuity. In order to allow dynamic and rapid reaction to changing threats, policies can be modified and certificates and pins can be updated over-the-air without the need to update and roll out new versions of an application.

Conclusion 

Here is a quote from one of our customers: “Before integrating Approov, we were concerned about the risk of credential stuffing attacks on our shared e-moped platform. We realised that we needed an out-of-the-box security solution that enabled us to focus our resources and productivity on developing our core product. Approov provided the perfect solution to our problem.” – Arthur Bloemen, Head of Product and Technology at felyx.

Approov are experts on mobile app and API security. If you need protection against credential stuffing or any other threat contact us.

*** This is a Security Bloggers Network syndicated blog from Approov Blog authored by George McGregor. Read the original post at: https://blog.approov.io/how-to-prevent-credential-stuffing-attacks-on-mobile-apps
