y">

How the Barracuda Web Application Firewall Secures Your Mobile and IoT Services

Download PDF

Executive Summary

The mobile application space has experienced an unprecedented growth in recent years, and it’s no surprise: Mobile applications enhance productivity, provide new venues to reach customers, and deliver services. Because of its rapid progression, there has also been an expeditious growth of the Internet of Things (IoT).

In 2014, Goldman Sachs predicted that by 2018 consumers will spend 626 billion dollars via mobile applications, and Gartner predicts that by 2020 there will be 26 billion connected IoT devices.

With the advent of these applications and devices, your application servers are a more attractive target than ever before. This whitepaper takes you through the vulnerabilities, and shows you how the Barracuda Web Application Firewall provides the ideal frontline of defense.

Risks of Exposing APIs for Mobile and IoT Applications

The radical increases in reach and productivity provided by mobile services has led to companies building a mobile presence for their businesses and services.

Many new companies are fully mobile businesses, with no traditional website providing access to their services (e.g., Uber). Banks are also encouraging customers to move to mobile banking applications for all types of transactions. Other than convenience, mobile applications are allowing organizations to track a lot of metrics to get more customer data.

Unfortunately, the move to mobile has come with some perils. In many cases, while the web application is secure, the mobile application does not have the same level of security; therefore, it becomes an easy opening for attackers. Companies do not invest sufficiently in mobile security and this leads to data leakage and attacks via this new surface/vector.

Mobile and IoT Applciation typically expose their interfaces to the world via APIs, which are the mobile world’s analogue to web applications. As with web applications, vulnerabilities are rampant in the mobile applications as well.

Most Mobile/IoT applications and their APIs are quickly developed in order to get into the market as soon as possible. This leads to cutting corners and insufficient application of good security practices during development. As previously mentioned, many mobile applications do not have the same level of authentication security as their web counterparts. At times, these apps use spoofable information such as device identifiers and geolocation data for authenticating users.

Barracuda Web Application Firewall Protects the API Infrastructure

The Barracuda Web Application Firewall protects the entire API attack surface. As a reverse proxy, it intercepts and inspects all traffic to the API for malicious inputs. Using Virtual Patching, the Barracuda Web Application Firewall enables you to immediately remediate any known vulnerability in the API or framework. It provides a secure SSL/TLS stack that uses only strong ciphers and supports perfect forward secrecy. SSL/TLS can be offloaded to the Barracuda Web Application Firewall and help relax the API infrastructure.

To improve mobile and IoT security, the OWASP has compiled two lists of the top 10 vulnerabilities that affect mobile and IoT applications. The Barracuda Web Application Firewall provides complete protection against all the server-side vulnerabilities on this table (Note: M = mobile, I = IoT):

Vulnerability:
M1 - Weak Server Side Controls,
I1 – Insecure Web Interface,
M7 – Client-side Injection,
M7 – Client-side Injection,
I8 – Insecure Mobile Interface,

  • Description:
    A mobile or IoT application typically works by exposing APIs for client applications to use. In many cases (due to trying to quickly get to market on time), insecure coding practices lead to multiple vulnerabilities in the API. These bugs can expose almost everything bad that can happen on the server side to the world.
    Some IoT applications also provide a web, cloud, or mobile-based front end configuration and monitoring. These contain the same vulnerabilites that any web application could be hit with.
    Client-side injection attacks are typically SQL injection, JavaScript or XML-based attacks from a compromised mobile client. These attacks could be used to perform data theft, privilege escalation attacks, etc. This typically occurs when user inputs are not sanitized before execution.
  • Barracuda Web Application FireWall Solution:
    Employs a mix of positive and negative security for filtering all inputs from the client application to prevent known and unknown (zeroday) attacks. It blocks any inputs that can be executed unintentionally inside interpreters. It also deep inspects all parts of the client request to detect script injection.
    The Barracuda Web Application Firewall normalizes all payloads for common encoding schemes prior to inspection and applies the protocol and limit-based checks.
    Finally, it inspects all XML and JSON inputs to detect obfuscated malicious payloads that are meant to evade detection.

Vulnerability:
M3 - Insufficient Transport Layer Protection,
I4 – Lack of Transport Encryption

  • Description:
    A mobile application that uses SSL/TLS may not implement the solution properly. Very often, authentication happens over SSL/TLS, but other transactions that follow happen over plain text. In some cases, data may be weakly encrypted. In others, strong encryption may be in force, but security warnings are ignored or fallback (in case of failure) is in plain text.
    Very often IoT devices do not have transport encryption enabled for their local web interfaces or APIs. This causes a major problem with all data being transmitted in plain text and vulnerable.
  • Barracuda Web Application FireWall Solution:
    Implements strong cryptography in SSL offloading and Instant SSL. With Instant SSL, it can provide a secure front end immediately without any changes on the server side. This ensures that SSL is always on for the application, even after authentication.
    The Barracuda Web Application Firewall also supports Perfect Forward Secrecy.

Vulnerability:
M5 - Poor Authentication and Authorization,
I2 – Insufficient Authentication/Authorization

  • Description:
    Mobile applications often overlook an important aspect of application security: strong and secure authentication, and authorization systems. This is typically done in the interest of usability.
    When implemented, the mobile application may use authentication along with spoofable contextual values such as device identifiers or geolocation. Compromise leads to unauthorized access and privilege escalation attacks, among others.
    Any IoT application that provides a web or API interface could be vulnerable to the same poor AA schemes as mobile and web applications.
  • Barracuda Web Application FireWall Solution:
    Can pre-authenticate API services or completely offload authentication to itself. It integrates with existing authentication systems (LDAP, RADIUS, etc.), and supports client certificates, CRL and OCSP. It can whitelist and validate API keys in any part of the requests.
    The Barracuda Web Application Firewall enforces verb-based security constraints and access control to restrict access to specific methods for resources using its granular profiling capabilities.

Vulnerability:
M8 - Security Decisions via Untrusted Inputs,
M9 - Improper Session Handling

  • Description:
    At times, specific security decisions (like authentication and authorization) are taken based on weak parameters such as cookies,tokens, etc.
    For the sake of usability and convenience, mobile application sessions are typically longer than web applications. Many apps maintain sessions via http cookies, SSO tokens, or use device identifiers as persistent tokens. When compromised, it can lead to privilege escalation and unauthorized access – typically used to circumvent payment for the app services.
  • Barracuda Web Application FireWall Solution:
    It enforces session security and integrity by signing or encrypting tokens to prevent MITM attacks.

Vulnerability:
I5 – Privacy Concerns

  • Description:
    An IoT device or application that collects sensitive data can be vulnerable to all of the issues discussed above.
  • Barracuda Web Application FireWall Solution:
    Provides full server-side protection to the IoT application during connection setup and transmission as discussed in the above sections.
In addition to the vulnerabilities listed above, the Barracuda Web Application Firewall also protects your mobile application against other attacks. It can prevent competitors or price watching websites from scraping your API and pulling your information from your website. These requests, which can impose an excessive load on your backend, are mitigated by using brute force and anti-DDoS policies. The Barracuda Web Application Firewall enables you to ensure SLAs to customers and business partners by having granular access policies to different resources.

The Barracuda Web Application Firewall also allows you to scale more efficiently by offloading authentication and SSL/TLS from your backend servers. REST APIs are chatty by nature and offloading SSL/TLS to the Barracuda We b Application Fi rewall re laxes yo ur infrastructure. Th e Barracuda Web Application Firewall’s connection multiplexing feature allows you to optimize these connections. It keeps a pool of connections open between the server, and it also multiplexes all client requests between them. This also ensures that your infrastructure is spared the impact of constant connection setup and teardown.

Being a reverse proxy, the Barracuda Web Application Firewall enables caching for your API. This speeds up API delivery and reduces server load. Being HTTP aware, the Barracuda Web Application Firewall will only cache safe methods (GET) and avoid caching unsafe methods (POST). The Barracuda Web Application Firewall’s compression module can compress XML or JSON data in responses, improving delivery of services over bandwidth constrained mobile networks.

Conclusion

As a security solution, the Barracuda Web Application Firewall provides complete and powerful security for mobile and IoT applications and services. It provides award-wining protection against hackers who leverage protocol or application vulnerabilities to instigate identity theft, denial of service, or data theft against your mobile application.

The Barracuda Web Application Firewall has data center ready functionalities such as load balancing, SSL offloading, high availability clustering, and third party reporting integrations that make it a powerful and easy-to-use solution.

With more than a decade of experience in securing web applications, the Barracuda Web Application Firewall is the proven solution used by many of the largest organizations in the world to secure their valuable assets against web threats. Whatever your platform of choice—be it physical, virtual or cloud—the Barracuda Web Application Firewall can protect you everywhere.