Thoughtful Monkey

Reputation: 668

Stop api abuse before user is authenticated

We have an Android app. Users need to log in using an SMS-based OTP before the app can be used.

Our request-for-OTP endpoint is a public API. Attackers have started to abuse this API: 10x more API calls compared to actual users.

What are the different ways this can be prevented? The solution should work at scale; response time and server resources should not be impacted.

Upvotes: 0

Views: 339

Answers (1)

Erik Oosterwaal

Reputation: 4384

This is called SMS pumping.

You could do some server-side throttling by IP address and/or telephone number. But a persistent abuser could have blocks of numbers and IPs available.

The best solution is to have your app sign the payloads you send to your backend. If an unsigned or incorrectly signed payload comes in, don't send an OTP.

For iOS there's attestation, for Android there's Play Integrity. These APIs allow you to verify that a call to your backend originated from a genuine app.

Upvotes: 0
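The two server-side measures from the answer above, payload signing and per-IP / per-phone throttling, combined into one request gate for the OTP endpoint. This is an added example, not code from the question or the answer; the `SIGNING_KEY`, the limits, the sample IP and the phone number are constructed values, and the HMAC scheme stands in for whatever signing or Play Integrity token your app actually produces.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo secret. In production this comes from a secret manager;
# with Play Integrity you would verify Google's token instead of a shared key.
SIGNING_KEY = b"demo-shared-secret"


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps of accepted events

    def allow(self, key, now):
        q = self.events[key]
        # Drop events that have fallen out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def sign(phone, timestamp, key=SIGNING_KEY):
    """HMAC-SHA256 over the request fields the app must commit to."""
    msg = f"{phone}|{timestamp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class OtpRequestGate:
    """Decide whether an OTP request may be forwarded to the SMS provider."""

    def __init__(self, ip_limit=20, phone_limit=3, window=3600, max_skew=300):
        self.by_ip = SlidingWindowLimiter(ip_limit, window)
        self.by_phone = SlidingWindowLimiter(phone_limit, window)
        self.max_skew = max_skew  # seconds a signed timestamp stays acceptable

    def check(self, ip, phone, timestamp, signature, now=None):
        now = time.time() if now is None else now
        # 1. Signature first: it is the cheapest rejection and keeps unsigned
        #    bot traffic from ever consuming a rate-limit slot or an SMS.
        if abs(now - timestamp) > self.max_skew:
            return "reject:stale"
        if not hmac.compare_digest(sign(phone, timestamp), signature):
            return "reject:bad_signature"
        # 2. Throttle by source IP, then by target phone number.
        if not self.by_ip.allow(ip, now):
            return "reject:ip_rate"
        if not self.by_phone.allow(phone, now):
            return "reject:phone_rate"
        return "allow"


if __name__ == "__main__":
    gate = OtpRequestGate(ip_limit=5, phone_limit=2)
    t = 1_700_000_000
    sig = sign("+15550100", t)
    for attempt in range(4):
        print(gate.check("203.0.113.5", "+15550100", t, sig, now=t + attempt))
```

The timestamp only bounds replay of a captured request to the skew window; the per-phone limit is what caps the SMS spend even when a valid signature is replayed, and a nonce store would close the gap fully. The in-memory deques are enough to show the logic; at the scale the question describes, the counters would live in a shared store such as Redis so every backend instance sees the same counts.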
