Tips & Tricks for Unmasking Ghoulish API Behavior

Jason Kent, -in-residence at Cequence, discusses how to track user-agent connections to mobile and desktop APIs in order to spot malicious activity.

I was analyzing one of my customers’ traffic the other day and I noticed something odd about the devices that were using the mobile application API. I found standard browsers like Firefox and hitting API endpoints that should only be touched by their mobile-application communication.

In the application development world, we call browsers “user agents (UA)” or “user-agent strings.” For example, when an analyst looks at a batch of web logs, they would see the user agent for Chrome appearing as “/5.0 (Macintosh; Intel Mac OS X 11_5_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36.” This is a user sitting in front of a laptop or desktop with Chrome open, browsing the web.

On a mobile application, the development staff will create a user agent for their application. It can be something like “CoolAppV1-,” or anything else they want to use. The iPhone and Android user agents are often different, but they are almost always a hand-coded string that means something to the developers.

In this way you can track what kind of devices are
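The check described above, as an added example that is not part of the original article: it parses a few constructed log lines, buckets each User-Agent as the app's own hand-coded string, a browser, or something else, and flags any request to the mobile-only API paths that did not come from the app. The app UA prefix `CoolApp/`, the path prefix `/api/mobile/` and the simplified log format are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not real customer traffic). Simplified format:
# client, request line, status, User-Agent.
SAMPLE_LOG = """\
203.0.113.5 "POST /api/mobile/v1/login HTTP/1.1" 200 "CoolApp/1.4 (iOS 15.0; iPhone13,2)"
203.0.113.6 "GET /api/mobile/v1/cart HTTP/1.1" 200 "CoolApp/1.4 (Android 12; Pixel 6)"
198.51.100.7 "GET /api/mobile/v1/cart HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_5_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
198.51.100.8 "POST /api/mobile/v1/login HTTP/1.1" 401 "Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0"
198.51.100.9 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/92.0"
198.51.100.10 "GET /api/mobile/v1/cart HTTP/1.1" 200 "python-requests/2.26.0"
"""

# Assumed values: the mobile app's hand-coded User-Agent prefix, and the path
# prefix that only the mobile app is supposed to call.
APP_UA_PREFIX = "CoolApp/"
MOBILE_API_PREFIX = "/api/mobile/"

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

def classify_ua(ua: str) -> str:
    """Bucket a User-Agent as the app itself, a browser, or other (scripts, libraries, empty)."""
    if ua.startswith(APP_UA_PREFIX):
        return "app"
    if ua.startswith("Mozilla/"):   # desktop and mobile browsers all start this way
        return "browser"
    return "other"

def parse_line(line: str):
    """Split one log line into its fields; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, status, ua = m.groups()
    return {"client": client, "method": method, "path": path, "status": int(status), "ua": ua}

def find_anomalies(log_text: str):
    """Return (client, path, ua_kind, ua) for mobile-only endpoints hit by a non-app UA."""
    anomalies = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MOBILE_API_PREFIX):
            continue
        kind = classify_ua(rec["ua"])
        if kind != "app":
            anomalies.append((rec["client"], rec["path"], kind, rec["ua"]))
    return anomalies

def ua_breakdown(log_text: str) -> Counter:
    """Count UA kinds per endpoint class; this is the baseline anomalies stand out from."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            scope = "mobile_api" if rec["path"].startswith(MOBILE_API_PREFIX) else "web"
            counts[(scope, classify_ua(rec["ua"]))] += 1
    return counts

if __name__ == "__main__":
    for client, path, kind, ua in find_anomalies(SAMPLE_LOG):
        print(f"{client:14} {kind:8} {path}  {ua[:40]}")
```

On real traffic the same breakdown is worth keeping per endpoint over time, since a sudden rise in browser or library UAs on app-only paths is the signal the article describes.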

Read More: https://threatpost.com/unmasking-ghoulish-api-behavior/175253/