OneSignal, WonderPush and similar services are popular platforms for sending push notifications. However, development teams that integrate their applications with such platforms may be exposed to token-based attacks.
In this article, we examine the methods attackers use in token-based attacks and the precautions that can be taken against them.
Token Security Problem
Notification platforms use the application's user-specific device identifiers and API keys (tokens) to send notifications. These tokens may include the following:
- User Auth Tokens: identifiers used to distinguish users.
- REST API Key: the private key used to send notifications from the server.
Attackers can obtain these keys by examining the API calls of mobile applications or web platforms. They usually follow these steps:
- Application Analysis: the attacker downloads the mobile application and decompiles it (reverse engineering).
- Network Traffic Interception: tokens are obtained by analyzing the communication between the application and the notification platform's servers or services.
- API Key Usage: with the captured token, fake notifications can be sent, users can be misled, or malicious content can be distributed.
Causes of Token Security Problem
- Hard-coded Keys: developers sometimes embed the REST API Key or other credentials directly in the mobile application.
- Insufficient Encryption: if the communication between the application and the server is not protected with strong enough encryption, attackers can capture tokens by intercepting network traffic.
- Insufficient Access Control: API calls may lack user-based access control, allowing attackers to use a captured token against other users.
Solution Recommendations to Ensure Token Security
- Avoid Hard Coding
Problem: When the REST API Key or other token information is hard-coded in the mobile application, it can be extracted by reverse engineering.
Solution: Sensitive information should be stored on the server side, and only the necessary dynamic information (e.g. a temporary token) should be sent to the mobile application.
- HTTPS Usage
Problem: Communication over unencrypted HTTP exposes network traffic to eavesdropping.
Solution: All communication between the application and OneSignal should use HTTPS. Also make sure that SSL/TLS certificates are configured correctly.
- Dynamic Token Usage
Problem: When tokens with long-term validity are compromised, the risk of abuse increases.
Solution: Tokens should be short-lived and renewed regularly (e.g. a JSON Web Token, JWT). That way, even if a token is compromised, it becomes invalid within a short time.
- API Access Control
Problem: If a compromised token can be used in all API calls, the attacker has a great advantage.
Solution: User-based access control should be added to the token validation process: a given token should only be able to perform operations on behalf of its own user.
- Obfuscation of Application Code
Problem: Attackers can reverse engineer the application code.
Solution: Obfuscating the application code makes it harder to analyze. Tools such as ProGuard or R8 can be used on Android.
- Rate Limiting
Problem: A large number of API calls can be made with the hijacked tokens.
Solution: Limit the rate of API endpoints (e.g. a maximum of X requests per second from a specific IP address) to reduce the attacker's room to maneuver.
- Security Logging and Monitoring
Problem: Attacks can continue unnoticed.
Solution: Set up comprehensive logging and monitoring to detect abnormal behaviour in API calls. For example, if too many requests are made with one token in a short time, the token can be revoked automatically.
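The "Avoid Hard Coding", "Dynamic Token Usage" and "API Access Control" recommendations above fit together in one server-side pattern: the platform REST API key lives only on the backend, the mobile client receives a short-lived token bound to its own user, and the backend refuses to send on behalf of any other user. The following is an added example written for this article, not code from the article, OneSignal or WonderPush; the function names, the `PUSH_REST_API_KEY`/`TOKEN_SIGNING_SECRET` environment variables and the generic request payload in `build_push_request` are assumptions (the real platform request format is not shown on the page).

```python
"""Server-side issuance and validation of short-lived, user-bound tokens.

Added example (not from the article or any push platform). Assumed names:
issue_token, verify_token, authorize_send, build_push_request, handle_send.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# The platform REST API key stays on the server; the constructed default
# only exists so the example runs offline without configuration.
REST_API_KEY = os.environ.get("PUSH_REST_API_KEY", "placeholder-rest-api-key")
# A separate secret signs client tokens; the REST API key is never reused for this.
TOKEN_SIGNING_SECRET = os.environ.get("TOKEN_SIGNING_SECRET", "dev-only-signing-secret").encode()


class TokenError(Exception):
    """Raised when a client token is malformed, tampered with, or expired."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT for one user, valid for ttl_seconds (default 5 min)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(TOKEN_SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise TokenError("malformed token") from exc
    if header.get("alg") != "HS256":  # refuse "none" and any algorithm switch
        raise TokenError("unsupported algorithm")
    expected = hmac.new(TOKEN_SIGNING_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if now >= int(claims.get("exp", 0)):  # short lifetime limits damage from a leaked token
        raise TokenError("token expired")
    return claims


def authorize_send(token: str, target_user: str, now: Optional[int] = None) -> bool:
    """User-based access control: a token may only act on the user it was issued to."""
    claims = verify_token(token, now)
    return claims.get("sub") == target_user


def build_push_request(target_user: str, message: str) -> dict:
    """Build the server-to-platform request. The payload shape is a generic
    placeholder, not the real OneSignal or WonderPush API."""
    return {
        "headers": {"Authorization": f"Bearer {REST_API_KEY}"},
        "body": {"target_user": target_user, "message": message},
    }


def handle_send(token: str, target_user: str, message: str, now: Optional[int] = None) -> dict:
    """Backend endpoint the mobile client calls instead of talking to the platform directly."""
    try:
        allowed = authorize_send(token, target_user, now)
    except TokenError as exc:
        return {"status": 401, "error": str(exc)}
    if not allowed:
        return {"status": 403, "error": "token not authorized for this user"}
    # The network call is deliberately omitted so the example runs offline.
    return {"status": 200, "request": build_push_request(target_user, message)}


if __name__ == "__main__":
    tok = issue_token("user-42")
    print(handle_send(tok, "user-42", "hello")["status"])  # own user: accepted
    print(handle_send(tok, "user-99", "hello")["status"])  # other user: refused
```

Because the client only ever holds the short-lived token, an attacker who extracts it from the app or from intercepted traffic can neither reach the platform API (the REST API key never left the server) nor target other users, and the token stops working at `exp`.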
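The "Rate Limiting" and "Security Logging and Monitoring" recommendations can be demonstrated together on the backend that fronts the notification API: a sliding-window limiter per source IP, plus a per-token monitor that logs every decision and revokes a token once it exceeds a request threshold in a short interval. This is an added example, not code from the article or from any push platform; the class names, thresholds and the constructed `SAMPLE_REQUESTS` traffic are assumptions.

```python
"""Rate limiting and automatic token revocation for a notification API.

Added example (not from the article or any push platform). Assumed names:
RateLimiter, AbuseMonitor, process_requests, run_demo, SAMPLE_REQUESTS.
"""
import logging
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("push-api")


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key
    (here the key is the client IP; it could equally be a token id)."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class AbuseMonitor:
    """Counts requests per token and revokes a token that exceeds `threshold`
    requests within `interval` seconds; every decision is logged."""

    def __init__(self, threshold: int, interval: float):
        self.threshold = threshold
        self.interval = interval
        self._seen = defaultdict(deque)
        self.revoked = set()

    def record(self, token_id: str, now: float) -> bool:
        """Return True if the token may still be used after this request."""
        if token_id in self.revoked:
            return False
        seen = self._seen[token_id]
        while seen and now - seen[0] >= self.interval:
            seen.popleft()
        seen.append(now)
        if len(seen) > self.threshold:
            self.revoked.add(token_id)
            log.warning("token %s revoked: %d requests in %.0fs", token_id, len(seen), self.interval)
            return False
        return True


def process_requests(requests, limiter: RateLimiter, monitor: AbuseMonitor):
    """Apply per-IP rate limiting first, then per-token abuse detection.
    Returns a list of (request index, outcome) pairs."""
    outcomes = []
    for i, req in enumerate(requests):
        if not limiter.allow(req["ip"], req["t"]):
            log.info("rate limited ip=%s token=%s", req["ip"], req["token"])
            outcomes.append((i, "rate_limited"))
            continue
        if not monitor.record(req["token"], req["t"]):
            log.info("rejected revoked token=%s ip=%s", req["token"], req["ip"])
            outcomes.append((i, "revoked"))
            continue
        outcomes.append((i, "accepted"))
    return outcomes


# Constructed sample traffic (not real data):
#  - a normal client: 3 requests, one per second
#  - a hijacked token used steadily from three rotating IPs (under the per-IP limit)
#  - a scripted burst of 7 requests from one IP within half a second
SAMPLE_REQUESTS = (
    [{"t": float(i), "ip": "10.0.0.5", "token": "tok-normal"} for i in range(3)]
    + [{"t": 20.0 + i, "ip": f"198.51.100.{i % 3}", "token": "tok-hijacked"} for i in range(12)]
    + [{"t": 100.0 + i * 0.05, "ip": "203.0.113.9", "token": "tok-burst"} for i in range(7)]
)


def run_demo():
    limiter = RateLimiter(limit=5, window=1.0)          # max 5 requests/s per IP
    monitor = AbuseMonitor(threshold=8, interval=60.0)  # >8 requests/min per token -> revoke
    return process_requests(SAMPLE_REQUESTS, limiter, monitor)


if __name__ == "__main__":
    for index, outcome in run_demo():
        print(index, outcome)
```

In the sample traffic the per-IP limiter alone never catches the hijacked token, because the attacker spreads requests across IPs; the per-token monitor does, revoking it on the ninth request inside the minute. Conversely the single-IP burst is stopped by the limiter before it ever reaches the monitor's threshold, which is why both controls are worth having.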