Akto for Mobile backends

What middleBrick covers

  • Black-box scanning with no agents or SDK integration
  • Read-only methods, with scans completing in under one minute
  • Detection of 12 API security categories
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with ref resolution
  • Authenticated scanning with header allowlist
  • Continuous monitoring and CI/CD integration

Overview of API Security for Mobile Backends

Mobile backends expose REST and GraphQL endpoints to clients running on untrusted devices. These surfaces handle authentication tokens, personal data, and business logic, making them a priority for security testing. API security for mobile backends focuses on authentication integrity, authorization boundaries, input validation, and data exposure prevention.

Detection Coverage Against Common API Risks

The scanner evaluates endpoints using read-only methods and maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Detection areas include:

  • Authentication bypass techniques and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, and missing claims.
  • Broken Object Level Authorization (BOLA) and Insecure Direct Object References (IDOR) via sequential ID patterns and adjacent ID probing.
  • Privilege escalation attempts through admin endpoint discovery and role/permission field leakage.
  • Property over-exposure, including internal field leakage and mass-assignment surfaces.
  • Input validation and misconfiguration issues, such as CORS wildcard origins combined with credentials, dangerous HTTP methods left enabled, and exposed debug endpoints.
  • Missing rate-limiting indicators, oversized responses, and unpaginated arrays that signal unrestricted resource consumption.
  • Data exposure: PII, credit card numbers (Luhn-validated to reduce false positives), API key patterns, and error messages or stack traces leaked in responses.
  • SSRF indicators involving URL-accepting parameters, internal IP probing, and IP-bypass attempts.
  • LLM/AI security probes including system prompt extraction, jailbreak techniques, data exfiltration, and token smuggling.
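
Passive versions of three of the checks listed above, written as an added example rather than middleBrick's own code: JWT header and claim inspection (alg=none, symmetric algorithms, expiry, missing claims), a CORS wildcard-with-credentials check, and Luhn validation of digit runs found in a response body. The sample response, the helper names, and the finding strings are this example's assumptions; nothing is sent to a target, the functions only read data already in hand.

```python
"""Added example, not middleBrick's code: passive checks over a constructed
sample response.  Function names, finding strings and sample data are assumed."""
import base64
import json
import re
from datetime import datetime, timezone

REQUIRED_CLAIMS = ("exp", "iat", "sub")
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWT segments are unpadded; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build an alg=none style token (empty signature) for the constructed sample."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def jwt_findings(token: str, now: datetime) -> list:
    """Inspect a token seen in a response without verifying it."""
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(_unb64url(header_b64))
        payload = json.loads(_unb64url(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return ["jwt: malformed token"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["jwt: malformed token"]
    issues = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        issues.append("jwt: alg=none (signature not enforced)")
    elif alg.startswith("hs"):
        issues.append(f"jwt: symmetric {alg}; confirm the shared secret is high-entropy")
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            issues.append(f"jwt: missing claim {claim}")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and datetime.fromtimestamp(exp, timezone.utc) < now:
        issues.append("jwt: exp is in the past")
    return issues


def cors_findings(headers: dict) -> list:
    h = {k.lower(): v for k, v in headers.items()}
    wildcard = h.get("access-control-allow-origin", "") == "*"
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    # Browsers refuse this pair, so it usually means the server reflects any Origin.
    return ["cors: wildcard origin combined with Allow-Credentials: true"] if wildcard and creds else []


def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(body: str) -> list:
    """Digit runs that pass Luhn; plain order IDs usually fail the check."""
    found = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_response(headers: dict, body: str, now: datetime) -> list:
    findings = cors_findings(headers)
    try:
        token = json.loads(body).get("access_token")
    except (ValueError, AttributeError):
        token = None
    if isinstance(token, str):
        findings += jwt_findings(token, now)
    findings += [f"pii: card number ending {n[-4:]}" for n in card_numbers(body)]
    return findings


# Constructed sample: a login response that exhibits all three problems.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = {"Access-Control-Allow-Origin": "*",
                  "Access-Control-Allow-Credentials": "true"}
SAMPLE_BODY = json.dumps({
    "access_token": make_unsigned_jwt({"alg": "none", "typ": "JWT"},
                                      {"sub": "42", "exp": 1700000000}),
    "card": "4111 1111 1111 1111",
    "order_id": "1234567890123456",
})

if __name__ == "__main__":
    for line in scan_response(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_NOW):
        print(line)
```

The Luhn filter is what keeps the order ID out of the PII findings; a regex on digit length alone would flag it.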

OpenAPI Specification Analysis

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime observations to surface undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This helps identify discrepancies between documented behavior and actual implementation.

openapi: 3.0.3
info:
  title: Mobile Backend API
  version: 1.0.0
paths:
  /users/{id}:
    get:
      summary: Get user by ID
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: integer
      responses:
        '200':
          description: OK

Authenticated Scanning and Scope

Authenticated scanning is available starting with the Starter tier. Supported methods include Bearer tokens, API keys, Basic auth, and cookies. A domain verification gate using DNS TXT records or an HTTP well-known file ensures only the domain owner can submit credentials. The scanner forwards only an allowlisted set of headers (Authorization, X-API-Key, Cookie, and X-Custom-*), so supplied credentials reach only the verified target and no other request headers can be injected.

Scan operations are read-only, using GET and HEAD methods, with text-only POST for LLM probes. Destructive payloads are not sent, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers.
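
The two scope controls described in the preceding paragraphs, written as an added example rather than middleBrick's own implementation: an outbound header allowlist that keeps only the credential and X-Custom-* headers, and a target check that rejects private, loopback, link-local and cloud-metadata addresses, including integer and IPv4-mapped encodings that slip past naive string matching. The blocked hostname list, the injectable resolver hook, and the sample inputs are this example's assumptions.

```python
"""Added example, not middleBrick's code: header allowlist and target
blocklist as one plausible implementation of the stated scope rules."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}  # assumed list


def filter_headers(requested: dict) -> dict:
    """Keep allowlisted credential headers and X-Custom-*; drop everything else
    a user might supply (Host, X-Forwarded-For, ...)."""
    kept = {}
    for name, value in requested.items():
        lower = name.lower()
        if lower in ALLOWED_HEADERS or lower.startswith(ALLOWED_PREFIXES):
            kept[name] = value
    return kept


def _parse_ip(host: str):
    """Accept dotted/IPv6 literals and bare integers (2130706433 == 127.0.0.1)."""
    try:
        ip = ipaddress.ip_address(int(host)) if host.isdigit() else ipaddress.ip_address(host)
    except ValueError:
        return None
    # ::ffff:10.0.0.1 is IPv6 syntax for an IPv4 address; judge the inner address.
    return getattr(ip, "ipv4_mapped", None) or ip


def target_allowed(url: str, resolver=None) -> tuple:
    """Return (allowed, reason).  `resolver(host) -> ip string` is injected so the
    same check can run on the resolved address, not only on the URL text; a real
    scanner has to re-check at connect time as well, or DNS can change underneath it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "only http(s) targets are scanned"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith((".localhost", ".internal")):
        return False, f"blocked hostname {host}"
    ip = _parse_ip(host)
    if ip is None and resolver is not None:
        ip = _parse_ip(resolver(host))
    if ip is not None and not ip.is_global:
        # is_global is False for RFC 1918, loopback, link-local (which covers
        # 169.254.169.254), CGNAT, 0.0.0.0/8, and IPv6 ULA/link-local.
        return False, f"{ip} is not publicly routable"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a user-supplied header set and a few candidate targets.
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "acme",
                          "X-Forwarded-For": "127.0.0.1", "Host": "internal"}))
    for candidate in ("http://169.254.169.254/latest/meta-data/", "http://2130706433/",
                      "http://[::ffff:10.0.0.1]/", "https://api.example.com/v1"):
        print(candidate, target_allowed(candidate))
```

Checking the parsed address with `is_global` rather than a hand-written list of prefixes covers the metadata range, RFC 1918 space and the loopback block in one test; the integer and IPv4-mapped unwrapping is what catches the encoding tricks.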

Continuous Monitoring and Integration

The Pro tier adds scheduled rescans every six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between scans. Email alerts are rate-limited to one per hour per API. Webhooks are signed with HMAC-SHA256 so receivers can verify origin and integrity, and an endpoint is automatically disabled after five consecutive delivery failures. The scanner integrates into CI/CD via a GitHub Action that can fail the build when the score drops below a defined threshold, and an MCP server enables scanning from AI coding assistants.
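
An added example, not middleBrick's code, of the delivery-side mechanics above: HMAC-SHA256 signing and constant-time verification of a webhook body with a timestamp to bound replay, a consecutive-failure counter that disables an endpoint at five, a scan-to-scan diff producing new findings, resolved findings and score drift, and a threshold gate returning a CI exit status. The signature header format, the freshness window, and the sample scan results are this example's assumptions.

```python
"""Added example, not middleBrick's code: webhook signing/verification,
auto-disable on repeated failure, scan diffing and a CI threshold gate."""
import hashlib
import hmac
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 5   # the page's stated auto-disable limit
TIMESTAMP_TOLERANCE = 300      # seconds; assumed replay window


def sign(secret: bytes, body: bytes, ts: int) -> str:
    """HMAC-SHA256 over "<ts>.<body>", so a captured delivery cannot be replayed later."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify(secret: bytes, body: bytes, header: str, now: int) -> bool:
    """Receiver side: parse the header, enforce freshness, compare in constant time."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts, given = int(fields["t"]), fields["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > TIMESTAMP_TOLERANCE:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)


@dataclass
class WebhookEndpoint:
    url: str
    secret: bytes
    failures: int = 0
    enabled: bool = True

    def deliver(self, body: bytes, send, now: int) -> bool:
        """send(url, body, signature_header) -> True on a 2xx response.
        A success resets the counter; reaching the limit disables the endpoint."""
        if not self.enabled:
            return False
        ok = bool(send(self.url, body, sign(self.secret, body, now)))
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= MAX_CONSECUTIVE_FAILURES:
            self.enabled = False
        return ok


def diff_scans(previous: dict, current: dict) -> dict:
    """Each scan is {"score": int, "findings": {finding_key: detail}}."""
    before, after = set(previous["findings"]), set(current["findings"])
    return {"new": sorted(after - before),
            "resolved": sorted(before - after),
            "score_drift": current["score"] - previous["score"]}


def ci_exit_code(score: int, threshold: int) -> int:
    """0 passes the build, 1 fails it: a score-threshold gate for a CI step."""
    return 0 if score >= threshold else 1


# Constructed sample scans of one API, a day apart.
PREVIOUS_SCAN = {"score": 82, "findings": {
    "GET /users:no-pagination": "array response without limit/offset",
    "GET /users/{id}:bola": "adjacent IDs readable with another user's token"}}
CURRENT_SCAN = {"score": 74, "findings": {
    "GET /users/{id}:bola": "adjacent IDs readable with another user's token",
    "GET /debug:debug-endpoint": "debug endpoint reachable without auth"}}

if __name__ == "__main__":
    print(diff_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    print("exit code:", ci_exit_code(CURRENT_SCAN["score"], 80))
```

The receiver must compare with `hmac.compare_digest`, not `==`, and should reject deliveries outside the freshness window even when the MAC is valid; the sender-side counter is deliberately reset on any success so a transient outage does not permanently silence a healthy endpoint.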

Limitations and Compliance Framing

middleBrick is a scanner: it detects and reports findings with remediation guidance but does not fix, patch, block, or remediate issues. It does not perform active SQL injection or command injection testing, since that requires intrusive payloads outside its read-only scope. It does not detect business logic vulnerabilities or blind SSRF that depends on out-of-band infrastructure, and it does not replace human pentesters for high-stakes audits.

For other frameworks (HIPAA, GDPR, ISO 27001, NIST, CIS, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, and FERPA), the tool helps you prepare by surfacing findings that align with the security controls those frameworks describe and can serve as audit evidence. Direct control mappings are provided only for PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).

Frequently Asked Questions

What methods does the scanner use during a test?
The scanner uses read-only methods, primarily GET and HEAD, plus text-only POST for LLM probes. No destructive payloads are sent.
Can authenticated scans be performed with CI/CD tokens?
Yes, authenticated scanning supports Bearer tokens and API keys. Domain verification is required to confirm ownership before scanning with credentials.
How are false positives handled in the results?
Findings include contextual details to help prioritize investigation. Manual validation is recommended for any result before remediation.
Does the scanner test for business logic flaws?
No. Business logic vulnerabilities require domain understanding and are outside the scope of automated scanning.
What happens to scan data after account deletion?
Customer scan data is deletable on demand and is purged within 30 days of cancellation. It is never sold or used for model training.