The Threats of Exposed Secrets


Anatomy of a Hack

Hundreds of millions of API attacks occur each day, attempting to steal valuable data or goods, or to create accounts that can be exchanged for money. A typical attack sequence involves the following steps.

Analyze

Your app is used to set up an account, then reverse engineered to extract API keys and other secrets while observing and manipulating API calls through your HTTPS/TLS-protected channels.

Build

The attacker writes scripts, or modified/hooked versions of your app, to generate spoofed but valid requests to suit their purposes.

Exploit

The attacker assembles a botnet and exploits your API, adjusting request rates and masking IP locations with VPNs to remain undetected.

Exposed API Keys and Other Secrets Are Dangerous

API security solutions may employ API keys or client secrets to identify accounts and lock down access to the mobile client. Such secrets can be easily reverse engineered from app code, and then used in attacker scripts to spoof requests as if they were coming from the official mobile app.

Even if such secrets can be protected at rest in the app code using obfuscation technologies, they still need to be communicated to the backend API service. Thus secrets can be stolen in transit by Man-in-the-Middle (MitM) attacks.
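A practical check for the first of these risks is to audit your own app build for embedded secrets before an attacker does. The following scanner is an added example, not Approov's code: it runs known key-format patterns and a Shannon-entropy heuristic over the kind of string table a decoded app yields. The patterns, thresholds and the sample strings are constructed for illustration; the AWS value is the public documentation example key.

```python
import math
import re
from collections import Counter

# Illustrative patterns (assumed, not exhaustive): extend with the key formats your own app uses.
KEY_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # generic "api_key=..." / "secret: '...'" assignments; group 1 is the value
    "assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
}

def shannon_entropy(s):
    """Bits per character; random keys score high, readable identifiers score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_secrets(text, entropy_threshold=3.5, min_len=20):
    """Return (classification, value) pairs for likely embedded secrets (thresholds are assumptions)."""
    found = {}  # value -> classification; the first (most specific) match wins
    for name, pat in KEY_PATTERNS.items():
        for m in pat.finditer(text):
            found.setdefault(m.group(m.lastindex or 0), name)
    # Long high-entropy tokens that matched no known format are still worth a look
    for tok in re.findall(r"[A-Za-z0-9_\-]{%d,}" % min_len, text):
        if shannon_entropy(tok) >= entropy_threshold:
            found.setdefault(tok, "high_entropy")
    return [(name, value) for value, name in found.items()]

# Constructed sample of what `strings` on a decoded app might yield (not from a real app).
# The AWS value is the public documentation example key, not a live credential.
SAMPLE_STRINGS = """\
Lcom/example/app/ApiClient;
https://api.example.com/v1/orders
API_KEY=AIzaSyA1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q
aws_key=AKIAIOSFODNN7EXAMPLE
client_secret: "s3cr3t-Zx9Qw2Lp7Mn4Vb8Kd1Rt6Yh3Uj"
PLACEHOLDER_XXXXXXXXXXXXXXXXXXXX
android.permission.INTERNET
"""

if __name__ == "__main__":
    for kind, value in find_secrets(SAMPLE_STRINGS):
        print(f"{kind:15} {value}")
```

Anything the scanner flags in a release build is, by the argument above, available to anyone who can decode the app, so it should be treated as already disclosed.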

Threats to Your Business from API Abuse

Exposure of secrets may result in very negative consequences for your business. There is a growing list of security threats that can be very damaging if you don't have protections in place.
