The API for a service faces conflicting demands in order to deliver value to end users.
- It needs to be open to allow innovation by 3rd party app developers. This is necessary to meet niche customer needs and open new markets for your service beyond what an in-house app development team could provide.
- Access to the API must be tightly controlled in order to prevent abuse: our customers have seen up to 20% of their API traffic coming from illegitimate sources. Preventing the API abuse that weak API security allows is important when delivering Quality of Service to legitimate users and apps, minimizing server-side resource usage, ensuring fair and accurate charging and protecting customer data.
Enabling and protecting a 3rd party ecosystem around the API for your service is a vital component for success.
Balancing API Management with Accessibility
Traditionally, developer API keys are used to limit access to trusted apps only. An API key is just a static string a few tens of characters long and is used in a very simple manner with each API request. Typically the key is either inserted into a field in the HTTP request header or appended to the URL as a query parameter. For example:
curl -H 'X-Api-Key: DEMO_KEY' 'https://api.data.gov/nrel/alt-fuel-stations/v1.json?limit=1'
or
curl 'https://api.data.gov/nrel/alt-fuel-stations/v1.json?limit=1&api_key=YOUR_KEY_HERE'
While this makes it very easy for developers to make use of your API, it provides no protection at all against anyone seeking to make use of the API in an unauthorized manner, since the key is trivially stolen by anyone intercepting the network traffic between app and API (a Man-in-the-Middle or MitM attack). HTTPS does little to improve the situation: an attacker who controls the internet connection the app is using can route its traffic through an interception proxy, which is especially easy on older devices, and read the key in the clear.
Requiring developers to use more sophisticated techniques to hide the API key in the app can improve matters but is unlikely to hold up a determined attacker for long, and the additional complexity is likely to impede adoption of your API by developers.
Mobile API Management with Approov
Approov is a solution to the problem of effective API ecosystem management. It meets the conflicting demands of ease of integration by developers and the robust endpoint security expected by users of your service, while providing a straightforward path to offering differential services on a per-app basis to maximize the business potential of your API.
Approov provides authorized apps with dynamically generated tokens, signed with a secret key held only on the server, never in the app, which can then be verified on your server side (read about how we do this here). There is no need for 3rd party developers to have access to API secret keys. Everything is managed on your server side and within your Approov account.
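The server-side verification pattern described above, as an added illustration rather than Approov's own code or token format: the issuing service signs short-lived claims with a secret that only the server holds, and the API checks signature and expiry before serving the request. The header name, claim names and secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret: it lives only on the server side, never in the app
# and never in the hands of 3rd party developers.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 300  # short-lived, so a captured token is useful only briefly


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id: str, secret: bytes, now: Optional[int] = None) -> str:
    """Issued by the attestation service once it has identified the app."""
    now = int(time.time()) if now is None else now
    claims = {"app": app_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """API-side check: returns the claims if the token is valid, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig_text = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the signature check does not leak timing.
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token or bad encoding
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired or missing expiry
    return claims


def handle_request(headers: dict, secret: bytes, now: Optional[int] = None) -> int:
    """Returns an HTTP status: 200 for an attested app, 401 otherwise."""
    claims = verify_token(headers.get("X-App-Token", ""), secret, now)  # header name assumed
    return 200 if claims else 401
```

Because the app only ever carries a signed, expiring token, the static-key problem above disappears: a token lifted from the wire stops working after the TTL, and a forged or altered one fails the signature check.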
Once you have reliable identification of apps in place, via the Approov service and SDK, you can use this information to reject or direct requests to suit your business model and API monetization strategy.
With robust app authentication your 3rd party developers will be happy with simple, secure access to your API, end users will be pleased with the rich range of options they have when engaging with your services, and you will benefit from the reduction in non-profitable, illegitimate traffic clogging up your API.