An API Gateway is a tool that manages APIs and API traffic. Essentially it sits between remote clients (servers, browsers, mobile apps) and backend services and is responsible for routing API requests and responses in either direction to the right destination. It provides a degree of protection out of the box, and in this article we’ll examine how much security you’ll get from your API Gateway and what else might be needed to secure your data and services.
What Security Features Can I Expect From My API Gateway?
An API Gateway manages the passage of API traffic in and out of your backend infrastructure. Normally it will have most or all of the following security capabilities:
Rate limiting: Protection against high volumes of incoming traffic.
User authentication and authorization: Verification of the validity of the user’s credentials, and validation that they are allowed to access the resources they are requesting.
API key verification: Checking that an API key is present in the API request and that the key is valid.
SSL termination: Presentation of the appropriate server-side SSL certificate to set up a secure communication channel with the remote client.
Event alerts: Setting up conditions which trigger deeper investigation, for example a sudden increase in traffic from a particular IP address.
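To make the capabilities above concrete, here is a small gateway policy layer written for this article (it is not code from any particular gateway product): it performs API key verification, applies a sliding-window rate limit per key, and raises an event alert when one IP address exceeds a request threshold inside the window. The key store, thresholds, client IP and the replayed burst of requests are all constructed for the example; SSL termination and full user authentication are left to the real gateway.

```python
"""Minimal API-gateway policy layer: API key check, per-key rate limit, IP spike alert.
Hypothetical example; the API keys and traffic below are constructed, not real."""
import time
from collections import defaultdict, deque

# Constructed key store. A real gateway would load keys from a secrets store.
VALID_API_KEYS = {"key-mobile-v1": "mobile-app", "key-partner-7": "partner"}


class Gateway:
    def __init__(self, rate_limit=5, window_s=60, alert_threshold=20, clock=time.monotonic):
        self.rate_limit = rate_limit            # requests allowed per key per window
        self.window_s = window_s                # sliding window length in seconds
        self.alert_threshold = alert_threshold  # requests from one IP that trigger an alert
        self.clock = clock                      # injectable clock for deterministic tests
        self._key_hits = defaultdict(deque)     # api_key -> timestamps of accepted requests
        self._ip_hits = defaultdict(deque)      # ip -> timestamps of all attempted requests
        self.alerts = []                        # event alerts raised for investigation

    def _prune(self, dq, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def handle(self, request):
        """Apply the gateway policy to one request dict with 'api_key' and 'ip'.
        Returns (http_status, reason)."""
        now = self.clock()
        ip = request.get("ip", "unknown")

        # Event alert: count every attempt from the IP, rejected ones included,
        # so a credential-stuffing burst of 401s still surfaces for investigation.
        ip_dq = self._ip_hits[ip]
        self._prune(ip_dq, now)
        ip_dq.append(now)
        if len(ip_dq) == self.alert_threshold:
            self.alerts.append({"ip": ip, "count": len(ip_dq), "at": now})

        # API key verification: the key must be present and known.
        key = request.get("api_key")
        if key not in VALID_API_KEYS:
            return 401, "invalid or missing API key"

        # Rate limiting: reject once the key has used its quota within the window.
        key_dq = self._key_hits[key]
        self._prune(key_dq, now)
        if len(key_dq) >= self.rate_limit:
            return 429, "rate limit exceeded"
        key_dq.append(now)

        return 200, "forwarded to backend"


def simulate():
    """Replay a constructed burst of requests one second apart and return
    (status codes, alerts). Uses a fake clock so the result is deterministic."""
    t = [1000.0]
    gw = Gateway(rate_limit=3, window_s=60, alert_threshold=5, clock=lambda: t[0])
    client_ip = "203.0.113.9"  # documentation range, constructed
    burst = [{"api_key": "bogus", "ip": client_ip}] + \
            [{"api_key": "key-mobile-v1", "ip": client_ip}] * 4
    codes = []
    for req in burst:
        codes.append(gw.handle(req)[0])
        t[0] += 1.0
    t[0] += 61.0  # move past the window: the key's quota is available again
    codes.append(gw.handle(burst[1])[0])
    return codes, gw.alerts


if __name__ == "__main__":
    print(simulate())  # ([401, 200, 200, 200, 429, 200], [{'ip': '203.0.113.9', ...}])
```

The alert counter is deliberately incremented before the key check so that rejected requests still count toward the spike threshold; a gateway that only counts forwarded requests would never notice a burst of invalid-key attempts.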
In addition to managing the complexity of interfacing all of your internal systems and services with the outside world of disparate remote clients and protocols, your API Gateway delivers some basic API protection. It will secure you against coarse-grained attacks but will leave you open to abuse through scripts.
What Additional Protection Do I Need?
Effective security should always be a layered approach based on an assessment of the risk of typical threats to your platform and the business impact to you in a worst case scenario. For example, considering how to deal with API abuse via scripting attacks may cause you to add one or more additional security solutions to sit alongside your API Gateway.
Scripted traffic pretends to be coming from remote clients such as your website or mobile app and uses valid credentials such as usernames/passwords and API keys. This synthetic traffic is very difficult to distinguish from genuine traffic. In the case of mobile traffic, this is particularly problematic.
What About Mobile?
Remember that anyone can download your mobile app and analyze the code and its behavior for as long as they want - and they don’t need to identify themselves to do this. This makes protecting your mobile channel very challenging.
As described above, a common attack vector against mobile is to create scripts which embed the keys and secrets extracted from your mobile app and its API traffic, and use them to generate traffic which is indistinguishable from genuine mobile app traffic. Your API Gateway will see correctly formed API requests containing valid credentials and will not consider those transactions to be suspicious. For this scenario, you need a dedicated security solution.
Approov Mobile App/API Protection ensures that only genuine instances of your mobile app, running on safe mobile devices, can use your APIs and backend systems. Approov does this by providing a simple green/red light with every incoming API request.
Approov attests the authenticity of your mobile app and then provides short lived cryptographic tokens with each API request. Your API endpoints, e.g. your API Gateway, then verify the tokens. In this way all API communications are protected from malicious observation or interference, ensuring that only your official mobile app operating in an untampered environment can access your API. Potentially unsafe mobile device environments such as rooting/jailbreaking and hooking frameworks are detected and bots, scripts and cloned apps are blocked from using your APIs.
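The verification step described above, where the API endpoint or gateway checks a short-lived token that accompanies each request, can be illustrated with the following code, added for this article. It is not Approov’s code and does not reproduce Approov’s token format: it assumes a stand-in token of the form `payload.signature`, where the payload is base64url JSON carrying an expiry (`exp`) and audience (`aud`) claim and the signature is HMAC-SHA256 under a secret shared between the attestation service and the gateway. The secret, lifetime and clock values are constructed.

```python
"""Gateway-side verification of a short-lived HMAC-signed token.
Hypothetical stand-in format, not Approov's real token; all values constructed."""
import base64
import hashlib
import hmac
import json
import time

TOKEN_LIFETIME_S = 300  # assumed short lifetime so a captured token is soon useless


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes) -> str:
    """Issue a token. In the real system only the attestation service does this,
    after it has verified the app instance; here it is used to build fixtures."""
    payload = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64u(sig)}"


def verify_token(token: str, secret: bytes, expected_aud: str, now=None):
    """Return (ok, reason). Signature is checked before the payload is parsed,
    so untrusted JSON is never decoded; comparison is constant-time."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            return False, "bad signature"
        claims = json.loads(_b64u_decode(payload))
    except ValueError:  # covers unpacking, base64 and JSON errors
        return False, "malformed token"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing expiry"
    if now >= exp:
        return False, "expired"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    return True, "ok"


def demo():
    """Exercise the green/red decision on a valid, an expired and a tampered token."""
    secret = b"constructed-shared-secret-not-for-production"
    now = 1_700_000_000.0
    good = sign_token({"exp": now + TOKEN_LIFETIME_S, "aud": "api.example"}, secret)
    stale = sign_token({"exp": now - 1, "aud": "api.example"}, secret)
    # Tampering: swap in a payload for another audience but keep the old signature.
    forged_payload = sign_token({"exp": now + 60, "aud": "other"}, secret).split(".")[0]
    tampered = forged_payload + "." + good.split(".")[1]
    return {
        "valid": verify_token(good, secret, "api.example", now),
        "expired": verify_token(stale, secret, "api.example", now),
        "tampered": verify_token(tampered, secret, "api.example", now),
        "wrong_key": verify_token(good, b"other-secret", "api.example", now),
        "garbage": verify_token("not-a-token", secret, "api.example", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} -> {'green' if result[0] else 'red'} ({result[1]})")
```

The short expiry is what limits replay: a token lifted from one request stops working after `TOKEN_LIFETIME_S`, and the signature check means a script cannot mint its own because the secret never ships inside the app.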