We're Hiring!

Is an API Gateway Secure?

Gateway Arch in St Louis, Missouri

An API Gateway is a tool that manages APIs and API traffic. Essentially it sits between remote clients (servers, browsers, mobile apps) and backend services and is responsible for routing API requests in either direction to the right source. But how much security should you expect from an API Gateway?

What are the Key Features of an API Gateway?

An API Gateway manages the passage of API traffic in and out of your backend infrastructure. Some of the key features to look for are:

  • API Control and Governance, which covers traffic routing, monitoring, load balancing and throttling where necessary.
  • API Transformation, which involves coordination and translation of API traffic between different formats to ease communication, as well API virtualization.
  • API Monitoring, which enables alerts, logging and analysis to determine the health of the platform.
  • API Development, which involves the creation/deletion of APIs and support for APIs testing before release.
  • API Security, which covers authentication and authorization of API traffic, management of API keys and associated certificates.

You can consider an API Gateway to be a comprehensive set of tools for managing the complexity of interfacing all of your internal systems and services with the outside world of disparate remote clients and protocols.

Are the Security Capabilities of an API Gateway Enough?

Effective security is never a ‘one size fits all’ situation. Generally, you need to assess the risk of typical threats to your platform and the business impact to you in a worst case scenario. This kind of analysis will most likely lead you to select one or more additional security solutions to deploy alongside your API Gateway.

It is often said that a good security posture is based on a layered approach, defense in depth if you will. Another common piece of guidance given when considering security is to recognise that without context, making decisions about what constitutes good and bad can be very challenging.

So, although API Gateways do have a set of useful security levers that you can use, by their very nature they consider all API traffic to be equal and they have limited context on which to base their decisions.

Mobile is a good example of where additional security is necessary and sensible to add. If mobile apps are a key component in your interface to your customers or a significant driver for your business, you should be aware of the specific risks inherent in this channel.

Your mobile app code and the API interactions to and from your API Gateway are fertile sources of data (in the form of API keys, certificates and other secrets) and business logic (in the form of the relationship between app actions and API requests/responses). Considering that any anonymous person can download your mobile app and analyze the code and its behavior at length, you should be able to immediately get a sense of how things might go wrong. 

After using your mobile app code to understand how to gain access to your backend systems, attackers will create scripts which use the keys and secrets which they have harvested to generate traffic which is indistinguishable from genuine mobile app traffic. Your API Gateway will not detect it and for this use case you need a dedicated security layer.

The Mobile Use Case

An API Gateway can be effective in only allowing genuine instances of your mobile app, running on safe mobile devices, to use your APIs and backend systems - but to do that, it needs context. Approov provides that context in the form of a simple yes/no signal with every incoming API request.

Approov uses short lived cryptographic tokens to attest the authenticity of your mobile app to backend APIs and services. All API communications are protected from malicious observation or interference, ensuring that only your official mobile app operating in an untampered environment can access your API. Potentially unsafe mobile device environments such as rooting/jailbreaking and hooking frameworks are detected and bots, scripts and cloned apps are blocked at your API Gateway.

Please contact us today and speak to one of our mobile API security experts.


David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.