Attacks against APIs are increasing and API key protection is central to minimizing your business risks. In this article we’ll look at what your exposures are and what you should do about it.
API Attacks Are On The Rise
Stolen or accidentally exposed API keys and secrets can easily be exploited by threat actors and used to access sensitive information, impersonate your mobile app or make API calls on its behalf. With Salt Security reporting a 681% increase in API attacks during 2021 and Corsha estimating that poor API security will cost organisations up to $75B per year, this is a growing problem with significant financial risks for mobile businesses.
Exposed API keys can be used both to exploit vulnerabilities or bugs in the coding of the API itself and through API abuse (where the API is accessed or used in a way that was not intended). Example attacks include account takeover, automated account creation, data scraping or DDoS attacks.
A recent security review by BeVigil found that many apps using the RazorPay API payment gateway were exposing API keys. This was down to poor coding practice and a lack of security awareness by the app developers rather than a flaw in the RazorPay API.
While code hardening and obfuscation techniques can add an additional layer of protection against the theft of API keys, readily available tools, such as mobSF, enable attackers to take published apps, download and reverse engineer them to extract the API keys and secrets for malicious purposes.
A MitM attack can be carried out using tools like mitmproxy and Charles Proxy to intercept the API traffic between your mobile app and the backend server and steal API keys or other secrets.
The thing to recognise is that if an API key becomes available to a bad actor then all the protection you have built into your mobile app will be useless as the attacker will use a script to bypass your app and trick the server into thinking it is communicating with a genuine instance of your mobile app.
Protecting against this attack vector requires your APIs to be shielded and you can read more about this in a more detailed four part series which starts here.
The Risks For Your Business
Mobile apps with APIs that access fintech or healthcare records are particularly at risk from transaction skimming, exposure of sensitive user information or unauthorised access to customer accounts or patient records. Research by Alissa Knight found security issues with many healthcare apps and APIs that use the FHIR standard. Many of the mobile healthcare apps tested had hardcoded API keys and tokens which could be used to access EHR APIs. With confidential patient data at risk, the financial and reputational costs for mobile healthcare companies can be significant.
Run-time protection is needed to protect the mobile app and its environment from tampering at the same time as ensuring that your APIs are properly shielded. Using a service such as Approov Mobile App Protection allows you to verify your app’s authenticity and integrity at run-time, ensuring that API keys cannot be misused at scale and that only the official version of your mobile app operating in an untampered environment can access your back-end API. Bots, scripts, fake and tampered apps are all blocked at source.
Further tips on storing your API keys can be found here: https://approov.io/blog/how-should-api-keys-be-stored and more in-depth coverage of API key security here: https://approov.io/blog/improve-the-security-of-api-keys