Best Practices For Secure API Access From Mobile Apps Without Exposing API Keys

Webinar Recording: 9 June 2022

No More Hardcoded API Keys

Register Here To Watch Immediately

CriticalBlue (developer of Approov) will use the personal information you provide to send you the content requested and information about our services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.

Mobile apps increasingly depend on third-party API access, employing them for many reasons, including payment, location, social media and other services. Access is validated via API keys but these keys are being stolen, either from the mobile app code itself or from cloud repositories. If APIs are abused using keys you have not protected you could be exposed to financial losses, fines, and reputational damage due to:

  • Hackers using your API keys to access a third-party service you pay for.
  • Data breaches executed via third-party API traffic interception.
  • DDoS attacks on APIs using your keys, causing services to stop responding either because service allocation limits are used up, or service rate limits are triggered.

Michael Sampson, senior analyst at Osterman Research says “Our research shows that mobile apps depend on average on more than 30 third-party APIs, and that half of the mobile developers we surveyed are still storing API keys in the app code. These two things together constitute a massive attack surface for bad actors to exploit. And third-party API threats against mobile apps aren’t as well understood by companies as they should be.“

This webinar employs a live demo to show it is possible to avoid storing secrets in the mobile app code completely, eliminating any risk of extraction through code analysis, as well as the risk of exposure through accidental source code repository leaks.

What you will learn

  • The types of financial and reputational risks of using third-party APIs in mobile apps
  • The pros and cons of direct API access from mobile apps vs access via backend proxies
  • How to securely store keys and secrets in a way they cannot be stolen
  • The particular challenges of using certificate pinning to protect the channel between apps and third-party APIs, and how to overcome these challenges and make operations easy with dynamic pinning
  • Mitigation strategies for the situation when secrets are leaked: How to dynamically update keys to keep ahead of hackers
© 2022 CriticalBlue, Ltd.