Best Practices For Secure API Access From Mobile Apps Without Exposing API Keys
Mobile apps increasingly depend on third-party APIs for payment, location, social media and other services. Access to those APIs is authenticated with API keys, and those keys are being stolen, either extracted from the mobile app package itself or lifted from source code repositories. If your APIs are abused with keys you have not protected, you could be exposed to financial losses, fines and reputational damage through:
- Attackers using your API keys to consume a third-party service you pay for.
- Data breaches carried out by intercepting third-party API traffic.
- DDoS attacks against the APIs using your keys, so the service stops responding because your usage quota is exhausted or its rate limits are triggered.
Michael Sampson, senior analyst at Osterman Research, says: “Upcoming Osterman findings show that mobile apps depend on average on more than 30 third-party APIs, and that half of the mobile developers we surveyed are still storing API keys in the app code. These two things together constitute a massive attack surface for bad actors to exploit. And third-party API threats against mobile apps aren’t as well understood by companies as they should be.”
This webinar uses a live demo to show that secrets can be kept out of the mobile app code entirely, so they cannot be extracted by analysing the app package and cannot leak through an accidental source code repository exposure.
What you will learn
- The financial and reputational risks of using third-party APIs in mobile apps
- The pros and cons of direct API access from mobile apps versus access through a backend proxy
- How to store keys and secrets so that they are never present in the app to be stolen
- The particular challenges of using certificate pinning to protect the channel between apps and third-party APIs, and how dynamic pinning overcomes them and keeps operations simple
- Mitigation strategies for when secrets have leaked: how to rotate keys dynamically to stay ahead of attackers
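As an added illustration of the backend-proxy approach and key rotation from the list above (example code written for this page, not Approov's own implementation): the app never holds the third-party key. It presents a short-lived HMAC-signed session token to a proxy, which verifies the token, applies an endpoint allow-list, attaches the third-party key server-side and can rotate that key after a leak without shipping an app update. The session token scheme, the allow-listed paths, the stand-in upstream service and every key value here are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed sample secrets for this illustration only. In a real deployment the
# third-party key lives in a server-side secret store and is never compiled into
# the app; the session signing key also stays on the proxy.
THIRD_PARTY_API_KEY = "tp_live_constructed_0001"
SESSION_SIGNING_KEY = b"constructed-proxy-session-signing-key"


def mint_session_token(app_instance_id, ttl_s=300, now=None):
    """Hypothetical short-lived token the proxy hands to an app instance once it has
    passed whatever app authentication the deployment uses (not modelled here).
    The app presents this token to the proxy instead of any third-party API key."""
    exp = int((now if now is not None else time.time()) + ttl_s)
    payload = f"{app_instance_id}.{exp}"
    sig = hmac.new(SESSION_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session_token(token, now=None):
    """Return the app instance id if the token is genuine and unexpired, else None."""
    try:
        app_instance_id, exp, sig = token.rsplit(".", 2)
        exp = int(exp)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SESSION_SIGNING_KEY, f"{app_instance_id}.{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    if exp < (now if now is not None else time.time()):
        return None  # expired token
    return app_instance_id


class FakeThirdPartyApi:
    """Constructed stand-in for the paid third-party service. It records the
    credentials it is shown so the example can be checked offline."""

    def __init__(self, valid_keys):
        self.valid_keys = set(valid_keys)
        self.seen_auth = []

    def __call__(self, path, headers):
        auth = headers.get("Authorization", "")
        self.seen_auth.append(auth)
        if not (auth.startswith("Bearer ") and auth[7:] in self.valid_keys):
            return 401, {"error": "bad api key"}
        return 200, {"result": "ok", "path": path}


class BackendProxy:
    """Hypothetical backend proxy: the app talks only to this service, which
    authenticates the app, applies an endpoint allow-list and attaches the
    third-party key on the server side."""

    ALLOWED_PREFIXES = ("/v1/geocode", "/v1/payments/quote")  # assumed allow-list

    def __init__(self, third_party_key, upstream):
        self._third_party_key = third_party_key
        self._upstream = upstream  # callable(path, headers) -> (status, body)

    def rotate_third_party_key(self, new_key):
        # Rotation after a leak happens here only; deployed apps are unaffected
        # because they never held the key.
        self._third_party_key = new_key

    def handle(self, session_token, path, now=None):
        app_instance_id = verify_session_token(session_token, now)
        if app_instance_id is None:
            return {"status": 401, "body": {"error": "invalid or expired session"}}
        if not path.startswith(self.ALLOWED_PREFIXES):
            return {"status": 403, "body": {"error": "endpoint not permitted"}}
        status, body = self._upstream(
            path, {"Authorization": f"Bearer {self._third_party_key}"})
        # Only the upstream body is relayed; the key never appears in the reply.
        return {"status": status, "body": body, "app_instance_id": app_instance_id}


def response_exposes(response, secret):
    """True if the client-visible response contains the secret anywhere."""
    return secret in json.dumps(response)


if __name__ == "__main__":
    upstream = FakeThirdPartyApi({THIRD_PARTY_API_KEY})
    proxy = BackendProxy(THIRD_PARTY_API_KEY, upstream)
    token = mint_session_token("app-instance-42")
    print(proxy.handle(token, "/v1/geocode?q=Berlin"))
    print(proxy.handle(token[:-1] + "!", "/v1/geocode?q=Berlin"))  # tampered
```

The session token is the only credential the app ever carries, so anything recovered from the app package or a leaked repository is worthless against the third-party service. Rotating the third-party key is a server-side operation, which is what makes the post-leak mitigation in the last bullet practical.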
Richard is co-founder and CTO of Approov. He manages the Approov engineering team and in that role, he is responsible for the design, technical architecture and operation of the service.
Skip heads the US team, and is based in California. His focus is on helping customers secure API usage between mobile apps and their backend services. He is a frequent speaker at mobile, API and security conferences.