Best Practices for Secure Access of Third-Party APIs from Mobile Apps
Mobile apps increasingly depend on third-party APIs for payment, location, social media and other services. Access to these APIs is authenticated with API keys, but those keys are being stolen, either extracted from the shipped mobile app itself or leaked from cloud source repositories. If APIs are abused using keys you have not protected, you could be exposed to financial losses, fines and reputational damage due to:
- Hackers using your API keys to access a third-party service you pay for.
- Data breaches executed via third-party API traffic interception.
- DDoS attacks on APIs using your keys, causing the service to stop responding for your legitimate users, either because your service allocation (quota) is exhausted or because the provider's rate limits are triggered.
Michael Sampson, senior analyst at Osterman Research, says: “Our research shows that mobile apps depend on average on more than 30 third-party APIs, and that half of the mobile developers we surveyed are still storing API keys in the app code. These two things together constitute a massive attack surface for bad actors to exploit. And third-party API threats against mobile apps aren’t as well understood by companies as they should be.”
This new whitepaper from Approov presents an in-depth view of the threats as well as the pros and cons of different approaches to securing third-party API access.
You will learn how to eliminate the storage of secrets in the mobile app code completely, removing the risk of extraction through static analysis of the shipped app, as well as the risk of exposure through accidental source code repository leaks.
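To make the extraction risk concrete, here is an added example (not code from the whitepaper or from Approov) of the first check an attacker, or a defender auditing their own build, performs against a shipped app: dump the printable strings from the unpacked APK/IPA and look for credential-shaped values. The input is a constructed sample; the source paths, vendor key prefixes and entropy threshold are assumptions chosen for illustration.

```python
"""Heuristic scan of a mobile build's printable strings for embedded API keys.

Added example for this page: not Approov's code and not taken from the
whitepaper. It mimics what an attacker does with a shipped app: dump printable
strings from the unpacked APK/IPA (e.g. `strings classes.dex`, or read
res/values/strings.xml) and look for credentials. The input here is a
constructed sample; source paths and key shapes are assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample of (source file, string) pairs from an unpacked APK.
# None of these are real credentials.
SAMPLE_STRINGS = [
    ("classes.dex", "Lcom/example/app/MainActivity;"),
    ("classes.dex", "https://maps.googleapis.com/maps/api/geocode/json"),
    ("res/values/strings.xml", "AIzaSyEXAMPLEkey0000NotReal1111Zz22"),
    ("classes.dex", "sk_live_51ExAmPl3KeyDoNotUse00000000"),
    ("res/values/strings.xml", "user_settings_title_description"),
    ("classes.dex", "Accept-Encoding"),
    ("classes.dex", "x-api-key"),
    ("classes.dex", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
    ("res/values/strings.xml", "Loading..."),
]

# Vendor prefixes (assumption: commonly documented key shapes, illustrative only).
KNOWN_PREFIXES = {
    "AIza": "Google API key",
    "sk_live_": "Stripe live secret key",
    "sk_test_": "Stripe test secret key",
    "AKIA": "AWS access key ID",
}

# Long runs of key-alphabet characters: letters, digits, '_' and '-'.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption tuned on this sample


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(s: str):
    """Return a label if s looks like a credential, else None."""
    for prefix, label in KNOWN_PREFIXES.items():
        if s.startswith(prefix):
            return label
    # Generic fallback: long, mixed letters+digits, high entropy. Requiring both
    # a digit and a letter keeps long identifiers such as resource names out.
    if (TOKEN_RE.match(s)
            and any(ch.isdigit() for ch in s)
            and any(ch.isalpha() for ch in s)
            and shannon_entropy(s) >= ENTROPY_THRESHOLD):
        return "high-entropy token"
    return None


def find_embedded_secrets(entries):
    """Return [(label, source, string)] for every entry that looks like a key."""
    findings = []
    for source, s in entries:
        label = classify(s)
        if label is not None:
            findings.append((label, source, s))
    return findings


if __name__ == "__main__":
    for label, source, s in find_embedded_secrets(SAMPLE_STRINGS):
        print(f"{source}: {label}: {s[:8]}...")
```

Run the same logic over the real `strings` output of your own release build in CI and treat any hit as a blocker: if the scan finds a key, so will anyone who downloads the app. The prefix table and entropy threshold are heuristics and will produce both misses and false positives (long hex hashes look like tokens), so confirm each hit manually.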
The Problem with API Keys
Third-Party API Access from Mobile
How a Man-in-the-Middle Attack Works
The Risks of Stolen API Keys
Existing Protection Techniques
First-Party API Protection with Approov
App and Device Environment Checks
But What About Third-Party APIs?
Managed Trust Roots
App Instance Secure Strings