Best Practices For Secure Access of Thirds Party APIs From Mobile Apps

API Keys WHitepaper Image

Register Here to Download your Copy

CriticalBlue (developer of Approov) will use the personal information you provide to send you the content requested and information about our services. You may unsubscribe from these communications at any time by clicking the link at the bottom of our emails. For information on our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.

Mobile apps increasingly depend on third-party API access, employing them for many reasons, including payment, location, social media and other services. Access is validated via API keys but these keys are being stolen, either from the mobile app code itself or from cloud repositories. If APIs are abused using keys you have not protected you could be exposed to financial losses, fines, and reputational damage due to:

  • Hackers using your API keys to access a third-party service you pay for.
  • Data breaches executed via third-party API traffic interception.
  • DDoS attacks on APIs using your keys, causing services to stop responding either because service allocation limits are used up, or service rate limits are triggered.

Michael Sampson, senior analyst at Osterman Research says “Our research shows that mobile apps depend on average on more than 30 third-party APIs, and that half of the mobile developers we surveyed are still storing API keys in the app code. These two things together constitute a massive attack surface for bad actors to exploit. And third-party API threats against mobile apps aren’t as well understood by companies as they should be.“

This new whitepaper from Approov presents an in-depth view of the threats as well as the pros and cons of different approaches to securing third-party API access.

You will learn how to eliminate the storage of secrets in the mobile app code completely, removing any risk of extraction through code analysis, as well as the risk of exposure through accidental source code repository leaks.

Contents

Introduction
The Problem with API Keys
Third-Party API Access from Mobile
How a Man-in-the Middle Attack Works
The Risks of Stolen API Keys
Existing Protection Techniques
First-Party API Protection with Approov
Approov Architecture
App and Device Environment Checks
But What About 3rd Party APIs
Managed Trust Roots
Quickstart Integrations
App Instance Secure Strings
Summary

© 2022 CriticalBlue, Ltd.