
Best Practices for Secure Access of Third-Party APIs from Mobile Apps


Mobile apps increasingly depend on third-party API access, employing it for many purposes, including payment, location, social media and other services. Access is validated via API keys, but these keys are being stolen, either from the mobile app code itself or from cloud repositories. If APIs are abused using keys you have not protected, you could be exposed to financial losses, fines, and reputational damage due to:

  • Hackers using your API keys to access a third-party service you pay for.
  • Data breaches executed via third-party API traffic interception.
  • DDoS attacks on APIs using your keys, causing services to stop responding either because service allocation limits are used up, or service rate limits are triggered.

API Key Challenges

API keys are commonly used to secure backend API access. However, exposing API keys poses risks, including unauthorized access, data manipulation, and quota depletion. Accidental exposure of API keys in source code, tools trawling repositories, and man-in-the-middle attacks are general concerns.

Third-Party API Access from Mobile

When a mobile app calls a third-party API, the API key has to be present in the app and is sent over the network with each request. Tools like MobSF, Apktool, and Burp Suite can extract such secrets from the app package or its traffic, and man-in-the-middle attacks can compromise the communication.
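A pre-release check that looks for the same kind of embedded credential the paragraph above describes, run over the printable strings of your own build artifact, is one defensive counterpart to those extraction tools. The following is an added example and not code from the white paper or from Approov; the sample strings, the prefix patterns and the entropy threshold are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of printable strings, of the kind a pre-release check
# pulls out of a compiled app bundle. Every value below is made up.
SAMPLE_STRINGS = [
    "Content-Type: application/json",
    "MAPS_API_KEY=AIzaSyDexampleCONSTRUCTED0123456789abcd",
    "aws_access_key_id = AKIAEXAMPLEEXAMPLE12",
    "https://api.example.com/v1/payments",
    "Hello, world",
    "stripe_sk = sk_live_CONSTRUCTEDEXAMPLE0123456789abcdef",
]

# Known-format rules: prefix patterns of common third-party API credentials
# (assumed formats, kept deliberately simple for the example).
KNOWN_FORMATS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "stripe_live_secret": re.compile(r"sk_live_[0-9A-Za-z]{24,}"),
}

# Catch-all: something that looks like a key/secret/token assignment.
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
)

# High-entropy rule: long opaque tokens that no known prefix matches.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64/hex sits well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_strings(lines):
    """Return {line_index: [rule names]} for every line that looks like a leaked credential."""
    findings = {}
    for i, line in enumerate(lines):
        hits = [name for name, rx in KNOWN_FORMATS.items() if rx.search(line)]
        if ASSIGNMENT.search(line):
            hits.append("credential_assignment")
        if any(shannon_entropy(tok) >= ENTROPY_THRESHOLD for tok in TOKEN.findall(line)):
            hits.append("high_entropy_token")
        if hits:
            findings[i] = hits
    return findings


def release_gate(lines) -> bool:
    """True when the artifact is clean; a CI job would fail the build otherwise."""
    return not scan_strings(lines)


if __name__ == "__main__":
    for idx, rules in scan_strings(SAMPLE_STRINGS).items():
        print(f"line {idx}: {', '.join(rules)} -> {SAMPLE_STRINGS[idx]}")
    print("release allowed:", release_gate(SAMPLE_STRINGS))
```

Feed it the output of a strings dump of the release build in CI and fail the pipeline when `release_gate` returns False. The known-format rules give precise hits; the assignment and entropy rules are noisier and are there to catch keys whose format you did not anticipate, so expect to tune the threshold and add an allow-list for known-harmless constants.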

[Figure: Approov diagram of attack vectors used to extract secrets]

MitM Attack

Attackers can intercept app-backend communication through a proxy tool and extract API keys using device-rooting techniques, undermining security.

Risks of Stolen API Keys

The risk obviously depends on the capabilities of the particular API whose key has been compromised. Stolen API keys can lead to data exfiltration, skewed analytics, and denial of service attacks. Pay-per-use APIs may incur unauthorized costs.

[Figure: Approov diagram showing the risks of stolen API keys]

Existing Protection Methods

Obfuscation, code hardening, and pinning offer some protection but have limitations against runtime extraction and MitM attacks.

Approov's First-Party API Protection

Approov secures first-party APIs using a unique, short-lived cryptographic token, evaluating app and device integrity. Cloud-based checks ensure proper app identity and protection against various threats.

The Approov SDK agent embedded within a user's app conducts continuous monitoring to detect any suspicious activities, such as function hooking that might attempt to extract app data. Additionally, it enhances the security of the API channel, effectively preventing any potential Man-in-the-Middle attacks.

[Figure: Approov architecture]

3rd Party APIs and Approov

Applying Approov directly to third-party APIs is challenging because you do not control the third-party backend that would verify the token. Some users instead route third-party calls through a proxy they do control, at the cost of added latency and complexity.

Approov Runtime Secrets Protection

Approov's Runtime Secrets Protection extends the same safeguarding to third-party APIs. Integration involves adding the Approov SDK, registering the app, and moving the secrets into the Approov cloud. Because the secrets are removed from the app's build, they cannot be recovered by reverse engineering. At runtime, the Approov integration verifies the app's integrity, and the Approov cloud delivers the secrets, in obfuscated form, to the app only after the checks succeed. The app holds these secrets only in memory and adds them to network requests, where they remain protected against theft. If the checks fail, no secret is delivered, and the app can optionally notify the user. This approach ensures that only valid, uncompromised app instances can access the API keys and secrets stored in the Approov cloud, without any change to the backend APIs.
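To make the flow concrete, here is a minimal model of it in code: an integrity check that yields a short-lived signed token, a secrets service that releases the third-party key only against a valid, unexpired token, and an app-side step that keeps the key in memory and attaches it to the request. This is an added example written for this page, not Approov's SDK, token format or protocol; the signing key, app hash, token layout, service names and the maps key are all constructed.

```python
import base64
import hashlib
import hmac
import json

# --- constructed fixtures (no real keys or services) ---------------------
ATTEST_SIGNING_KEY = b"constructed-attestation-signing-key"   # shared by both services
GENUINE_APP_HASH = hashlib.sha256(b"genuine-app-build").hexdigest()  # expected measurement
TOKEN_TTL_SECONDS = 300
# Third-party keys live only here, server side; the app build never contains them.
CLOUD_SECRETS = {"maps": "CONSTRUCTED-MAPS-KEY-not-a-real-credential"}


def _sign(body: str) -> str:
    return hmac.new(ATTEST_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_attestation_token(app_hash: str, now: int):
    """Attestation service: integrity check, then a short-lived signed token (or None)."""
    if not hmac.compare_digest(app_hash, GENUINE_APP_HASH):
        return None
    payload = {"app": "com.example.app", "exp": now + TOKEN_TTL_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def verify_attestation_token(token: str, now: int):
    """Secrets service side: check the signature first, then the expiry. Payload or None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("exp", 0) <= now:
        return None
    return payload


def release_secret(token: str, name: str, now: int):
    """Secrets service: hand out the third-party key only to a valid, unexpired token."""
    if verify_attestation_token(token, now) is None:
        return None
    return CLOUD_SECRETS.get(name)


def build_third_party_request(app_hash: str, now: int):
    """App side: attest, fetch the key, keep it in memory, attach it to the request."""
    token = issue_attestation_token(app_hash, now)
    if token is None:
        return None  # failed check: no secret is delivered; the app can tell the user
    api_key = release_secret(token, "maps", now)
    if api_key is None:
        return None
    return {
        "url": "https://maps.example.invalid/v1/geocode",
        "headers": {"X-Api-Key": api_key},
    }


if __name__ == "__main__":
    print("genuine app :", build_third_party_request(GENUINE_APP_HASH, 1_000_000))
    print("tampered app:", build_third_party_request("0" * 64, 1_000_000))
```

The ordering inside `verify_attestation_token` is the part worth copying: the signature is checked before anything in the body is trusted, and the expiry is checked against the server's clock, so a captured token is useless once its window has passed. In a real deployment the integrity evidence is far richer than a single hash, the token carries a device binding, and the channel is protected as described under Managed Trust Roots.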

Managed Trust Roots

Approov's "Managed Trust Roots" enhances channel protection by checking certificates within device and Approov trust stores.

[Figure: Approov Managed Trust Roots diagram]

Quickstart Integrations

Approov offers app quickstart integrations, simplifying the process by substituting secrets with placeholders and automating authenticity checks.

Summary

Approov Runtime Secrets Protection prevents API key exposure in mobile apps. Valid app instances in uncompromised environments access securely stored API keys. Managed trust roots ensure secure communication, and backend APIs remain unchanged. Dynamic secret updates enhance flexibility and security.

Download the full version of the white paper