Best Practices for Secure Access of Third-Party APIs from Mobile Apps
Mobile apps increasingly depend on third-party API access, employing them for many reasons, including payment, location, social media and other services. Access is validated via API keys but these keys are being stolen, either from the mobile app code itself or from cloud repositories. If APIs are abused using keys you have not protected you could be exposed to financial losses, fines, and reputational damage due to:
- Hackers using your API keys to access a third-party service you pay for.
- Data breaches executed via third-party API traffic interception.
- DDoS attacks on APIs using your keys, causing services to stop responding either because service allocation limits are used up, or service rate limits are triggered.
API Key Challenges
API keys are commonly used to secure backend API access. However, exposing API keys poses risks, including unauthorized access, data manipulation, and quota depletion. Accidental exposure of API keys in source code, tools trawling repositories, and man-in-the-middle attacks are general concerns.
Third-Party API Access from Mobile
When mobile apps access third-party APIs, they extract API keys from code and transmit them over the network. Tools like MobSF, Apktool, and Burp Suite can extract secrets, and man-in-the-middle attacks can compromise communication.
Attackers can intercept app-backend communication through a proxy tool and extract API keys using device-rooting techniques, undermining security.
Risks of Stolen API Keys
The risk obviously depends on the capabilities of the particular API whose key has been compromised. Stolen API keys can lead to data exfiltration, skewed analytics, and denial of service attacks. Pay-per-use APIs may incur unauthorized costs.
Existing Protection Methods
Obfuscation, code hardening, and pinning offer some protection but have limitations against runtime extraction and MitM attacks.
Approov's First-Party API Protection
Approov secures first-party APIs using a unique, short-lived cryptographic token, evaluating app and device integrity. Cloud-based checks ensure proper app identity and protection against various threats.
The Approov SDK agent embedded within a user's app conducts continuous monitoring to detect any suspicious activities, such as function hooking that might attempt to extract app data. Additionally, it enhances the security of the API channel, effectively preventing any potential Man-in-the-Middle attacks.
3rd Party APIs and Approov
Applying Approov directly to third-party APIs is challenging due to backend control limitations. Some users opt for a proxy solution, though latency and complexity arise.
Approov Runtime Secrets Protection
Approov's Runtime Secrets Protection extends third-party API safeguarding. Integration involves adding the Approov SDK, app registration, and securing secrets in the Approov cloud. Secrets are shielded from reverse engineering by removal from the app's build environment. During runtime, the Approov integration verifies the app's integrity, transmitting obfuscated secrets to the cloud only upon successful checks. These secrets are stored securely in memory and added to network requests, further protected against theft. Failed checks prevent secret transmission, optionally notifying users. This approach ensures that only valid, uncompromised app instances can access stored API keys and secrets in the Approov cloud, without altering backend APIs.
Managed Trust Roots
Approov's "Managed Trust Roots" enhances channel protection by checking certificates within device and Approov trust stores.
Approov offers app quickstart integrations, simplifying the process by substituting secrets with placeholders and automating authenticity checks.
Approov Runtime Secrets Protection prevents API key exposure in mobile apps. Valid app instances in uncompromised environments access securely stored API keys. Managed trust roots ensure secure communication, and backend APIs remain unchanged. Dynamic secret updates enhance flexibility and security.