The Threats of Exposed Secrets
Anatomy of a Hack
Hundreds of millions of API attacks occur each day, attempting to steal valuable data or goods, or to create accounts that can be exchanged for money. A typical attack sequence involves the following steps.
Analyze
Your app is used to set up an account, then reverse engineered to extract API keys and other secrets, while the attacker observes and manipulates the API calls passing through your HTTPS/TLS-protected channels.
Build
The attacker builds scripts, or modified/hooked versions of your app, that generate spoofed but valid requests to suit their purposes.
Exploit
The attacker assembles a botnet and exploits your API, adjusting request rates and masking IP locations with VPNs to remain undetected.
Exposed API Keys and Other Secrets Are Dangerous
API security solutions may employ API keys or client secrets to identify accounts and lock down access to the mobile client. Such secrets can be easily reverse engineered from app code, and then used in attacker scripts to spoof requests as if they were coming from the official mobile app.
Even if such secrets can be protected at rest in the app code using obfuscation technologies, they still need to be communicated to the backend API service. Thus they can still be stolen in transit by Man-in-the-Middle (MitM) attacks.
Threats to Your Business from API Abuse
Exposure of secrets may result in very negative consequences for your business. There is a growing list of security threats that can be very damaging if you don't have protections in place.
Account Takeover
A form of identity theft using techniques like session hijacking, password cracking, or credential stuffing, i.e. mass login attempts to verify the validity of stolen username/password pairs.
Fake Account Creation
Denial of Service
Credit Fraud
App Impersonation
Man in the Middle
API Security Breach
Scraping
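Credential stuffing, as described above, leaves a recognisable trace in authentication logs: one source trying many different usernames with a high failure rate. Because the attacker in the "Exploit" step adjusts request rates and spreads traffic across VPN exit points, a per-source view alone is not enough, so the detector below also looks per account for failures arriving from many distinct sources. This is an added example, not code from the original page or from any vendor; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune against real traffic.

```python
"""Detect credential-stuffing patterns in authentication logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines for this example; not from any real system.
# 203.0.113.5 sprays six usernames and lands one hit (erin).
# 198.51.100.7 is a legitimate user mistyping a password twice.
# 203.0.113.10-13 each make a single attempt against the same account (frank).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave result=fail
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin result=success
2024-05-01T10:00:06Z ip=203.0.113.5 user=faye result=fail
2024-05-01T10:01:00Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:09Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:20Z ip=198.51.100.7 user=alice result=success
2024-05-01T10:02:00Z ip=203.0.113.10 user=frank result=fail
2024-05-01T10:02:30Z ip=203.0.113.11 user=frank result=fail
2024-05-01T10:03:00Z ip=203.0.113.12 user=frank result=fail
2024-05-01T10:03:30Z ip=203.0.113.13 user=frank result=fail
"""

# Assumed log line format: "<timestamp> ip=<addr> user=<name> result=<fail|success>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse log text into AuthEvent records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(m["ts"], m["ip"], m["user"], m["result"] == "success"))
    return events


def spraying_sources(events, min_attempts=5, min_distinct_users=3, max_success_ratio=0.25):
    """Return source IPs that tried many distinct usernames and mostly failed.

    A real user retrying their own password touches one username; a stuffing
    script cycles through a stolen list, so distinct-user count is the key signal.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        users = {e.user for e in evs}
        successes = sum(1 for e in evs if e.ok)
        if (len(evs) >= min_attempts
                and len(users) >= min_distinct_users
                and successes / len(evs) <= max_success_ratio):
            flagged.add(ip)
    return flagged


def targeted_accounts(events, min_sources=3):
    """Return usernames with failed logins from many distinct IPs.

    Catches the low-and-slow, VPN-distributed variant where each source stays
    under any per-IP threshold but the account itself sees the aggregate.
    """
    ips_by_user = defaultdict(set)
    for e in events:
        if not e.ok:
            ips_by_user[e.user].add(e.ip)
    return {user for user, ips in ips_by_user.items() if len(ips) >= min_sources}


def compromised_by_stuffing(events, sources):
    """Accounts with a successful login from a flagged source: candidates for forced reset."""
    return {e.user for e in events if e.ok and e.ip in sources}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bad_ips = spraying_sources(evs)
    print("spraying sources:", sorted(bad_ips))
    print("targeted accounts:", sorted(targeted_accounts(evs)))
    print("accounts to reset:", sorted(compromised_by_stuffing(evs, bad_ips)))
```

The per-account view matters most for the success case: a single successful login from a flagged source is the account takeover itself, so the response is a credential reset and session invalidation for that account, not just blocking the IP.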