The Threats of Exposed Secrets
Anatomy of a Hack
Hundreds of millions of API attacks occur each day attempting to steal valuable data, goods, or create accounts that can be exchanged for money. A typical attack sequence involves the following steps.

Analyze
Your app is used to set up an account, then reverse engineered to extract API keys and other secrets while observing and manipulating API calls through your HTTPS/TLS-protected channels.

Build
The attacker builds scripts or modified/hooked versions of your app to build spoofed but valid requests to suit their purposes.

Exploit
The attacker assembles a botnet and exploits your API, adjusting request rates and masking IP locations with VPNs to remain undetected.
Exposed API Keys and Other Secrets are Dangerous
API security solutions may employ API keys or client secrets to identify accounts and lock down access to the mobile client. Such secrets can be easily reverse engineered from app code, and then used in attacker scripts to spoof requests as if they were coming from the official mobile app.
Even if such secrets can be protected at rest in the app code using obfuscation technologies, they still need to be communicated to the backend API service. Thus, secrets can also be stolen in transit by Man-in-the-Middle (MitM) attacks.
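The two sections above describe why a static API key is a weak way to identify the mobile client: it is a long-lived bearer value, so a copy taken from the app package or observed on the wire works forever. The following backend-side check is an added example (not Approov's code or API) that contrasts that static-key check with verification of a short-lived, server-signed token whose signing key never leaves the backend. The signing key, app identifier, token format and the five-minute lifetime are assumptions chosen for illustration.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets

# Held only by the token issuer and the API backend; never shipped in the app (constructed for this example).
SERVER_SIGNING_KEY = secrets.token_bytes(32)

# The kind of value that ends up inside an app binary and can be extracted by reverse engineering.
STATIC_API_KEY = "EXAMPLE-static-key-0123"


def check_static_key(headers: dict[str, str]) -> bool:
    # Weak pattern: a long-lived bearer value with no notion of time or binding.
    # Whoever has read it from the app or the wire can replay it indefinitely.
    return hmac.compare_digest(headers.get("X-API-Key", ""), STATIC_API_KEY)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id: str, now: float, ttl: int = 300) -> str:
    # Issued by a backend-side service once it is satisfied the caller is the genuine app.
    # The client only ever holds this short-lived token, not SERVER_SIGNING_KEY.
    payload = {"app": app_id, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: float) -> tuple[bool, str]:
    # Returns (accepted, app_id or rejection reason). A token captured in transit
    # is useless after `exp`, and any edit to the body invalidates the signature.
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    try:
        presented = _unb64(sig)
    except (ValueError, base64.binascii.Error):
        return False, "malformed"
    expected = hmac.new(SERVER_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, base64.binascii.Error):
        return False, "malformed"
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, str(payload.get("app", ""))
```

The static check accepts the same header value today, tomorrow and from any script, which is exactly the spoofing the text warns about. The token check bounds the damage of an intercepted value to the token lifetime and rejects any tampering, but note that it only helps if the token is minted by something that can tell the genuine app from a modified one; a token minted from a secret that itself lives in the app inherits the same extraction problem.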
Threats to Your Business from API Abuse
Exposure of secrets may result in very negative consequences for your business. There is a growing list of security threats that can be very damaging if you don’t have protections in place.

Account Takeover
Form of identity theft using techniques like session hijacking, password cracking, or credential stuffing (mass log-in attempts to verify the validity of stolen username/password pairs).
Fake Account Creation
Generation of fake accounts as a prelude to spamming, denial of service attacks, or credential stuffing attacks with stolen account info.
Denial of Service
Targets resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS), effectively preventing real customers from reaching the service or ruining the customer experience.
Credit Fraud
Multiple small payment authorization attempts used to verify the validity of bulk stolen payment card data, and to identify missing start/expiry dates and security codes for that data by trying different values.
App Impersonation
Tampered or impostor app enabling an attacker to exploit and misdirect user actions and gather Personally Identifiable Information (PII) for future attacks or customer manipulation.
Man in the Middle
Intercepting and/or manipulating API traffic via a Man-in-the-Middle attack enables an attacker to gather Personally Identifiable Information (PII) or perform malicious actions through the API.
API Security Breach
Exploitation of any API security flaws to exfiltrate confidential enterprise or customer data or damage business operations.
Scraping
Collection of large amounts of data via APIs in order to reuse or resell that data, often by aggregating data from multiple sources to provide an unofficial alternate marketplace.
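Two of the threats listed above, credential stuffing and card-testing credit fraud, share a traffic shape on the backend: one source makes many attempts in a short window against many different subjects (usernames or card tokens) with a very high failure rate. The detector below is an added example, not part of the original page or Approov's product, that runs that heuristic over constructed auth and payment log lines. The log format, the source addresses, the thresholds and the 60-second window are assumptions chosen for illustration; a real deployment would tune them and key on more than the source address, since the text notes attackers rotate IPs through VPNs.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log shape: "<unix_ts> <source_ip> <event> <subject> <ok|fail>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<event>login|payment_auth) "
    r"(?P<subject>\S+) (?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Finding:
    src: str
    event: str
    attempts: int
    distinct_subjects: int
    failure_ratio: float


def constructed_sample() -> list[str]:
    # Constructed sample traffic; the addresses are documentation ranges, not real hosts.
    lines = []
    # Source A: 12 logins against 12 different usernames within 22 s, 11 failures (credential stuffing shape).
    for i in range(12):
        lines.append(f"{1000 + i * 2} 203.0.113.7 login user{i:02d} {'ok' if i == 7 else 'fail'}")
    # Source B: 15 small authorizations against 15 card tokens within 14 s, 14 declined (card-testing shape).
    for i in range(15):
        lines.append(f"{1000 + i} 198.51.100.9 payment_auth card{i:03d} {'ok' if i == 3 else 'fail'}")
    # Source C: one genuine user mistyping a password twice, then succeeding.
    lines += [
        "1000 192.0.2.44 login alice fail",
        "1010 192.0.2.44 login alice fail",
        "1020 192.0.2.44 login alice ok",
    ]
    return lines


def parse(lines: list[str]) -> list[tuple[int, str, str, str, str]]:
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape rather than guessing
        events.append((int(m["ts"]), m["src"], m["event"], m["subject"], m["result"]))
    return events


def detect(lines: list[str], window: int = 60, min_attempts: int = 10,
           min_subjects: int = 5, min_failure_ratio: float = 0.8) -> list[Finding]:
    # Group by (source, event type), then slide a window over each group's sorted events.
    by_key: dict[tuple[str, str], list[tuple[int, str, str]]] = defaultdict(list)
    for ts, src, event, subject, result in parse(lines):
        by_key[(src, event)].append((ts, subject, result))
    findings: list[Finding] = []
    for (src, event), evs in by_key.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            win = [e for e in evs[i:] if e[0] - start <= window]
            if len(win) < min_attempts:
                continue
            subjects = {e[1] for e in win}
            fails = sum(1 for e in win if e[2] == "fail")
            ratio = fails / len(win)
            if len(subjects) >= min_subjects and ratio >= min_failure_ratio:
                findings.append(Finding(src, event, len(win), len(subjects), ratio))
                break  # one finding per source/event is enough for alerting
    return findings


if __name__ == "__main__":
    for f in detect(constructed_sample()):
        print(f"{f.src} {f.event}: {f.attempts} attempts, "
              f"{f.distinct_subjects} subjects, {f.failure_ratio:.0%} failed")
```

Source C is not flagged even though two of its three attempts fail: the attempt count is far below the threshold and every attempt targets the same subject, which is what a forgotten password looks like. The distinct-subject requirement is what separates stuffing and card testing from ordinary retries; without it a single locked-out user would trip the rule.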
Request a Demo
Give us 30 minutes and our security experts will show you how to protect your revenue and business data by deploying Approov to secure your mobile apps and your.
Get a Trial
Approov offers a complimentary 30 day trial (no credit card necessary) to give you immediate and valuable insight into the security risks of your mobile apps and the devices they run on.