The Threats to Your Business from API Abuse
Your mobile apps probably rely on a range of API services. There is a growing number of security threats that can damage your business if you don't have protections in place.
By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.
Gartner: How to Build an Effective API Security Strategy
Aren't API Keys Good Enough?
Useful apps depend on the data and services provided by multiple APIs from a range of vendors. A typical enterprise app will make use of both internal and third-party APIs, and each will have its own approach to access management and associated charges.
Existing API security solutions may employ API keys or client secrets to identify accounts or lock down access to the mobile client. Such secrets can easily be reverse engineered from the app code and then used in attacker scripts to spoof requests so that they appear to come from the official mobile app.
Even if such secrets can be protected at rest in the app code, they still need to be communicated to the backend API service. Secrets can therefore still be stolen in transit by Man-in-the-Middle (MitM) attacks.
Failing to protect keys from misuse can have a number of negative consequences for your business:
- Paying for someone else's use of a pay-per-call API with your API key.
- API key revocation because someone else has used it outside the terms of service.
- Rate limiting due to overuse by someone else.
The API keys used by your apps can become exposed in a number of ways. They can simply be extracted from your published app and redeployed in scripts, or they may be accidentally uploaded by developers to public code sharing sites such as GitHub and Bitbucket.
User Authorization is Insufficient
Identity and Access Management (IAM) services and Role-Based Access Control (RBAC) can control WHO can access your backend services, but how well do you control WHAT can access them? Approov closes this security gap by answering questions such as:
- How do you prevent a bot using stolen credentials and calling your APIs?
- How do you prevent a user from giving their credentials to a third-party app that accesses your data and services without your consent?
- How do you prevent scraping of data when logins are not required?
Anatomy of a Hack
Hundreds of millions of API attacks occur each day, attempting to steal valuable data or goods, or to access accounts which can be exchanged for money. A typical attack sequence involves:
Read our guide on The Threats to Mobile Apps and APIs.
Talk to a Security Expert
Give us 30 minutes and our security experts will show you how to protect your revenue and business data by deploying Approov to secure your mobile apps and your APIs.