The Threats to Your Business from API Abuse
Your mobile apps probably rely on a range of API services. A growing number of security threats can damage your business if you do not have protections in place:
"By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications."
Gartner: How to Build an Effective API Security Strategy
Aren't API Keys Good Enough?
Useful apps depend on the data and services provided by multiple APIs from a range of vendors. A typical enterprise app will make use of both internal and third-party APIs, and each will have its own approach to access management and associated charges.
Most APIs require apps to present some sort of valid API key with each request to allow access. Failing to protect this key from misuse can have a number of negative consequences for your business:
- Paying for someone else's use of a pay-per-call API with your API key.
- API key revocation because someone else has used it outside the terms of service.
- Rate limiting due to overuse by someone else.
The API keys used by your apps can become exposed in a number of ways. They can simply be extracted from your published app and redeployed in scripts, or they may be accidentally uploaded by developers to public code-sharing sites such as GitHub and Bitbucket.
User Authorization is Insufficient
Identity and Access Management (IAM) services and Role-Based Access Control (RBAC) can control WHO can access backend services, but how well do you control WHAT can access your services? Approov closes this security gap by answering questions such as:
- How do you prevent a bot from using stolen credentials to call your APIs?
- How do you prevent a user from giving their credentials to a third-party app that accesses your data and services without your consent?
- How do you prevent scraping of data when logins are not required?
Anatomy of a Hack
Hundreds of millions of API attacks occur each day, attempting to steal valuable data or goods, or to access accounts that can be exchanged for money. A typical attack sequence involves:
Read our guide on The Threats to Mobile Apps and APIs.
Talk to a Security Expert
Give us 30 minutes and our security experts will show you how to protect your revenue and business data by deploying Approov to secure your mobile apps and your APIs.