Threats to Your Business from API Abuse
Your mobile apps probably rely on a range of API services. A growing number of security threats can damage your business if you don’t have protections in place:
- Fake Account Creation
- Denial of Service
- Man in the Middle
- API Security Breach: a form of identity theft using techniques like session hijacking, password cracking, or credential stuffing, in which mass login attempts are used to verify the validity of stolen username/password pairs.
Aren't API Keys Good Enough?
Useful apps depend on the data and services provided by multiple APIs from a range of vendors. A typical enterprise app will make use of both internal and third-party APIs, each with its own approach to access management and its own associated charges.
Existing API security solutions may employ API keys or client secrets to identify accounts or lock down access to the mobile client. Such secrets can easily be reverse engineered from the app code and then used in attacker scripts to spoof requests so that they appear to come from the official mobile app.
Even if such secrets can be protected at rest in the app code, they still need to be communicated to the backend API service, so they can still be stolen in transit by Man-in-the-Middle (MitM) attacks.
Failing to protect keys from misuse can have a number of negative consequences for your business:
- Paying for someone else's use of a pay-per-call API with your API key.
- API key revocation because someone else has used it outside the terms of service.
- Rate limiting due to overuse by someone else.
The API keys used by your apps can become exposed in a number of ways. They can simply be extracted from your published app and redeployed in scripts, or they may be accidentally uploaded by developers to public code sharing sites such as GitHub and Bitbucket.
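Keys that were compiled into an app or committed to a repository are easy to find because they look nothing like ordinary program strings. The following secret scanner, added here as an illustration and not part of the original page or of any Approov tooling, shows the kind of check a team can run over source before it is published or pushed: it matches a small set of well-known key formats and flags any long string literal with high Shannon entropy. The source lines and key values it scans are constructed for the example.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of app source, the way a developer might accidentally
# commit it. Every key value below is made up for this example.
SAMPLE_SOURCE = """
const BASE_URL = "https://api.example.com/v1";
const API_KEY = "AKIAIOSFODNN7EXAMPLE";        // cloud-style access key id
const MAPS_TOKEN = "pk.eyJ1IjoiZGVtbyIsImEiOiJjazEyMzQ1Njc4OTAifQ";
const THEME = "dark";
const LOG_PREFIX = "[AppNetwork]";
const HMAC_SECRET = "3f9a2c7e1b8d4f0a9c6e5b2d7a1f8c3e";
"""

# A small illustrative set of known key formats (real scanners carry hundreds).
KNOWN_FORMATS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hex_secret_32", re.compile(r"\b[0-9a-f]{32}\b")),
]

# Any double-quoted literal of 16 or more characters is a candidate for the
# entropy check; shorter strings are usually labels, not credentials.
STRING_LITERAL = re.compile(r'"([^"\\]{16,})"')


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, value) for every literal that looks like a secret.

    Known formats are reported by name; everything else that is long and
    high-entropy is reported as 'high_entropy_string'. URLs are skipped because
    they are long but not secret.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        already_reported = set()
        for name, pattern in KNOWN_FORMATS:
            for m in pattern.finditer(line):
                findings.append((line_no, name, m.group(0)))
                already_reported.add(m.group(0))
        for m in STRING_LITERAL.finditer(line):
            literal = m.group(1)
            if literal in already_reported or literal.startswith("http"):
                continue
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append((line_no, "high_entropy_string", literal))
    return findings


if __name__ == "__main__":
    for line_no, reason, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}: {value}")
```

The same pattern-plus-entropy approach is what public secret scanners apply to repositories, which is why a key that slips into a commit should be treated as exposed and rotated rather than merely deleted from the next commit. The entropy threshold of 3.5 bits per character is an assumption chosen for this sample; a real deployment tunes it against its own false-positive rate.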
User Authorization is Insufficient
Identity and Access Management (IAM) services and Role-Based Access Control (RBAC) can control WHO can access backend services, but how well do you control WHAT can access your services? Approov closes this security gap by answering questions such as:
- How do you prevent a bot using stolen credentials and calling your APIs?
- How do you prevent a user from giving their credentials to a third-party app to access your data and services without your consent?
- How do you prevent scraping of data when logins are not required?
Anatomy of a Hack
Hundreds of millions of API attacks occur each day, attempting to steal valuable data or goods, or to take over accounts that can be exchanged for money. A typical attack sequence involves the following steps.
- Your app is used to set up a temporary account, then reverse engineered to extract API keys and other secrets while API calls through your HTTPS/TLS-protected channels are observed and manipulated.
- The attacker assembles a botnet and probes the API for weaknesses, trying stolen or generated user credentials and running them through your system, adjusting request rates and apparent locations in the hope of staying undetected.
- Cracks in your defenses can bring down your systems; allow customer accounts, credit, or private data to be taken over or sold; and serve as a seed for attacks on other systems.
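The credential-stuffing stage of the sequence above, and the "mass login attempts" named in the threat list, leave a recognisable trace in API login logs: one client source cycling through many different usernames in a short window with a high failure rate, with the occasional success marking a username/password pair the attacker has just validated. The detector below is an added illustration, not code from this page or from Approov; the log format and every address, username and timestamp in it are constructed for the example. It groups login events per source address, slides a time window over them, and raises an alert when the window holds many distinct usernames and mostly failures, listing any accounts that succeeded during the burst so they can be treated as compromised.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of API login events (one line per attempt). Addresses are
# from documentation ranges and do not belong to any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=success
2024-05-01T10:00:04Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:30Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:45Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:01:10Z ip=198.51.100.4 user=alice result=success
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "success",
    }


def detect_credential_stuffing(
    log_text: str,
    window: timedelta = timedelta(seconds=60),
    min_users: int = 5,
    min_fail_ratio: float = 0.6,
) -> Dict[str, dict]:
    """Return {ip: alert} for sources that look like credential stuffing.

    An alert is raised when, within `window`, a single source attempts at
    least `min_users` distinct usernames and at least `min_fail_ratio` of
    those attempts fail. Thresholds are assumptions for this example.
    """
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    alerts: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            users = {e["user"] for e in burst}
            failures = sum(1 for e in burst if not e["ok"])
            if len(users) >= min_users and failures / len(burst) >= min_fail_ratio:
                # Keep the largest qualifying burst seen for this source.
                alerts[ip] = {
                    "attempts": len(burst),
                    "distinct_users": len(users),
                    "failures": failures,
                    "validated_accounts": sorted(e["user"] for e in burst if e["ok"]),
                }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

In the sample, 203.0.113.7 tries six different accounts in five seconds with five failures and one success, so it is flagged and "dave" is reported as a validated pair; 198.51.100.4 is one user retrying their own password and is not flagged. Because the attacker in the text deliberately adjusts rates and apparent locations to spread attempts thinly across a botnet, a per-address detector like this is a baseline rather than a complete answer, which is the gap the page argues must be closed by verifying what is calling the API rather than only who.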