Threats to Your Business from API Abuse

Your mobile apps probably rely on a range of API services. A growing number of security threats can damage your business if you don't have protections in place.

Aren't API Keys Good Enough?

Useful apps are dependent on the data and services provided by multiple APIs from a range of vendors. A typical enterprise app will make use of both internal and third-party APIs. Each will have its own approach to access management and associated charges.

Existing API security solutions may employ API keys or client secrets to identify accounts or lock down access to the mobile client. Such secrets can easily be reverse engineered from the app code and then used in attacker scripts to spoof requests so that they appear to come from the official mobile app.

Even if such secrets can be protected at rest in the app code, they still need to be communicated to the backend API service. Therefore, secrets can still be stolen in transit by Man-in-the-Middle (MitM) attacks.

Failing to protect keys from misuse can have a number of negative consequences for your business:

  • Paying for someone else's use of a pay-per-call API with your API key.
  • API key revocation because someone else has used it outside the terms of service.
  • Rate limiting due to overuse by someone else.

The API keys used by your apps can become exposed in a number of ways. They can simply be extracted from your published app and redeployed in scripts, or they may be accidentally uploaded by developers to public code-sharing sites such as GitHub and Bitbucket.

User Authorization is Insufficient

Identity and Access Management (IAM) services and Role-Based Access Control (RBAC) can control WHO can access backend services, but how well do you control WHAT can access your services? Approov closes this security gap by answering questions such as:

  • How do you prevent a bot from using stolen credentials to call your APIs?
  • How do you prevent a user from giving their credentials to a third-party app that accesses your data and services without your consent?
  • How do you prevent scraping of data when logins are not required?

Anatomy of a Hack

Hundreds of millions of API attacks occur each day, attempting to steal valuable data or goods, or to gain access to accounts that can be exchanged for money. A typical attack sequence involves the following steps.

Your app is used to set up a temporary account, then reverse engineered to extract API keys and other secrets while the attacker observes and manipulates API calls passing through your HTTPS/TLS-protected channels.

The attacker assembles a botnet and probes the API for weaknesses, trying stolen or generated user credentials against your system and adjusting request rates and apparent locations in the hope of staying undetected.

Cracks in your defenses can let an attacker bring down your systems; take over or sell customer accounts, credit, or private data; and use your systems as a seed for attacking others.

Request a Demo

Give us 30 minutes and our security experts will show you how to protect your revenue and business data by deploying Approov to secure your mobile apps and your APIs.

Get a Trial

Approov offers a complimentary 30-day trial (no credit card necessary) to give you immediate and valuable insight into the security risks of your mobile apps and the devices they run on.

Discover how Approov can protect your business and your users' mobile security.