Insecure APIs Threaten Mobile App Security – What To Do

Today’s mobile apps increasingly rely on APIs to access data and backend services. Appdome CEO Tom Tovar explains how such APIs can threaten mobile app security – and what developers can do about it.


Tom Tovar, AppDome



For most mobile apps, it’s not much of an exaggeration to describe them as a collection of APIs all tied together with a wrapper.


In fact, without connectivity, many mobile apps can’t function at all, because they depend on APIs to connect to back-end services. And that’s a big problem for developers, because, unfortunately, these APIs are frequently insecure -- even in very sensitive apps.


A study of banking, fintech and cryptocurrency exchanges found that practically every single one of the mobile apps researchers reverse engineered contained hardcoded API keys and tokens. The exact number was a whopping 99%! This includes usernames and passwords to third-party services.


Worse yet: All the APIs tested had vulnerabilities that enabled researchers to change PIN codes and transfer funds in and out of accounts. And if apps that control end-users’ money are this insecure, the situation is not going to be any better for apps that work with far less sensitive data and assets than people's bank accounts.


Certainly, cybercriminals are paying attention.


By this year, 2022, Gartner predicts APIs will become the largest attack vector. It stands to reason. API keys in mobile apps and code repositories provide hackers with the means they need to attack back-end servers and access valuable assets, such as customer accounts and production servers.
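The hardcoded keys and tokens described above are something a build pipeline can catch before the app ever reaches an app store, and the same check belongs in the automated verification that the DevSecOps steps later in the article call for. The following is an added example, not code from the article or from Appdome: a small scanner that runs over constructed sample files (a strings.xml, a Swift config, a gradle.properties and a README, all with placeholder values) and flags two kinds of lines: values in well-known key formats (the AWS and Stripe prefixes used here are the vendors' documented public formats) and secret-sounding settings assigned a long, high-entropy value. Every file name, key value, detection rule and threshold is this example's own assumption; real scanners such as gitleaks or trufflehog carry far larger rule sets.

```python
"""Pre-merge check that flags API keys and tokens hardcoded in mobile app sources,
resource files and build configuration, so the build fails before they ship.
Detection rules and thresholds are this example's own choices, not Appdome's."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample inputs standing in for a repository checkout (or the
# resources pulled out of a decompiled APK/IPA). All key values are placeholders
# or the vendors' published documentation examples, never live credentials.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
        '    <string name="app_name">ExampleBank</string>\n'
        '    <string name="payments_api_key">sk_live_EXAMPLE0000000000000000</string>\n'
        "</resources>\n"
    ),
    "Sources/NetworkConfig.swift": (
        "struct NetworkConfig {\n"
        '    static let baseURL = "https://api.example.test/v1"\n'
        '    static let awsAccessKeyId = "AKIAIOSFODNN7EXAMPLE"\n'
        '    static let awsSecretAccessKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "}\n"
    ),
    "gradle.properties": "org.gradle.jvmargs=-Xmx2g\nPARTNER_TOKEN=p4rtn3r-t0k3n-d0-n0t-sh1p\n",
    "README.md": "Set API_KEY in your local environment; never commit it.\n",
}

# Rule 1: well-known key formats, matched anywhere on a line.
# Rule 2: a secret-sounding name assigned a long, high-entropy value, which
# catches tokens that carry no recognisable prefix.
KNOWN_KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}
SECRET_NAME = re.compile(r"(?i)(?:api[_-]?key|access[_-]?key|secret|token|password|passwd)")
ASSIGNMENT = re.compile(r"""(?P<name>[A-Za-z0-9_.\-]+)\s*[:=]\s*['"]?(?P<value>[^'"\s<>]{12,})""")
XML_STRING = re.compile(r'<string\s+name="(?P<name>[^"]+)">(?P<value>[^<]{12,})</string>')
ENTROPY_THRESHOLD = 3.0  # bits per character; an assumption tuned for this sample


@dataclass
class Finding:
    path: str
    line_no: int
    reasons: list = field(default_factory=list)
    redacted: str = ""


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo the full secret into CI logs, which are themselves a leak path."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list:
    """Return one Finding per suspicious line, listing every rule that fired."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = []  # (reason, matched secret)
        for label, pattern in KNOWN_KEY_PATTERNS.items():
            m = pattern.search(line)
            if m:
                hits.append((label, m.group(0)))
        for m in (*ASSIGNMENT.finditer(line), *XML_STRING.finditer(line)):
            if SECRET_NAME.search(m.group("name")):
                entropy = shannon_entropy(m.group("value"))
                if entropy >= ENTROPY_THRESHOLD:
                    hits.append((f"secret_like_name_high_entropy:{entropy:.2f}", m.group("value")))
        if hits:
            findings.append(Finding(path, line_no, [r for r, _ in hits], redact(hits[0][1])))
    return findings


def scan_files(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def ci_exit_code(findings: list) -> int:
    """Non-zero fails the pipeline stage, so the secret cannot reach a release build."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}: {', '.join(f.reasons)} -> {f.redacted}")
    sys.exit(ci_exit_code(results))
```

Run as a script it prints four findings (the Stripe key in strings.xml, the AWS key pair in the Swift config and the partner token in gradle.properties) and exits 1; the README line that merely mentions API_KEY and the plain base URL are left alone. The entropy rule is deliberately separate from the prefix rule so that a renamed or home-grown token still trips the gate, and the redaction keeps the CI log from becoming a second copy of the leaked value.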


But securing APIs is not simply a matter of willpower. Developers haven’t neglected API security because they are lazy or unconcerned. API security is complex, difficult and time-consuming. It requires highly specialized skills that are in short supply. And while much of the DevOps cycle is automated, mobile API security implementation is largely manual.


Simply put, in the aggressive mobile app marketplace, publishers must churn out new apps and features at a rapid pace to remain competitive. Implementing strong API security would substantially extend development cycles and break budgets.


A recent global survey of 10,000 mobile consumers found that a solid majority (63%) consider security and malware protection to be of equal or even greater importance than features. This shows that conventional wisdom about lax consumer attitudes toward security is wrong. The problem is that consumers have no good way to tell whether an app is insecure unless there’s a highly publicized incident.


If mobile publishers could affordably and efficiently provide truly secure apps, and then market them as safer than their competitors, it could provide a huge competitive advantage.

But there’s a lot of work to do before we can get to that point. So let’s cover the primary security issues with mobile APIs.


The Proliferation and Decentralized Management of APIs
APIs are a vital part of many digital transformation efforts, and to facilitate integration, many organizations are relying on open APIs. This is particularly true within the financial sector, where traditional banks have deployed new APIs to keep up with upstart fintechs and new banks.


Open APIs enable more flexible and agile digital experiences because they make it easier for payments, account services and other data to be accessed by third-party providers. But API creation, development and deployment is often loosely managed. Security teams are dealing with new APIs that exist outside normal processes and controls, potentially introducing significant and often unknown risk.


Skill Shortage for Securing APIs
According to a June 2021 study from ISSA and ESG, 95% of cybersecurity professionals surveyed said that the cybersecurity skills shortage has not improved, and 44% said that it has gotten worse. In addition to API-specific skills, organizations need to account for the skills required to address new attack surfaces. iOS and Android are changing continuously, resulting in multiple releases for app makers per year for each new OS, app and SDK.


Each new revision of iOS or Android means new development, new testing and troubleshooting. So, with so many other things to account for in the development process, API security often gets sent to the back of the line. This is especially true when companies lack the needed skills on their team to do it properly.


General Purpose Application Security isn’t Sufficient to Protect APIs
Each new API represents an additional and potentially unique attack vector for a mobile app, and general purpose application security solutions often do not account for the ways in which mobile apps are uniquely compromised.


For example, many DevSecOps teams have focused on improving API testing in development, using traditional tools such as static application security testing (SAST) and dynamic application security testing (DAST). While these tools are important in identifying issues, they don’t resolve them. Developers still need to code the security features to address the vulnerabilities identified. In addition, traditional AST tools such as SAST, DAST and interactive application security testing (IAST) were not originally designed to test for vulnerabilities associated with typical attacks against APIs, or for newer types of APIs.

The Way Forward: Automation that Enables DevSecOps

To ensure that APIs are secure, mobile development teams need to work in a DevSecOps framework that’s powered by automation. There are five primary steps to achieving this:

Step 1: Clearly understand the desired security outcome
All teams — developers, security and operations — have to come to an agreement about their expectations for mobile security, including APIs.


Step 2: Shift-Left Security
Developers must build API security into mobile apps as early as possible in the app’s development cycle. In other words, mobile developers must rethink how they secure their mobile app APIs. They need to secure the APIs at the same time as they are building the mobile app, not after they have finished building the app.


Step 3: Automate security implementation
Manually coding security is extremely cumbersome, and it’s out of sync with largely automated DevOps processes. To speed implementation, organizations should evaluate and take advantage of automated, AI-powered systems that can integrate security into a mobile app. In many cases, these platforms are no-code, eliminating the need for any manual implementation at all.


Step 4: Integrate with your existing workflows
Whatever platform the organization chooses to use, it must be integrated with continuous integration and continuous delivery (CI/CD) processes to achieve an accelerated mobile app lifecycle.


Step 5: Instant verification and validation of the desired security outcome
Make sure that verification and validation are automatically conducted and documented to avoid last-minute release hiccups.

APIs are vital to the functionality of mobile apps, but they also serve as dangerous vectors for cybercriminals to take over accounts, steal data and infiltrate the production systems of large organizations.


Through automation, development teams can implement a true DevSecOps framework that enables them to efficiently and affordably secure APIs.


Tom Tovar is CEO and co-creator of the Appdome no-code mobile security solutions platform. Tom has expertise in security tech, as well as legal issues. Prior to Appdome, Tom served as an executive with a DNS security and services provider. He began his career as a corporate and securities attorney and holds a JD from Stanford Law School.