April 25, 2023

    API Security is as Crucial as Ever: Here’s How You Can Keep Up

    In this blog, we explore:

    • How our prediction about the growing link between mobile app security and API security in 2022 came to fruition.
    • How API attack traffic has grown by 681%, including incidents on mobile apps, and what those incidents are costing organizations.
    • The frequency of API abuses resulting in data breaches for enterprise web apps and how it relates to mobile app security.
    • How developers should utilize API security solutions, combined with mobile application protection that includes code hardening, and RASP to thwart reverse engineering and tampering attempts.

    Last year, we predicted that we would see a growing relationship between mobile app security and API security in 2022. Organizations are increasingly exposing their infrastructure through APIs, which in turn leads threat actors to focus more on API weaknesses.

    With 2022 behind us, we can confidently say that this prediction has become a reality. Developers should utilize API security solutions with mobile app protection solutions that incorporate a combination of code hardening and RASP to thwart reverse engineering and tampering attempts.


    Mobile app API attacks in the real world

    To show how much the importance of securing your APIs has grown, here are some real-world API attacks from the past year. They illustrate the need for solutions that help you ensure your API endpoints are only used by trusted parties.

    3,200 mobile apps exposed API keys

    Researchers recently found over 3,200 mobile applications that exposed Twitter API keys to the public. With access to these API keys, threat actors can take over a Twitter account and read messages; retweet, like, or delete messages; and remove followers or follow new accounts. They could even impersonate other identities and use them to log in to other services, if the service offers login with Twitter credentials.

    This is the result of app developers embedding their Twitter API authentication keys in the app and forgetting to remove them, or not taking measures to protect them, before the mobile app is released.

    A compromised app had 2.5 million downloads

    In November 2022, it was discovered that over 1,500 apps were leaking Algolia API keys. Of this leak, 32 apps included hardcoded administration secrets through which threat actors could access customer information, analytics data, IP addresses, and even have the ability to delete user information.

    These Algolia API keys are utilized by 11,000 companies. Coupled with the fact that the 32 apps mentioned have over 2.5 million downloads, we can safely say that private data belonging to millions of customers is at risk of being used maliciously.
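    A pre-release check for this class of leak, added here as an example rather than code from the original post or from Guardsquare: it scans an Android string-resource file for entries whose name, or whose value shape and entropy, looks like an embedded credential. The resource file and every key value in it are constructed for the example.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like an Android res/values/strings.xml.
# All key-like values below are made up for this example, not real credentials.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Demo Shop</string>
    <string name="twitter_consumer_secret">aB3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF3hJ6kL9nP2qR</string>
    <string name="search_admin_key">0123456789abcdef0123456789abcdef</string>
    <string name="backend_config">qWe1Rt2Yu3Io4Pa5Sd6Fg7Hj8Kl9Zx</string>
    <string name="support_url">https://example.invalid/help</string>
</resources>
"""

# Resource names that suggest a credential rather than ordinary UI text.
SUSPICIOUS_NAME = re.compile(r"(secret|api_?key|token|password|admin)", re.I)
# Long runs of key-like characters with no spaces or punctuation.
KEY_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, prose scores low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(xml_text: str, min_entropy: float = 3.5):
    """Return (resource_name, reason) for every string resource that looks like
    an embedded credential. A suspicious name OR a key-shaped, high-entropy value
    is enough, so a secret stored under a bland name is still reported."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "").strip()
        reasons = []
        if SUSPICIOUS_NAME.search(name):
            reasons.append("name suggests credential")
        if KEY_SHAPE.match(value) and shannon_entropy(value) >= min_entropy:
            reasons.append(f"key-shaped value, entropy {shannon_entropy(value):.2f}")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, why in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name}: {why}")
```

    Running the same scan over the decoded resources of a release build before it ships catches keys that were meant to be removed; a hit should be followed by moving the secret server-side rather than merely renaming the resource.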

    The criticality of mobile app API security

    As businesses lean on mobile apps to provide services for and communicate with their customers, the importance of effectively securing API keys will continue to grow.

    API attack traffic grew by 681%, and 95% of companies have experienced an API security incident in the past year. On top of that, API vulnerabilities are costing organizations about $75 billion per year.

    API security is extremely important because an organization’s infrastructure is commonly revealed through APIs and services, garnering more attention from threat actors.

    A threat actor can reverse engineer a mobile app to learn how the API works, what data and secrets are communicated through it, and how it might be exploited to access private customer data and steal your IP. It’s also worth noting that reverse engineering is a popular practice, as tools and guides for learning it are readily available online. A misconfigured or unsecured API could result in a loss of revenue, damaged brand reputation, and decreased user trust.

    Securing your mobile app APIs

    To avoid these threats, mobile app developers cannot skip the step of securing APIs at the mobile app level.

    Continuously test your security posture

    When developing your mobile app, you should utilize an app security testing tool like AppSweep to easily find and fix security issues in your code and dependencies, with actionable recommendations for each finding.

    Once a mobile app security testing tool has been implemented in the software development life cycle (SDLC), you should leverage a combination of code hardening and runtime application self-protection (RASP) to thwart reverse engineering and mobile app tampering attempts like the ones mentioned earlier in this blog.

    Code hardening and RASP

    Code hardening techniques make your code hard to read without affecting its functionality. This ensures that threat actors who try to decompile your apps won’t be able to easily interpret their internal logic.

    RASP helps developers protect their app from dynamic modification of the application behavior, which can be used to abuse or manipulate an API’s behavior.

    A mobile app security solution like DexGuard or iXGuard will enable you to extensively secure your iOS apps, Android apps, and SDKs with multiple layers of RASP and code hardening. With code hardening and RASP combined, you can prevent the discovery of an API or the tokens used to authenticate an API call. And while there are still server-side measures devs need to take, these practices are an essential step in the process of securing your API.

    Monitor for threats

    After your mobile app is released for public use, a mobile threat monitoring solution like ThreatCast lets you view suspicious activity and attacks as they happen. It also lets you analyze threat actors’ tampering and reverse engineering attempts and correlate them with the API abuse you track on the server side.

    To learn more about proactively preventing data leakage, IP theft, loss of revenue, and reputational damage from a mobile app attack, check out these tips on what you should consider when looking for a mobile app security solution.

