Many users of mobile apps have no idea what an API is and why it is important. Unless you are a programmer and/or work in information security, chances are you don't even have the slightest clue about what I'm talking about. Is it a gang name? An Asian-Pacific Islander? Something to do with an APT#? Sure, maybe. If you asked a random person what it is, they are more likely to answer, "I dunno." In fact, the majority of mobile app users do not even realize they are often interacting with an API when they utilize a mobile app, computer, or browse the internet.
Each time you use the Facebook app on your mobile phone, send money to someone's bank through CashApp, text a friend through WhatsApp, or purchase items from Amazon, you are utilizing an API without even knowing it.
So, what is an API?
An API is an application programming interface which works as a software middleman or translator that allows two applications to talk to each other.
When you use an application on your mobile phone, the application connects to the Internet and sends a request to a server. The server receives that data, interprets it, performs the necessary actions and sends a response back to your phone. The application then interprets that response and presents you with the information you wanted in a readable way. All of this happens through an API.
Let's use an analogy to further explain this process.
Pretend that an alien from outer space wants to send you a message, but you do not speak their language so they will need to go to a translator first.
The alien tells the translator to translate their message for them and pass it on to you. The translator accepts their request and passes on the message to you.
Finally, you have received the alien's message via the translator, and can decide what you want to do with that information and if you want to send a message back.
The importance of APIs should not be overlooked
Businesses use APIs to connect services and transfer data. This allows customers to connect their bank to a business's mobile app to make purchases from them.
For example, you decided to use the Etsy mobile app and purchase goods on it after finding a few things you liked. So you tapped the "buy" button with your thumb, and selected PayPal as your method of payment to purchase those goods. Subsequently, PayPal communicated with the Etsy mobile app to make that transaction possible. This is an API in action.
We use APIs all the time!
Therefore, the importance of APIs should not be overlooked, especially when we consider that cybercriminals are frequently after financial gain, which means they will take advantage of an insecure API in a heartbeat.
Prioritize API security
API security must be prioritized. Businesses are using APIs everywhere. Therefore, it's important to ensure that an API does not get hacked. A hacked API often leads to a data breach which usually results in dire financial consequences that not only can affect organizations, but also people and their families.
The digital shift is already happening. More and more businesses are turning to mobile apps and APIs.
A whopping 218 billion mobile apps were downloaded worldwide in 2020. This statistic points to a high likelihood of APIs being exploited, which is worrisome, especially since businesses are increasingly impacted by ransomware attacks and data breaches.
In 2012, a study revealed that 9 out of 10 popular mobile apps have been hacked. That was almost 10 years ago! Can you imagine how many more popular mobile apps are getting hacked on a daily basis since the onset of the pandemic?
Think about the APIs involved in those mobile apps.
Learn how to secure APIs
To address the ever-increasing number of organizations deploying potentially sensitive APIs, OWASP created the API Security Top 10 in 2019 as a guideline for securing APIs. It was designed to underscore the risks in insecure APIs, as well as to illustrate how those risks may be mitigated.
Below is a list of the OWASP API Security Top 10.
- API1:2019 Broken Object Level Authorization
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object level access control issues. Object level authorization checks should be considered in every function that accesses a data source using an input from the user.
- API2:2019 Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising a system’s ability to identify the client/user, compromises API security overall.
- API3:2019 Excessive Data Exposure
Aiming for generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user.
- API4:2019 Lack of Resources & Rate Limiting
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.
- API5:2019 Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
- API6:2019 Mass Assignment
Binding client-provided data (e.g., JSON) to data models without proper property filtering based on an allowlist usually leads to Mass Assignment. Either guessing object properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads allows attackers to modify object properties they are not supposed to.
- API7:2019 Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.
- API8:2019 Injection
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- API9:2019 Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and up-to-date documentation highly important. A proper inventory of hosts and deployed API versions also plays an important role in mitigating issues such as deprecated API versions and exposed debug endpoints.
- API10:2019 Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
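To make three of the items above concrete, here is an added example (my own code, not from the original post and not from OWASP): a minimal in-memory "update my profile" handler written twice, once in the insecure form and once hardened. It covers API1 (authorize the object id in the URL against the authenticated caller), API3 (return only an explicit public projection of the record) and API6 (bind only allow-listed fields from the client payload). The users, field names, store and the `PUT /users/{id}` route are all constructed for illustration.

```python
"""Added example: insecure vs. hardened profile-update handler covering
OWASP API1 (object level authorization), API3 (excessive data exposure)
and API6 (mass assignment).  All data and names are constructed."""
from dataclasses import dataclass, asdict
import json


@dataclass
class User:
    id: int
    email: str
    display_name: str
    password_hash: str      # sensitive: must never be sent to a client
    is_admin: bool = False  # sensitive: must never be client-writable


def fresh_store() -> dict:
    """Constructed sample data; a new copy per call so runs are isolated."""
    return {
        1: User(1, "alice@example.invalid", "Alice", "hash-of-alice-pw"),
        2: User(2, "bob@example.invalid", "Bob", "hash-of-bob-pw"),
    }


# API3: the only fields that may leave the server.
PUBLIC_FIELDS = ("id", "email", "display_name")
# API6: the only fields a client may set on its own record.
WRITABLE_FIELDS = ("email", "display_name")


class ApiError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def serialize(user: User) -> dict:
    """Public projection of a user record (API3 mitigation)."""
    return {name: getattr(user, name) for name in PUBLIC_FIELDS}


def vulnerable_update(caller_id: int, target_id: int, body: str, store: dict) -> dict:
    """Anti-pattern: no ownership check (API1), blind attribute binding
    (API6) and the full record echoed back, secrets included (API3)."""
    user = store[target_id]
    for key, value in json.loads(body).items():
        setattr(user, key, value)
    return asdict(user)


def secure_update(caller_id: int, target_id: int, body: str, store: dict) -> dict:
    """Hardened handler for the assumed route PUT /users/{target_id}.

    caller_id is the identity established by authentication (for example
    from a verified session or token); target_id comes from the URL and is
    therefore client-controlled input.
    """
    user = store.get(target_id)
    if user is None:
        raise ApiError(404, "no such user")
    # API1: authorize the requested object against the authenticated caller.
    if caller_id != user.id:
        raise ApiError(403, "forbidden")
    try:
        payload = json.loads(body)
    except ValueError:
        raise ApiError(400, "body is not valid JSON")
    if not isinstance(payload, dict):
        raise ApiError(400, "body must be a JSON object")
    # API6: reject, rather than silently drop, keys outside the allowlist so
    # attempts to set hidden properties are visible to the client and in logs.
    unexpected = sorted(set(payload) - set(WRITABLE_FIELDS))
    if unexpected:
        raise ApiError(400, f"unknown fields: {unexpected}")
    for name in WRITABLE_FIELDS:
        if name in payload:
            if not isinstance(payload[name], str):
                raise ApiError(400, f"{name} must be a string")
            setattr(user, name, payload[name])
    # API3: hand back the public projection only.
    return serialize(user)


def respond(handler, caller_id: int, target_id: int, body: str, store: dict) -> tuple:
    """Turn a handler call into an (http_status, json_body) pair."""
    try:
        return 200, handler(caller_id, target_id, body, store)
    except ApiError as err:
        return err.status, {"error": str(err)}


if __name__ == "__main__":
    # Caller 2 (Bob) sends a request against record 1 (Alice) that carries
    # a field he should not be able to set.  Compare the two handlers.
    probe = json.dumps({"is_admin": True})
    print("vulnerable:", respond(vulnerable_update, 2, 1, probe, fresh_store()))
    print("secure:    ", respond(secure_update, 2, 1, probe, fresh_store()))
    # A legitimate self-update still works and returns no secrets.
    ok = json.dumps({"display_name": "Alice B."})
    print("secure:    ", respond(secure_update, 1, 1, ok, fresh_store()))
```

The hardened handler fails closed at each step: the ownership check uses the identity from authentication rather than anything in the request, unknown fields are rejected instead of ignored so misuse shows up in logs (which also serves API10), and the response is built from an allowlist so adding a sensitive column to the model later cannot silently leak it.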
As the number of mobile app users and businesses utilizing APIs continues to rise, it is very important that we raise API security awareness by learning more about APIs and why securing them matters, and that we take the proper steps to secure the APIs behind mobile apps by following the OWASP API Security Top 10 guidelines. APIs are critical to secure, yet they are usually overlooked and rarely talked about. We can start that conversation today.