API Security In A Mobile World


The world is going mobile, whether for applications or websites. Almost every company either plans a mobile app and a website or already has both. To innovate quickly and to bring in content from outside, most mobile apps and web apps make use of APIs (Application Programming Interfaces). With the growing need for two-factor authentication when registering for new apps or making payments, several companies even use APIs for telephone number verification of end users.

These APIs run on web servers, and hence they are reachable by anyone over the internet. They also get crawled by attackers and search engine bots, just like websites do. The extensive usage of APIs has made them the target of a number of attackers. A recent incident in the US involving the theft of money from credit cards and payment accounts of several Starbucks mobile app users shows that API security is under serious threat. Similarly, several bogus accounts were created on a reputed chat application because of a security breach in its API that exposed millions of user names and phone numbers.

Clearly, API security needs tightening up, and this needs to happen at the enterprise level, where developers create the mobile or web applications. You cannot expect developers to be security experts, so companies or agencies need to give them enough time to test their applications and identify any API security loopholes. A major reason for many API security breaches is that companies are in a hurry to get their apps to market and ignore security in the process.

Let us understand a basic scenario, where the API server gets used in real-time.

1. A user opens a mobile app.

2. The app asks the user to enter ID and password.

3. The user enters the details, and the app sends a ‘POST’ request with those credentials to the API server.

4. The API server validates those credentials against the username and password stored in the database.

5. The API server generates a token carrying the user's permissions and sends it to the app, which stores it on the mobile device.

6. The app is now able to access the API securely with POST requests that carry that authorization token.

Some common tips for beginners (developers and enterprises) on API security are as follows:

· To ensure secure usage of APIs, companies need a standardized protocol for authorization of the user and authentication of the app. Authenticating only the app is an open invitation for unauthorized user access, so both authorization and authentication are crucial for secure APIs.

· For secure transactions through your app, use layered protection for the connection, for example SSL or a VPN. You may also opt for digitally signed tokens (character strings) that identify users. These strings can be stored in a database, and access to the API is allowed only when the user has entered the correct ID and password and presents a valid token.

· If you are a developer, share with the API only the information that is required. Basically, only the relevant data needs to be moved through an API; exposing all the data could even be a threat to privacy.

· As an enterprise, make sure that your API developers across different departments communicate well with each other. For example, your shipping API development team needs a good understanding of the APIs used by the payment team, and vice versa.
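The login flow above (steps 3 to 6) and the signed-token tip can be shown together in a small server-side model. This is an added example written for this article, not code from any product it mentions; the signing key, the user record and the permission names are constructed, and a real API would use a library for its token format (for example JWT) and keep the key outside the source.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo values: a server-side signing key and one registered user.
# Real deployments keep the key out of source and store only salted hashes.
SERVER_SECRET = b"constructed-demo-signing-key"
USERS = {}

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(user_id, password, permissions):
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"salt": salt, "hash": hash_password(password, salt),
                      "perms": list(permissions)}

def b64enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def login(user_id, password, now=None, ttl=3600):
    """Steps 3-5: check credentials, then issue a signed token with permissions."""
    rec = USERS.get(user_id)
    if rec is None or not hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
        return None  # unknown user or wrong password: no token is issued
    issued = now if now is not None else time.time()
    payload = json.dumps({"sub": user_id, "perms": rec["perms"], "exp": issued + ttl}).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return b64enc(payload) + "." + b64enc(sig)

def verify(token, now=None):
    """Step 6: accept the claims only if the signature matches and the token is unexpired."""
    try:
        p, s = token.split(".")
        payload, sig = b64dec(p), b64dec(s)
    except (ValueError, AttributeError):
        return None  # malformed token
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload or signature was altered after issue
    claims = json.loads(payload)
    if (now if now is not None else time.time()) >= claims["exp"]:
        return None  # expired
    return claims

def handle_request(token, required_perm, now=None):
    """Return an HTTP-style status: 401 bad token, 403 missing permission, 200 ok."""
    claims = verify(token, now)
    if claims is None:
        return 401
    return 200 if required_perm in claims["perms"] else 403

register("alice", "correct horse battery staple", ["orders:read"])  # constructed user
```

The permissions travel inside the signed payload, so a client that edits them without the server key gets a 401, and a valid token still gets a 403 for an action it was never granted.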

In a nutshell, secure usage of APIs is of prime importance for the security of your web apps and mobile apps. As an application development business, it is your responsibility to ensure that your app developers and the API team give high priority to mobile API security.