The Rise of API Threats Due to Modern App Development
Solution Brief | The rise of API threats due to modern app development

The advent of API-based services gives developers the ability to create mobile and web-based apps faster, with seamless user experiences. The adoption of API-based application development can clearly be seen in the dramatic shift in internet traffic: 83% of current traffic is API related, compared to 40% in 2014. [1]

Why modern apps and APIs are so vulnerable

Any app published publicly can be vulnerable to reverse engineering and follow-on attacks because of poor code-level security and coding mistakes. A major source of API identity-based attacks can be attributed to mobile and web apps that unwittingly expose API secrets, including URLs, tokens, encryption keys, and login credentials. Unfortunately, lapses in mobile and web app security that expose organizations to risk are more common than should be tolerated:

- Organizations that experienced a material cyber-attack because of compromised apps [3]
- Websites compromised by Magecart that lacked source code protection [4]
- Mobile apps tested that lacked any form of binary protection [5]
- Apps that contained hard-coded API URLs, API keys, and other API secrets [5]
- Apps that implemented weak communication encryption methods [5]
- Apps that did not mask database parameters or SQL queries [5]

[Figure: chart of the findings above; the percentages shown in the original graphic are 74%, 100%, 97%, 25%, 80% and 60%]

Application-level security breaches enable secondary attacks against APIs because the information embedded in application code can provide a road map to the way APIs work.

According to Gartner, by 2021 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI. [2]

[Figure: API ecosystem diagram with an API hub connecting Mobile Devices, Connected Car, Websites, Connected Appliance, Partners, Web App, Gaming Console and Enterprise Apps]

Not all API traffic is legitimate

White traffic — legitimate traffic used to conduct business, comprising the majority of all API traffic.

Black traffic — clearly dangerous traffic, usually directed at a web server to break through layers of network security. Common attack vectors are bots using brute force techniques (e.g., DDoS attacks) or more focused automated credential stuffing attacks.

Grey traffic — likely dangerous traffic that on the surface appears legitimate. Grey traffic is hard to recognize because it can utilize stolen, legitimate account IDs and tokens to gain access.

References

1. Akamai State of the Internet Security Report, Retail Attacks and API Traffic, Volume 5 Issue 2, 2019
2. "API Security: What You Need to Do to Protect Your APIs," Gartner, August 28, 2019
3. Cost of a Data Breach Report 2019, Ponemon Institute and IBM Security
4. In Plain Sight II: On The Trail of Magecart, Aite Group, August 2019
5. In Plain Sight: The Vulnerability Epidemic in Financial Mobile Apps, Aite Group, April 2019
6. OWASP API Security Top 10
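The findings about hard-coded API URLs, keys, credentials and unmasked SQL queries shipped inside app code are the kind of lapse a build pipeline can catch before release. The following is an added example, not code from the brief or from any vendor's product: a small Python scanner that flags such lines in app source, config files or extracted strings. The rule patterns, the allow-list for runtime lookups and the sample input are all constructed for illustration.

```python
import re

# Rules are illustrative: (finding category, compiled pattern). A real scanner
# adds per-project allow-lists, entropy checks and runs over decompiled bundles.
RULES = [
    ("api_url", re.compile(r"https?://[^\s\"']+/(?:api|v\d+)[^\s\"']*", re.I)),
    ("api_key", re.compile(r"(?:api[_-]?key|secret|token)\s*[:=]\s*[\"'][A-Za-z0-9_\-]{16,}[\"']", re.I)),
    ("credential", re.compile(r"(?:password|passwd|pwd)\s*[:=]\s*[\"'][^\"']+[\"']", re.I)),
    ("crypto_key", re.compile(r"(?:aes|hmac|private)[_-]?key\s*[:=]\s*[\"'][A-Fa-f0-9+/=]{16,}[\"']", re.I)),
    ("sql_query", re.compile(r"[\"']\s*(?:SELECT|INSERT|UPDATE|DELETE)\s+[^\"']*\b(?:FROM|INTO|SET)\b", re.I)),
]

# Values fetched at runtime from the environment or a platform keystore are
# not embedded in the shipped app, so such lines are not reported (constructed list).
RUNTIME_SOURCE = re.compile(r"os\.environ|getenv|Keychain|KeyStore|SecretManager", re.I)


def find_hardcoded_secrets(source: str):
    """Return [(category, line_number, stripped_line)] for each suspicious line."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if RUNTIME_SOURCE.search(line):
            continue
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append((category, number, line.strip()))
                break  # one category per line is enough for triage
    return findings


# Constructed sample resembling lines found in an app's config or source.
SAMPLE = """\
BASE_URL = "https://api.example.test/v2/accounts"
API_KEY = "sk_live_ABCDEF1234567890abcdef"
DB_PASSWORD = "hunter2-prod"
aes_key = "0123456789abcdef0123456789abcdef"
query = "SELECT balance FROM accounts WHERE id = " + user_id
token = os.environ["SERVICE_TOKEN"]
log.info("request sent")
"""

if __name__ == "__main__":
    for category, number, line in find_hardcoded_secrets(SAMPLE):
        print(f"line {number}: {category}: {line}")
```

Running it over the sample reports the first five lines and skips the environment lookup and the log statement.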
