Insecure APIs Threaten Mobile App Security – What To Do

For most mobile apps, it’s not much of an exaggeration to describe them as a collection of APIs all tied together with a wrapper.


In fact, without connectivity, many mobile apps can’t function at all, because they depend on APIs to connect to back-end services. And that’s a big problem for developers, because, unfortunately, these APIs are frequently insecure — even in very sensitive apps.


A study of banking, fintech and cryptocurrency exchanges found that practically every single one of the mobile apps researchers reverse engineered contained hardcoded API keys and tokens. The exact number was a whopping 99%!  This includes usernames and passwords to third-party services.  


Worse yet: All the APIs tested had vulnerabilities that enabled researchers to change PIN codes and transfer funds in and out of accounts. And if apps that control end-users’ money are this insecure, the situation is not going to be any better for apps that work with far less sensitive data and assets than people’s bank accounts.


Certainly, cybercriminals are paying attention.


By this year in 2022,Gartner predicts APIs will become the largest attack vector. It stands to reason. API keys in mobile apps and code repositories provide hackers with the means they need to attack back-end servers and access valuable assets, such as customer accounts and production servers.


But securing APIs is not simply a matter of willpower. Developers haven’t neglected API security because they are lazy or unconcerned. API security is complex, difficult and time-consuming. It requires highly specialized skills that are in short supply. And while much of the DevOps cycle is automated, mobile API security implementation is largely manual.


Simply put, in the aggressive mobile app marketplace, publishers must churn out new apps and features at a rapid pace to remain competitive. Implementing strong API security would substantially extend development cycles and break budgets.


A recent global survey of 10,000 mobile consumers found that a solid majority (63%) value security and malware protection of equal or even greater importance than they do features.  This shows…