Developers are Embracing APIs – and for Good Reason
APIs are transforming the way we develop applications and do business. APIs make development easier by integrating many common or shared modules via API calls, and in turn reduce time-to-market. They also enable developers to tap into best-of-breed “off the shelf” commodity and often complex functionality, which they might otherwise have to write from scratch.
Given the strategic value of APIs, adoption of APIs is growing at an unprecedented rate. Along with rapid API adoption come inherent security risks.
APIs Introduce New Risks That Should Be Addressed
While APIs offer many benefits, they also introduce new risks that hackers are starting to capitalize on. The following video:
- Describes how APIs work at a high level
- Outlines ways that hackers are exploiting APIs to gain access to confidential data and assets on back-end servers
- Outlines controls you can leverage to holistically protect your APIs
“Many organizations are embracing APIs with speed and agility in mobile app development in mind, but not leveraging any additional security controls to secure the connections.” – Scott Crawford, Research Director for Information Security, 451 Research
79% of mobile apps scanned were subject to API Abuse – HPE Cyber Risk Report 2016
Comprehensive API protection goes beyond simple Authentication offered in most API Management Solutions
Simple authentication is widely used by most API Management Solutions to confirm that the client app on a mobile device is genuine and authorized to utilize server assets. This is typically done using a simple challenge-response exchange as the client app tries to connect to the API server. The challenge-response exchange is typically a cryptographic operation, which means that the mobile client generally contains a secret key for an asymmetric cipher like RSA or ECC.
As described in the short video above, this approach leaves many openings for hackers, which is why leaders are leveraging comprehensive API security measures, in addition to simple challenge-response based authentication, to mitigate the risks associated with APIs. These measures include:
Step 1: Secure Authentication using White-box Cryptography
White-box cryptography is a method for securely hiding cryptographic keys even if a hacker has full access to the software.
– The original key material is converted to a new representation using a trapdoor function (a one-way, non-reversible function).
– This new key format can only be used by the associated white-box cryptographic software, effectively hiding the key.
– By using white-box cryptographic software, the hacker cannot find the key that is being used for the challenge-response.
However, this is still not enough – white-box cryptography hides the key securely, but the hacker could still decompile the original application and modify the app, or lift out the entire white-box software package and include it in their cloned version of the app.
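A runnable sketch of the challenge-response flow from Step 1 and of the code-lifting gap it leaves, added here as an example (not code from this page or from any vendor product): HMAC-SHA256 with a shared secret stands in for the RSA/ECC signature the text mentions, the `make_whitebox_signer` closure stands in for a white-box library that exposes signing but not the key, and the secret and all function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret: stands in for the private key embedded in the client app.
EMBEDDED_CLIENT_SECRET = b"constructed-demo-secret-not-a-real-key"


def make_whitebox_signer(secret: bytes):
    """Return an opaque signing function (stand-in for a white-box module):
    callers can invoke sign() but cannot read the key out of it."""
    def sign(challenge: bytes) -> bytes:
        return hmac.new(secret, challenge, hashlib.sha256).digest()
    return sign


def server_issue_challenge() -> bytes:
    """Server side: a fresh random nonce per connection attempt, so a captured
    response cannot simply be replayed."""
    return secrets.token_bytes(16)


def server_verify(challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# Client side: the genuine app ships the white-box signing module.
GENUINE_APP_SIGNER = make_whitebox_signer(EMBEDDED_CLIENT_SECRET)


def cloned_app_lifted_module(challenge: bytes) -> bytes:
    """Code-lifting case from the text: the key was never extracted, but the
    whole signing module was copied into a clone, so it answers identically."""
    return GENUINE_APP_SIGNER(challenge)


def cloned_app_without_module(challenge: bytes) -> bytes:
    """A clone that lacks the module can only guess and fails verification."""
    return secrets.token_bytes(32)


def demo_results() -> dict:
    """Run one challenge-response round per client and return the server's verdicts."""
    clients = (("genuine_app", GENUINE_APP_SIGNER),
               ("cloned_app_lifted_module", cloned_app_lifted_module),
               ("cloned_app_without_module", cloned_app_without_module))
    verdicts = {}
    for name, client in clients:
        challenge = server_issue_challenge()
        verdicts[name] = server_verify(challenge, client(challenge), EMBEDDED_CLIENT_SECRET)
    return verdicts


if __name__ == "__main__":
    # Step 1 alone cannot tell the genuine app from a clone carrying the lifted module.
    print(demo_results())
```

The server accepts the clone with the lifted module exactly as it accepts the genuine app, which is why the text moves on to anti-tamper and RASP controls on the client side.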
Step 2: Anti-tamper techniques to prevent code-lifting attacks and modifying/tampering the app
Anti-tamper techniques, which also have RASP (Runtime Application Self-Protection) built-in, can respond to runtime attacks with customizable actions and notify the app owner that the app is being modified.