At a surface level, APIs help businesses to connect applications and share data with one another. This creates an easier, more seamless experience for customers and users. If you have ever used your Google account to log into multiple sites or apps, chances are you are using a Google-developed API to do so. APIs like this work in the background to power much of the streamlined user experience that is taken for granted. Therefore we need to ensure stronger API security across mobile apps, or all of their benefits will be for naught.
Stolen API keys are the culprit behind some of the largest cyberattacks to date. We see the headlines and we read the news stories, but we often fail to realize the broad consequences – particularly the notable impacts on enterprise mobile security. Consider the news earlier this year of 3,000+ mobile applications leaking Twitter’s API keys, meaning bad actors could compromise thousands of individual accounts and conduct a slew of nefarious activities.
Imagine if this was your company and the role was reversed and hundreds or even thousands of mobile applications were leaking the API keys to your corporate Gmail, Slack or OneDrive accounts. If this or similar scenarios were to happen, employee devices and sensitive company data would be at extreme risk.
The recent push to focus on API security comes at a critical time where more enterprises are relying on enterprise mobility, meaning increasing a reliance on mobile app connectivity. A recent survey of US and UK-based security directors and mobile applications developers found that 74% of respondents felt mobile apps were critical to business success. Further, mobile apps were also found to help businesses both earn revenue and enable customers to access services.
Additionally, 45% of respondents in this same survey said that an attack against APIs that took a mobile app offline would have a significant impact on their business. These results only affirm what we already know – mobile apps are critical to enterprise mobility and productivity.
API security risks can lead to full device takeover
While APIs have many advantages, their ubiquitous use in mobile applications is also a glaring disadvantage. This is especially true when you consider that many enterprises rely on third-party apps and APIs. If you think these third parties have the same security concerns and procedures as you and your enterprise, think again. Third parties are often the culprit for data breaches as evidenced recently when a third-party hack caused Australia’s largest telecommunications firm to suffer a major data breach – the impact costs are still being quantified.
Making matters more difficult for enterprises is that mobile applications – and especially the APIs that power them – are often more susceptible to cyberattacks than web pages on a computer. Every time an app is used, even if it is running in the background, it sends and receives data through calls, which is when your device is most vulnerable.
A threat actor can exploit these API calls or requests to and from the device to the app to steal data. As an app lives on the device itself, a threat actor has the potential to hijack the entire device, putting the information stored on it at great risk. It doesn’t matter if the device is corporate-owned or personal (BYOD), I can guarantee that there is likely some form of corporate data stored on every device an employee has access to.
Protecting enterprise mobile devices and data against API vulnerabilities
These vulnerable APIs are not only a threat to enterprises’ profits, reputation and viability, but also their sensitive data and those of their customers and partners.
Fortunately, there are ways to protect against these threats. First, focus on creating a shared understanding of the threats facing enterprise applications, which is important to level-setting. This will generate greater awareness of the fact that corporate mobile apps that employees have on their phones opens enterprise data up to exfiltration – unless these applications are managed or clearly segregated.
A great step to take to better protect against vulnerable APIs is to develop a strategy where the data is separated from the device itself. This process is better known as containerization. Leveraging advanced encryption capabilities and ensuring data is secured at stage in its journey, in-transit and at rest is another critical factor. I recommend utilizing AES 265 bit encryption.
Additionally, organizations should look to incorporate stronger authentication processes to protect sensitive data.
There are numerous challenges posed by threat actors looking to exploit API vulnerabilities, these challenges will only increase as the API attack surface continues to grow. While these concerns might seem daunting at first, enterprises can proactively take steps to secure their enterprise applications and devices.
Building additional security into the development process is a great step, but it is sometimes a luxury that enterprises who rely on third-party applications cannot afford or have insight into. That is why it is imperative that enterprises should think strategically in how these applications interact with enterprise data and create additional authentication steps that safeguards it.