Today, we announced a new service on Appdome called SecureAPI™.
SecureAPI does exactly what the name implies: secure Mobile APIs inside Android and iOS applications. As with all of Appdome’s implementations, SecureAPI is built into mobile apps instantly without any code or coding.
Building a Rich User Experience with APIs
Mobile developers build applications using dozens if not hundreds of APIs. These APIs are used to create rich and compelling user experiences for mobile end users. As a class, APIs do everything from user sign in, rich authentication, location, payment, analytics, and more. When new functionality is added to an app, more APIs are also added. As a result, mobile apps can make thousands of API calls per day.
What’s the Problem with Mobile APIs?
In general, in-app APIs are not protected. Recent news about mobile API breaches at Uber and Venmo proves this point. Each API represents a separate and potentially unique attack vector that hackers can abuse. Here’s a screenshot of a Mobile API without any protection in the app:
As you can see, a hacker can obtain the API Service URL, API Key, API Secret and more simply by looking into an app with industry-standard tools. Finding Mobile API vulnerabilities really isn’t that hard.
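The check a release engineer would want before shipping is the same one the screenshot above illustrates from the attacker's side: run the strings and resources of the built app through a scanner and see what falls out. The following is an added example written for this post, not Appdome's code or tooling; Go is used because it is easy to run stand-alone (the in-app equivalent would live in Kotlin or Swift). The `SampleDump` excerpt, the resource names and the key values in it are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding records one suspicious literal recovered from app resources.
type Finding struct {
	Line  int
	Kind  string // "credential" or "endpoint"
	Value string
}

var (
	// Resource keys or identifiers that usually hold API credentials, followed by
	// a short separator (`">`, `=`, ` = "`) and a value of at least 12 characters.
	credPattern = regexp.MustCompile(`(?i)\b(api[_-]?key|api[_-]?secret|client[_-]?secret|access[_-]?token)\b[^A-Za-z0-9]{1,4}([A-Za-z0-9_\-./+]{12,})`)
	// Service URLs baked into the binary.
	urlPattern = regexp.MustCompile(`https?://[A-Za-z0-9.\-]+(?:/[^\s"'<>]*)?`)
)

// ShannonEntropy returns bits per character. Real secrets are random and score
// high; template values such as YOUR_KEY_HERE score low and are dropped.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanResources walks text pulled out of a built app (strings.xml, decompiled
// source, smali const-string literals) and reports embedded credentials and
// endpoints. The entropy threshold of 3.0 bits/char filters obvious placeholders.
func ScanResources(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		if m := credPattern.FindStringSubmatch(line); m != nil && ShannonEntropy(m[2]) >= 3.0 {
			out = append(out, Finding{Line: i + 1, Kind: "credential", Value: m[2]})
		}
		for _, u := range urlPattern.FindAllString(line, -1) {
			out = append(out, Finding{Line: i + 1, Kind: "endpoint", Value: u})
		}
	}
	return out
}

// SampleDump is a constructed excerpt of what an unpacked app exposes; every
// name and value in it is invented for this example.
const SampleDump = `<string name="api_base_url">https://api.payments.example/v2</string>
<string name="api_key">k7Qp2mXz9LdE4vRn8TbW</string>
const-string v0, "client_secret=zq8Vw2pL0mN4rT6yB1cX9eK3"
<string name="app_name">Demo Wallet</string>
String apiSecret = "YOUR_KEY_HERE";`

func main() {
	for _, f := range ScanResources(SampleDump) {
		fmt.Printf("line %d: %-10s %s\n", f.Line, f.Kind, f.Value)
	}
}
```

Run against the sample it reports the endpoint on line 1 and the two real-looking credentials on lines 2 and 3, and drops the `YOUR_KEY_HERE` placeholder on line 5 because its entropy is below the threshold. Anything this scanner finds in your own build is exactly what "industry-standard tools" will find, which is the case for encrypting and obfuscating those values rather than storing them as plain literals.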
Building Mobile API Security is Hard
Building in-app Mobile API Security is difficult. First, there is no API standard, so each API works differently: some may use a key while others may not; some may use TLS and others don’t; some may require the developer to store cookies locally, while others don’t.
No matter what, how and where the developer retrieves, stores and protects the payload of the API is out of the hands of the API provider. To secure the substance of the Mobile API, a developer not only has to understand how to code security into an app but also needs to know when and how to protect the API sequence and data in the mobile app. For example, you need to know whether the payload information is unencrypted and sent in the clear. Payload information is sent back and forth between the mobile app and the back-end server thousands of times per day.
SecureAPI Delivers Complete Mobile API Security Fast
Appdome’s SecureAPI secures APIs in Android and iOS mobile apps in minutes, regardless of API vendor or architecture of your app. No API gateway is required. Likewise, no specialized security training or development expertise is needed.
SecureAPI does several things for the mobile developer who uses APIs in their apps:
- Encrypt the API keys, the API secrets and the strings that denote the use of the API.
- Obfuscate the structure, control flow and logic of the API.
- Shield the API from tampering, debugging and reversing.
- Protect the communication between the API and backend server.
- Segment the API workflows so that only the right users can access specific API resources.
Using a no-code, AI coding engine, Appdome quickly adds AES 256 encryption or FIPS 140-2 certified encryption algorithms as well as obfuscation to protect API essentials like API URLs, API Keys and API Secrets. Appdome also adds advanced app shielding to eliminate the risk of Mobile API tampering, reverse engineering and malicious debugging. Needless to say, knowing how to code these protections into an app, if you’re trying to do this yourself, takes a highly specialized skill set. On Appdome, the entire process of building the API security model, optimizing performance, handling API errors, key revocation and reset, and more is built by Appdome automatically.
Securing the connection and payload of the API is a much harder challenge if you’re not a security expert. Every API has different header info, calls, etc. The key challenge is to ensure that the API calls, and mainly the responses coming from the API vendor, are valid. Using Appdome, there are two ways to secure the payload.
- Without involving the API vendor (most common) – SecureAPI uses Appdome’s Trusted Sessions to provide MiTM protection, stale sessions, proxy detection and more to all API calls. This ensures that the API is communicating securely with the backend server, without depending on the security of the API vendor.
- With the support of the API vendor – SecureAPI can also be used to establish an enhanced security channel between the in-app API functions and the backend. These features leverage mutual certificate validation between the app and the API backend servers. As a result, the app will always communicate with a secure point inside the secure infrastructure of the API vendor, and from there it will establish the final communication link with the API backend server.
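The second option above rests on two mechanisms a practitioner will want to see end to end: the app trusting only a pinned backend key (so a MiTM proxy with a different certificate is refused) and the backend requiring a certificate from the app (mutual certificate validation, so only enrolled apps reach the API). The example below is added for this post and is not Appdome's SecureAPI implementation; it stands up a loopback backend and an app-side client in Go, which can run stand-alone, where a real app would use Kotlin or Swift. The certificate names `api.vendor.example` and `mobile-app-instance`, the self-signed certificates, and the `RunDemo` harness are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for this demo; the names
// are constructed and no real vendor or Appdome certificate is involved.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// SpkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value that
// mobile pinning configurations (e.g. Android network_security_config) carry.
func SpkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CallAPI is the app side: trust only the pinned root, require the exact server
// key on top of chain validation, and present the app's own client certificate
// so the backend can authenticate the caller (mutual TLS).
func CallAPI(url string, roots *x509.CertPool, clientCert *tls.Certificate, pin string) (string, error) {
	cfg := &tls.Config{
		RootCAs: roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if SpkiPin(chains[0][0]) != pin { // chains is populated only after root validation passed
				return errors.New("pin mismatch: server key is not the expected one")
			}
			return nil
		},
	}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo stands up a loopback backend that demands a client certificate and
// exercises three cases: correct pin with client cert, wrong pin, no client cert.
func RunDemo() (accepted, wrongPinRejected, noClientCertRejected bool) {
	serverCert := selfSigned("api.vendor.example")
	clientCert := selfSigned("mobile-app-instance")
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf)
	roots.AddCert(serverCert.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached when the handshake verified a client certificate.
		io.WriteString(w, "hello "+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	pin := SpkiPin(serverCert.Leaf)
	body, err := CallAPI(srv.URL, roots, &clientCert, pin)
	accepted = err == nil && body == "hello mobile-app-instance"
	_, err = CallAPI(srv.URL, roots, &clientCert, "not-the-real-pin")
	wrongPinRejected = err != nil
	_, err = CallAPI(srv.URL, roots, nil, pin)
	noClientCertRejected = err != nil
	return
}
```

`RunDemo` returns `true, true, true`: the pinned, certificate-bearing call is served, a client with the wrong pin refuses to finish the handshake, and a client without a certificate is turned away by the backend. The pin is enforced in `VerifyPeerCertificate` after normal chain validation rather than instead of it, so an expired or mis-issued certificate still fails even when the key matches; in production the pin set and the client key would be provisioned per app build and rotated, which is the "key revocation and reset" work mentioned earlier in this post.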
As our AI-coding engine gets more experience in securing APIs, Appdome will learn new ways to secure Mobile APIs across all apps.
Appdome at APIWorld
We’re launching SecureAPI at APIWorld (San Jose, Oct 8-10). We are a partner sponsor and will be exhibiting at booth #100. Additionally, Appdome has two speaking sessions during the conference:
- Keynote with Tom Tovar, Appdome CEO and Inon Shkedy, co-chair of the OWASP API Security workgroup: “Securing Mobile APIs: Preserving Developer Intent Without a Gateway” — Oct. 10 at 11:30am
- Workshop with Paul Levasseur, Appdome VP of Service Delivery: “Securing APIs in a Mobile-First World” — Oct. 10 at 10:00am
Recommendations for Mobile App Developers
Failing to secure Mobile APIs has consequences. The API vendor may restrict or block access to its service from your app. The app itself may not trust the responses from the API service and stop working (crash). Or, worse, end users could be compromised and stop using the app. The moral of the story is simple – secure Mobile APIs or lose API, app or user trust.
Until today, you (the developer) were responsible for building security for the APIs used in your apps. Appdome SecureAPI releases you from that responsibility. With one click, you can secure all the APIs used in your mobile app. Secure the connection, the authentication and the intent of every API used in your app. This ensures that everyone who uses your app and depends on APIs to get information can trust that the information is actionable and trustworthy.
Don’t wait, secure your Mobile APIs now. Get started with Appdome today.