Mobile API Security is difficult. Learn how Appdome’s no-code mobile API security solution makes it easy for mobile developers to secure mobile APIs in any iOS and Android app across any API provider – no matter how you build your app.
Building a Rich User Experience with Mobile APIs
Appdome’s SecureAPI does exactly what the name implies: it enables mobile developers to secure Mobile APIs inside Android and iOS applications. As with all of Appdome’s implementations, SecureAPI is built into mobile apps instantly without any code or coding.
Mobile developers build applications using dozens if not hundreds of APIs. These APIs are used to create rich and compelling user experiences for mobile end users. As a class, APIs do everything from user sign in, rich authentication, location, payment, analytics, and more. When new functionality is added to an app, more APIs are also added. As a result, mobile apps can make thousands of API calls per day.
What’s the Problem with Mobile APIs?
In general, in-app APIs are not protected in mobile apps. Recent news about mobile API breaches at Uber and Venmo, among countless other examples, underscores this point. Each API represents a separate and potentially unique attack vector for hackers to abuse. Here’s a screenshot of a Mobile API without any protection in the app. Notice how none of the API strings are encrypted.
As you can see, a hacker can obtain the API Service URL, API Key, API Secret and more simply by looking into an app with freely available tools. Finding Mobile API vulnerabilities really isn’t that hard.
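The point above is easy to verify on your own build artifact before release. The following is an added example, not Appdome's code or part of the original post: a small Python release gate that pulls printable strings out of a binary the way the `strings` tool does, flags anything that looks like a plaintext API URL, key or secret, and blocks the build when a key or secret is found. The binary fragment, the `ak_live_…` key format and the `client_secret=` form are constructed, hypothetical samples; the patterns are illustrative heuristics, not a full secret-scanning ruleset.

```python
import re
from typing import Dict, List

# Constructed sample: a fragment of what a compiled app's string table might
# look like when API configuration is embedded in plaintext (hypothetical values).
SAMPLE_BINARY = (
    b"\x00\x7fELF\x02\x01\x00\x00"
    b"https://api.example-payments.invalid/v2/charge\x00"
    b"X-Api-Key\x00"
    b"ak_live_0123456789abcdef0123456789abcdef\x00"
    b"client_secret=s3cr3t-placeholder-value-9f8e7d6c\x00"
    b"\x01\x02\x03ok\x00"
    b"Accept-Language\x00"
)

MIN_LEN = 6

# Heuristics for the three kinds of strings the post says leak:
# service URLs, API keys and API secrets. Assumed formats, not a standard.
PATTERNS = {
    "api_url": re.compile(r"^https?://[\w.-]+(?::\d+)?(?:/[\w./-]*)?$"),
    "api_key": re.compile(r"^[A-Za-z]{2,10}_(?:live|test|prod)_[0-9A-Za-z]{16,}$"),
    "api_secret": re.compile(r"^(?:client_)?secret=.{8,}$", re.IGNORECASE),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return runs of printable ASCII of at least min_len chars (like `strings`)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings that look like plaintext API configuration."""
    findings: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for s in strings:
        for name, pat in PATTERNS.items():
            if pat.match(s):
                findings[name].append(s)
    return findings


def scan(data: bytes) -> Dict[str, List[str]]:
    return classify(extract_strings(data))


def build_should_fail(findings: Dict[str, List[str]]) -> bool:
    """Release gate: block any build that embeds a key or secret in the clear."""
    return bool(findings["api_key"] or findings["api_secret"])


if __name__ == "__main__":
    result = scan(SAMPLE_BINARY)
    for kind, hits in result.items():
        for hit in hits:
            print(f"[{kind}] {hit}")
    print("BLOCK BUILD" if build_should_fail(result) else "OK")
```

On a real artifact, feed `scan()` the bytes of the unpacked native library or DEX file rather than the constructed sample.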
Building Mobile API Security is Not Easy
First, there is no API standard. Every API works differently. For example, some may have a key while others may not. Some may use TLS and others don’t. Some may require the developer to store cookies locally, while others don’t.
How and where the developer retrieves, stores and protects the payload of the API is out of the hands of the API provider. To secure the substance of the Mobile API, a developer not only has to understand how to code security into an app but also needs to know when and how to protect the API sequence and data in the mobile app. For example, you need to know whether the payload information is unencrypted and sent in the clear. Payload information is sent back and forth between the mobile app and the back-end server thousands of times per day.
Appdome SecureAPI Delivers Complete Mobile API Security Fast
Appdome’s SecureAPI enables mobile developers or non-developers to protect APIs in Android and iOS mobile apps in minutes, regardless of API vendor or architecture of your app. No API gateway is required. Likewise, no specialized security training or development expertise is needed.
SecureAPI does several things for the mobile developer who uses APIs in their apps:
- Encrypt API keys, API secrets and the strings that denote the use of the API.
- Obfuscate app structure, control flow and logic of the API.
- Shield the API from tampering, debugging and reversing.
- Protect the communication between APIs and backend server.
- Segment the API workflows so that only the authorized users can access specific API resources.
Using a no-code, AI coding engine, Appdome quickly adds AES 256 encryption or FIPS 140-2 certified encryption algorithms to any mobile app in seconds. In addition, you can obfuscate critical parts of your app and APIs. For example, you can obfuscate API URLs, API Keys and API Secrets. Appdome also adds advanced app shielding to eliminate the risk of Mobile API tampering, reverse engineering and malicious debugging. Needless to say, trying to do this on your own is quite difficult and requires an immense amount of mobile security knowledge. Appdome does not require any specialized skills. On Appdome, the entire process of building the API security model, optimizing performance, handling API errors, key revocation and reset, and more is fully automated.
Let’s take a few examples to illustrate just how difficult Mobile API security can be if you try to do this yourself. Securing the connection and payload of the API is a much harder challenge if you’re not a security expert. Every API call may have different headers, a different syntax, different sequencing, etc. The key challenge is to ensure that the API calls, and mainly the responses coming from the API vendor, are all valid. Using Appdome, there are two ways to secure the payload.
- Without involving the API vendor (most common) – SecureAPI uses Appdome’s Trusted Sessions to provide protection against MiTM attacks and stale sessions, proxy detection and more for all API calls. This ensures that the API is communicating securely with the backend server, without depending on the security of the API vendor.
- With the support of the API vendor – SecureAPI can also be used to establish an enhanced security channel between the in-app API functions and the backend. These features leverage mutual certificate validation between the app and the API backend servers. As a result, the app will always communicate with a secure point inside the secure infrastructure of the API vendor, and from there it will establish the final communication link with the API backend server.
As our AI-coding engine gets more experience in securing APIs, Appdome will learn new ways to secure Mobile APIs across all apps.
Recommendations for Mobile App Developers
Failing to secure Mobile APIs has consequences. The API vendor may restrict or block access to its service from your app. The app itself may not trust the responses from the API service and stop working (crash). Or, worse, end users could be compromised and stop using the app. The moral of the story is simple – Secure Mobile APIs or lose API, App or User trust.
Until today, you (the developer) were responsible for building security for the APIs used in your apps. Appdome SecureAPI releases you from that responsibility. Now you can secure all the APIs used in your mobile app in a few clicks with no code or coding required. Secure the connection, the authentication and the intent of every API used in your app. This ensures that everyone who uses your app and depends on APIs to get information can trust that the information is actionable and trustworthy.
This blog was first published in July 2019 and was updated in July 2020.