Appdome Makes Mobile API Security Easy for Developers

How to Make Mobile API Security Easier for Developers

Mobile API Security is difficult. Learn how Appdome’s no-code mobile API security solution makes it easy for mobile developers to secure mobile APIs in any iOS and Android app across any API provider – no matter how you build your app.

Building a Rich User Experience with Mobile APIs

Appdome’s SecureAPI does exactly what the name implies: it enables mobile developers to secure Mobile APIs inside Android and iOS applications. As with all of Appdome’s implementations, SecureAPI is built into mobile apps instantly without any code or coding.

Mobile developers build applications using dozens if not hundreds of APIs. These APIs are used to create rich and compelling user experiences for mobile end users. As a class, APIs do everything from user sign in, rich authentication, location, payment, analytics, and more. When new functionality is added to an app, more APIs are also added. As a result, mobile apps can make thousands of API calls per day.

What’s the Problem with Mobile APIs?

In general, in-app REST APIs are not protected in mobile apps. Recent news about mobile API vulnerabilities at Uber and Venmo among countless other examples underscores this point. Unless you embed security, Each REST API in your app represents a separate and potentially unique attack vector for hackers to exploit. Here’s a screenshot of a Mobile API without any security or protection in the app.  Notices how none of the API strings are encrypted. Sadly, this is quite common in mobile apps. Security is often overlooked when it comes to REST APIs in mobile apps.

Mobile REST API Security - don't leave unencrypted mobile api strings in your app

As you can see, a hacker can obtain the REST API Service URL, API Key, API Secret and more simply by looking into an app with freely available tools. Finding security vulnerabilities in REST APIs inside mobile apps really isn’t that hard.

Building Mobile API Security is Not Easy

First, there is no API standard. Every API works differently. For example, some may have a key while others may not. Some may use TLS and others don’t. Some may require the developer to store cookies locally, while others don’t.

How and where the developer retrieves, stores and protects the payload of the API is out of the hands of the API provider.  To secure the substance of the Mobile API, a developer not only has to understand how to code security into an app and needs to know when and how to protect the API sequence and data in the mobile app. For example, you need to know if the payload information is unencrypted and sent in the clear. Payload information is sent back and forth between the mobile app and the back-end server thousands of times per day.

Using Appdome Developers Can Build Complete API Security in all Mobile Apps – FAST

Appdome’s SecureAPI enables mobile developers or non-developers to protect APIs in Android and iOS mobile apps in minutes, regardless of API vendor or architecture of your app. No API gateway is required. Likewise, no specialized security training or development expertise is needed.

SecureAPI does several things for the mobile developer that uses APIs in their apps:

  • Encrypt API keys, the API secrets and the strings that denote the use of the API
  • Obfuscate app structure, control flow and logic of the API.
  • Shield the API from tampering, debugging and reversing.
  • Protect the communication between REST APIs and the backend server – with things like TLS security, CA validation, certificate pinning, etc
  • Segment the API workflows so that only the authorized users can access specific REST API resources – REST APIs need to be considered in your security best practices.

Using a no-code, AI coding engine, Appdome quickly adds AES 256 encryption or FIPS 140-2 certified encryption modules to any mobile app in seconds. In addition, you can obfuscate critical parts of your app and APIs. For example, you can obfuscate REST API URLs, API Keys and API Secrets. Appdome also adds advanced app shielding to eliminate the risk of Mobile API tampering, reverse engineering and malicious debugging. Needless to say, trying to do this on your own is quite difficult and requires an immense amount of mobile security knowledge.  Appdome does not require any specialized skills. Using Appdome, you can automate the entire security model for REST APIs used in your app as well as optimizing performance, handling API errors, key revocation and reset, and more.

Let’s take a few examples to illustrate just how difficult it is to secure REST APIs in your mobile app if you try to do this yourself. Securing the connection and payload of the API is a much harder challenge if you’re not a security expert. Every API call may have different headers, a different syntax, different sequencing, etc. The key challenge is to ensure that the API calls, and mainly the responses coming from the REST API vendor, are all valid. Using Appdome, there are 2 ways to secure the payload.

  • Without involving the API vendor (most common) – SecureAPI uses Appdome’s Trusted Session Inspection and Certificate Validation to provide MiTM protection, stale sessions, proxy detection and more to all API calls. This ensures that the API is communicating securely with the backend server, without depending on the security of the API vendor.
  • With the support of the API vendor – SecureAPI can also be used to establish an enhanced security channel between the in-app API functions and the backend. These features leverage mutual certificate validation between the app and the API backend servers. As a result, the app will always communicate with a secure point inside the secure infrastructure of the API vendor, and from there it will establish the final communication link with the API backend server.

As our AI-coding engine gets more experience in securing APIs, Appdome will learn new ways to secure Mobile APIs across all apps.

Recommendations for Mobile App Developers

Failing to secure Rest APIs used in mobile apps has consequences. The API vendor may restrict or block access to its service from your app. The app itself may not trust the responses from the REST API service and stop working (crash). Or, worse, end users could be compromised and stop using the app. The moral of the story is simple – Secure Mobile APIs or lose API, App or User trust.

Until today, you (the developer) were responsible for building security for the APIs used in your apps. Appdome SecureAPI releases you from that responsibility. Now you can secure all the Mobile REST APIs used in your mobile app in a few clicks with no code or coding required. For every REST API, the security of the connection is critical. This includes the authentication and the intent of every API used in your app. This ensures that everyone who uses your app and depends on APIs to get information can trust that the information is actionable and trustworthy.

Don’t wait, secure your APIs now. Get started with Appdome today and check out this KB article for more details.

Thanks for reading! This blog is part of a series focused on Mobile Security Basics, which is appropriate for readers of any level looking to increase their overall mobile security knowledge.

Tom Tovar

Tom is the co-creator and CEO of Appdome. He builds mobile apps and loves all things mobile. At Appdome, he says “we use technology to make the difficult mobile development projects simple.”

Have a Security Project?

We Can Help!

AlanWe're here to help
We'll get back to you in 24 hours to schedule your demo.

Quick Links for This Blog

Want to learn more?

Stay up to date with the DevSecOps Evolution.

Subscribe to our Mobile DevSec Blogs

More To Explore

Build What You Love Automate What You Don’t

Drop us a line and keep in touch

Search Appdome Solutions

3f0fcc71 0fcd 4d11 8187 0554f04e965e

How to Comply with the OWASP MASVS Standard

The OWASP MASVS (Mobile Application Security Verification Standard) is a standard that establishes mobile app security requirements for developers to build secure mobile apps and security teams to test mobile apps. On Appdome, brands can easily comply with the OWASP MASVS standard.

Spear Phishing Attacks Blog

AI Has Democratized Spear Phishing Attacks, Now What?

Spear phishing attacks used to be limited to high-profile targets such as CEOs, politicians, and other influential individuals. These attacks required extensive research, preparation, and coordination, making them a…