Login

API Security

Why is API security important?

API security is important because the whole communication between the host company, third party application and client user is happening on a server on the network.

That communication is easily accessible to hackers who may access the server or infiltrate it, which is becoming common. So, it is important that the communication, which includes sensitive information like the client’s user ID or passwords, highly important data of the host application which should be paid for, should be encrypted and transferred without being easily hacked.

Also, the ease of access to this communication channel is what brings a threat to the valuable information being transferred.

Risk with API

1. Client-end risks

a. App source code exposure

Source code may be accessible to hackers when companies publish it on open-source repositories like Github or they could reverse engineer the code when it’s running on a smartphone.

a. Shared passwords

Usage of the same passwords or IDs on different service platforms leads to increased susceptibility of getting hacked.

2. Backend risks

a. Rate limiting

Many APIs forget to set a limit on the number of times or the frequency with which a user or hacker can try to access the API up till the free point. This leads to the encouragement of hackers to quickly try out multiple passwords to get through to the secure API network.

b. Improperly secured endpoints

Many APIs forget to set a limit on the number of times or the frequency with which a user or hacker can try to access the API up till the free point. This leads to the encouragement of hackers to quickly try out multiple passwords to get through to the secure API network.

c. Phishing

Phishing attacks on the developer of the source code can lead to compromise of the source code followed by the compromise of the API.

3. Network risks

a. Credential theft

If sensitive information like credentials is being transmitted over the network in clear text, it can fall into the hands of a hacker who finds a way into the network and lifts that information.

OAuth and its Importance

Third-party applications would have immense accessibility to the client’s account if the credentials were directly provided to it, instead, the host application gives them a token. A token is specifically designed key to the API of the host application which works in a way that it is unique to one specific client user, one specific third party application, with access to carry out one or more specific actions (specified by the end-user) on the user’s behalf on the host application only.

These tokens can, at any time and for any security or wishful reasons of the host application or client user, be revoked instantly. This allows complete restriction of access to the APIs and host application data to hackers even if they get access to a token which can be revoked at any time or may expire on its own if it is a one time issued token (like if we allow access of location to taxi applications for “only this time”).

This process is called OAuth.

Need of Constant Vigilance

API security is a very difficult task. Once established security is like a still standing target, it may hide but it will be found sooner or later. The best of the companies who continuously try to update the security and make it stronger also have issues. OAuth makes your company’s API a moving target. A security-first approach should be established while building OAuth interface by encrypting long-term tokens, especially the ones which are at rest.