API Security for Mobile Apps

Mobile apps are by far the fastest-growing ecosystem. The number of app users, including customers, consumers, and casual users, keeps increasing exponentially. Hence it is critical to ensure that the data flow and the ecosystem are protected from malicious actors seeking to exploit whatever loopholes might exist at multiple stages.

Incidentally, mobile APIs (Application Programming Interfaces) are one of the easiest channels of exploitation. Hence API security is no longer the sole responsibility of cloud service providers. App development companies must employ the latest tools and agencies that specialize in deep scanning and threat analysis to ensure the entire app ecosystem remains impenetrable and unexploitable.


What is API Testing and What Is Its Prominence in Today’s Landscape?

Application Programming Interfaces (APIs) are being rapidly designed and deployed by software and app platform providers like Apple and Google, as well as by eCommerce giants, to simplify building apps and services.

In fact, Gartner predicts that through 2020, the top 10 enterprise application vendors will expose over 90% of their app capabilities through APIs.

Simply put, APIs can be considered the critical backbone of the majority of software and apps.

APIs simplify and accelerate the design, development, and deployment of an app or piece of software. The majority of apps have multiple APIs running in the background. Needless to say, a large number of APIs offers malicious attackers multiple potential entry points to discover and exploit. Hence conducting API security testing is critical to ensure the entire app and its data are safe from hackers.

API security testing comprises the multiple scanning processes that thoroughly test the server side of an application. The testing process digs deep to find exploitable flaws or vulnerabilities that could be used to steal data. Apps use multiple APIs, and hence they usually offer the fastest and easiest entry points to hackers. Any vulnerability, if left unpatched, can lead to several severe problems. Incidentally, every app that relies on the faulty API can then be exploited in the same manner.



How Is API Security Automation Beneficial?

As service providers expand, their APIs increase in number and complexity. New features and services demand their own APIs. Individual APIs are beneficial for app creators, as they can selectively incorporate them into their creations depending on the functionality sought. Additionally, any developer can create an API and even publish it on the internet. Interestingly, there won't be any resistance or scrutiny when the developer is using public cloud services such as Amazon, Microsoft, and Google.

Manual penetration testing of each service prior to release or production can be a very complex, time-consuming, and resource-consuming task. Likewise, manually conducting API security testing is very tedious. Not to mention, such a process can significantly delay the service's move into production and the production schedule as a whole.

It is imperative to evolve API security into an automated process. Companies and app developers relying on APIs for their apps and services simply cannot skip security and penetration testing. Moreover, it is critical that such processes are automated to free up resources and ensure the ecosystem remains impenetrable.


Open Source and Commercial API Security Automation Tools

There are several open-source (free) as well as commercial (licensed) tools for conducting automated API testing. However, there are only two major types of API: SOAP (Simple Object Access Protocol) and REST (Representational State Transfer). Hence app developers will have to decide which category of testing tools to choose.

It is important to understand the requirements and the threats the app and its data will face before opting for a security testing tool. It is critical that the chosen tool conducts the majority of the tests; otherwise, the entire process can fall short if the testing platform skips some of the parametric tests. Additionally, while evaluating the performance and efficiency of API security automation tools, it is important to know how effectively the platform conducts testing and how well it offers a resolution for the security vulnerabilities it finds.

While there are dozens of open-source platforms, some of the commonly used ones include SoapUI, Postman, Postwoman, Fiddler, Taurus, etc. While these are great tools for conducting automated preliminary API testing, there are a few licensed or paid alternatives that usually offer more options and benefits. They include ReadyAPI, ACCELQ, REST-Assured, Swagger.io, Katalon Studio, etc.


Challenges of Securing APIs in the Mobile Ecosystem

As discussed earlier, there are several challenges in securing a mobile application. These are compounded by the unavailability of full-fledged standard tools for security testing. Altogether different automation tools are used for mobile apps and for web applications, despite the fact that many of them use the same backend services and APIs.

Platforms like Appium, Robotium, and Ranorex are common tools in this field. However, it is critical to have a holistic approach that fits the needs and security requirements of an app in the rapidly emerging world of social apps, where data flows freely and extensively.

Modern-day apps and the rapidly changing global smartphone app landscape and geopolitics have once again reminded developers of the need to conduct a thorough security audit of the APIs they use. Some of the most common and notorious platforms, like TikTok, and the dozens of other apps that were recently banned are an excellent example. These platforms and their APIs proved just how important securing APIs in the mobile ecosystem is to ensuring data integrity and security.

Some of the most common threats in the modern smartphone app ecosystem, especially given the liberal use of APIs, include excessive data exposure, security misconfiguration, improper asset management, poor logging and monitoring, broken or poorly implemented object-level authorization, and inadequate authentication. Add severe limits on funds and time, and the problem becomes very large and concerning.
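To make two of these threats concrete, here is an added Python example (not code from the article or from Appknox) that places a lookup handler suffering from broken object-level authorization and excessive data exposure beside a hardened version of the same handler. The Order record, the ORDERS table, and the user and order ids are constructed sample data; the Forbidden exception and the field allow-list are design choices made for the example.

```python
from dataclasses import dataclass
from typing import Dict


# Constructed sample data for the example: two users, each owning one order.
@dataclass
class Order:
    order_id: int
    owner_id: int
    total_cents: int
    shipping_address: str
    card_last4: str  # sensitive: must never be returned to a client


ORDERS: Dict[int, Order] = {
    1001: Order(1001, owner_id=1, total_cents=4999, shipping_address="1 Main St", card_last4="4242"),
    1002: Order(1002, owner_id=2, total_cents=1250, shipping_address="9 Elm Rd", card_last4="1111"),
}


class Forbidden(Exception):
    """Raised when a caller asks for an object it is not allowed to see."""


def get_order_vulnerable(caller_id: int, order_id: int) -> dict:
    """Broken object-level authorization plus excessive data exposure.

    The caller's identity is never compared with the order's owner, so any
    authenticated user can read any order id, and the whole record (including
    card_last4) is serialised straight into the response.
    """
    order = ORDERS[order_id]
    return vars(order).copy()


# Hardened version: explicit allow-list of the fields a client may see.
ORDER_PUBLIC_FIELDS = ("order_id", "total_cents", "shipping_address")


def get_order_hardened(caller_id: int, order_id: int) -> dict:
    """Ownership is checked before the record is used, and only allow-listed
    fields are returned, so a sensitive column added later stays hidden by default.
    """
    order = ORDERS.get(order_id)
    # One identical outcome for "no such order" and "not your order", so the
    # endpoint cannot be used to enumerate which order ids exist.
    if order is None or order.owner_id != caller_id:
        raise Forbidden(f"order {order_id} is not accessible to user {caller_id}")
    return {name: getattr(order, name) for name in ORDER_PUBLIC_FIELDS}


def demo() -> None:
    """Show the two handlers side by side for the same cross-user request."""
    print("vulnerable:", get_order_vulnerable(caller_id=1, order_id=1002))
    try:
        get_order_hardened(caller_id=1, order_id=1002)
    except Forbidden as exc:
        print("hardened:", exc)
    print("hardened (own order):", get_order_hardened(caller_id=1, order_id=1001))


if __name__ == "__main__":
    demo()
```

The allow-list is the important design choice: filtering out known-sensitive fields (a deny-list) silently fails the next time someone adds a column, whereas an allow-list fails closed.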


API Security Framework for Your Security Teams


Given the rising threats as well as the increasing use of APIs, every organization needs an API security framework. This ensures that everyone on the team follows a few simple but critical protocols for the usage of APIs. The framework consists of the three steps below:

1) Continuous API discovery and specification creation.
2) Continuous API specification analysis and inspection.
3) API policy enablement and enforcement.

New as well as old APIs need to be continuously monitored and analyzed for changes and feature additions in order to understand their current specifications. Simply put, it is important to know what each API is doing. An organization using APIs needs to create specifications for all of them, and public-facing APIs hosted in the cloud are even more critical. Incidentally, there are tools that can automate the discovery of new APIs and even track changes to existing ones.

The next step entails conducting the right type of security testing, such as verifying that the updated API uses proper data encryption, relies on a proper authentication and authorization policy, and accesses only the expected data sources. Such security testing helps prevent data breaches. Incidentally, this is where API security automation tools truly shine, as they are able to quickly and dynamically find potential vulnerabilities within the authentication and encryption layers of the API.

The final step is policy creation and enforcement, which essentially comes down to deciding two questions:

1) Who should be able to use the API?
2) What level of sensitivity, regulatory oversight, and/or privacy concern does the API carry?

Careful management of aspects such as authentication, authorization, encryption, and availability of that API will not only secure the app and its data but also potentially eliminate undesired data exposure. Traditionally, API policy enforcement was done at the network gateway layer. However, modern and dynamic architectures such as mobile and cloud have forced developers to provide these security aspects through SDKs as well as through cloud service providers' dashboards.
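As an added example of how steps 2 and 3 of this framework can be automated (this is illustration code written for this page, not the article's or any vendor's tool), the following Python script lints a small OpenAPI-3-style document against a scope policy table and exposes the same table as a runtime gate. The SPEC dictionary is a constructed, deliberately minimal spec; the `x-data-class` extension, the data-class names, and the scope names are assumptions made for the example.

```python
from typing import Dict, List, Set

HTTP_METHODS = ("get", "put", "post", "delete", "patch")

# Constructed, deliberately minimal OpenAPI-3-style document (a dict, not a
# real project's spec). Only the keys the checks below read are present.
SPEC = {
    "servers": [
        {"url": "https://api.example.test"},
        {"url": "http://api.example.test"},  # plain HTTP: should be flagged
    ],
    # Global default: bearer token required, no particular scope.
    "security": [{"bearerAuth": []}],
    "paths": {
        "/health": {
            "get": {"x-data-class": "public", "security": []},
        },
        "/users/{id}/profile": {
            "get": {"x-data-class": "pii",
                    "security": [{"bearerAuth": ["profile:read"]}]},
        },
        "/orders/{id}": {
            "get": {"x-data-class": "internal"},  # inherits the global default
            "delete": {"x-data-class": "internal", "security": []},
        },
    },
}

# Policy table (step 3): scopes a caller must hold for each data class.
# The x-data-class extension and the scope names are assumptions for this example.
POLICY: Dict[str, Set[str]] = {
    "public": set(),
    "internal": {"orders:read"},
    "pii": {"profile:read"},
}


def effective_security(spec: dict, operation: dict) -> List[dict]:
    """OpenAPI rule: an operation-level `security` list overrides the global
    one, and an explicit empty list means no authentication is required."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def granted_scopes(security: List[dict]) -> Set[str]:
    """Union of the scopes named across all security requirement objects."""
    scopes: Set[str] = set()
    for requirement in security:
        for scheme_scopes in requirement.values():
            scopes.update(scheme_scopes)
    return scopes


def analyse_spec(spec: dict, policy: Dict[str, Set[str]]) -> List[str]:
    """Step 2: inspect every server and operation and report policy violations."""
    findings: List[str] = []
    for server in spec.get("servers", []):
        if not server["url"].lower().startswith("https://"):
            findings.append(f"server {server['url']}: not HTTPS, credentials and data travel in clear text")
    for path, item in spec.get("paths", {}).items():
        has_object_id = "{" in path  # e.g. /orders/{id}
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            name = f"{method.upper()} {path}"
            data_class = op.get("x-data-class", "internal")  # unlabelled -> treated as non-public
            security = effective_security(spec, op)
            if not security:
                if data_class != "public":
                    findings.append(f"{name}: no authentication required but data class is {data_class}")
                if has_object_id:
                    findings.append(f"{name}: object id in path with no caller identity to check ownership against (BOLA candidate)")
                continue
            missing = policy.get(data_class, set()) - granted_scopes(security)
            if missing:
                findings.append(f"{name}: missing required scopes {sorted(missing)}")
    return findings


def authorize(policy: Dict[str, Set[str]], data_class: str, token_scopes: Set[str]) -> bool:
    """Step 3 at runtime: the same table gates a request once its token has been
    verified. Unknown data classes fail closed."""
    if data_class not in policy:
        return False
    return policy[data_class] <= token_scopes


if __name__ == "__main__":
    for finding in analyse_spec(SPEC, POLICY):
        print("-", finding)
```

Keeping one policy table for both the spec check and the runtime gate is the point of step 3: the linter catches an endpoint whose declared security requirements drift below policy at review time, and the gate refuses a token that lacks the required scopes at request time, so the two cannot disagree.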


With the rapid adoption of cloud, web, and mobile apps, the use of APIs has increased exponentially. Hence the complexity, as well as time and resource restrictions, have forced API security testing to take a completely different shape. Simply put, every business should realize the importance of API security in order to maintain data security and strive to eliminate major security threats.

API security automation tools are the ideal solution. The majority of these platforms silently and dynamically monitor for security vulnerabilities and routinely conduct security and penetration testing, so that developers can focus on adding new features and fixing bugs.



Published on Aug 13, 2020
Subho Halder
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching Mobile Security. Currently, he helps businesses to detect and fix security vulnerabilities. He has also detected critical loopholes in companies like Google, Facebook, Apple, and others

