

At the surface level, APIs let businesses connect applications and share data with each other, which makes the experience simpler and more seamless for customers and users. If you’ve ever used your Google Account to sign in to other websites or apps, you have almost certainly used an API developed by Google to do so. These APIs work in the background to provide much of the streamlined user experience we take for granted. That is exactly why API security in mobile applications needs to be stronger: without it, the benefits are cancelled out by the exposure.

Stolen or leaked API keys are among the most common root causes of cyber attacks today. We see the headlines and read the news, but often fail to grasp the broader implications, in particular the impact on enterprise mobile security. Consider the news earlier this year that more than 3,000 mobile apps were found to be leaking Twitter API keys, meaning bad actors could take over thousands of individual accounts and carry out a variety of nefarious activities.

Imagine the roles reversed and this were your company: hundreds or even thousands of mobile apps leaking API keys for your corporate Gmail, Slack, or OneDrive accounts. If this or a similar scenario occurs, employee devices and sensitive company data are at extreme risk.
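The leaked-key problem described above is detectable before an app ships. The following Go program is added here as an illustration; it is not code from the original article or from the research it cites. It scans text extracted from an app package (a decoded `strings.xml`, or the output of `strings` on a binary) for credentials, first by known key formats and then by an entropy heuristic for long opaque strings that no pattern names. The AWS and Google key formats, the Twitter consumer key/secret lengths, the 4.0 bits-per-character threshold and the sample resource file are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one suspected credential pulled out of app resources.
type Finding struct {
	Kind  string // which rule fired
	Value string // the matched secret
	Line  int    // 1-based line in the scanned text
}

// Illustrative rules. The vendor formats and lengths are assumptions made
// for this example, not a complete or vendor-verified list.
var keyRules = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"aws_access_key_id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"google_api_key", regexp.MustCompile(`\bAIza[0-9A-Za-z_\-]{35}\b`)},
	// Twitter consumer credentials are plain alphanumeric strings with no
	// distinctive prefix, so they are matched only when the resource name
	// next to them says what they are (capture group 1 is the value).
	{"twitter_consumer_key", regexp.MustCompile(`(?i)consumer[_-]?key["'>\s:=]+([A-Za-z0-9]{25})\b`)},
	{"twitter_consumer_secret", regexp.MustCompile(`(?i)consumer[_-]?secret["'>\s:=]+([A-Za-z0-9]{50})\b`)},
}

// Candidate tokens for the entropy check: long runs of base64/URL-safe characters.
var tokenRe = regexp.MustCompile(`[A-Za-z0-9+/=_\-]{32,}`)

// shannonEntropy returns the entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanStrings scans text line by line and returns suspected credentials:
// known formats first, then any unclaimed long token whose entropy reaches
// entropyThreshold. A value is reported once even if several checks hit it.
func ScanStrings(text string, entropyThreshold float64) []Finding {
	var findings []Finding
	seen := map[string]bool{}
	for i, line := range strings.Split(text, "\n") {
		for _, rule := range keyRules {
			for _, m := range rule.re.FindAllStringSubmatch(line, -1) {
				val := m[0]
				if len(m) > 1 && m[1] != "" {
					val = m[1]
				}
				if !seen[val] {
					seen[val] = true
					findings = append(findings, Finding{Kind: rule.kind, Value: val, Line: i + 1})
				}
			}
		}
		for _, tok := range tokenRe.FindAllString(line, -1) {
			if !seen[tok] && shannonEntropy(tok) >= entropyThreshold {
				seen[tok] = true
				findings = append(findings, Finding{Kind: "high_entropy_string", Value: tok, Line: i + 1})
			}
		}
	}
	return findings
}

// sampleStrings is a constructed stand-in for a decoded res/values/strings.xml;
// every value in it is made up for this example.
const sampleStrings = `<string name="app_name">Demo Shop</string>
<string name="support_email">help@example.com</string>
<string name="consumer_key">k3Jd8Qm2Lp7Rt9Xw4Bz6Nc1Vy</string>
<string name="consumer_secret">x7Qp9LmZ2vRt4HwB8NcY1KjF6sDg3UeA5oIiW0lTqMbVnXrZ9y</string>
<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
<string name="build_id">release-2023-01-15</string>
<string name="session_blob">c2Vzc2lvbi10b2tlbi1mb3ItZGVtby1hcHAtZG8tbm90LXNoaXA=</string>`

func main() {
	for _, f := range ScanStrings(sampleStrings, 4.0) {
		// Print only a prefix so the scan log itself does not leak the secret.
		fmt.Printf("line %d: %-24s %s...\n", f.Line, f.Kind, f.Value[:8])
	}
}
```

Run the same scan in CI against the unpacked release artifact and fail the build on any format match; a key that never ships inside the app cannot be scraped from it. The entropy rule will also flag base64 blobs and long identifiers that are not secrets, so treat those findings as review items rather than hard blockers.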

The latest push to focus on API security comes at a critical time, when more businesses are relying on enterprise mobility, which means increasing reliance on mobile app connectivity. A recent survey of security directors and mobile app developers in the US and UK found that 74% of respondents believe mobile apps are critical to business success. Mobile applications have also been found to help businesses both generate revenue and deliver services to customers.

Additionally, 45% of respondents to the same survey said that an attack against APIs that took a mobile app offline would have a significant impact on their business. These results only confirm what we already know: mobile apps are critical to enterprise mobility and productivity.

API security risks can lead to complete device hijacking

While APIs have many advantages, their widespread use in mobile applications is also a clear liability. This is especially true when you consider that many enterprises rely on third-party applications and APIs. If you think these third parties have the same security concerns and procedures as you and your business, think again. Third parties are often to blame for data breaches, as evidenced recently when a third-party hack caused Australia’s largest telco to suffer a major data breach, the costs of which are still being quantified.

Making matters more difficult for enterprises, mobile apps, and especially the APIs that power them, are often more exposed to cyberattacks than desktop web pages. Every time the app is used, even while it is running in the background, it sends and receives data through API calls, and every one of those calls, along with the credentials the app holds to make them, is something an attacker on or near the device can try to intercept or abuse.

A threat actor can abuse these API calls and requests between the device and the application’s backend to steal data. Because the application lives on the device itself, a compromised app gives the attacker a foothold that puts the entire device, and the information stored on it, at great risk. It doesn’t matter whether the device is corporate-owned or personal (BYOD): there is almost certainly some form of corporate data on every device an employee uses for work.

Protecting enterprise mobile devices and data from API vulnerabilities

These vulnerable APIs are a threat not only to businesses’ profits, reputation, and viability, but also to their sensitive data and to that of their customers and partners.

Fortunately, there are ways to protect against these threats. First, get an overview of the threats facing enterprise applications; this level-setting creates awareness that the corporate mobile apps employees carry on their phones expose enterprise data to disclosure unless those apps are managed or clearly segregated from personal data.

A good next step is to develop a strategy in which corporate data is separated from the device itself, a process better known as containerization. Encrypting that data both in transit and at rest is another important factor. I recommend AES with 256-bit keys (AES-256), and in an authenticated mode such as GCM, so that tampering with stored data is detected rather than silently decrypted into garbage.

Additionally, organizations should incorporate stronger authentication, such as multi-factor authentication, in front of access to sensitive data.

Conclusion

There are many challenges presented by threat actors seeking to exploit API vulnerabilities, and these challenges will only increase as the API attack surface continues to grow. While these concerns may seem daunting at first, businesses can take proactive steps to protect their enterprise applications and devices.

Building additional security into the development process is a great step, but it is sometimes a luxury that businesses relying on third-party applications can’t afford or have no insight into. That’s why it’s imperative that enterprises think strategically about how these applications interact with enterprise data and create additional authentication steps that protect it.
