
API security leaves apps vulnerable: 5 ways to plug the leaks

Stacy Collett | Aug. 10, 2015
Many Starbucks customers got a jolt in May when cyberthieves were discovered stealing money from their credit cards and payment accounts by first tapping into their Starbucks mobile apps. According to reports, the culprit was believed to be a hole in an application programming interface (API), though not necessarily on Starbucks' side: passwords that customers had reused across services were stolen from another app and then reused against their Starbucks accounts.

What's more, developers are under pressure to innovate faster, which can also create vulnerabilities in the process, Kumaraswamy says. "You have an opportunity to make mistakes in exposing data inadvertently, or you're not putting the right controls in the API."

Plugging the leaks

App development shows no signs of slowing down, but companies can take steps to plug the leaks in APIs.

1. Authenticate the app as well as the user

When it comes to securing applications versus APIs, "in Web apps you typically only have to authenticate the end user. In the API world you also have to authenticate the app," Kumaraswamy says. For instance, "If you're using the AirBnB or the Uber app, these apps are calling their APIs so those apps are being authenticated." In the case of Moonpig, authentication was enforced, but authorization was not, he adds.

Using a standardized protocol for both authentication and authorization is the jumpstart to using APIs securely, Fay adds. "If you do them the right way, the amount of security built in is based on the standard" and won't vary from app to app.
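The following Python is an added example, not code from the article or from any company it names. It separates the two checks this section distinguishes: authenticating the caller by verifying a signed bearer token (an HS256 JWT is used as one standardized token format; the shared key, audience name, scope string and order records are all constructed for the example), and then authorizing the request by checking that the authenticated subject actually owns the record it asks for. Remove the ownership check and you have the Moonpig-style failure: authentication enforced, authorization absent.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for the example: key shared by the token issuer and this API.
# A real deployment would verify against the identity provider's public key.
SIGNING_KEY = b"example-signing-key-not-for-production"
AUDIENCE = "orders-api"  # hypothetical audience claim this API accepts


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY, alg: str = "HS256") -> str:
    """Mint a JWT. Present only so the example can generate its own input;
    the 'alg' parameter lets the tests build a token whose header lies."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def tamper_claims(token: str, claims: dict) -> str:
    """Attacker helper: swap the payload but keep the original signature."""
    h, _p, s = token.split(".")
    return f"{h}.{_b64url_encode(json.dumps(claims).encode())}.{s}"


def verify_token(token: str, now: Optional[float] = None, key: bytes = SIGNING_KEY) -> dict:
    """Authentication: structure, pinned algorithm, signature, audience, expiry.
    Nothing from the payload is trusted before the signature has been checked."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never honour 'alg' from the token ('none', key-type swaps)
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise PermissionError("expired")
    return claims


# Constructed records: each order carries the user id that owns it.
ORDERS = {
    "1001": {"owner": "alice", "items": ["mug"]},
    "1002": {"owner": "bob", "items": ["beans"]},
}


def get_order(token: str, order_id: str, now: Optional[float] = None) -> dict:
    claims = verify_token(token, now=now)                      # who is calling?
    if "orders:read" not in claims.get("scope", "").split():   # what may the app do?
        raise PermissionError("missing scope")
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    # Authorization: a valid token is not enough, the subject must own the record.
    # Omitting this check lets any authenticated caller enumerate every order by id.
    if order["owner"] != claims.get("sub"):
        raise PermissionError("not the owner")
    return order


def is_denied(order_id: str, token: str, now: Optional[float] = None) -> bool:
    """True when the API refuses the request for authentication or authorization reasons."""
    try:
        get_order(token, order_id, now=now)
    except PermissionError:
        return True
    return False
```

The `now` parameter exists so expiry can be exercised deterministically; in service code it defaults to the wall clock. Note that the audience and scope checks answer "which API and which operation" for the app, while the ownership check answers "which record" for the user; both are needed.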

2. Encrypt transports

Always encrypt sensitive data, Heffner says. Never create a security hole by using plain text transfers. Developers should serve web APIs that carry sensitive data between the end-point program and the web service interface over TLS (HTTPS) with a valid certificate, because anyone on the network path can sniff plaintext traffic. If you make your API a subdirectory of your current web application, it shares the site's hostname and can use the same certificate. The certificate only helps if the client verifies it: an app that disables certificate or hostname checking to silence an error gets none of the protection.
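As an added example (not code from the article), the Python below shows the client side of this step: a helper that refuses plaintext URLs, a TLS context with chain and hostname verification and a TLS 1.2 floor, the verification-off shortcut that mobile apps commonly take, and an audit function that reports the weakened settings. The function and finding names are my own.

```python
import ssl
from typing import List
from urllib.parse import urlparse


def transport_is_encrypted(url: str) -> bool:
    """True only for URLs that will be carried over TLS."""
    return urlparse(url).scheme == "https"


def require_https(url: str) -> str:
    """Refuse to talk to an API endpoint over a plaintext scheme."""
    if not transport_is_encrypted(url):
        raise ValueError(f"refusing plaintext transport for {url!r}")
    return url


def hardened_client_context() -> ssl.SSLContext:
    """Client TLS context: certificate chain validated against the system trust
    store, hostname checked against the certificate, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The shortcut that makes HTTPS worthless: the app 'fixes' a certificate
    error by switching verification off. Built here only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise for a client TLS context; empty means clean."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 accepted")
    return findings
```

Pass the hardened context to whatever HTTP client the app uses (for the standard library, `urllib.request.urlopen(url, context=ctx)`); the audit function is useful in a unit test that fails the build if someone reintroduces `CERT_NONE`.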

3. Protect credentials 

Know how credentials are managed for the app and how critical they are for the particular kind of business scenario, Heffner adds.

"If I were a bank doing financial transactions with a partner, there's a number of layered connections I would want to have, like a VPN to SSL or I would have digitally signed tokens -- SAML or the like, as part of the full security scheme." With multiple security mechanisms in place, "it's raising the bar on the number and kind of things someone would have to do to spoof any connection."

Digitally signed or otherwise unguessable tokens can also be one part of the security scheme. A token is a string that identifies an authenticated user or session. The server issues it only after the user has entered the correct user name and password, keeps a record of it (preferably a hash of the value rather than the raw token) together with an expiry, and the API client then presents the token on each call to the API's methods instead of sending the password again.
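The following Python is an added example, not code from the article: a minimal in-memory version of the token scheme just described. The user table, password and time-to-live are constructed for the example. The password is checked once against a salted PBKDF2 hash, a random bearer token is issued, only the SHA-256 of that token is stored, and every API call resolves the token to a user while honouring expiry and revocation.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000
TOKEN_TTL_SECONDS = 15 * 60  # assumption for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table: only a per-user salt and PBKDF2 hash are kept, never the password.
_ALICE_SALT = secrets.token_bytes(16)
USERS: Dict[str, dict] = {
    "alice": {"salt": _ALICE_SALT, "pw_hash": hash_password("correct horse", _ALICE_SALT)},
}

# Token store keyed by SHA-256(token). A leak of this table yields only fingerprints,
# which cannot be presented to the API as tokens.
_SESSIONS: Dict[str, dict] = {}


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Verify the password once and return a random bearer token, or None.
    The client keeps the token, not the password, for subsequent API calls."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None  # production code should hash anyway to keep timing uniform
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _SESSIONS[_fingerprint(token)] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a presented token to a username; None if unknown, revoked or expired."""
    now = time.time() if now is None else now
    key = _fingerprint(token)
    session = _SESSIONS.get(key)
    if session is None:
        return None
    if session["expires"] <= now:
        _SESSIONS.pop(key, None)  # purge so the store does not grow with dead tokens
        return None
    return session["user"]


def revoke(token: str) -> bool:
    """Server-side logout; False if the token was not active."""
    return _SESSIONS.pop(_fingerprint(token), None) is not None


def raw_token_is_stored(token: str) -> bool:
    """Sanity check: the raw token must never appear as a store key."""
    return token in _SESSIONS
```

In a real service the store is a database or cache keyed the same way, and the token travels in an `Authorization: Bearer` header over TLS. Because the server keeps the record, a compromised token can be revoked immediately, which a purely self-contained signed token cannot offer without a revocation list.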

4. Avoid static or embedded passwords

When logic is built into an app, it's very difficult to change, Fay says. When you want to change a policy or update security, having all of that logic built into mobile apps is not a good thing. So developers sometimes take shortcuts with easy passwords or by caching IDs and passwords locally on a mobile app, and that's a huge problem from a security standpoint. "Static passwords are to be avoided," Fay says.
