API security leaves apps vulnerable: 5 ways to plug the leaks
Stacy Collett
Aug. 10, 2015
Many Starbucks customers got a jolt in May when cyberthieves were discovered stealing money from their credit cards and payment accounts by first tapping into their Starbucks mobile apps. The culprit was believed to be a hole in an application-programming interface (API), though perhaps not on Starbucks' site but on another app where overused passwords were stolen and reused, according to reports.
5. Expose only required information to your API
Developers will often take all the information they have on a user and give it to the API because they don't know what data is required, Fay says. "Make sure you're only moving the data that you need to," he says. "It's more of a privacy issue than a security one," but the surplus data could be used in social engineering schemes.
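One way to enforce this is a per-view allowlist applied before any record leaves the backend, plus a check that reports fields a response carries beyond what its view needs. This is an added example, not code from the article or from anyone quoted in it; the record is constructed and the view names and function names are hypothetical.

```python
# Constructed sample record, standing in for everything the backend holds on a user.
USER_RECORD = {
    "id": 1842,
    "display_name": "J. Rivera",
    "email": "jrivera@example.com",
    "date_of_birth": "1984-03-09",
    "password_hash": "<placeholder-hash>",
    "address": {"street": "12 Example St", "city": "Springfield"},
    "payment": {"card_last4": "0000", "card_token": "<placeholder-token>", "balance_cents": 1575},
}

# Hypothetical views: each names exactly the fields its client needs.
VIEWS = {
    "public_profile": {"id": True, "display_name": True},
    "order_pickup": {"display_name": True, "address": {"city": True}},
    "wallet": {"id": True, "payment": {"card_last4": True, "balance_cents": True}},
}


def project(record, allowed):
    """Copy only allowlisted fields; nested dict rules recurse into sub-objects."""
    out = {}
    for field, rule in allowed.items():
        value = record.get(field)
        if rule is True and field in record:
            out[field] = value  # absent fields are omitted, never defaulted
        elif isinstance(rule, dict) and isinstance(value, dict):
            out[field] = project(value, rule)
    return out


def build_response(record, view):
    """Shape a record for one view; an undefined view fails closed."""
    if view not in VIEWS:
        raise KeyError(f"no response schema for view {view!r}")
    return project(record, VIEWS[view])


def leaked_fields(response, allowed, prefix=""):
    """Return sorted dotted paths present in response but not allowlisted."""
    leaks = []
    for field, value in response.items():
        rule = allowed.get(field)
        if rule is None:
            leaks.append(prefix + field)
        elif isinstance(rule, dict) and isinstance(value, dict):
            leaks.extend(leaked_fields(value, rule, prefix + field + "."))
    return sorted(leaks)
```

Running `leaked_fields` over a handler's actual output in a test suite catches the case where a new column is added to the user table and silently starts flowing to clients.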