When you use a mobile app, its intuitive and seamless interface masks the fact that there are a lot of API calls occurring under the hood. Although this architecture enables remarkable functionality, the APIs often suffer from security vulnerabilities. In fact, mobile APIs represent a major attack surface for cyber crime. This article examines the distinct aspects of mobile API security, explores why mobile presents distinctive vulnerabilities, and proposes a solution to mitigate the resulting risk.
What is a Mobile API?
A mobile API is an application programming interface to which a mobile app connects to access the functions and data that power the app. The mobile app clients initiate calls over the internet to APIs often hosted on cloud servers. Mobile APIs also tend to be built using the standardized representation state transfer (REST) protocol.
Mobile apps have numerous uses for APIs. A mobile app might have APIs for authentication, user sign in, location identification, payments, and more. Indeed, a mobile app could use dozens or even hundreds of APIs in order to perform its tasks.
Mobile APIs Versus Web APIs
APIs for mobile apps are similar to APIs used in other computing contexts, such as web applications accessed through a browser. Mobile APIs maintain a similar structure to traditional APIs in that they may use the REST architecture. However, there are common variances. Since Mobile Apps have the presentation logic already in-buit, mobile APIs calls can be very precise in making limited scope calls. Web APIs usually need to call much more information to both build a webpage as well as populate the data.
Mobile APIs tend also to be stateless, meaning that calls can be made independently of one another, in any order. In addition, each stateless call provides all of the data necessary to get the desired response. Web APIs can be stateless too, but it’s more common in mobile, with its higher volume of specific API calls.
A stateless API, in contrast to a stateful web browser session, has to convey a great deal of detail about the API call and response in each message. For example, each API call/response message might need to carry an API key, the service URL, login token information, and more. To understand why this is a risk to mobile API security, read on…
Mobile API Vulnerabilities
Stateless mobile APIs form a rich target for hackers because, if compromised, they convey information like the service URL and API key. If these pieces of data are not encrypted beyond SSL/TLS, then each API call literally contains instructions on how to mimic it in an attack. Using the contents of an intercepted message, a hacker can reverse engineer the API and perpetrate a variety of attacks on the server, while posing as an authenticated client. Stateless APIs also have fewer restrictions on sequencing, giving hackers a shorter learning curve and more freedom to operate.
All apps are subject to reverse engineering. However, the practice of decompiling software is often easier on a mobile app than on other types of software. This is partly due to the fact that code obfuscation and other advanced security practices are more common with web apps than with mobile apps. And, the tendency of mobile APIs to be more granular makes the calls less complex to reverse engineer and forge.
The FBI has taken notice of the risks of mobile API security. In a 2022 Private Industry Notification, the FBI stated, “Mobile applications, which often have weaker security protocols than traditional web applications, frequently permit a higher rate of login attempts, known as checks per minute (CPMs), facilitating faster account validation.”
Mobile API Exploits
If an attacker can forge an API call and reverse engineer the API, he or she can get up to all sorts of malicious mischief. They can make requests for account authentication, or change users’ passwords, which actually happened with Instagram in 2017. In that case, hackers inserted celebrities’ user IDs into the Instagram API for password resets. They could then lock the legitimate celebrity out of his account and take it over.
What’s arguably worse than posting unflattering celebrity photos online is the proliferation of programmatic, high-volume attacks that hackers can let loose on mobile APIs. By mimicking the API call, the attacker creates API traffic that looks legitimate, but it comes from a fraudulent source. With this setup, an attacker can engage in credential stuffing, by attempting to authenticate with thousands of stolen usernames and passwords. If the credential stuffing attack succeeds, the hacker can take over accounts—and proceed to steal money, private information, merchandise, and more.
Mobile APIs that can be forged are susceptible to the OWASP Top 10 list of security concerns for web applications. These include vulnerability to injection attacks, wherein hackers inject SQL code into an API call to extract data they are not authorized to see. Broken object level authorization (BOLA) vulnerability is another concern, which results from insufficient access privilege validation, leading to data breaches.
Brute force attacks and distributed denial of service (DDoS) attacks are also risks affecting mobile APIs. In a brute force attack on a mobile API, a hacker repeatedly tries different passwords to gain access. In contrast to a credential stuffing attack, which uses real credentials a brute force involves automated random guessing of credentials. A DDoS attack simply floods a mobile API with so many requests that it shuts down.
Consequences of Attacks on Mobile APIs
Successful attacks on mobile APIs can have serious negative consequences for a business. In addition to fraud, bad outcomes run the gamut from data breaches and system outages to violations of regulations covering consumer privacy. Regulators may impose fines or business restrictions in particularly severe circumstances.
Each API security incident will likely be a costly, time-consuming chore that diverts various organizational teams from more strategic functions. They rope in stakeholders from IT, security, compliance, privacy, legal, and so forth. Moreover, the security tools to mitigate attacks are expensive, and tend to require staffing to install, configure and manage.
A mobile API attack can also affect customer experiences. Apps may slow down or stop functioning, triggering calls to customer service that take time and money to handle. Account breaches can be alarming experiences for end users, or at least inconvenient, as they are usually locked out of their account. Disgruntled customers may simply abandon the app or disparage the brand.
Solution: Mobile API Security
Robust mobile API protection is now possible, using obfuscation. This approach requires software integration at both ends of the communication flow. As exemplified by the SecureCo solution, obfuscation reduces the risk of hackers gaining access to the API endpoint. This thwarts the threat actor’s ability to interrogate the API for reconnaissance purposes, or to stage a direct attack. If they can’t find or access the API, they will have a lot of trouble exploiting it.
SecureCo also create a private tunnel between the app and API, frustrating hacker attempts to intercept and decrypt API calls. This, too, does a lot to mitigate risks affecting mobile APIs. When the API call is obfuscated, it’s a lot harder to mimic. Making it harder for fraud actors to make authentic seeming API calls reduces all kinds of API abuse. More on SecureCo’s API security solutions here.
Conclusion
Mobile APIs are a source of risk for mobile apps and the organizations that own them. Attackers can reverse engineer mobile APIs and forge API calls. With these capabilities, hackers can engage in account takeovers, credential stuffing attacks, DDoS, and more. Negative impacts of such attacks include fraud, data breaches, and bad customer experience. If nothing else, they are distracting, expensive problems to sort out. With obfuscation and private tunneling, better mobile API security becomes viable.