APIs are placing your enterprise at risk

On a surface level, APIs let businesses connect applications and share data with each other, which creates an easier, more seamless experience for customers and users. If you have ever used your Google Account to sign in to another site or app, you have used a Google-provided sign-in API to do so. APIs like these work in the background to power many of the streamlined user experiences we take for granted, which is exactly why API security in mobile apps needs to be stronger: an insecure API turns those benefits into liabilities.

Stolen API keys are behind some of the biggest cyber attacks to date. We see the headlines and read the news stories, but we often fail to grasp the broad ramifications, especially the impact on mobile enterprise security. Consider the news earlier this year that more than 3,000 mobile apps were leaking Twitter API keys embedded in the apps themselves, which would let bad actors act on behalf of thousands of individual accounts and carry out a host of malicious activities.
Now imagine the roles were reversed and hundreds or even thousands of mobile apps leaked the API keys to your corporate Gmail, Slack or OneDrive accounts. In that scenario, employee devices and sensitive company data would be at serious risk.
The recent push to focus on API security comes at a critical time, as more enterprises rely on enterprise mobility and therefore on mobile application connectivity. A recent survey of US- and UK-based security directors and mobile app developers found that 74% of respondents considered mobile apps critical to business success; respondents also reported that mobile apps help their businesses earn revenue and give customers access to services.
In the same survey, 45% of respondents said that an attack against APIs that took a mobile app offline would have a significant impact on their business. These results only confirm what we already know: mobile apps are critical to enterprise mobility and productivity.
API security risks can lead to full device takeover
APIs have many advantages, but their ubiquitous use in mobile applications also expands the attack surface. This is especially true when you consider how many enterprises rely on third-party applications and APIs. If you assume these third parties share your security concerns and procedures, think again. Third parties are often to blame for data breaches, as was recently demonstrated when a third-party compromise caused Australia's largest telecommunications firm to suffer a major data breach; the cost of that incident is still being quantified.
Complicating matters for enterprises, mobile apps, and especially the APIs that power them, are often more exposed to attack than a web page viewed on a desktop. Every time an app is used, even while it is running in the background, it sends and receives data through API calls, and that data in transit is the point at which the device and its data are most exposed.
A threat actor can exploit these API calls and requests between the device and the application's backend to steal data. And because the app resides on the device itself, a compromised app gives an attacker a foothold from which to hijack the entire device and the information stored on it. It does not matter whether the device is corporate-owned or personal (BYOD): it is safe to assume that some form of corporate data is stored on every device an employee has access to.
Protect enterprise mobile devices and data from API vulnerabilities
These vulnerable APIs threaten not only companies' profits, reputation and viability, but also their sensitive data and that of their customers and partners.
Fortunately, there are ways to protect against these threats. First, create a shared understanding of the threats facing enterprise applications so that everyone is working from the same baseline. That awareness makes clear that the corporate mobile apps on employees' phones expose corporate data to exfiltration unless those apps are managed or clearly segregated.
A good step towards protecting against vulnerable APIs is a strategy that separates corporate data from the device itself, a process better known as containerization. Another critical factor is strong encryption that secures data at every stage of its journey, both in transit and at rest; I recommend AES with 256-bit keys.
In addition, organizations should incorporate stronger authentication around access to sensitive data.
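The encryption recommendation above, shown as an added example that is not part of the original article: AES-256 on its own only gives confidentiality, so data stored inside a container should use an authenticated mode such as AES-256-GCM, which also detects tampering. This Go program (standard library only) seals a record, binds it to a context string via additional authenticated data, and shows that a single flipped bit is rejected rather than decrypted to garbage. The app identifier, user id and record contents are constructed for the demo, and the program assumes the key is supplied by the platform keystore (Android Keystore or iOS Keychain) rather than embedded in the app, which is exactly how the leaked keys discussed earlier ended up in attackers' hands.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// Seal encrypts plaintext with AES-256-GCM under key and returns
// nonce || ciphertext || tag. aad (additional authenticated data) is not
// encrypted but is bound to the ciphertext, so a blob copied to another
// app or user context fails to open. The key is assumed to come from the
// platform keystore, never from app code or a config file.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per message: reusing a nonce under the same key
	// breaks both confidentiality and authenticity of GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext or tag, or a
// mismatched aad, makes gcm.Open fail before any plaintext is released.
func Open(key, envelope, aad []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed demo key; a real app fetches it from the keystore.
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Hypothetical app id and user id used as the binding context.
	aad := []byte("com.example.corpapp|user=42")
	record := []byte(`{"customer":"ACME","note":"renewal due Q4"}`)

	blob, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}
	out, err := Open(key, blob, aad)
	fmt.Printf("decrypted: %s (err=%v)\n", out, err)

	// Flip one bit of the tag: decryption must fail, not return garbage.
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, blob, aad)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The nonce is stored in front of the ciphertext because GCM needs it to decrypt but it is not secret; the tag appended by Seal is what makes tampering detectable. Binding the app and user identity through aad means a blob lifted from one container cannot be replayed into another even with the same key.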
Conclusion
Threat actors seeking to exploit API vulnerabilities pose numerous challenges, and those challenges will only grow as the API attack surface continues to expand. While these concerns may seem daunting at first, enterprises can proactively take steps to secure their applications and devices.
Building additional security into the development process is a big step, but it is sometimes a luxury that businesses relying on third-party applications cannot afford or lack the visibility to pursue. Therefore, enterprises must think strategically about how these applications interact with enterprise data and add the authentication steps that protect it.