Co-authored by Prashanth Thandavamurthy.

A server API (application programming interface) is a set of instructions that applications running on desktops, websites, mobile devices or connected devices use to interact with server-side applications, including in the Internet of Things (IoT).

APIs are transforming the way we develop applications and do business. APIs:

  • Make development more like building blocks, easily integrating numerous shared modules and reducing time to market;
  • Enable developers to tap into best-of-breed, off-the-shelf functionalities that they otherwise might have had to write from scratch (e.g., supporting navigation and translation); and
  • Enable new ecosystems and partnerships.
    • IBM, for example, now allows access to Watson via APIs and is thus opening up access to Watson’s cognitive computing prowess to millions.
    • Popular apps have integrated APIs from payment providers such as Square, Stripe and PayPal to process in-app digital payments.

API Usage Is Skyrocketing

Given the strategic value of APIs, adoption of APIs is growing at an unprecedented rate:

  • There are over 14,000 APIs offered by companies today, according to ProgrammableWeb.
  • A recent Harvard Business Review report noted that Salesforce generates 50 percent of its revenue through APIs, Expedia generates 90 percent and eBay sits at 60 percent.
  • The Centers for Medicare & Medicaid Services, a division of the U.S. Department of Health and Human Services, is introducing policies to make APIs a mandatory industry standard for health care interoperability. This requires health care providers and professionals to open up APIs as a way to facilitate transmission of sensitive patient data.

APIs Introduce New Risks That Cybercriminals Are Capitalizing On

Attackers often use client apps as an attack gateway to back-end servers by creating unofficial APIs and using them to build unauthorized apps for malicious purposes. This can result in exposed applications and sensitive data on those back-end servers.

Scott Crawford, research director for information security at 451 Research, said, “Many organizations are embracing APIs with speed and agility in mobile app development in mind, but if they do not seriously consider the security controls required to secure connections, they may be exposing themselves to more risk than they realize.”

How Do Attackers Gain Unauthorized Access to Your Server Assets Via API Calls?

Let’s review an example of a mobile client app that utilized an API to access functionality residing on a back-end server.

The client app on a mobile device communicates with its app server through APIs to authenticate each user and to send and receive relevant data. Attackers who wish to make their own version of the client app can reverse engineer the app, analyze the APIs and reimplement them in a new program that communicates with the same servers. The cracked version of the original app may have altered functionality or could gain access to the API server for malicious purposes.


How Can You Prevent Unauthorized Access?

The good news is there are steps you can take to secure APIs and protect the crown jewels that reside on your servers or are managed by your applications.

Authentication is widely used by most API management solutions to confirm that the client app is genuine and authorized to utilize server assets. This is typically done using a simple challenge-response exchange as the client app tries to connect to the API server. A challenge-response exchange is a cryptographic operation, which means the mobile client generally contains a private key for an asymmetric algorithm such as RSA or ECC.

The following steps are typically involved in the process:

  1. The client sends a request for access to the server.
  2. The server generates a random set of data and sends it to the client as the challenge.
  3. The client performs the cryptographic operation on the server-provided data using its private key and sends the resulting response back to the server.
  4. The server validates the response and, if it is valid, grants the client access.

Is Authentication Sufficient to Secure APIs?

Most API management solutions offer authentication and access control policies as the only security measures. These measures act as a good first line of defense, but they are not sufficient.

An attacker can decompile the original client app and lift the cryptographic key within it, using that same key in the cloned or cracked version of the app in order to pass the challenge-response test.
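The four-step exchange above, and the reason a lifted key defeats it, can be seen in a small model of both sides. The following Go program is an added example written for this page; it is not code from the original post, from IBM or from Arxan. It assumes ECDSA over P-256 as the asymmetric algorithm, a 32-byte random nonce as the challenge, and a server that keeps each outstanding challenge in an in-memory map keyed by a session identifier; all names (`Client`, `Server`, `Authenticate`, the session strings) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Client models the app side of the exchange. The private key is the secret
// that ships inside the mobile binary (generated fresh here; a real app would
// embed it, which is exactly what an attacker tries to lift).
type Client struct {
	priv *ecdsa.PrivateKey
}

// NewClient generates a P-256 key pair for the genuine app.
func NewClient() (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

// Server trusts one public key (the genuine app's) and remembers the
// outstanding challenge per session so that each nonce is used exactly once.
type Server struct {
	trustedPub *ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer(pub *ecdsa.PublicKey) *Server {
	return &Server{trustedPub: pub, challenges: make(map[string][]byte)}
}

// IssueChallenge covers steps 1 and 2: the client asks for access and the
// server answers with 32 random bytes tied to the session.
func (s *Server) IssueChallenge(session string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[session] = nonce
	return nonce, nil
}

// Respond is step 3: the client signs the SHA-256 digest of the challenge
// with its private key and returns the ASN.1-encoded ECDSA signature.
func (c *Client) Respond(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Verify is step 4: the server checks the signature against the trusted
// public key. The challenge is deleted before checking, so a captured
// response cannot be replayed and a response to an unknown session fails.
func (s *Server) Verify(session string, sig []byte) (bool, error) {
	nonce, ok := s.challenges[session]
	if !ok {
		return false, errors.New("no outstanding challenge for session " + session)
	}
	delete(s.challenges, session)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(s.trustedPub, digest[:], sig), nil
}

// Authenticate runs the four steps end to end for one session.
func Authenticate(s *Server, c *Client, session string) (bool, error) {
	challenge, err := s.IssueChallenge(session)
	if err != nil {
		return false, err
	}
	resp, err := c.Respond(challenge)
	if err != nil {
		return false, err
	}
	return s.Verify(session, resp)
}

func main() {
	genuine, err := NewClient()
	if err != nil {
		panic(err)
	}
	srv := NewServer(&genuine.priv.PublicKey)

	ok, _ := Authenticate(srv, genuine, "session-1")
	fmt.Println("genuine app accepted:", ok) // true

	rewritten, _ := NewClient() // a rewritten client app with its own key
	ok, _ = Authenticate(srv, rewritten, "session-2")
	fmt.Println("app with a different key accepted:", ok) // false

	// The server only ever sees the key, never the app around it: a clone
	// that carries the lifted private key is indistinguishable from the original.
	clone := &Client{priv: genuine.priv}
	ok, _ = Authenticate(srv, clone, "session-3")
	fmt.Println("clone carrying the lifted key accepted:", ok) // true
}
```

The one-time-use nonce already rules out replaying a captured response, which is worth keeping in any real implementation. What the model makes explicit is the limit the text describes: the server's check binds the session to whoever holds the private key, not to the unmodified app, so the cloned client passes as long as the key it carries is the same. That is the gap the next two steps (hiding the key and detecting a modified or relocated app) are meant to close.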

Unfortunately, there are many examples of API attacks. In one hack of a popular messaging service app, information from thousands of users was stolen and published on 4chan. The company had not released an official API for public use, but that didn’t stop cybercriminals from reverse engineering the APIs to create unofficial programs of their own. The unofficial APIs were eventually used to build rogue apps. One developer even posted the unofficial API, which could be used to communicate with the messaging service’s servers.

These examples clearly illustrate the need for comprehensive API security measures, in addition to simple challenge-response based authentication, in order to mitigate APIs’ security risks.

We recommend the following steps:

Step 1: Secure Authentication Using White-Box Cryptography

White-box cryptography is a method for securely hiding cryptographic keys even if a cybercriminal has full access to the software. The original key material is converted to a new representation using a trapdoor function, a one-way, nonreversible transformation.

This new key format can only be used by the associated white-box cryptographic software, effectively hiding the key. With white-box cryptographic software in place, the attacker cannot find the key being used for the challenge-response process.

However, use of white-box cryptography alone is not enough. White-box cryptography hides keys securely, but a malicious actor could still decompile the original application, lift out the entire white-box software package and include it in the cloned version of the app. This code lifting technique is akin to removing the engine from one car and bolting it into another; no specialized knowledge of the engine's internals (or of the white-box implementation, in our example) is required.

Step 2: Apply Tamper Resistance Techniques to Prevent Code Lifting and App Attacks

Tamper resistance techniques, coupled with self-defense measures, can detect whether the white-box software is running inside the correct, unmodified application or has been moved into a new environment. They also make decompiling an app extremely difficult.

Tamper resistance techniques, which have runtime application self-protection (RASP) built in, can respond to runtime attacks with customizable actions and notify owners when apps are being modified.

These steps and the risks of APIs are further explained in the short video below:

https://www.youtube.com/watch?v=ey27m9sycwI

Educate Yourself on New API Risks

APIs transform the way we develop applications and provide enormous business value to those who take advantage of them. But if not properly protected with comprehensive security controls, they can also represent a significant risk.

When it comes to API protection, comprehensive security involves white-box cryptography solutions augmented by tamper resistance techniques in addition to basic challenge-response based authentication.

In an increasingly connected digital world, you don’t want to be the one infamous for your weak connections.

To Learn More

To learn more about effectively managing application security risk, read our “2016 State of Application Security” report.
