Co-authored by Prashanth Thandavamurthy.

A server API, or application programming interface, is a set of instructions that applications running on desktops, websites, mobile devices or connected devices use to interact with server-side applications in the Internet of Things (IoT).

APIs are transforming the way we develop applications and do business. APIs:

  • Make development more like building blocks, easily integrating numerous shared modules and reducing time to market;
  • Enable developers to tap into best-of-breed, off-the-shelf functionalities that they otherwise might have had to write from scratch (e.g., supporting navigation and translation); and
  • Are enabling new ecosystems and partnerships.
    • IBM, for example, now allows access to Watson via APIs and is thus opening up access to Watson’s cognitive computing prowess to millions.
    • Popular apps have integrated APIs such as Square, Stripe, PayPal and others to process in-app digital payments.

API Usage Is Skyrocketing

Given the strategic value of APIs, adoption of APIs is growing at an unprecedented rate:

  • There are over 14,000 APIs offered by companies today, according to ProgrammableWeb.
  • A recent Harvard Business Review report noted that Salesforce generates 50 percent of its revenue through APIs, Expedia generates 90 percent and eBay sits at 60 percent.
  • The Centers for Medicare & Medicaid Services, a division of the U.S. Department of Health and Human Services, is introducing policies to make APIs a mandatory industry standard for health care interoperability. This requires health care providers and professionals to open up APIs as a way to facilitate transmission of sensitive patient data.

APIs Introduce New Risks That Cybercriminals Are Capitalizing On

Attackers often use client apps as an attack gateway to back-end servers by creating unofficial APIs and using them to build unauthorized apps for malicious purposes. This can result in exposed applications and sensitive data on those back-end servers.

Scott Crawford, research director for information security at 451 Research, said, “Many organizations are embracing APIs with speed and agility in mobile app development in mind, but if they do not seriously consider the security controls required to secure connections, they may be exposing themselves to more risk than they realize.”

How Do Attackers Gain Unauthorized Access to Your Server Assets Via API Calls?

Let’s review an example of a mobile client app that utilized an API to access functionality residing on a back-end server.

The client app on a mobile device communicates to its app server using APIs to authenticate each user and to send/receive relevant data. Attackers who wish to make their own version of the client app can reverse engineer the app, analyze the APIs and implement them in a new program that can communicate with the same servers. The cracked version of the original app may have altered functionality or could gain access to the API server for malicious purposes.

Download the 2016 state of application security report from IBM Partner Arxan

How Can You Prevent Unauthorized Access?

The good news is there are steps you can take to secure APIs and protect the crown jewels that reside on your servers or are managed by your applications.

Authentication is widely used by most API management solutions to confirm that the client app is genuine and authorized to utilize server assets. This is typically done using a simple challenge-response exchange as the client app tries to connect to the API server. A challenge-response exchange is a cryptographic operation, which means the mobile client generally contains a secret key for an asymmetric cipher such as RSA or ECC.

The following steps are typically involved in the process:

  1. The client sends a request for access to the server.
  2. The server performs the cryptographic operation on a random set of data and sends the challenge to client.
  3. Client performs cryptographic operations on server-provided data using its secret key and sends the resulting response back to the server.
  4. Server authenticates and grants access to the client if the data sent is validated.

Is Authentication Sufficient to Secure APIs?

Most API management solutions offer authentication and access control policies as the only security measures. These measures act as a good first line of defense, but they are not sufficient.

An attacker can decompile the original client app and lift the cryptographic key within it, using that same key in the cloned or cracked version of the app in order to pass the challenge-response test.

Unfortunately, there are many examples of API attacks. In one hack of a popular messaging service app, information from thousands of users was stolen and published on 4chan. The company had not released an official API for public use, but that didn’t stop cybercriminals from reverse engineering the APIs to create unofficial programs of their own. The unofficial APIs were eventually used to build rogue apps. One developer even posted the unofficial API, which could be used to communicate with the messaging service’s servers.

These examples clearly illustrate the need for comprehensive API security measures, in addition to simple challenge-response based authentication, in order to mitigate APIs’ security risks.

We recommend the following steps:

Step 1: Secure Authentication Using White-Box Cryptography

White-box cryptography is a method for securely hiding cryptographic keys even if a cybercriminal has full access to the software. The original key material is converted to a new representation using a trapdoor function, which is a one-way and nonreversible shift.

This new key format can only be used by the associated white-box cryptographic software, effectively hiding the key. By using white-box cryptographic software, the attacker cannot find the key being used for the challenge-response process.

However, use of white-box cryptography alone is not enough. White-box cryptography hides keys securely, but a malicious actor could still decompile the original application, lift out the entire white-box software package and include it in the cloned version of an app. This code lifting technique is akin to removing the engine from one car and bolting it into another; no specialized knowledge of how the internals of the engine (or white-box implementation, in our hacking example) is required.

Step 2: Apply Tamper Resistance Techniques to Prevent Code Lifting and App Attacks

Tamper resistance techniques, coupled with self-defense measures, can detect if the white-box software is running in the correct, unmodified application or in a new environment. They also make decompiling an app extremely difficult.

Tamper resistance techniques, which have runtime application self-protection (RASP) built in, can respond to runtime attacks with customizable actions and notify owners when apps are being modified.

These steps and the risks of APIs are further explained in the short video below:

Educate Yourself on New API Risks

APIs transform the way we develop applications and provide enormous business value to those who take advantage of them. But if not properly protected with comprehensive security controls, they can also represent a significant risk.

When it comes to API protection, comprehensive security involves white-box cryptography solutions augmented by tamper resistance techniques in addition to basic challenge-response based authentication.

In an increasingly connected digital world, you don’t want to be the one infamous for your weak connections.

To Learn More

To learn more about effectively managing application security risk, read our “2016 State of Application Security” report.

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…