Shielding APIs that Serve Mobile Applications: Part 4 – When?

In the final part of this four-part series, we’ll recommend what actions you should take and when you should take them in order to implement effective shielding of your mobile app and the APIs it uses.

Cybersecurity Live - Boston

In part 1 we looked at threats to APIs and mobile apps; in part 2 we examined the active attack surfaces available to hackers on a mobile-centric platform; and in part 3 we looked at some methods you could use to defend your platform against attacks of all kinds.

Here is a reminder of some of the main observations from previous articles in the series:

  • Protecting a business that relies on mobile apps to interact with its customers requires end-to-end security, as multiple attack surfaces are at play.
  • Defending against API vulnerabilities is not enough on its own; protection against API abuse via scripts that *not* exploit vulnerabilities must also be deployed.
  • By ensuring that only genuine instances of your mobile application can use your API, you insulate your mobile business from API abuse and the exploitation of API vulnerabilities.

So what should your approach be to protecting a mobile-first business, and in what order should you take the necessary steps? It’s tempting to focus on finding vulnerabilities in your APIs first so you can remove them and sleep better at night. However, setting up a basic shield first should be your immediate priority.

We suggest the following steps, in order of priority, to start immediately:

  1. Implement a shield for your mobile app and its APIs. In this context, a shield is something that can protect your data at rest and/or in transit from leaks and large-scale exploitation.
  2. Implement the basics of security in your mobile platform if they are not already in place, i.e. obfuscation of mobile app code and certificate pinning.
  3. Implement a regular pentesting program, using external resources to scan for vulnerabilities and verify the abuse resilience of your APIs.
  4. Implement a plan, based on pentesting results, to patch vulnerabilities in your API and adopt a secure-by-design development methodology to reduce the risk of introducing future vulnerabilities.

We hope you have found this blog series informative and useful. If anything is unclear, if you would like to ask a question, or if you would like to speak to one of our Mobile Application/API Security Experts, please get in touch.

Start with Approov!

*** This is a syndicated Security Bloggers Network blog from Approov Blog written by David Stewart. Read the original post at:

Casey J. Nelson