As mobile APIs become more full-featured and rich, they depend more heavily on data, key stores and connectivity profiles, each of which can open new attack vectors. This drives the need for better security and best practices to close those vulnerabilities.
Gartner's research predicts that API abuse will be the number one attack vector for data breaches by 2020, and NowSecure reported in a post that 85% of mobile applications fail to secure at least one of OWASP's Mobile Top 10 criteria.
Tom Tovar, the CEO of Appdome, a no-code mobile solutions security platform, told SD Times that 5-10 years ago, the onus was on consumers to protect their own data. Now, developers are picking up the flag of security and doing this on behalf of the user.
“Proper security is always a layered approach. There’s no silver bullet to block all of the threats, and you have to release apps into the public market,” Tovar said, adding that there are four key practices to help block the biggest vulnerabilities of mobile APIs.
The four key practices are:
- Protecting the connection: if cybercriminals can spoof a connection or intercept communications, they can mount a devastating man-in-the-middle attack.
- Including jailbreak and root protection: jailbreaking gives cybercriminals complete control over the app, so APIs must be protected against being abused in this way.
- Securing authentication and access: many apps use APIs that do not require secure authentication, giving anyone access to sensitive data.
- Encrypting the data: data used by APIs must be encrypted to protect it against interception and manipulation.
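The third practice is the easiest to make concrete. The following is an added illustration, not code from the article or from Appdome: a minimal profile endpoint written twice, first as an API that hands back a record to anyone who knows the URL, then hardened so that it refuses plain-HTTP requests, requires a bearer token (issued at random and stored only as a hash), and lets a caller read only their own record. The `PROFILES` and token store are constructed sample data, and `handle_profile_insecure` / `handle_profile` are names chosen for this example.

```python
import hashlib
import re
import secrets

# Constructed sample data: the sensitive records the API serves.
PROFILES = {
    "alice": {"email": "alice@example.invalid", "card_last4": "4242"},
    "bob": {"email": "bob@example.invalid", "card_last4": "0005"},
}

# Constructed token store: SHA-256(token) -> user id. Keeping only the hash
# means a leaked store does not contain usable bearer tokens.
_TOKEN_STORE: dict = {}

_PATH_RE = re.compile(r"^/users/([A-Za-z0-9_-]+)/profile$")


def issue_token(user_id: str) -> str:
    """Create a random bearer token for user_id and record only its hash."""
    token = secrets.token_urlsafe(32)
    _TOKEN_STORE[hashlib.sha256(token.encode()).hexdigest()] = user_id
    return token


def _user_from_token(token: str):
    """Resolve a presented token to a user id, or None if unknown."""
    return _TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())


def _user_from_path(path: str):
    """Extract the user id from /users/<id>/profile, or None if malformed."""
    match = _PATH_RE.match(path or "")
    return match.group(1) if match else None


def handle_profile_insecure(request: dict) -> tuple:
    """'Before': no authentication at all. Anyone who guesses a user id in the
    path, over any transport, receives that user's record."""
    user = _user_from_path(request.get("path", ""))
    if user is None or user not in PROFILES:
        return 404, {"error": "not found"}
    return 200, {"user": user, "profile": PROFILES[user]}


def handle_profile(request: dict) -> tuple:
    """'After': TLS required, bearer token required, and the caller may only
    read the record that belongs to the authenticated user."""
    if request.get("scheme") != "https":
        # Credentials must never travel over a connection an attacker can read.
        return 403, {"error": "TLS required"}

    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    caller = _user_from_token(auth[len("Bearer "):])
    if caller is None:
        return 401, {"error": "invalid token"}

    requested = _user_from_path(request.get("path", ""))
    if requested is None or requested not in PROFILES:
        return 404, {"error": "not found"}
    if requested != caller:
        # Authenticated, but not authorized for someone else's data.
        return 403, {"error": "forbidden"}
    return 200, {"user": caller, "profile": PROFILES[caller]}


if __name__ == "__main__":
    token = issue_token("alice")
    good = {"scheme": "https", "path": "/users/alice/profile",
            "headers": {"Authorization": "Bearer " + token}}
    print(handle_profile_insecure({"scheme": "http", "path": "/users/bob/profile", "headers": {}}))
    print(handle_profile(good))
    print(handle_profile({**good, "path": "/users/bob/profile"}))
```

The request is modelled as a plain dict so the logic runs without a web framework; in a real service the same checks sit in middleware in front of every route, and the token store is backed by a database or an identity provider rather than an in-memory dict.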
Tovar added that there is great demand for security engineers, and that the current pace of app development is driving new no-code tools for securing those applications.
“Mobile app security is a highly specialized skill. There are really amazing, knowledgeable security engineers out there in the world. But there’s not enough of them, and if you’re a mobile developer, you might have 2k developers building the app and 2 people securing it,” Tovar said. “We want to solve this human problem with technology to code these four layers of security into an app without relying on humans writing code.”