Do you have an unprotected web or mobile API? You might, whether you realise it or not. Web APIs are often used to connect mobile and web application to a backend database from a JavaScript front-end. These APIs, while not published on your website, still need to be protected from malicious attacks.
Let’s examine the five common risks encountered as a result of publishing unprotected APIs, and then identify how to mitigate them.
Risk #1: Uncontrolled API Access
Did you know that private, hidden APIs aren’t really hidden? Any developer can often reverse-engineer APIs used by web and mobile applications to understand how they work. Then they can simply use them for their own purpose, often unbeknownst to your business. When this happens, you:
Inability revoke API access: Since these ‘Accidental APIs’ often don’t require authentication tokens (or use shared tokens), there is no way to shutdown access for a specific application without disrupting all other web and mobile applications. Mobile apps will likely need to be updated to use a new key, and it may take some time before all installed versions are updated, causing downtime and loss of revenue.
Unlimited data/application usage: In addition, lack of proper authentication mechanisms allow developers to easily access any/all available data without restriction. Your valuable data is then exposed, without limitation, to anyone and without proper logging and auditing.
Mitigation: Implement API security to restrict access to the API, using standards such as OAuth 2.
Risk #2: Inability to Monitor, Monetize, and Scale
Accidental APIs lack monitoring capabilities, preventing any insight from who, and how, an API is used.
Lack of Usage Metrics/Insights: Lack of insight into what partners/applications are using the API, how they are using it, and where revenue opportunities may exist. This is most important for integration partners, as contract renewals may allow for an increase in revenue for partners that more heavily depend upon the API.
Lack of Consumption Awareness: APIs will change and without monitoring, you will have no idea which partners, internal departments, or integration partners use a particular part of the API that is being changed.
Lack of scalability: Lack of proper management prevent the ability to monitor and scale APIs. Often, APIs are co-deployed with other applications, which may limit the ability to easily deploy and scale quickly. This lack of rate limiting can overwhelm servers and reduce the performance of your application, or even render it unavailable.
Mitigation: Select and install an API management layer.
Risk #3 Added Maintenance Costs
Accidental APIs are often developed in a hurry, many times with little or no time spent to ensure that they have been designed to last. Issues often encountered as a result include:
Bad design: This results in slower development, hard-to-understand design, cryptic error messages (or none at all), and longer development time when debugging integration with mobile or web applications
Versioning issues: Lack of thoughtful design requires versioning an API, which will require dedicated time from mobile developers to fix and push one or more updates to mobile applications. This often requires maintaining multiple versions of the API for a longer period of time, costing the company 2-5x that of a well-designed product API
Lack of business value: Accidental APIs aren’t designed to deliver complete business value. Partner APIs will likely result in multiple, one-off partner or platform APIs for successful integration
Mitigation: Invest in a proper API design by applying practical design principles that will deliver high business value, reduce costs, and encourage reuse.
Risk #4: Lack of API Security
Until now, we have focused on risks that are related more to the business and daily operations. Now we enter the last two risks, where we see a more severe impact. These risks can not only affect business operations, they can also affect the longevity of the business and your customers. Accidental APIs open up a variety of security-related issues, including:
Insecure communications: Accidental APIs may be deployed without SSL, either if the primary application doesn’t require it or if the API is deployed haphazardly. This means that logins, passwords, and other sensitive data are sent in plain text and easily obtained.
Industry or business compliance failures: Lack of proper security precautions can often expose holes in the company’s PCI compliance, or other industry regulations.
Mitigation: Conduct a security audit of the API, implement the appropriate measures, and ensure TLS is used to encrypt API communication channels. You may wish to also consider an API management layer that implements authentication standards such as OAuth 2.
Risk #5: Malicious API Attacks and Compromised Data
The final risk is related to API attack vectors with the intent of compromising the system and its data. Accidental APIs tend to expose systems to the following vulnerabilities:
Denial of Service (DoS) attacks: Attackers can try to reduce or completely eliminate the system’s ability to service incoming calls by overwhelming the system with API calls, rendering the system unusable by internal, partner, and potentially public consumers of the API.
SQL injection attacks: SQL injection is a technique uses to try to access or modify data by attempting to alter SQL statements executed by the API endpoints, exposing data that was previously not available.
XML attacks: An XML attack is designed to compromise servers by sending large, invalid, or malformed XML content. Servers are often made unavailable due to memory leaks or high CPU usage when trying to process large or malformed content.
Mitigation: Conduct an operations audit of the API environment, a code review to prevent various attack vectors, and a thorough review of all data sent and received by the API.
How Protected Is Your API?
Without API protection, your API is vulnerable. It is time to install an API management layer in front of your API to protect your business and your digital assets. You can find out more about the various API attack vectors and how Tyk can protect your API in our previous article, “How Secure Is Your API?”.