Securing APIs in an Open Banking Platform


Open-banking application programming interfaces enable financial institutions, retailers and fintech companies to share account details and transactions, but there are serious concerns over the safekeeping of information passing through them.

A recent Trend Micro study, “The Risks of Open Banking,” found more than 50 institutions’ APIs with serious security flaws and reported, “Financial institutions have had a history of exposing personally identifiable information in the URLs of their existing APIs and legacy systems.”

The situation at smaller fintech startups, which have limited security resources, is even worse, pointed out Tom Tovar, CEO and co-creator of Redwood City, Calif.-based Appdome, which provides a no-code mobile solutions platform.

Appdome recently announced the availability of SecureAPI, a no-code, client-side solution to secure APIs inside mobile apps. According to Tovar, mobile apps contain hundreds of APIs that make thousands of calls to back-end servers daily. When unsecured APIs are attached to mobile apps, they often allow cybercriminals to compromise the mobile app and the API back end, and make it easier for them to steal transaction and personal information.

Some of the API security problems Appdome pointed out involve privacy-sensitive and transaction data, and authentication parameters in URLs; outdated protocols enabling attacks on third-party servers; and allowing unsecured APIs to take over mobile apps.

Tovar explained two things are common in the consumer mobile universe. Number one, as highlighted in a report from the Open Web Application Security Project, or OWASP, an international non-profit organization dedicated to web application security, 85% of mobile applications do not protect against any of its listed top 10 security risks. These hazards consist of injection attacks, broken authentication vulnerabilities, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. “That’s just a staggering notion out there,” Tovar admitted.

SecureAPI lets developers guard API workflows inside Android and iOS apps, including protecting keys, access tokens, secrets, URLs, connections and all data retrieved via the API inside the app, using multi-layer security features such as encryption, obfuscation, shielding and transport layer security enforcement.

“The growth of mobile app APIs, API economy, and open mobile banking initiatives leave developers looking for better ways to secure APIs inside mobile apps,” Tovar said. “SecureAPI solves the challenge of mobile client trust, safeguarding the integrity of mobile APIs against hacks and leaks.”

Tovar pointed out financial information is valuable if it is open to third-party developers. With that come some challenges and real concerns for the financial institution opening up data via an API. “You’ve spent your life protecting this data, or you’ve spent millions of dollars protecting consumers’ information, accounts, etc.” The app developer has responsibilities to protect that data and the financial institution customer. Tovar suggested, “It raises some, fairly straightforward, security issues. How do you maintain the integrity of the data? How do you maintain the security of the connection? How do you maintain the keys to the kingdom?”

The Appdome CEO recommended making sure to encrypt the data; shield the credentials of the API itself and how the mobile application or the mobile system connects to the API; and protect the connection between the mobile experience and the back end.

Tovar added another vulnerability is the capability of a user or malicious app to perform a jailbreak (for iOS devices) or rooting (for Android devices), where an exploit removes the manufacturer or carrier restrictions from a device. The Appdome CEO called this masquerading of the operating system “perhaps one of the biggest threats out in the consumer world today.”

Tovar underlined the top four golden rules for credit unions using APIs in mobile apps:

  1. Have jailbreak and root prevention in the app.
  2. Have protected authentication and access.
  3. Encrypt the data that comes through the API.
  4. Protect against man-in-the-middle attacks, where people can spoof the communication from the client to the server.

“The good news is Appdome solved these challenges. We provide the data encryption and trusted connection, secure credentials storing, as well as a variety of APIs, shields, even security and optimization, capabilities,” Tovar said. “Our primary advantage is that we provide this in a no-code instant delivery format. If you are looking to bring an API into your app, or if you are looking simply to secure mobile app data or mobile app users, you can achieve that outcome on Appdome, in about 30 seconds or less with nobody doing any coding whatsoever.”

Tovar also proposed two other security mechanisms: code obfuscation, which prevents hackers from getting the code, and app shielding, which prevents an attacker from changing the application.

Tovar said, “From a credit union’s perspective, you could use SecureAPI to move APIs onto Appdome so mobile developers when they implement their API on your platform get all the security features. As a credit union, I don’t have to think about [app security] anymore.”