The App Security Vulnerability Google Can't Check
February 13, 2020

Harshit Agarwal
AppKnox

The apps we download from reputable outlets, such as Google Play or Apple's App Store, aren't always what they seem. As recently as September 2019, 172 harmful apps — with an immense 335 million installs — were found to contain issues such as adware, malware, and even credit card phishing.

Ensuring the safety of the apps we use every day is essential. Consumers need to know their app stores are offering vetted downloads. At the same time, personal discretion is essential — knowing not to allow access permissions on a simple flashlight app, for example, is part of technological literacy.

Yet even when common sense is taken into account, developers, consumers, and anyone with a smartphone still remains at risk. When the issue lies in the very APIs an app uses, the publishers cannot tell which ones are risky to download and which ones are safe. Virtually all apps use APIs, sometimes as many as dozens or hundreds.

To understand where the problem lies, we have to look toward where the issue begins — and how to bring an end to these potential risks without sacrificing everything APIs have allowed us to do in the 2020s.

Rise Of The Shadow APIs

If the term shadow API sounds insidious, it's because it should. The term refers to APIs that have been overlooked, forgotten, or ignored in the development process; the app's creators simply aren't aware they're in use. These APIs have the same accesses and permissions as the others utilized in any given app, however, because they remain in the shadows, they can potentially be exploited by hackers for a variety of nefarious purposes.

The risks of such untracked APIs only grows as app development becomes easier. Agile development has lowered the skills needed to produce and deploy an application, largely due to the reliability and proliferation of API integration. This increased rate of productivity touches other sectors as well, such as the Internet of Things, which relies just as heavily on APIs as mobile apps.

It's this proliferation that causes security professionals to worry, with Gartner predictingAPIs will become the number one source of data breaches by 2022. A shadow API is an enticing security loophole for anyone capable and willing to exploit one. Knowing how to cut down on this risk is as essential as creating the app itself.

Bringing Light To APIs

Shadow APIs accumulate the same way our homes become cluttered. Gifts and gadgets we no longer need end up on shelves and in closets, rarely (if ever) in use, gathering dust.

The only way to declutter is to get rid of unwanted items. In the same way, app developers need to make an assessment: which APIs are necessary for the application to function?

Taking stock of what APIs are integrated into a release is the first step in reducing risk. Too often, developers overlook the danger associated with having an app's functionality affected by an API that isn't fully vetted or secure.

After discovery, the next step is diagnosis. Rigorously testing and researching APIs to ensure their safety may add time to an app's overall development, yet it's a small price to pay for the ease of mind. The last thing any developer wants is to release an app that is exploitable by a third-party. Such an issue would not only nullify the app's utility, but also bring damage to the company's reputation.

Even as we look ahead to 2020, there are enterprises which believe their security protocols cannot be hacked. With the increasing proliferation of cloud computing, along with the increasing ease of app development, what may be a low-priority risk now can end up becoming a massive problem. Reducing risk today, through identifying and diagnosing potentially harmful APIs, ensures product safety well into the future — while leaving the most useful APIs intact, alongside a company's reputation for trusted security.

Harshit Agarwal is Founder and CEO of AppKnox
Share this

Industry News

June 17, 2021

Bitrise announced the release of its new enterprise-grade Mobile DevOps platform.

June 17, 2021

Perforce Software announces a partnership with Microsoft to deliver the free Enhanced Studio Pack, providing development tools in a click-to-start model on the Azure cloud.

June 17, 2021

Tigera announced the availability of Calico Cloud in the Microsoft Azure Marketplace.

June 16, 2021

Red Hat announced the general availability of Red Hat’s migration toolkit for virtualization to help organizations accelerate open hybrid cloud strategies by making it easier to migrate existing workloads to modern infrastructure in a streamlined, wholesale manner.

June 16, 2021

BrowserStack announced it has secured $200 million in Series B funding at a $4 billion valuation.

June 16, 2021

Harness announced significant platform updates that address gaps in today's developer and DevOps market.

June 15, 2021

Broadcom announced new capabilities for Value Stream Management (VSM) in its ValueOps software portfolio, seamlessly combining the proven investment planning features of Clarity™ with the advanced Agile management capabilities of Rally® software.

June 15, 2021

Copado announced its Summer 21 Release, opening up its platform for true multi-cloud DevOps for enterprise SaaS and low-code development.

June 15, 2021

SmartBear released a new plug-in for SwaggerHub API design to support IntelliJ IDEA, the popular Java-based integrated developer environment (IDE).

June 14, 2021

Accurics announced a technology partnership with GitLab as well as the general availability of its integration with GitLab's Static Application Security Testing (SAST) solution.

June 14, 2021

SmartBear released new versions and add-ons of test management solution, Zephyr Enterprise, with major upgrades for businesses in critical industries.

June 14, 2021

ShiftLeft has released a tool enabling businesses to independently benchmark and validate the accuracy of ShiftLeft CORE using the Open Web Application Security Project (OWASP) Benchmark Project, a Java test suite designed to evaluate the accuracy of vulnerability detection tools.

June 10, 2021

Contrast Security announced the release of Contrast Scan that revolutionizes static application security testing (SAST) with pipeline-native static analysis to analyze code and detect vulnerabilities early on in the software development life cycle (SDLC).

June 10, 2021

CyberArk announced the availability of CyberArk Cloud Entitlements Manager, CyberArk Endpoint Privilege Manager and CyberArk Workforce Identity on Amazon Web Services Marketplace (AWS Marketplace).

June 10, 2021

Komodor announced a $21 Million Series A funding round led by Accel.