ShiftLeft released a new version of NextGen Static Analysis (NG SAST), including new workflows, purpose-built for developers that significantly improve security, while enhancing productivity.
The apps we download from reputable outlets, such as Google Play or Apple's App Store, aren't always what they seem. As recently as September 2019, 172 harmful apps — with an immense 335 million installs — were found to contain issues such as adware, malware, and even credit card phishing.
Ensuring the safety of the apps we use every day is essential. Consumers need to know their app stores are offering vetted downloads. At the same time, personal discretion is essential — knowing not to allow access permissions on a simple flashlight app, for example, is part of technological literacy.
Yet even when common sense is taken into account, developers, consumers, and anyone with a smartphone still remains at risk. When the issue lies in the very APIs an app uses, the publishers cannot tell which ones are risky to download and which ones are safe. Virtually all apps use APIs, sometimes as many as dozens or hundreds.
To understand where the problem lies, we have to look toward where the issue begins — and how to bring an end to these potential risks without sacrificing everything APIs have allowed us to do in the 2020s.
Rise Of The Shadow APIs
If the term shadow API sounds insidious, it's because it should. The term refers to APIs that have been overlooked, forgotten, or ignored in the development process; the app's creators simply aren't aware they're in use. These APIs have the same accesses and permissions as the others utilized in any given app, however, because they remain in the shadows, they can potentially be exploited by hackers for a variety of nefarious purposes.
The risks of such untracked APIs only grows as app development becomes easier. Agile development has lowered the skills needed to produce and deploy an application, largely due to the reliability and proliferation of API integration. This increased rate of productivity touches other sectors as well, such as the Internet of Things, which relies just as heavily on APIs as mobile apps.
It's this proliferation that causes security professionals to worry, with Gartner predictingAPIs will become the number one source of data breaches by 2022. A shadow API is an enticing security loophole for anyone capable and willing to exploit one. Knowing how to cut down on this risk is as essential as creating the app itself.
Bringing Light To APIs
Shadow APIs accumulate the same way our homes become cluttered. Gifts and gadgets we no longer need end up on shelves and in closets, rarely (if ever) in use, gathering dust.
The only way to declutter is to get rid of unwanted items. In the same way, app developers need to make an assessment: which APIs are necessary for the application to function?
Taking stock of what APIs are integrated into a release is the first step in reducing risk. Too often, developers overlook the danger associated with having an app's functionality affected by an API that isn't fully vetted or secure.
After discovery, the next step is diagnosis. Rigorously testing and researching APIs to ensure their safety may add time to an app's overall development, yet it's a small price to pay for the ease of mind. The last thing any developer wants is to release an app that is exploitable by a third-party. Such an issue would not only nullify the app's utility, but also bring damage to the company's reputation.
Even as we look ahead to 2020, there are enterprises which believe their security protocols cannot be hacked. With the increasing proliferation of cloud computing, along with the increasing ease of app development, what may be a low-priority risk now can end up becoming a massive problem. Reducing risk today, through identifying and diagnosing potentially harmful APIs, ensures product safety well into the future — while leaving the most useful APIs intact, alongside a company's reputation for trusted security.