The App Security Vulnerability Google Can't Check
February 13, 2020

Harshit Agarwal
AppKnox

The apps we download from reputable outlets, such as Google Play or Apple's App Store, aren't always what they seem. As recently as September 2019, 172 harmful apps — with an immense 335 million installs — were found to contain issues such as adware, malware, and even credit card phishing.

Ensuring the safety of the apps we use every day is essential. Consumers need to know their app stores are offering vetted downloads. At the same time, personal discretion is essential — knowing not to allow access permissions on a simple flashlight app, for example, is part of technological literacy.

Yet even when common sense is taken into account, developers, consumers, and anyone with a smartphone still remains at risk. When the issue lies in the very APIs an app uses, the publishers cannot tell which ones are risky to download and which ones are safe. Virtually all apps use APIs, sometimes as many as dozens or hundreds.

To understand where the problem lies, we have to look toward where the issue begins — and how to bring an end to these potential risks without sacrificing everything APIs have allowed us to do in the 2020s.

Rise Of The Shadow APIs

If the term shadow API sounds insidious, it's because it should. The term refers to APIs that have been overlooked, forgotten, or ignored in the development process; the app's creators simply aren't aware they're in use. These APIs have the same accesses and permissions as the others utilized in any given app, however, because they remain in the shadows, they can potentially be exploited by hackers for a variety of nefarious purposes.

The risks of such untracked APIs only grows as app development becomes easier. Agile development has lowered the skills needed to produce and deploy an application, largely due to the reliability and proliferation of API integration. This increased rate of productivity touches other sectors as well, such as the Internet of Things, which relies just as heavily on APIs as mobile apps.

It's this proliferation that causes security professionals to worry, with Gartner predictingAPIs will become the number one source of data breaches by 2022. A shadow API is an enticing security loophole for anyone capable and willing to exploit one. Knowing how to cut down on this risk is as essential as creating the app itself.

Bringing Light To APIs

Shadow APIs accumulate the same way our homes become cluttered. Gifts and gadgets we no longer need end up on shelves and in closets, rarely (if ever) in use, gathering dust.

The only way to declutter is to get rid of unwanted items. In the same way, app developers need to make an assessment: which APIs are necessary for the application to function?

Taking stock of what APIs are integrated into a release is the first step in reducing risk. Too often, developers overlook the danger associated with having an app's functionality affected by an API that isn't fully vetted or secure.

After discovery, the next step is diagnosis. Rigorously testing and researching APIs to ensure their safety may add time to an app's overall development, yet it's a small price to pay for the ease of mind. The last thing any developer wants is to release an app that is exploitable by a third-party. Such an issue would not only nullify the app's utility, but also bring damage to the company's reputation.

Even as we look ahead to 2020, there are enterprises which believe their security protocols cannot be hacked. With the increasing proliferation of cloud computing, along with the increasing ease of app development, what may be a low-priority risk now can end up becoming a massive problem. Reducing risk today, through identifying and diagnosing potentially harmful APIs, ensures product safety well into the future — while leaving the most useful APIs intact, alongside a company's reputation for trusted security.

Harshit Agarwal is Founder and CEO of AppKnox
Share this

Industry News

November 24, 2020

Red Hat announced new capabilities and features for Red Hat OpenShift, the company's enterprise Kubernetes platform.

November 24, 2020

Sectigo released Chef, Jenkins, JetStack Cert-Manager, Puppet, and SaltStack integrations for its certificate management platform.

November 24, 2020

DataStax released K8ssandra, an open-source distribution of Apache Cassandra on Kubernetes.

November 23, 2020

Spectro Cloud has released a new, self-hosted version of its flagship product, Spectro Cloud.

November 23, 2020

GitLab completed integration of Peach Tech, a security software firm specializing in protocol fuzz testing and dynamic application security testing (DAST) API testing, and Fuzzit, a continuous fuzz testing solution providing coverage-guided testing.

November 23, 2020

Fugue announced the availability of its SaaS product in AWS Marketplace, further simplifying the process for Amazon Web Services customers to use Fugue to bring their environments into compliance quickly, demonstrate compliance at any time, and Shift Left on cloud security.

November 19, 2020

Rollbar announced AI-assisted workflows powered by its new automation-grade grouping engine.

November 19, 2020

Buildkite expanded its integration with GitHub and introduced a new onboarding experience.

November 19, 2020

Rancher Labs launched a new Partner Program for the OEM and embedded community.

November 18, 2020

Puppet announced its evolution to an integrated automation platform to enable key business initiatives such as scaling DevOps, risk reduction, policy as code, and evolving cloud strategies.

November 18, 2020

Adaptavist has joined the GitLab partner program as a Select partner.

November 18, 2020

Postman launched the beta version of public workspaces, a hub that makes it possible for both API producers and consumers to seamlessly communicate and collaborate in real time without team or organizational boundaries.

November 17, 2020

Red Hat introduced new capabilities for Red Hat Enterprise Linux and Red Hat OpenShift intended to help enterprises bring edge computing into hybrid cloud deployments.

November 17, 2020

Humio announced the availability of the Humio Operator.

November 17, 2020

Accurics announced that Terrascan, the open source static code analyzer that enables developers to build secure infrastructure as code (IaC), has been extended to support Helm and Kustomize.