The App Security Vulnerability Google Can't Check
February 13, 2020

Harshit Agarwal

The apps we download from reputable outlets, such as Google Play or Apple's App Store, aren't always what they seem. As recently as September 2019, 172 harmful apps — with an immense 335 million installs — were found to contain issues such as adware, malware, and even credit card phishing.

Ensuring the safety of the apps we use every day is essential. Consumers need to know their app stores are offering vetted downloads. At the same time, personal discretion is essential — knowing not to allow access permissions on a simple flashlight app, for example, is part of technological literacy.

Yet even when common sense is taken into account, developers, consumers, and anyone with a smartphone still remains at risk. When the issue lies in the very APIs an app uses, the publishers cannot tell which ones are risky to download and which ones are safe. Virtually all apps use APIs, sometimes as many as dozens or hundreds.

To understand where the problem lies, we have to look toward where the issue begins — and how to bring an end to these potential risks without sacrificing everything APIs have allowed us to do in the 2020s.

Rise Of The Shadow APIs

If the term shadow API sounds insidious, it's because it should. The term refers to APIs that have been overlooked, forgotten, or ignored in the development process; the app's creators simply aren't aware they're in use. These APIs have the same accesses and permissions as the others utilized in any given app, however, because they remain in the shadows, they can potentially be exploited by hackers for a variety of nefarious purposes.

The risks of such untracked APIs only grows as app development becomes easier. Agile development has lowered the skills needed to produce and deploy an application, largely due to the reliability and proliferation of API integration. This increased rate of productivity touches other sectors as well, such as the Internet of Things, which relies just as heavily on APIs as mobile apps.

It's this proliferation that causes security professionals to worry, with Gartner predictingAPIs will become the number one source of data breaches by 2022. A shadow API is an enticing security loophole for anyone capable and willing to exploit one. Knowing how to cut down on this risk is as essential as creating the app itself.

Bringing Light To APIs

Shadow APIs accumulate the same way our homes become cluttered. Gifts and gadgets we no longer need end up on shelves and in closets, rarely (if ever) in use, gathering dust.

The only way to declutter is to get rid of unwanted items. In the same way, app developers need to make an assessment: which APIs are necessary for the application to function?

Taking stock of what APIs are integrated into a release is the first step in reducing risk. Too often, developers overlook the danger associated with having an app's functionality affected by an API that isn't fully vetted or secure.

After discovery, the next step is diagnosis. Rigorously testing and researching APIs to ensure their safety may add time to an app's overall development, yet it's a small price to pay for the ease of mind. The last thing any developer wants is to release an app that is exploitable by a third-party. Such an issue would not only nullify the app's utility, but also bring damage to the company's reputation.

Even as we look ahead to 2020, there are enterprises which believe their security protocols cannot be hacked. With the increasing proliferation of cloud computing, along with the increasing ease of app development, what may be a low-priority risk now can end up becoming a massive problem. Reducing risk today, through identifying and diagnosing potentially harmful APIs, ensures product safety well into the future — while leaving the most useful APIs intact, alongside a company's reputation for trusted security.

Harshit Agarwal is Founder and CEO of AppKnox
Share this

Industry News

August 15, 2022

Gadget announced Connections, a major new feature that gives app developers access to building blocks that enable them to build and scale ecommerce apps in a fraction of the time, at a fraction of the cost.

August 15, 2022

Opsera is on the Salesforce AppExchange to help enterprise customers shorten software delivery cycles, improve pipeline quality and security, lower operations costs and better align software delivery to business outcomes.

August 15, 2022

Virtusa Corporation earned the DevOps with GitHub on Microsoft Azure advanced specialization, a validation of a services partner's deep knowledge, extensive experience and proven success in implementing secure software development practices applying DevOps principles and using Azure and GitHub solutions.

August 15, 2022

Companies looking to reduce their cloud costs with automated optimization can now easily procure CAST AI via Google Cloud Marketplace using their existing committed spend.

August 11, 2022

Granulate, an Intel Company, announced the upcoming launch of its latest free cost-reduction solution, gMaestro, a continuous workload and pod rightsizing tool for Kubernetes cost optimization.

August 11, 2022

Rezilion announced the availability of MI-X, a newly created open-source tool developed by Rezilion's vulnerability research team.

August 11, 2022

Contrast Security announced its enhanced application programming interface (API) security capabilities within the Contrast Secure Code Platform.

August 10, 2022

Mirantis made it even easier to integrate Mirantis Container Cloud into developer workflows and provide developers and operators with easy access and visibility into the Kubernetes clusters with the Mirantis Container Cloud Lens Extension announced today.

August 10, 2022

ArmorCode announced an integration with Traceable AI which will bring its data into the ArmorCode platform and improve Application Security Posture from code to cloud.

August 10, 2022

Quali unveiled enhanced features for its Torque platform to unify infrastructure orchestration and governance.

August 09, 2022

Veracode announced the enhancement of its Continuous Software Security Platform with substantial improvements to its integrated developer experience.

August 09, 2022

Normalyze announced General Availability for its Freemium offering, a self-serve, free platform that democratizes data discovery and classification in all three public clouds, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

August 09, 2022

Traceable AI announced enhanced capabilities to address more specific types of API attacks, including API abuse and misuse, fraud and malicious API bots, all of which contribute to serious data security and compliance challenges within organizations today.

August 08, 2022

Contrast Security announced that software composition analysis (SCA) is now available for free in CodeSec.

CodeSec offers free application security testing and SCA in a single, developer-friendly interface.

The new SCA feature will enable developers to easily identify vulnerable third-party libraries quickly and accurately, getting secure code moving in minutes.

August 08, 2022

CloudBees announced Anuj Kapur as President and CEO.