UPDATED 09:22 EDT / MAY 15 2014

Inevitably imperfect : Security through vulnerability management

The discovery of a flaw that allows would-be hackers to reuse old security tokens to access Snapchat services and send bulk messages that cripple users’ iPhones (in effect, a denial-of-service attack) shows that the security problems with Snapchat’s API run deeper than first thought. The flaw was discovered by security researcher Jaime Sanchez earlier this year and highlighted the ease with which vulnerabilities can be exploited in applications and APIs that don’t have proper security measures in place.

While Snapchat’s API vulnerabilities have been exposed publicly, there will be countless other applications with similar issues. The fact is that it is almost impossible to build an application that is entirely secure.

With Gartner’s estimate that 102 billion mobile applications were downloaded in 2013 and Portio Research expecting that number to exceed 200 billion per year by 2017, this is not an issue that can be ignored. The revenue tied to mobile apps is equally impressive, with Portio expecting mobile app revenues to reach $63 billion by the same year. And as companies start to introduce mobile apps supporting wearable devices and connected appliances and vehicles, the consequences of application insecurities become greater.

However, building traditional safeguards such as authentication, single sign-on and authorization capabilities into each individual application is neither economical nor scalable. Rather than trying to build the perfectly secure application, developers should instead look to manage app vulnerabilities at the API level. The Snapchat experience has demonstrated the value of securing APIs.

In order to properly manage vulnerabilities at the API level, organizations and developers need to use an API management tool. API management tools provided by companies like Axway help organizations monitor API use, manage access, enforce policies around API use, protect user data and keep a record of all API calls. In particular, an API gateway is an important part of an API management solution, acting as a filter and enforcement point where API management policies and security updates are applied.

Managing vulnerabilities through API upkeep


So how does an organization manage vulnerabilities through API Management?


Monitor use: You can’t fix what you can’t see. API management tools give you the ability to see who is using your API and identify unusual use patterns with real-time visibility. These tools alert administrators and assist with investigations to get to the bottom of suspicious use. In the Snapchat example, people were bypassing the app and connecting to the API directly to look up phone numbers. This type of large-scale data harvesting would have been easy to spot with API monitoring tools.


Manage access: Once you’ve identified a suspicious user, you can either limit their access or block them entirely. It’s not always black and white, and malicious behavior can be harder to identify in apps that have less predictable use patterns. For this reason, you may want to apply soft limits and give disruptive users a ‘cooling off’ period to bring them back into line, for example by sending a warning email and limiting access through API throttling. In more severe cases, the best option will be to block the user outright. API gateways give you the ability to manage access and block or restrict access for specific users. In the case of Snapchat, as soon as the data harvesting attack was spotted, the user could have been blocked immediately.


Implement policies: API gateways also give you the ability to set policies and automate much of the API management process to block attacks before they occur. In the Snapchat example, the phone numbers that were being exposed could have been dynamically removed at the API level through the addition of content checking policies. Applying policies and rules about the nature of data that can be accessed, such as credit card numbers, contact details and addresses, can help ensure the security and privacy of all application users. Furthermore, settings such as ‘Deny by Default’ automatically block suspicious API calls, preventing security breaches from occurring. These policies can be set to block malicious behavior and unusual usage outright, or to apply soft limits to it, without interfering with normal use cases.


Protect data: Encryption, patching and virus protection can all be applied at the API level to increase the security of an application and protect user data. Rather than relying on consumers to download important updates with added security enhancements, patching and virus protection can instead be applied at the API gateway to protect user data. Data can also be encrypted to ensure only those at authorized endpoints can access information.


Record use: As more organizations open APIs to companies and developers, having a clean audit log will become increasingly important for the legal department. In many industries, sharing personal data or not adequately protecting user information can have serious legal consequences. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to notify patients if anyone accesses their records. And as APIs are increasingly used for B2B collaboration and information access, an audit trail for APIs will in many cases equal an audit trail for people accessing information. API management tools record who is using APIs, keeping an audit trail and providing evidence of exchanges between an attacker and the API. With leading API management tools, every single API call and interaction is recorded – nothing slips under the radar. These 24/7 recording capabilities ensure that accurate evidence of API usage is recorded and logged in a convenient and accessible manner. In the emerging API economy, legal battles may be won or lost on forensic data from API management tools.
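As an added, simplified illustration of the five capabilities above (this is example code written for this page, not code from the article, from Axway’s products, or from Snapchat), the following Python sketch of a gateway policy counts calls per client in a sliding window, applies a soft limit (throttling) before a hard block, redacts phone-number patterns from backend responses as a content-checking policy, and records every decision in an audit trail. The client names, request paths, limits and the backend response are all constructed for the example.

```python
import re
import time
from collections import defaultdict

# Constructed content-checking rule: a simple North American phone-number pattern.
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")


def fake_backend(path):
    """Constructed stand-in for the protected API; leaks a phone number in its reply."""
    return '{"path": "%s", "user": "alice", "phone": "555-123-4567"}' % path


class GatewayPolicy:
    """Hypothetical gateway enforcement point (monitor, manage access, policy, audit)."""

    def __init__(self, soft_limit=5, hard_limit=10, window=60):
        self.soft_limit = soft_limit    # calls per window before throttling starts
        self.hard_limit = hard_limit    # calls per window before the client is blocked
        self.window = window            # sliding window length in seconds
        self.calls = defaultdict(list)  # monitoring: client -> recent call timestamps
        self.audit = []                 # record use: (time, client, path, decision)

    def _recent_calls(self, client, now):
        # Drop timestamps that fell out of the window, then count what remains.
        self.calls[client] = [t for t in self.calls[client] if now - t < self.window]
        return len(self.calls[client])

    def handle(self, client, path, backend, now=None):
        """Return (decision, body): body is None when the call is not served."""
        now = time.time() if now is None else now
        self.calls[client].append(now)
        count = self._recent_calls(client, now)
        if count > self.hard_limit:
            decision, body = "blocked", None        # outright block
        elif count > self.soft_limit:
            decision, body = "throttled", None      # soft limit / cooling-off period
        else:
            # Policy: strip phone numbers from the response before it leaves the gateway.
            decision, body = "allowed", PHONE_RE.sub("[redacted]", backend(path))
        self.audit.append((now, client, path, decision))
        return decision, body


if __name__ == "__main__":
    gw = GatewayPolicy(soft_limit=2, hard_limit=4)
    for i in range(5):  # a constructed harvesting client hammering one lookup endpoint
        print(gw.handle("harvester", "/find_friends", fake_backend, now=100 + i))
    print(gw.audit)
```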

Preventing unwanted and unauthorized access to applications and data is critical, and the consequences of a security breach can be extremely costly in both financial and business terms. The best way to compensate for the inevitable flaws in applications is to manage these vulnerabilities at the API level. What are you doing to protect your applications? And what sort of API management capabilities does your organization possess?


About the Author


Mark O’Neill – Vice President, Innovation for API and Identity Management, Axway

Mark was founder and CTO at Vordel, a leader in REST and Web Services Security, acquired by Axway in 2012. Mark is the author of the book Web Services Security and a contributing author of Hardening Network Security, both published by McGraw-Hill/Osborne Media. He provides guidance on REST and Web Services Security to Fortune 100 and Global 500 firms and is a frequent speaker at key industry events such as the RSA Security Conference and Oracle Open World.

photo credit: Yuri Yu. Samoilov via photopin cc
