APIs – friend or foe?

APIs are everywhere in modern day life. We rely on them to access services on mobiles, tablets and laptops. Without them our day-to-day life wouldn’t be the same. Yet they are also increasing the attack surface. Are they really a friend to e-commerce or to cybercrime?

e-Commerce’s friend
APIs are not new. They’ve been around a long time. APIs are key to building scalable web-based applications because they allow and manage the interaction between two connected online services.

As the world becomes ever more connected, APIs have become an essential and increasingly prolific part of online commerce. After all, APIs let companies share core assets and business processes for others to integrate with. They help businesses reach more consumers, launch innovative services and enter new markets.

APIs are at work when you are watching Netflix, chatting on social networks, paying through an online payment mechanism such as PayPal, and even when you reset a forgotten password from the link in your email.

Cybercrime’s friend
Not only are APIs a conduit for consumers to access devices and online services, they are also an entry point for hackers and cybercriminals.

Depending on the developer’s diligence, APIs are often a weak point: they can be exploited to gain unauthorized access and expose customer data or backend server applications. How is this possible?

Hackers take advantage of vulnerabilities such as the lack of tiered authorization, where the developer leaves every caller with “administrator” rights, or the ability to reuse the same ID token in a repeat session. Hackers do their research. And with more developers relying on cloud-based tools to automate building code and deploying services, insecurely deployed services become easier to find: hackers use algorithms to scan these sites for exposed APIs. Using parameter, identity or man-in-the-middle attacks, they then steal tokens or keys to sock-puppet the website or app and perform actions as if they were you.
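To make the two weaknesses named above concrete, here is an added example that is not code from the original post or from Irdeto: a toy in-memory API in Python with an endpoint that skips tiered authorization and accepts a token forever, next to hardened endpoints that check the caller’s tier, expire tokens, bind a password-reset token to a single use and let a user read only their own record. Every user, role, token, endpoint and record in it is constructed for the illustration.

```python
# Added example (not code from the original post or from Irdeto): a toy in-memory
# API contrasting an endpoint with no tiered authorization and no token expiry
# against hardened endpoints. Every user, role, token and record is constructed.
import secrets
from dataclasses import dataclass

ROLE_RANK = {"user": 1, "admin": 2}   # the authorization tiers


@dataclass
class Session:
    user: str
    role: str           # tier: "user" or "admin"
    scope: str          # "session" for a login, "reset" for a one-shot reset link
    expires_at: float
    consumed: bool = False


class ApiServer:
    def __init__(self, clock):
        self.clock = clock        # injectable so expiry can be tested without sleeping
        self.sessions = {}        # token -> Session
        self.customers = {        # constructed sample records
            "alice": {"email": "alice@example.test", "password": "hunter2"},
            "bob": {"email": "bob@example.test", "password": "letmein"},
        }

    def issue(self, user, role, scope, ttl):
        token = secrets.token_urlsafe(32)   # unguessable, never derived from user data
        self.sessions[token] = Session(user, role, scope, self.clock() + ttl)
        return token

    # Weak endpoint: any known token reads any record, and the token never expires.
    def weak_get_customer(self, token, customer):
        if token not in self.sessions:
            return 401, None
        return 200, self.customers.get(customer)

    # Hardened path: every endpoint goes through one authorization check.
    def _authorize(self, token, required_role, scope="session"):
        s = self.sessions.get(token)
        if s is None:
            return None, 401
        if self.clock() >= s.expires_at:
            del self.sessions[token]        # expired tokens are dropped
            return None, 401
        if s.scope != scope:
            return None, 403                # a reset link is not a login
        if scope == "reset":
            if s.consumed:
                return None, 401            # replay of a one-shot token
            s.consumed = True
        if ROLE_RANK[s.role] < ROLE_RANK[required_role]:
            return None, 403                # authenticated, but wrong tier
        return s, 200

    def get_customer(self, token, customer):
        s, status = self._authorize(token, "user")
        if s is None:
            return status, None
        if s.user != customer and s.role != "admin":
            return 403, None                # users may read only their own record
        return 200, self.customers.get(customer)

    def delete_customer(self, token, customer):
        s, status = self._authorize(token, "admin")
        if s is None:
            return status, None
        self.customers.pop(customer, None)
        return 204, None

    def reset_password(self, token, new_password):
        s, status = self._authorize(token, "user", scope="reset")
        if s is None:
            return status, None
        self.customers[s.user]["password"] = new_password
        return 200, None


def demo():
    """Run the scenario and return the status code each request received."""
    now = [1_000_000.0]                    # mutable fake clock
    api = ApiServer(lambda: now[0])
    bob = api.issue("bob", "user", "session", 300)
    admin = api.issue("carol", "admin", "session", 300)
    r = {}
    r["weak_cross_read"] = api.weak_get_customer(bob, "alice")[0]   # 200: exposed
    r["hard_cross_read"] = api.get_customer(bob, "alice")[0]        # 403
    r["hard_own_read"] = api.get_customer(bob, "bob")[0]            # 200
    r["user_delete"] = api.delete_customer(bob, "alice")[0]         # 403
    r["admin_delete"] = api.delete_customer(admin, "alice")[0]      # 204
    reset = api.issue("bob", "user", "reset", 600)
    r["reset_as_login"] = api.get_customer(reset, "bob")[0]         # 403
    r["reset_first_use"] = api.reset_password(reset, "n3w-pass")[0] # 200
    r["reset_replay"] = api.reset_password(reset, "attacker")[0]    # 401
    now[0] += 301                                                   # past the 300 s TTL
    r["weak_after_expiry"] = api.weak_get_customer(bob, "bob")[0]   # 200: still works
    r["hard_after_expiry"] = api.get_customer(bob, "bob")[0]        # 401
    r["bob_password"] = api.customers["bob"]["password"]            # "n3w-pass"
    return r
```

The weak endpoint is what the post describes: it only asks whether a token exists, so a low-tier user reads other customers’ records and a leaked token stays usable indefinitely. The hardened endpoints funnel every request through one check that enforces expiry, scope, single use and tier, and then add an object-level rule so a user sees only their own record. Run `demo()` to see the status codes side by side.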

Security’s friend
Imagine another scenario. The program becomes the key. It is essentially blended into the device or application, a bit like a ship in a bottle: once in, it can’t be removed. And even if someone tries to smash the bottle, the program is self-defending. Such a scenario is possible.

With Irdeto’s cloaked.JS & cloaked.Apps you have a secure area in which to execute code and store data. It’s possible to be alerted to any tampering by an extension or other software on the consumer’s device. On top of that, an extra layer of encryption can be added to the traffic between the browser and the provider.

It’s time to change the view that you can’t trust the browser. With the right technology, APIs don’t need to be the weak link in the connected world.