The Growing Threat to Mobile APIs: Leaks, Lapses, and Robust Defences
Episode Title: The Growing Threat to Mobile APIs: Leaks, Lapses, and Robust Defences
Episode Notes:
In this episode of Upwardly Mobile, we delve into the escalating challenges surrounding API security for both web and mobile applications. We explore recent alarming trends, including the leakage of 39 million secret API keys and credentials from GitHub in 2024, highlighting the persistent threat of exposed authentication data such as API keys, credentials, and tokens. This has prompted GitHub to launch new security tools to combat the problem. According to GitHub, push protection blocks numerous secrets every minute, yet accidental exposure remains a significant cause of security incidents. Erin Havens from GitHub emphasises that developers handle numerous secrets daily, any of which can be unintentionally exposed, and that even seemingly low-risk secrets can give an attacker a foothold for lateral movement.

We also examine a real-world security lapse at API testing firm APIsec, which exposed customer data when an internal database was left connected to the internet without a password for several days. The exposed data, dating back to 2018, included names, email addresses, and details about the security posture of APIsec's corporate customers. Security research firm UpGuard discovered the leak. Initially downplayed by APIsec founder Faizel Lakhani, the exposed data was later confirmed to include sensitive customer information and even private keys for AWS and credentials for Slack and GitHub accounts. The incident underscores how severe even an unintentional lapse can be in the API ecosystem.

The episode further explores why mobile APIs are particularly vulnerable compared to web APIs. Client-side validation in mobile apps can be bypassed, the app binary is easier to reverse engineer, granular API endpoints increase the attack surface, and mobile apps may lack advanced security measures. Device-specific risks, such as rooted or jailbroken devices, also compromise app integrity. To counter these threats, integrating a Mobile SDK with attestation is crucial. Such SDKs provide runtime integrity checks, authenticate API calls, detect tampering, and enable dynamic token binding.

We discuss how traditional backend security solutions, like Web Application Firewalls (WAFs), may not be sufficient for mobile app protection because they lack contextual information from the client environment. A Mobile SDK can continuously verify contextual information from the app and the client environment, which is essential for reliably countering mobile threats. Two main types of Mobile SDKs for bot detection exist: those analysing user behaviour signals and those focusing on software-identity signals.

Approov emerges as a leading solution for mobile app and API security, providing visibility and protection through a positive authentication model that validates legitimate app and device actions while blocking bots and other threats. The Approov SDK integrates with mobile apps and continuously validates the app and device at runtime, allowing the app to present an authorised identity to the server. Approov also offers a unique way to protect API keys used by mobile apps, delivering them just-in-time only to validated apps and environments. Approov can integrate with any backend API gateway, WAF, or WAAP solution because it uses standard JWT tokens in requests.

The Q1 2025 State of API Security Report from Salt Security reveals critical insights into the broader API security landscape. Key findings include that 99% of organisations have encountered API security issues in the past year and 55% have slowed the rollout of new applications due to API security concerns. The report highlights that 95% of attack attempts originate from authenticated users and 98% target external-facing APIs. The most frequently exploited vulnerability category is API8 (Security Misconfiguration), accounting for 54% of attacks, followed by API1 (Broken Object Level Authorization) at 27%. Alarmingly, only 20% of organisations continuously monitor their APIs in real time, and a significant number lack confidence in their API inventories. The report also addresses the emerging risks associated with Generative AI (GenAI) in API security, including concerns about the quality and security of AI-generated code.
Key Takeaways:
API security is a critical and evolving challenge, with significant risks arising from leaked credentials, security misconfigurations, and sophisticated attacks.
Mobile APIs present unique vulnerabilities that require dedicated security measures beyond traditional web application security.
Mobile SDKs with attestation, such as Approov, are essential for providing robust protection for mobile APIs by ensuring app and device integrity.
Organisations need to adopt a proactive API security strategy that includes continuous monitoring, strong authentication and authorisation, proper configuration management, and adherence to security frameworks like the OWASP API Top Ten.
Addressing the security risks associated with Generative AI in API development is becoming increasingly important.
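The GitHub leak discussed in the notes is the kind of exposure push protection is meant to stop: a scan of what is about to be pushed, refusing the push when an added line matches a known credential format. The block below is an added example (not GitHub's push-protection code) of that mechanism as a local pre-push style check. It scans only the added lines of a unified diff, reports findings with the secret redacted, and returns a block/allow verdict. The pattern set and the sample diff are constructed for the example; the AWS key is the documentation example value and the other two tokens are fake.

```python
import re

# Constructed pattern set for a few well-known credential formats. Real push
# protection uses a far larger, provider-verified set; these four are enough
# to show the mechanism.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(secret):
    """Show just enough of a match to locate it without re-exposing it in logs."""
    return secret[:4] + "..." + secret[-4:]


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff; return (path, kind, redacted) findings."""
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        # Only '+' content lines matter: a secret already in history is a
        # rotation problem, not something this push can be blocked for.
        if not line.startswith("+"):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line[1:])
            if match:
                findings.append((path, kind, redact(match.group(0))))
    return findings


def should_block(diff_text):
    """Hook verdict: block the push if any added line contains a recognised secret."""
    return bool(scan_diff(diff_text))


# Constructed sample diff: the removed line read the key from the environment,
# the added lines hard-code three credentials (all fake / documentation values).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+SLACK_TOKEN = "xoxb-1234567890-abcdefghijklmn"
 DEBUG = False
"""

if __name__ == "__main__":
    for path, kind, redacted in scan_diff(SAMPLE_DIFF):
        print(f"{path}: {kind} ({redacted})")
    print("block push:", should_block(SAMPLE_DIFF))
```

A hook like this is a last line of defence, not the first: the leak figures in the notes show that secrets still reach public repositories, so anything that does get pushed has to be treated as compromised and rotated, regardless of how quickly the commit is removed.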
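The notes describe an attestation SDK that lets the app present an authorised identity to the server as a standard JWT, with dynamic token binding tying that token to the request. The block below is an added example of the backend side of that design; it is not Approov's SDK, token format or verification code. It assumes an HS256 shared secret between the attestation service and the backend, a header named X-Attestation-Token, and a `bind` claim holding base64url(SHA-256) of the request's Authorization header; all three are assumptions for the example. It shows what a gateway or API backend actually has to check before trusting the identity the token asserts: algorithm pinned server-side, signature, expiry, and the binding against the header actually presented.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret between the attestation service and the backend (HS256).
# Example value only; a real deployment keeps this server-side and rotates it.
SECRET = b"example-attestation-signing-secret"
TOKEN_HEADER = "X-Attestation-Token"  # assumed header name


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def binding_hash(value):
    """Assumed binding claim: base64url(SHA-256) of the header value the token is bound to."""
    return b64url(hashlib.sha256(value.encode()).digest())


def issue_token(secret, bound_value, ttl=300, now=None):
    """What the attestation service would mint after the app passes its runtime checks."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"exp": now + ttl, "bind": binding_hash(bound_value)},
                                separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_request(secret, headers, now=None):
    """Backend check before the request reaches business logic. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    token = headers.get(TOKEN_HEADER)
    if not token:
        return False, "missing attestation token"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "undecodable token"
    # Pin the algorithm server-side; never let the token's own header choose it
    # (the classic alg=none / key-confusion bypass).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired"
    # Token binding: the token only validates alongside the exact Authorization
    # header it was minted for, so a captured attestation token cannot be
    # replayed with another user's session, and a stolen session cannot be
    # used without a fresh, valid attestation.
    if payload.get("bind") != binding_hash(headers.get("Authorization", "")):
        return False, "token not bound to this Authorization header"
    return True, "ok"


if __name__ == "__main__":
    auth = "Bearer user-session-123"
    token = issue_token(SECRET, auth)
    print(verify_request(SECRET, {"Authorization": auth, TOKEN_HEADER: token}))
    print(verify_request(SECRET, {"Authorization": "Bearer stolen", TOKEN_HEADER: token}))
```

The order of checks matters: signature before any claim is trusted, and the binding compared against the header as received, not against anything inside the token. The short `exp` is what makes the attestation "continuous" from the backend's point of view; an app that fails its runtime checks simply stops receiving fresh tokens and its requests start failing here.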
Relevant Links:
39M Secret API Keys & Credentials Leaked from GitHub: https://cybersecuritynews.com/39m-secret-api-keys-credentials-leaked-from-github-new-tools-to-revamp-security/
API testing firm APIsec exposed customer data during security lapse | TechCrunch: https://techcrunch.com/2025/03/31/apisec-security-lapse-customer-data-exposed/
Enhancing Mobile App API Security: Closing Gaps with a Robust SDK: https://approov.io/blog/mobile-app-api-security-closing-the-protection-gap-with-a-mobile-sdk
Mobile APIs are more vulnerable.pdf: (This is a local file and cannot be directly linked. Search for "Mobile APIs are more vulnerable" to find similar resources.)
Q1 2025 State of API Security: (This is a local file and cannot be directly linked. Search for "Salt Security State of API Security Report Q1 2025" to find it.)
OWASP API Security Top 10: https://owasp.org/www-project-api-security/
Sponsor Link:
Approov: https://approov.io/
Keywords: API security, mobile API security, web API security, API leaks, leaked credentials, GitHub, APIsec, data breach, Mobile SDK, attestation, runtime protection, OWASP API Top 10, Generative AI security, Approov, bot protection, API monitoring, API inventory.