Signed, Sealed, Defended: The Case for Secure Services

Cloud-based APIs and services are super-charging apps and revolutionizing software architecture and development practices. One of the most significant shifts has been the migration of critical application logic away from the application itself and into remotely-hosted services. Given the speed of software development needed to support emerging mobile and cloud demands, this only makes sense: the more you leverage services that someone else maintains, the less development you have to do.

But while these services offer great functionality, they don't all offer great security. Some prioritize speed over safety, while others lack proper testing. Some ignore potential weak spots; others are victims of newly-discovered flaws. For developers, choosing services isn't just about features, it's also about ensuring the security of the app, the users, and the corporate network.

What kind of damage can an unstable or poorly tested service cause?

Consider the case of search giant Google. As noted by ZDNet, a bug in the Google+ API that could have exposed the data of more than 52 million users was discovered by internal testers. Thankfully, the vulnerable code never went live and the social network was discontinued earlier this year.

Testing and code analysis cannot guarantee that every flaw or vulnerability will be identified before being released into production. This seems especially true with open source projects that may be subject to varying degrees of governance. Open-source software Kubernetes, used for managing Linux applications in containers, offers one such example. According to Computer Weekly, a code flaw permitted any user to escalate their privileges and access admin controls via the Kubernetes API server. While there have been no reports of serious compromise, this vulnerability was live for several weeks before being identified and patched.

Worst-case scenario for third party APIs? The USPS “Informed Visibility" API that allowed bulk mail senders to track data in real time. As reported by Engadget, poor programming of the API allowed tech-savvy users to conduct wildcard searches with no restrictions. As a result, the data of more than 60 million users was exposed.

Evaluating the benefits & risks of incorporating an API

If you're considering adding a third-party service to your app, it's worth thinking through the possible risks. Let's start with a simple checklist:

  1. Suitability of the API to solve the problem
  2. Stability of the API (i.e. it doesn't change unexpectedly, and when it does change, it is handled well)
  3. Sustainability of the service (how long it will remain available, and be maintained)
  4. Technical security of the API itself
  5. Trust in the vendor's platform, people, and processes
  6. Adherence to various standards and regulations

For example, if your business workflow requires incorporating e-signatures into your own apps and systems, and you think it is foolish to write your own (smart choice!), then you need to evaluate the APIs and services available.

Let's assume you have evaluated the first three items on the checklist (suitability, stability and sustainability) and settled on an API provider. Now let's go through the last three items on the checklist.

Technical security of the API

It is easy for a vendor to develop an API that isn't strict about security, and such APIs are often easy to start using. Unfortunately, in the long run, the lax security hurts you and your users as much or more as it hurts the vendor. It's your responsibility to ensure the services you use do two major things:

  1. Limit the service to only the data and rights that it needs.
  2. Protect the data and all communication from interception

Two major technologies used to solve these problems are OAuth and TLS.

OAuth is used in a three-party situation where one party (the user) wants to grant another party (the third-party service) access to some of a third party's data about that user (like a document in your app that needs a signature), without having to share credentials or give broad access to all data. Through OAuth, each party can ensure they have access to what they need, without giving the other parties more access than they need.

TLS (Transport Layer Security) and its now-deprecated predecessor, SSL (Secure Socket Layer) is the core encryption technology for data transmission on the internet. These days, all network transmissions should be protected by a recent version of TLS. Earlier versions of TLS and SSL are not secure, so it is worth checking if the version is supported – as described by GlobalSign. Make sure your vendor's services only use TLS versions 1.1 and above (as of this writing).

Be sure to verify that any service you add to your app will use OAuth for three-party data authorization and requires TLS 1.1 and above.

Reputation

In addition to looking at the reliability, efficiency and consistency of 3rd party APIs, also investigate the reputation of the vendor. Look into their support policies, service level commitments, and for any visible discussion groups or Stack Overflow posts that give you a sense of how other users experience their services. Also check to see if there have been any breaches connected to their services in the past, and if so, make sure you (and they!) understand the root causes and how they addressed the issue(s).

You have to make a risk assessment here – is this vendor living up to your expectations? Are existing customers satisfied?

Adherence to Standards and Regulations

When using third-party APIs or services to deliver key business functionality, you should also consider the impact of emerging app regulations and standards such as:

  1. GDPR - With the General Data Protection Regulation in effect, gaining control over customer data is mandatory. Be sure you understand what data will be passed to the service, how it will be used, and whether the service provider understands and will comply with GDPR.
  2. PCI DSS - Any application handling financial data should meet PCI DSS standards for storage and handling of consumer data and regular evaluation of app vulnerabilities via trusted outside sources.
  3. ISO 27001:2013 - Developers which earn the ISO 27001 certification demonstrate a clear understanding of current security issues and emerging concerns.
  4. SkyHigh Cloud Trust - Created in partnership with the Cloud Security Alliance (CSA), this standard sets out strict requirements for protecting, verifying and managing cloud-based data.

The caveat? While these standards, certifications and requirements can help boost API security, none are mandatory - ideally, all developers should follow these guidelines to help reduce the risk of application attack, but organizations may be on the hook to ensure the public APIs and applications they're using to drive business success meet basic security requirements.

Evaluating APIs

With security risks on the rise and API standards still in development, how can your company protect new code and applications from potential misuse?

Start with the checklist above and be sure to do thorough due diligence. You're trusting your app and your users to this service, so it's well worth the time to make a thorough evaluation.

But then don't just rely on the vendor's platform – apply the same rigorous security standards to the code you write that uses the service or APIs. Implement techniques such as static and dynamic vulnerability testing and understand the various standards and regulations that apply to your overall application.

Is your App itself running in an untrusted environment?

In addition to the checklist above, it is important to protect your organization's IP and brand at the very core of your application's existence – by protecting the source code. Through code obfuscation and app hardening you lessen your app's vulnerability before it reaches 3rd party integration. By protecting your app at the foundation, you create a fortified defense right within your build. When you add in additional layers of protection such as anti-debugging, anti-tampering and anti-emulator protection, your defense strengthens even more, alerting an administrator or shutting down the application if a vulnerability or hacker is detected.

And, if your apps are running in an untrusted environment, it is imperative to implement an app protection forward strategy - no matter what types of APIs are in your code. From obfuscation beyond symbolic renaming to creating real-time cross-platform defenses, the best defense is a multilayered one. Using both secure coding techniques and passive and active protection, you make your application more difficult to reverse engineer, and in some cases - bypass the need for licensing. There is no greater line of protection than the protection you can implement and control yourself.

Stay Current

Last but not least? Organizations must recognize the changeable nature of API security. Code that was once secure and untouchable may be rendered vulnerable thanks to new threat vectors or existing, previously undiscovered flaws. (A great example is the evolution of TLS security.) By keeping an eye on current trends and securing applications with industry-leading APIs and protection tools, companies can stay ahead of malicious actors and reduce total application risk. Look for APIs from that keep their APIs current and provide instant access to their security related alerts and updates.

Sign of the Times

Companies can't ignore the impact of APIs; modern apps depend on third-party code to meet both consumer and employee expectations. The combination of rapidly-developed apps and increasing attack sophistication, however, is a sign of things to come. As app threats ramp up, businesses must seek out providers that prioritize API security and stay current with the regulations and threat landscape.


Gabriel Torok is Founder and CEO of PreEmptive Protection, a premium app shielding and hardening solution's provider. He has spent his career pioneering passive and active in-app protection solutions that help secure apps running in untrusted environments protecting the customer's brand, IP, data and revenue. PreEmptive's DashO is a very popular in-app protection Java and Android obfuscator. PreEmptive's Dotfuscator is the #1 .NET obfuscator and in-app protection solution and a light version of has been included in in Microsoft's Visual Studio.NET since 2003. And PreEmptive is now releasing PreEmptive Protection for JavaScript - a JavaScript obfuscator plus in-app protection. Learn more at http://www.preemptive.com.