- Report warns that attackers can intercept API calls on iOS devices and make them appear legitimate
- Traditional security tools do not protect apps from attacks that happen on the device
- Compromised mobile devices significantly increase the risk of API exploitation
New research from Zimperium claims that mobile apps are now the primary battlefield for API-based attacks, creating serious risks of fraud and data theft for businesses.
The research shows that 1 in 3 Android apps and more than half of iOS apps leak sensitive data, giving attackers direct access to business-critical systems.
Even more worrying, the report claims three of every 1,000 mobile devices are already infected, with 1 in 5 Android devices encountering malware in the wild.
The scope of mobile API vulnerabilities
Unlike web applications, mobile apps ship their API endpoints and call logic to untrusted devices, which exposes them to manipulation and reverse engineering.
This allows attackers to intercept traffic, tamper with the app, and make malicious API calls appear legitimate.
Traditional defenses such as firewalls, gateways, proxies and API-level validation cannot fully protect against threats that originate inside the app.
“APIs don’t just run mobile apps, they expose them,” said Krishna Vishnubhotla, vice president of product solutions at Zimperium.
“Traditional security tools cannot stop attacks happening inside the app itself. Protecting APIs now requires in-app defenses that secure the client side.”
Client-side manipulation is common, as attackers can intercept and alter API calls before they reach backend systems.
Even SSL pinning, designed to prevent man-in-the-middle attacks, has holes: almost 1 in 3 Android finance apps and 1 in 5 iOS travel apps remain vulnerable.
Beyond API exposure, many apps leak sensitive data on the device itself through console logging, external storage and insecure local storage, Zimperium found.
For example, 6% of the top 100 Android apps write personally identifiable information (PII) to console logs, and 4% write it to external storage that other apps can read.
Even local storage that is not shared can become a liability if an attacker gains access to the device.
The analysis also shows that almost a third (31%) of all apps, and 37% of the top 100, send PII to remote servers, often without proper encryption.
Certain apps contain SDKs that can secretly exfiltrate data, track user interactions, capture GPS locations and send the information to external servers.
These hidden activities increase exposure for companies and show that even apps from official stores can carry major security risks.
“As mobile apps continue to run business operations and digital experiences, it is essential to secure APIs from the inside out to prevent fraud, data theft and service disruption,” Vishnubhotla added.
How to stay safe
- Audit apps for improper logging of sensitive information to prevent data leaks.
- Make sure local data storage is encrypted and not accessible to other apps.
- Monitor network traffic to detect apps that send unencrypted personal information.
- Identify and remove malicious SDKs or third-party components embedded in apps.
- Review app permissions to make sure they align with the intended functionality.
- Conduct regular audits of app behavior for potential indicators of compromise.
- Implement runtime protection to prevent tampering with or reverse engineering of apps.
- Use code obfuscation to shield business logic and API endpoints from attackers.
- Validate that API calls come only from legitimate, untampered applications.
- Create incident response procedures for the event of a mobile app compromise.
- Use mobile security software that protects against malware and ransomware attacks.
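As an added illustration of the first and third checks in that list, the script below scans Android logcat-style output for PII written to console logs and flags outbound requests that carry PII over plain HTTP. It is example code written for this article, not Zimperium's tooling; the log lines, request records and PII patterns are constructed and deliberately simple.

```python
import re

# Constructed logcat-style sample lines (not output from any real app)
SAMPLE_LOGCAT = """\
I/PaymentsApp: user logged in, email=jane.doe@example.com
D/PaymentsApp: session token issued
W/TravelApp: profile sync phone=+1-555-0100 card=4111111111111111
I/TravelApp: fetching itinerary
"""

# Constructed outbound request records: (scheme, host, path, body)
SAMPLE_REQUESTS = [
    ("https", "api.example.com", "/v1/profile", "email=jane.doe@example.com"),
    ("http", "telemetry.example.net", "/collect",
     "lat=37.77&lon=-122.41&email=jane.doe@example.com"),
    ("https", "cdn.example.com", "/assets/logo.png", ""),
]

# Simplified PII detectors; a real scanner would use stricter, validated patterns
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d-]{7,}\d"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "gps": re.compile(r"\blat=-?\d+(?:\.\d+)?&lon=-?\d+(?:\.\d+)?"),
}


def find_pii(text):
    """Return the sorted list of PII categories found in text."""
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(text))


def scan_logcat(log_text):
    """Flag log lines that write PII; returns [(log tag, categories)]."""
    findings = []
    for line in log_text.splitlines():
        cats = find_pii(line)
        if cats:
            tag = line.split(":", 1)[0]  # e.g. "I/PaymentsApp"
            findings.append((tag, cats))
    return findings


def scan_requests(requests):
    """Flag requests that send PII without transport encryption (non-HTTPS)."""
    return [(host, find_pii(body)) for scheme, host, _path, body in requests
            if scheme != "https" and find_pii(body)]


if __name__ == "__main__":
    print("PII in logs:", scan_logcat(SAMPLE_LOGCAT))
    print("PII sent in cleartext:", scan_requests(SAMPLE_REQUESTS))
```

The same functions can be pointed at a captured `adb logcat` dump and a proxy export of the app's traffic to check the two findings the report describes.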