APIs are a necessary and central part of the strategy of any digital business that wants to stay competitive and monetize its assets. Additionally, end users’ form factor of choice when using digital services is now firmly mobile. The trend towards APIs and mobile devices has moved the attack surface in a significant way and digital businesses must adapt and evolve their security policies accordingly.
Our first batch of business-level attacks covers Data Scrapers and Account Hijack. We also take a look at the lucrative business of Fake Account Factories.
An article on Wired summarises 25 data breaches that made headlines during 2017. The implication in the article, and the general impression of those who take an interest, is that 2018 will bring more of the same in an ever-accelerating trend of discovery and disclosure. The growth in attacks indicates that companies of all sizes should continually raise the defensive bar, and Approov raises that bar significantly. In this short post I will provide a high-level view of what Approov does and how it works.
Yesterday morning security forums reported news that an AI researcher had published a dataset of 40,000 photos that had been scraped from the dating app Tinder. The purpose was simply to extract a real world data set that can be used for training Convolutional Neural Networks (CNN) to tell the difference between men and women. This seems innocent enough, although the author's choice of variable naming caused a bit of a stir. He quickly changed the variable name "hoe" to "subject" soon after the story broke. Apparently this original naming was inherited from the Tinder Auto-Liker code.
Suppose your mobile app relies on a back-end server that holds sensitive data or just data that you do not want to be manipulated or copied freely. You trust your own app to do everything right, but what about bots exploiting your API or if someone steals and subverts your app?
Bots are everywhere, crawling all over the internet. Some are good, cataloguing websites and enabling you to search for pictures of cats with ease. Others are all about information gathering, theft and fraud; this activity is known as API abuse, and it is bad news. More and more time is being spent accessing the Internet from mobile devices, and apps are becoming increasingly important as the software performing this access. Apps are a new and challenging arena for existing bot mitigation techniques, and attackers are starting to shift their focus from the mobile web channel to mobile apps to try to circumvent current protection mechanisms.