- The report warns that attackers can intercept API calls on mobile devices and make them appear legitimate
- Traditional security tools do not protect applications against attacks carried out on the device itself
- Compromised mobile devices considerably increase the risk of API exploitation
New Zimperium research says that mobile applications are now the main battleground for API-based attacks, creating serious fraud and data theft risks for businesses.
The research shows that one in three Android applications and more than half of iOS applications expose sensitive data, offering attackers direct access to critical systems.
Even more worrying, the report says that three in 1,000 mobile devices are infected, with one in five Android devices encountering malware in the wild.
The scale of mobile API vulnerability
Unlike web applications, mobile applications ship API endpoints and calling logic on untrusted devices, exposing them to potential tampering and reverse engineering.
This allows attackers to intercept traffic, modify the application and make malicious API calls appear legitimate.
Traditional defenses such as firewalls, gateways, proxies and API key validation cannot fully protect against these threats embedded in the application.
“APIs don't just power mobile apps, they expose them,” said Krishna Vishnubhotla, vice-president of product solutions at Zimperium.
“Traditional security tools cannot prevent attacks from occurring inside the application itself. API protection now requires in-app defenses that secure the client side.”
Client-side tampering is common because attackers can intercept and modify API calls before they reach backend systems.
Even SSL pinning, designed to prevent man-in-the-middle attacks, has gaps: nearly 1 in 3 Android finance applications and 5 out of 5 iOS travel applications remain vulnerable.
Beyond API exposure, many applications handle sensitive data poorly on the device itself; Zimperium found that console logging, external storage and insecure local storage are common problems.
For example, 6% of the top 100 Android applications write personally identifiable information (PII) to console logs, and 4% write it to external storage that other applications can read.
Even local storage, although not shared, can become a liability once an attacker gains access to the device.
The analysis also shows that almost a third (31%) of all applications, and 37% of the top 100, send PII to remote servers, often without appropriate encryption.
Some applications include SDKs capable of secretly exfiltrating data, recording user interactions, capturing GPS locations and sending the information to external servers.
These hidden activities increase the exposure of businesses and show that even applications from official stores may carry major security risks.
“As mobile applications continue to drive business operations and digital experiences, securing the APIs inside them is essential to prevent fraud, data theft and denial of service,” added Vishnubhotla.
How to stay safe
- Inspect applications for improper logging of sensitive information to avoid data leakage.
- Check that local data storage is encrypted and not accessible to other applications.
- Monitor network traffic to detect applications sending unencrypted personal information.
- Identify and remove malicious SDKs or third-party components embedded in applications.
- Review application permissions to ensure that they align with the intended features.
- Perform regular audits of application behavior for potential vulnerabilities or breaches.
- Implement runtime protections to prevent tampering with or reverse engineering of applications.
- Use code obfuscation to protect business logic and API endpoints from attackers.
- Validate that API calls come only from legitimate, untampered requests.
- Establish incident response procedures in the event of a mobile application compromise.
- Use mobile security software that protects against malware and ransomware attacks.
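As an added example (not code from the Zimperium report), the following Python sketch shows what "legitimate, untampered requests" can mean in practice: the app signs each API call with an HMAC over method, path, timestamp, nonce and body, and the backend rejects modified, replayed or stale requests. The shared secret, the 300-second clock window and the transfer endpoint are constructed assumptions; a secret held on a compromised device can itself be extracted, which is exactly the gap the article says in-app runtime protection must close.

```python
import hmac, hashlib, json

# Constructed demo secret; a real deployment provisions it per install
# and relies on in-app runtime protection to keep it from being lifted.
SHARED_SECRET = b"demo-secret-not-for-production"
MAX_SKEW = 300  # seconds a request timestamp may deviate from server time

def canonical(method, path, body, ts, nonce):
    """Canonical string covering every field the backend acts on."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{ts}\n{nonce}\n{body_hash}".encode()

def client_sign(method, path, body, ts, nonce, secret=SHARED_SECRET):
    """Client side: sign the request before it leaves the app."""
    msg = canonical(method, path, body, ts, nonce)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def server_verify(req, seen_nonces, now, secret=SHARED_SECRET):
    """Backend side: reject stale, tampered or replayed requests."""
    try:
        ts = int(req["ts"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    expected = client_sign(req["method"], req["path"], req["body"],
                           ts, req["nonce"], secret)
    if not hmac.compare_digest(expected, req["sig"]):
        return False, "signature mismatch"
    if req["nonce"] in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(req["nonce"])
    return True, "ok"

def demo():
    now = 1_700_000_000  # constructed server clock
    body = json.dumps({"to": "acct-123", "amount": 25}).encode()
    req = {"method": "POST", "path": "/v1/transfer", "body": body,
           "ts": now, "nonce": "n-0001"}
    req["sig"] = client_sign(req["method"], req["path"], body, now, req["nonce"])
    seen = set()
    results = {"legit": server_verify(dict(req), seen, now)[1]}
    # An intercepting proxy edits the amount but cannot re-sign the body
    bigger = json.dumps({"to": "acct-123", "amount": 2500}).encode()
    results["tampered"] = server_verify(dict(req, body=bigger), seen, now)[1]
    # The original valid request is submitted a second time
    results["replay"] = server_verify(dict(req), seen, now)[1]
    # The same request arrives an hour after it was signed
    results["stale"] = server_verify(dict(req), set(), now + 3600)[1]
    return results
```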