RSAC Fireside Chat: The need to stop mobile apps from exposing API keys, user credentials in runtime

By Byron V. Acohido

As digital transformation accelerates, Application Programming Interfaces (APIs) have become integral to software development – especially when it comes to adding cool new functionalities to our go-to mobile apps.

Related: Collateral damage of T-Mobile hack

Yet APIs have also greatly expanded the attack surface available to malicious hackers, and the software community has not put much effort into closing this widening security gap.

Mobile apps work by hooking into dozens of different APIs, and each connection is a path for bad actors to get their hands on “API secrets”: the encryption keys, digital certificates and user credentials embedded in or handled by the app, which unlock backend data and let attackers gain unauthorized control.

I learned this from Ted Miracco, CEO of Approov, in a discussion we had at RSA Conference 2023. For a full drill down, please give the accompanying podcast a listen.

Guest expert: Ted Miracco, CEO, Approov

He also explains how hackers carry out “man in the middle” attacks while a mobile app is running, interposing on the communication channel between the app and the backend API so they can intercept and manipulate the traffic.

Hackers know just how vulnerable companies are at this moment. Approov recently did a deep-dive study of 650 financial services mobile apps from institutions across Europe and the US. The results were startling: the researchers could access API secrets in 95 percent of the apps, including “high value” secrets in 25 percent of them.
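How a researcher gets at the embedded secrets described above, as an added example that is not code from the article or from Approov: a minimal Python static scan that extracts printable strings from an app binary (the same heuristic the `strings` utility uses) and flags known key formats plus high-entropy values assigned to names such as api_key, while skipping low-entropy placeholders. The sample binary, the example-bank URL and every key value in it are constructed for this example; the AWS access key id is the placeholder AWS uses in its own documentation.

```python
"""Static scan of an app binary for embedded API secrets.

Added example, not the article's or Approov's code. The sample binary and all
values in it are constructed; nothing here is a real credential.
"""
import math
import re
from typing import Dict, List

# Well-known credential shapes (public prefix formats). The values they match
# in the sample below are constructed, not real credentials.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9_\-.=]{20,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Config-style assignment (api_key=..., x-api-key: ..., secret: ...). These are
# only reported when the value looks random, so placeholders are skipped.
ASSIGN_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64-style keys score around 4 or more;
    placeholders such as REPLACE_ME score well below that."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Pull runs of printable ASCII out of a binary, like `strings -n 8`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def find_secrets(blob: bytes, entropy_threshold: float = 3.5) -> List[dict]:
    """Return one finding per secret-looking string in the binary."""
    findings = []
    for s in extract_strings(blob):
        # Known formats are reported regardless of entropy.
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(s):
                value = m.group(0)
                findings.append({"kind": kind, "value": value,
                                 "entropy": round(shannon_entropy(value), 2)})
        # Generic name=value assignments need a random-looking value.
        for m in ASSIGN_RE.finditer(s):
            name, value = m.group(1).lower().replace("-", "_"), m.group(2)
            ent = shannon_entropy(value)
            if ent >= entropy_threshold:
                findings.append({"kind": f"assigned_{name}", "value": value,
                                 "entropy": round(ent, 2)})
    return findings


# Constructed stand-in for an app binary (think classes.dex or a native .so
# pulled out of an APK). Every value is made up for this example; the AWS key
# id is the placeholder from AWS's own documentation.
SAMPLE_BINARY = b"\x00".join([
    b"\x7fELF\x02\x01\x01",
    b"https://api.example-bank.test/v2/accounts",
    b"AKIAIOSFODNN7EXAMPLE",
    b"AIzaSyExampleExampleExampleExampleExamp",
    b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2VjcmV0.AbCdEfGh1234",
    b"x-api-key: 9fK2mQp7Lz4vB8nX1sR6tY3wE5uA0cH",
    b"api_key = REPLACE_ME_REPLACE_ME",  # low-entropy placeholder: not reported
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA",
    b"\x8a\x01\xff\x00\x00",
])


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_BINARY):
        print(f"{f['kind']:<20} entropy={f['entropy']:<5} {f['value'][:24]}...")
```

In practice you run a scan like this over the unpacked APK (classes.dex, lib/*.so, assets/) or the iOS app's Mach-O binary. The point the article makes is that anything such a scan turns up was shipped to every user and can be read without any exploit, so it has to be treated as already exposed. The entropy threshold is a heuristic; tune it against the false positives in your own builds.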

Until API security generally gains a lot more ground, and next gen solutions achieve critical mass, the risk level will remain high. So be careful out there. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

