Understanding the Security Risks and Solutions for Protecting Sensitive Data

There is a trend emerging for anyone launching a consumer business. Almost every business these days does two things: the first is to create an app and the second is to publish an API.

Publishing APIs allows third-party developers to access the app’s functionality and data and integrate that into other applications, expanding the reach and adoption of the original app’s services. It encourages innovation and can create a thriving ecosystem around the app and can provide additional monetization opportunities for the company. In some industries, publishing APIs may be necessary to comply with regulatory requirements, such as in healthcare for ensuring data interoperability.

We see this pairing of app+API everywhere: delivery apps, connected cars, e-commerce sites, healthcare service providers, … the list goes on. 

However, here at Approov we get a privileged opportunity to see what’s going on across multiple industries and one thing we are seeing clearly is that our customers are increasingly concerned about apps which are not theirs accessing their APIs. 

As we have seen, these kinds of apps may be providing a useful service and be encouraged or tolerated by the app owner. Or they may turn out to be totally illegal and disruptive. Often they operate in a gray area between the two extremes. But one thing is certain, enterprises are struggling to keep control over what is accessing their APIs. 

Examples of “Gray Area” Apps

Here are some examples of apps our customers want to control:

• Delivery Driver Optimization Apps: These unapproved apps might leverage official delivery app APIs to access information on deliveries (distance, payout, customer location etc.). They could then present this data in a way that helps drivers choose the most profitable deliveries, potentially giving them an advantage over drivers who rely solely on the official app.
• E-commerce Price Tracking Apps: Unapproved apps could potentially use e-commerce platform APIs to track real-time price fluctuations and notify users when deals appear. This could give them an edge over users who rely on the platform’s built-in notifications.
• Connected Car Apps: Unauthorized third-party apps often replicate the functionalities of official connected car apps and promote them directly to consumers. In addition a multitude of charging and home management apps also access connected car APIs. While some may add value, they also introduce risks. 

It’s important to note that using unapproved apps often violates the terms of service of the official app and could result in account suspension. Additionally, these unapproved apps may be buggy or insecure, posing risks to the user’s data. 

Malicious Apps

Sometimes it’s even worse, and apps accessing your API can be truly malicious in intent: 

• Adware: Some fake apps are designed to aggressively display advertisements to generate ad revenue.
• Credential Harvesting: Others aim to steal sensitive information such as login credentials and financial data.
• Malware Distribution: Fake apps can also infect devices with malware, including ransomware and spyware.
• Cryptocurrency Mining: In some cases, fake apps have been used to mine cryptocurrency using the device’s computing power.

What are the Risks of Unapproved Apps?

Apart from the direct impact of malicious apps, apps accessing your APIs can cause major issues: 

• Monetary Costs: Third-party apps can place excessive load on cloud systems by not adhering to careful coding practices and access policies, leading to excessive consumption of network and cloud resources and increased costs.
• Operational Distractions: Unauthorized  access of APIs can trigger alerts and alarms, causing additional, time-consuming work for DevOps teams.
• Reputation Damage: Lack of quality and poor performance of app copies can provide a degraded user experience, and this can have a negative impact on the overall reputation of the car brand.

Are Apps on App Stores Safe?

The simple answer is no. Both iOS and Android are affected by fake apps. HarmonyOS and the Samsung Galaxy Store are not immune to the issue. The problem is significant enough that it impacts users of all major mobile operating systems. Despite security measures, and claims to the contrary, fake apps can slip through on all mobile platforms. Even official app stores like Google Play and the Apple App Store are overwhelmed by  this issue, despite having extensive app review processes in place.

There are indications that the Apple App Store may have some vulnerabilities in its review process. For instance, some scammers have found ways to exploit the system by initially submitting apps in specific languages for certain countries, then gradually expanding to other markets. 

In addition, all platforms face challenges with fake reviews and artificially inflated app rankings, which can make it difficult for users to identify legitimate apps.

As regulations like the EU’s DMA (Digital Markets Act), the UK’s DMCC (Digital Markets, Competition and Consumers Act 2024), and Japan’s SSCPA (Smartphone Act) kick in, more apps will be available outside of official app stores and security based on official app stores will become even more irrelevant than it already is.  

So, fake and unauthorized apps are a significant and growing problem. To protect themselves, users of iOS, Android and HarmonyOS devices should remain vigilant, carefully review app permissions, be wary of suspicious reviews or download numbers. 

And of course, API owners must put solid security in place. 

Getting Control Over What is Accessing your APIs

Companies need to find a way to get visibility and fine grained control over what is accessing their APIs. And this means applying a zero trust approach, at runtime. Every request to the API should be checked to see if it is legitimate or unauthorized. In addition the following elements should be in place:

• Strong authentication and authorization mechanisms
• Easy and immediate API key rotation and management
• Rate limiting to prevent abuse
• Continuous monitoring for suspicious activity
• Fine-grained policy controls to allow access permissions to be changed rapidly

If this path is followed, publishing APIs can still help drive the ecosystem but also provide the control companies need. Instead of being a headache, a published API can help companies standardize security practices and enforce policy compliance and data protection standards. 

Approov Blocks Unauthorized Apps

Approov Mobile Security ensures only authorized apps can access backend APIs by validating the legitimacy of the requests through continuous deep inspection – you decide which apps are authorized. 

This prevents unauthorized third-party apps from abusing APIs, thereby reducing cloud costs, minimizing operational distractions, and protecting the brand’s reputation. 

Approov are the experts on the security of mobile apps and their APIs and we can help you get control of who is accessing your APIs and manage it effectively.

Schedule a discussion with one of our experts.

*** This is a Security Bloggers Network syndicated blog from Approov Blog authored by George McGregor. Read the original post at: https://blog.approov.io/the-surge-of-unauthorized-apps-in-delivery-automotive-and-e-commerce