The Hidden Security Risks of Cloud APIs

Friday, December 02, 2016

Sam Rehman


With the cloud market becoming increasingly crowded, developers are under mounting pressure to create more innovative solutions and reduce their costs. It's little wonder then that APIs (Application Program Interfaces), which can drastically reduce development time, have become one of the most prized tools in any developer's arsenal. However, the benefits are tempered by an increased risk of cyber attacks.

An API is essentially a set of instructions or routines to complete a specific task, or interact with another system, from servers to other applications. Because APIs are able to perform tasks such as retrieving data or initiating other processes, developers can integrate different APIs into their software to complete complex tasks.

Transforming cloud software development

Where this has become a real game-changer for the industry is, rather than spending countless hours writing every aspect of the software from scratch, developers can simply pick from an increasingly large selection of best-of-breed APIs developed by specialists, and plug them straight in. This transforms the development process from a time-intensive grind to something more akin to building with Lego.

Using ready-made components enables developers to considerably reduce costs and time-to-market, and perhaps more importantly also frees up time and resources to pour into the innovative and unique features that will cause their application to stand out.

APIs are so useful that some of the world's largest companies are now making the majority of their revenue through them. Research from the Harvard Business Review found that Salesforce generates around half of its revenue through APIs, while Expedia uses them to create almost 90 per cent of its income. Alongside the big players is an endless selection of specialists, meaning that developers can access high quality APIs for almost any task.

Some of the most useful examples for cloud developers are APIs for Platform-as-a-Service that can integrate with databases, portals, and messaging components, and APIs for Software-as-a-Service that connect the application layer to the IT infrastructure. Additionally, Infrastructure-as-a-Service APIs can help with tasks such as quickly provisioning or de-provisioning cloud resources, or managing workloads and network configurations.

The hidden threat

For all their benefits, APIs do come with a downside: they expose the cloud application to a new attack vector that can be used to reach the back-end server the cloud application is communicating with.

The weakness is the simple authentication that is widely used by most API Management Solutions to confirm that the client app on a device is genuine and has been authorized to utilise server assets. Typically, this is done using a simple challenge-response exchange, as the client app tries to connect to the API server. This exchange is usually a cryptographic operation, which means that the mobile client generally contains a secret key for an asymmetric cipher like RSA or ECC.

If attackers are able to break the application's security and decompile its code, they can root out the encryption keys. Any application that is available for download is particularly vulnerable to this, as it can be attacked indefinitely until a weakness is found.

Once the keys have been found, attackers can use them to trick the system into recognizing them as a legitimate client, enabling them to access anything the API was authorised to connect with. An API that accesses data on the back-end server for the cloud application, for example, could provide attackers with the ability to break in and steal sensitive data or perform other malicious activity.
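The challenge-response exchange described above, written out as an added example (not code from the article or from Arxan) to show exactly what it does and does not prove: it assumes an Ed25519 key pair whose private half is embedded in the client app, and a server that burns each nonce after one use. The server's Verify only establishes possession of the key, so a copy of the key lifted from the app passes just as the genuine app does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// APIServer knows the public half of the key pair whose private half ships in the app.
type APIServer struct {
	ClientPub ed25519.PublicKey
	Pending   map[string]bool // nonces issued but not yet answered
}

// NewKeyPair stands in for the key pair baked into the client app at build time.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, priv
}

// Challenge issues a fresh 32-byte random nonce and records it as outstanding.
func (s *APIServer) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	s.Pending[hex.EncodeToString(nonce)] = true
	return nonce
}

// Verify burns the nonce (so a captured response cannot be replayed) and checks the
// signature. It proves possession of the key, not that the signer is the genuine app.
func (s *APIServer) Verify(nonce, sig []byte) bool {
	k := hex.EncodeToString(nonce)
	if !s.Pending[k] {
		return false
	}
	delete(s.Pending, k)
	return ed25519.Verify(s.ClientPub, nonce, sig)
}

// Respond is the client side: sign the nonce with the key embedded in the app.
func Respond(appKey ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(appKey, nonce) }

func main() {
	pub, priv := NewKeyPair()
	srv := &APIServer{ClientPub: pub, Pending: map[string]bool{}}
	n := srv.Challenge()
	fmt.Println("genuine:", srv.Verify(n, Respond(priv, n)), "replay:", srv.Verify(n, Respond(priv, n)))
}
```

Burning the nonce stops replay of a captured response, but nothing on the server side can tell two holders of the same private key apart, which is why the article's defences focus on the key itself.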

Keeping APIs secure

The vulnerability introduced by APIs can be overcome by taking extra security measures alongside challenge-response based authentication. The most effective approach is to centre defences on protecting the cryptographic keys.

White-box cryptography is a particularly strong method for securely hiding cryptographic keys, even if a hacker has full access to the software. Using this technique, the original key material is converted to a new representation using a one-way, non-reversible transformation. This new key format can only be used by the associated white-box cryptographic software, preventing the hacker from finding the key and using it for the challenge-response.

However, white-box cryptography can still be circumvented if the hacker is able to decompile the original application and either modify the app or lift out the entire white-box software package and include it in a cloned version of the application.

Particularly relentless attackers can be stopped with anti-tampering techniques that prevent code-lifting attacks or the app being tampered with. Anti-tamper techniques that also have RASP (Runtime Application Self-Protection) built in can respond to runtime attacks with customisable actions and notify the app owner that the app is being modified.

By putting security measures like these in place to protect the cryptographic keys, developers can ensure APIs are able to communicate safely with networks and other applications. With the inherent security flaws taken care of, cloud software developers can take full advantage of the benefits of APIs without exposing themselves or their clients to attack.

About the author: Sam Rehman, who serves as CTO for Arxan Technologies, is a proven technology leader with over 25 years of experience in both leading product development and professional services companies.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
