
APIs benefit companies in a variety of ways including allowing outside developers to build off of the code to create new integrated applications. For example, “Google did not consider Google Maps to be a core asset until a third-party application allowed Google Maps to show real estate locations on a map, causing its popularity to skyrocket,” says Harvard Business Review. APIs also put speed and efficiency at the forefront. “APIs are enabling businesses to enter new markets, speed up product development and make better use of data,” says Mark Boyd of ProgrammableWeb. However, there is a distinct difference between public or open APIs and private APIs. That difference is security.
Private and Open APIs
Private APIs only allow the backend data, code, and application functionality to be accessed or used by the developers working for that company or organization. APIs usually begin as private and later make the move to partner or open APIs. Essentially, the application is available to the public, but the code is not. “Private APIs can significantly reduce the development time and resources needed to integrate internal IT systems, build new systems that maximize productivity and create customer-facing apps that extend market reach and add value to existing offerings,” states API Academy. The main advantages of private APIs are reduced costs, increased flexibility, and improved internal operations. Private API apps are usually flexible and intuitive. Updates for apps built on private APIs are easy and seamless because third-party IT teams are not involved or needed. Private APIs are also more secure because they are not open to third-party developers or to people not permitted to access the applications. The distinct difference between private APIs and open APIs is the security risk involved for companies.
The fundamental difference between private and open APIs is that an open API’s code or data is designed to be easily accessed by the public for use by web and mobile developers. “This means an open API may be used both by developers inside the organization that published the API or by any developers outside that organization who wish to register for access to the interface,” adds API Academy. Ultimately, open APIs allow companies to publicly expose information and functionality to third parties that are not associated with the company or organization. This creates increased reach, more traffic, and opportunity for developers to promote their work and build off of a successful company’s code. Although open APIs can create a greater community of developers, users, and associated applications, they sometimes suffer from poor user experience and deficient updates. According to API Academy, “With many third-party client apps active in the field, it can be very challenging to ensure that interface updates do not break application functionality.” API Academy also goes on to say that apps built on open APIs may not offer a positive user experience or ensure that those apps will maintain a certain standard for corporate branding. However, the most notable downside to the infrastructure of open APIs is the security risk.
Security Risks of Open APIs
Cybersecurity threats are at the forefront of social, political, and corporate discussions every day, and for good reason. We are also becoming increasingly aware of how our data is gathered, stored, and shared with other applications, companies, and individuals. Unfortunately, open APIs are one avenue through which our data is breached and shared with third parties. API Academy says, “Not only does publishing an open API theoretically mean that any developer can access exposed backend systems, it also risks bringing the existence of the exposure to the attention of hackers who might never have noticed a private API.” In the past, applications were quite simple and secure. However, with the emergence of the internet of things (IoT), open APIs can be found in everything from mobile devices to smart TVs and gaming consoles. Today, hackers do not have to test applications for vulnerabilities. Because the code is essentially public, hackers can just integrate a virus or malware directly into the code of an open API.
The security risks of open APIs are not limited to hackers and malware. Open data and code can lead to data sharing among applications. The amount of personal information obtained through open APIs can undoubtedly be shared with third parties. This is evident in Facebook’s recent vow to better secure personal information and Panera Bread’s recent API breach. CSO reports that Mike Cook, a governance, risk and compliance specialist, says, “APIs come in and can read all your data or they read the data from another application that you have.” He goes on to say that security features for open APIs, such as API gateways, should provide users with the utmost protection. “Can you make sure that that API, that other party, the information going out there is just the information they need and that they’re allowed to have? Or that…the company on the other end of API is really that company?” These are all serious questions, especially when sensitive documents and data pertaining to corporate governance are concerned.
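As an added illustration of Cook’s two questions (this is example code, not from the article or the sources it quotes), a minimal gateway check in Python: it authenticates the calling partner with a shared-secret HMAC signature over the request, and then releases only the fields that partner’s scope allows. The partner registry, secrets, customer record and the `sign`/`gateway` function names are all constructed for the example.

```python
import hmac
import hashlib

# Constructed partner registry (hypothetical): each client has a shared secret
# and the set of response fields it is permitted to receive.
PARTNERS = {
    "maps-partner": {"secret": b"constructed-secret-1", "fields": {"id", "address", "city"}},
    "billing-partner": {"secret": b"constructed-secret-2", "fields": {"id", "balance"}},
}

# Constructed backend record: holds more data than any single partner needs.
CUSTOMER = {
    "id": 42, "address": "1 Main St", "city": "Springfield",
    "balance": 120.5, "ssn": "000-00-0000", "email": "a@example.com",
}


def sign(secret: bytes, client_id: str, path: str, body: str) -> str:
    """Client side: HMAC-SHA256 over client id, path and body proves possession
    of the shared secret and binds the signature to this exact request."""
    msg = f"{client_id}\n{path}\n{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def gateway(client_id: str, path: str, body: str, signature: str, record=CUSTOMER):
    """Gateway side: answer 'is the other party really who it claims?' first,
    then 'is the data going out only what it is allowed to have?'."""
    partner = PARTNERS.get(client_id)
    if partner is None:
        return 401, {"error": "unknown client"}
    expected = sign(partner["secret"], client_id, path, body)
    # compare_digest keeps the comparison time independent of where bytes differ
    if not hmac.compare_digest(expected, signature):
        return 401, {"error": "bad signature"}
    # Data minimisation: project the record onto the partner's allowed field set
    return 200, {k: v for k, v in record.items() if k in partner["fields"]}


if __name__ == "__main__":
    sig = sign(PARTNERS["maps-partner"]["secret"], "maps-partner", "/customer/42", "")
    print(gateway("maps-partner", "/customer/42", "", sig))
```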
When searching for a product to house and secure sensitive documents, it is imperative that companies and users are informed about the inherent risks of open APIs. APIs are a key integration point for the growth and development of an organization. It is essential that all developers and users are aware of the security risks and of the actions required to protect and defend their personal privacy, data, and documents.