- Report warns that attackers can intercept API calls on iOS devices and make them appear legitimate
- Traditional security tools cannot protect applications against attacks on the device
- Compromised mobile devices significantly increase the risk of API exploitation
New research from Zimperium confirms that mobile applications are now the main battleground for API-based attacks, creating serious fraud and data-theft risks for companies.
The research shows that 1 in every Android applications and more than half of iOS applications expose sensitive data, offering attackers direct access to critical business systems.
Even more worrying, the report claims that three out of every 1,000 mobile devices are infected, with 1 in 5 Android devices encountering malware in the wild.
The scale of mobile API vulnerabilities
Unlike web applications, mobile applications ship their API endpoints and call logic to untrusted devices, exposing them to tampering and reverse engineering.
This allows attackers to intercept traffic, modify the application and make malicious API calls look legitimate.
Traditional defenses such as firewalls, gateways, proxies and API key validation cannot fully protect against these in-app threats.
“APIs not only power mobile applications, but also expose them,” said Krishna Vishnubhotla, vice president of product solutions at Zimperium.
“Traditional security tools cannot prevent attacks from occurring.”
Client-side manipulation is common, since attackers can intercept and alter API calls before they reach backend systems.
Even SSL pinning, designed to prevent man-in-the-middle attacks, has gaps: almost 1 in 3 Android finance applications and 1 in 5 iOS travel applications remain vulnerable.
Beyond API exposure, many applications handle sensitive data on the device, and Zimperium found that console logging, external storage and insecure local storage are common problems.
For example, 6% of the top 100 Android applications write personally identifiable information (PII) to console logs, and 4% write it to external storage accessible by other applications.
Even local storage, although not shared, can become a liability if an attacker gains access to the device.
The analysis also shows that almost a third (31%) of all applications and 37% of the top 100 send PII to remote servers, often without adequate encryption.
Certain applications embed SDKs capable of secretly exfiltrating data, recording user interactions, capturing GPS locations and sending the information to external servers.
These hidden activities increase enterprise exposure and show that even applications from official stores can carry significant security risks.
“As mobile applications continue to drive business operations and digital experiences, securing APIs from the inside out is essential to prevent fraud, data theft and service disruption,” added Vishnubhotla.
How to stay safe
- Inspect applications for inappropriate logging of sensitive information to avoid data leaks.
- Verify that local data storage is encrypted and not accessible by other applications.
- Monitor network traffic to detect applications that send personal information unencrypted.
- Identify and remove malicious SDKs or third-party components integrated into applications.
- Review application permissions to ensure they align with the intended functionality.
- Perform regular audits of application behavior for vulnerabilities that could lead to a breach.
- Implement runtime protections to prevent tampering with or reverse engineering of applications.
- Use code obfuscation to protect business logic and API endpoints from attackers.
- Validate that API calls come only from legitimate, untampered applications.
- Establish incident response procedures in case a mobile application compromise occurs.
- Use mobile security software that protects against malware and ransomware attacks.
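One way to act on the logging recommendation above (added example, not code from the report or from Zimperium): a small Python scanner that flags PII patterns in an Android logcat dump. The sample log lines and the regexes are assumptions constructed for illustration, not data from the report.

```python
import re

# Constructed sample of Android logcat output (made-up values, not from the
# Zimperium report), in the formats the patterns below look for.
SAMPLE_LOGCAT = """\
05-01 10:02:11.101  4123  4123 D LoginActivity: user entered email=jane.doe@example.com
05-01 10:02:11.302  4123  4123 D ApiClient: POST /v1/session body={"phone":"+1-415-555-0123"}
05-01 10:02:12.115  4123  4123 I CheckoutFragment: card=4111111111111111 exp=12/27
05-01 10:02:12.118  4123  4123 I CheckoutFragment: order id=12345 total=19.99
05-01 10:02:13.990  4123  4123 W Location: lat=37.7749 lon=-122.4194
"""

# Each pattern is anchored so that PIDs, timestamps and order numbers in the
# logcat prefix do not trigger false positives.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)\+?\d{1,3}[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "gps": re.compile(r"lat=-?\d+\.\d+\s+lon=-?\d+\.\d+"),
}


def luhn_ok(digits):
    """Luhn checksum, used to reject long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(logcat):
    """Return (line_number, kind, value) for every PII hit in a logcat dump."""
    findings = []
    for lineno, line in enumerate(logcat.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(0)
                if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                    continue
                findings.append((lineno, kind, value))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in find_pii(SAMPLE_LOGCAT):
        print(f"line {lineno}: {kind} written to log: {value}")
```

In practice the input would be a captured `adb logcat` dump from a test device; a hit means the app should be fixed to stop logging that value before release.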