If You Have A Publicly Available Mobile App You Have a Public API
27 Oct 2014
I’ve had several browser tabs open around the recent Snapchat security breach, hoping to craft an API-centric story around the whole affair. I think SmartBear covers the security lesson around the Snapchat breach well. My motivation in writing a story would be more about incentivizing popular mobile platforms like Snapchat to establish a robust approach to APIs, and to provide a platform for everyone to discuss the tech, business, and politics of application integration, rather than keeping it all in the dark.
Your Application Programming Interface Surface Is Publicly Available
As I play with tools like Charles, Runscope, and other proxy and application traffic management tools, I can easily map out the surface area of any iPhone application I have installed, giving me a blueprint of an API and potentially its underlying data model. If I can do this for your mobile app, you have a public API, regardless of how you view the world.
Bring More Awareness, Control, Security, And Stability To Your Platform
Taking a public API approach to delivering a public mobile application gives you a new layer for understanding not just how your mobile app is using resources; it gives you a central channel for all mobile, web, and Internet of Things apps to use. An API focus gives you a central point to log how resources are being accessed and put to use, and to introduce analytics, monitoring, and other vital security components into operations. There is a wealth of API management services available on the Internet, and having an API management strategy can open a company up to vital resources across an application's lifecycle.
Legitimize 3rd Party Developers With A Modern API Platform
The 3rd party developer who was responsible for the latest Snapchat breach was not given official access to Snapchat APIs, because there is no formal API program. If there were a Snapchat API platform program, users could request access, the platform could still deny access to anyone it wished, and all applications would have to adhere to a standardized approach to identity and access management for all resources. With a modern approach to API management, developers can be legitimized, while also providing a more secure perimeter that keeps rogue applications from gaining access and compromising privacy and security.
Empower End-Users With Identity And Access Control (OAuth)
If you have a public mobile app available today, you owe it to your end-users to provide them with the latest in account management, and tools for managing who has access to their data. If you need a model for where the bar should be set, go look at what Google does. Modern approaches to API management, along with a common approach to using OAuth, provide the tools all mobile application users should have, allowing them to help contribute to their own security. End-users need to be aware that they should only use mobile applications that provide API access and OAuth controls, allowing them to take control over their digital footprint and play an active role.
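To make the three previous sections concrete (a central channel that logs every access, a platform that can suspend a registered third-party client, and end-users who can revoke a consent grant), here is an added example of a minimal gateway in that shape. It is not code from the original post or from Snapchat; the client ids, tokens, scopes and user names are constructed.

```python
# Added example (not from the original post): a minimal API-gateway sketch showing
# the controls the post asks for. All names and sample data are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Grant:
    """A user's consent for one registered client, limited to named scopes."""
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False

@dataclass
class Gateway:
    """Single choke point every mobile, web or third-party app must pass through."""
    clients: Dict[str, str]                      # client_id -> "active" | "suspended"
    tokens: Dict[str, Grant]                     # bearer token -> grant it represents
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def request(self, token: str, client_id: str, resource: str, scope: str) -> bool:
        """Authenticate, authorize and log one API call; returns True if allowed."""
        grant = self.tokens.get(token)
        if grant is None or grant.client_id != client_id:
            return self._log("deny:bad_token", client_id, "-", resource)
        if self.clients.get(client_id) != "active":        # platform-side kill switch
            return self._log("deny:client_suspended", client_id, grant.user, resource)
        if grant.revoked:                                  # end-user withdrew consent
            return self._log("deny:user_revoked", client_id, grant.user, resource)
        if scope not in grant.scopes:                      # least privilege per grant
            return self._log("deny:scope", client_id, grant.user, resource)
        return self._log("allow", client_id, grant.user, resource)

    def _log(self, outcome: str, client_id: str, user: str, resource: str) -> bool:
        self.audit.append((outcome, client_id, user, resource))   # central audit trail
        return outcome == "allow"

    def user_revokes(self, user: str, client_id: str) -> None:
        """The end-user's self-service control: withdraw consent for one client."""
        for g in self.tokens.values():
            if g.user == user and g.client_id == client_id:
                g.revoked = True

# Constructed sample data: one registered third-party client, one user grant.
gw = Gateway(clients={"app-photo-saver": "active"},
             tokens={"tok-1": Grant("alice", "app-photo-saver", frozenset({"photos:read"}))})
```

Every decision, allowed or denied, lands in `gw.audit`, which is the monitoring and analytics feed the post argues a mobile platform is missing when each app talks to the backend unmediated.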
APIs are not a cure-all. I'm not prescribing APIs because they fix everything. I’m prescribing APIs because they provide a layer where a platform, its users, 3rd party developers, and the public can come together and make sure any platform is seriously addressing security and privacy. APIs aren't just about innovation and all that bullshit you hear from us in Silicon Valley; they are about providing the access and tools necessary to strike a balance in providing remote access (aka mobile) to a wide variety of partners and 3rd party developers, all in support of end-users.
It does take time to build an open and trustworthy third-party application ecosystem, but with the proven blueprints already in existence, and a growing number of API service providers, it doesn't take a lot of resources. What Snapchat and other mobile providers lack is a healthy awareness of not just the tech of APIs, but also the critical business and political aspects of API operations; instead they are putting their heads in the sand and pretending these issues do not exist.
If you have a publicly available mobile application, you have a publicly available API, and you should possess a modern API management strategy to protect the privacy and security of your end-users. How open you make access to this API is up to you, but I encourage you to make it as open as possible, providing transparency into security and platform operations. I don't feel like this is something state or federal government should be enforcing; it should simply be the acceptable approach to delivering public applications, enforced by end-users who are educated to avoid web and mobile applications that do not have an API and this transparent approach, demonstrating they have each user's privacy and security in mind.
What has happened to Snapchat will continue to happen to other companies, with increasing frequency. You can greatly mitigate the risks of having a public web or mobile application with a formal API strategy, by listening to security advice from providers like SmartBear, and by protecting the interests of your end-users. If you do not have the expertise on staff at your company or organization, let me know; I can help point you in the right direction to find the resources you will need.