The Politics, Marketing, And Fear of API Security
27 Jan 2015
I cringe, when I think about the number of mobile applications out there, that people depend on in their personal and professional lives, that are using insecure APIs, allowing personally identifiable information (PII) to flow across the open Internet. I’m a big advocate for helping mobile developers understand the important role that a public API can play in this situation, but another side of the discussions that also scares me is the fear, uncertainty, and doubt (FUD) that also emerges as part of this conversation.
I’ve covered recent security and privacy involving mobile usage of APIs at Snapchat, and Moonpig, and was processing the API news this morning for inclusion on API.Report, when I came across this press release, Wandera Finds Official NFL App to be Leaking Users' Personal Data Just Days Ahead of The Big Game. I can get behind the NFL securing their users personal data, but have a hard time jumping on the bandwagon when this is used as PR for a mobile security service, in the lead up to the Superbowl.
Understanding how everyday mobile apps are using APIs to communicate in the cloud is important. Sharing stories about how to map out this very public surface area, and secure it properly, while giving end-users more awarness and control over their PII is critical. Doing this in the name of marketing, PR, or to ride a fear hype wave is not ok. Yet, I fear this will become commonplace in coming months and years, as security breaches, cybersecurity, and privacy are front and center in the media.