API Security Weekly: Issue #18

Review a new tool to audit your API security, look into vulnerabilities of kids' smartwatches, dating apps and firewalls, and more.

by Dmitry Sotnikov
Feb. 15, 19 · News

This week, we are reviewing a new tool to audit your API security, look into vulnerabilities of kids' smartwatches, dating apps and firewalls, and Google's new policies for Gmail API access.

Vulnerabilities

We have reported on API vulnerabilities in kids' smartwatches before. The watches remain vulnerable to API attacks, and the stories just keep pouring in:

  • The European Union is recalling Enox Safe-Kid-One smartwatches because of vulnerable APIs. The APIs have no authentication or encryption, so attackers can access them, retrieve any information on them (like location), change settings, and initiate calls.
  • PenTestPartners found a serious API vulnerability in the Gator smartwatches. The API was using an undocumented parameter User[Grade] to identify the user level. The web UI had the parameter set to 1, but if attackers changed the value to 0, they got full admin access to the whole platform and all devices. Security by obscurity does not work.

APIs behind dating apps can be quite bad, too. The APIs of Jack’d, a dating app for gay and bisexual men, do not require any authentication or authorization, only the mobile app does. The image IDs seem to be sequential and thus open to enumeration. This means that anyone knowing the API URL can just go and retrieve these private images of the application users one by one.

Even devices meant to protect your network can have vulnerable APIs: the CUJO AI firewall device got hacked through its APIs. The firewall exposed APIs that did not require authorization. The APIs were meant to be used by the mobile app to communicate with the cloud service. However, the lack of authorization meant that any user with a valid x-auth-token could enumerate other users, access their policies, and even change them.
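Added example (not from the newsletter or from any of the vendors mentioned): a stripped-down Python handler showing the failure pattern shared by the Gator, Jack'd and CUJO items (privilege or object access decided by client-supplied values, or not checked at all) beside the server-side session and ownership checks that close it. The session table, image store, token names and grade constants are constructed for illustration.

```python
"""Constructed example: client-trusted privilege and missing object-level
authorization, beside the server-side checks that fix both."""
from dataclasses import dataclass
from typing import Optional

ADMIN, REGULAR = 0, 1   # the two User[Grade] values described in the Gator item

@dataclass
class Request:
    params: dict    # query/body parameters supplied by the client
    headers: dict   # request headers supplied by the client

# Constructed server-side state: auth token -> (user id, grade)
SESSIONS = {"tok-alice": ("alice", REGULAR), "tok-admin": ("root", ADMIN)}
# Constructed object store: image id -> owner (sequential ids, as in the Jack'd item)
IMAGES = {1001: "alice", 1002: "bob"}

def _session(req: Request):
    """Look up the caller's identity from the token the server issued."""
    return SESSIONS.get(req.headers.get("x-auth-token", ""))

def grade_vulnerable(req: Request) -> int:
    """Gator pattern: the privilege level comes straight from the client."""
    return int(req.params.get("User[Grade]", REGULAR))

def grade_hardened(req: Request) -> Optional[int]:
    """Privilege comes only from the server-side session; the client
    parameter is never read, so tampering with it changes nothing."""
    sess = _session(req)
    return None if sess is None else sess[1]

def fetch_image_vulnerable(req: Request, image_id: int) -> Optional[str]:
    """Jack'd pattern: no authentication or ownership check at all, so any
    caller can walk the id space and read every user's private images."""
    return f"image-bytes-{image_id}" if image_id in IMAGES else None

def fetch_image_hardened(req: Request, image_id: int) -> Optional[str]:
    """CUJO lesson: a valid token is authentication, not authorization.
    The caller must also own the object (or be an admin)."""
    sess = _session(req)
    if sess is None:
        return None  # unauthenticated: 401 in a real handler
    user_id, grade = sess
    owner = IMAGES.get(image_id)
    if owner is None or (owner != user_id and grade != ADMIN):
        return None  # 404/403; same answer either way, so ids cannot be probed
    return f"image-bytes-{image_id}"
```

Pairing the ownership check with non-sequential object ids (random UUIDs) removes the remaining enumeration signal, but the check itself is what prevents cross-user access.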

Tools

If you have OpenAPI (formerly known as Swagger) definitions, APISecurity.io now offers API Contract Security Audit. This is an online security audit tool you can use to check your APIs for security and other issues:

  1. Go to https://apisecurity.io/tools/audit.
  2. Upload your OpenAPI file, and wait while Security Audit checks it.
  3. Check the audit report for the overall grade and drill down into individual sections.
  4. Click the found issues for detailed descriptions, possible exploit scenarios, and recommended remediation for them.

Best Practices

Speaking of OpenAPI, see the introduction to schema-first API design and the OpenAPI Specification write-up by Yos Riady. His focus is on developer efficiency, but he also talks about how contract-based APIs help to design and enforce security.

Governance

Google is now charging developers hefty fees for a security audit if they want to use Gmail APIs. If your application is using Gmail API, tomorrow (Feb 15, 2019) is your last day to submit it to a security review.

The cost is $15K-$75K. If not passed (or not submitted), Google will cut your API access. Interesting API security governance step…

You can subscribe to this weekly newsletter at https://APISecurity.io.

Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.