APIs are the “next frontier in cybercrime.” By 2022, API abuse will be the most frequent and impactful attack vector that involves web applications.
The APIs that feed your mobile apps are rich pickings for fraudsters, scrapers, and criminals. In fact, reverse engineering your mobile app to discover the backend APIs is the first thing any serious adversary would do. Why? Well, more often than not, mobile API protection is inadequate from these types of attacks. You’ve left the door open, and hackers can just walk in and take your data.
In the battle to protect your mobile APIs, the odds are stacked in your adversaries’ favour as your:
- Conveniently structured data ensures high levels of scraping efficiency, which lowers their operating costs.
- Traditional AppSec toolkit is ineffective – WAFs, rate limiting, JS inspection, etc.
- API footprint presents a broad attack surface with rapid development cycles and a long tail of legacy APIs. Let’s be honest: there is most likely a graveyard of tech debt hidden in there with little to no controls in place.
- Upgrade cycles for your apps are slower, giving you less opportunity to dynamically defend against fast-moving attackers.
- Visibility of security threats against your API endpoints is limited. The unexpected behaviour patterns of an attack will easily be hidden amongst the noise.
- Mobile apps are a low effort / high reward hacking exercise. It’s cheap, easy, and the tools are readily available.
The API Hacking Toolkit:
The software that your app developers use to design your app can also be used to hack it. It’s a simple process that a junior developer could complete whilst drinking their morning coffee. Here’s what’s needed:
- Your app
- A Man-in-the-Middle (MITM) proxy: Charles, Fiddler, Anyproxy


