Every year more consumers use mobile devices to access online services. Every service business, in B2B as well as B2C, therefore has to cater to mobile device owners, and mobile users prefer dedicated mobile applications to web applications running in a mobile browser. As a result, businesses need to develop their own mobile apps or interface with existing ones.

This platform shift makes mobile application security crucial to businesses. To avoid security breaches, businesses focus on secure mobile app development and the security of their code, paying most attention to issues such as insecure data storage, insecure network connections, and protecting the app against malicious code. Many of them, however, forget that the security of the app depends as much on the server side as on the client side.

Mobile Security and Web APIs

Every mobile application that is a front end to an online back-end service must communicate with that service in real time. Almost all such apps, regardless of the mobile operating system (iOS or Android), use REST APIs for this purpose. There are many reasons for it: REST is a widely adopted and mature architectural style, there are many tools for designing and developing REST APIs, and the same API can serve other purposes as well, for example exposing the same services to multiple platforms.

It is therefore no exaggeration to say that almost every enterprise mobile app is exposed to web vulnerabilities through its back end. REST APIs are susceptible to nearly all the vulnerabilities that typical web applications have. This means that the back end of a mobile app can be subject to SQL injection or an XML External Entity (XXE) attack with the same consequences such an attack would have on a regular web application, and those consequences can be dire, including theft of sensitive data (e.g. credit card information).

How to Secure Your Mobile App API

The process of developing a secure mobile app API must follow the same security principles as the process of developing a web application:

  • Developers who build the back end must be trained to avoid introducing typical web vulnerabilities into the API source code. Maintaining suitable security awareness across the business is one of the most effective general IT security measures.
  • The API should undergo regular automated security testing with a web vulnerability scanner. Best practice is to schedule scans of production environments, make scans of all staging environments mandatory before promotion to production, and run early scans in CI/CD pipelines.
  • Automated tests should be complemented by less frequent manual penetration testing. No vulnerability scanner is perfect, and certain classes of vulnerabilities, such as business logic flaws, still require a human.
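The following is an added example, not code from the original article or from Acunetix/Invicti. It illustrates two points above at once: the SQL injection that reaches a mobile back end through its REST API (a profile endpoint that pastes the JSON body's `username` into the query, next to the same endpoint with a bound parameter), and the automated testing step, as a small CI-style probe that calls each handler with injection payloads and reports any that return rows for a user who does not exist. The user table, the card numbers, the handler names and the payloads are all constructed for the example; there is no web framework, the "request" is simply the parsed JSON body as a dict.

```python
"""Toy JSON API handler for a mobile back end, in a string-formatted
(injectable) version and a parameterized version, plus an automated
injection probe of the kind a CI job would run. Constructed example."""
import json
import sqlite3

# Constructed sample data standing in for the back-end user store.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "4111111111111111"),
    (2, "bob", "bob@example.com", "5500000000000004"),
]


def make_db():
    """Fresh in-memory SQLite database loaded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def _rows_to_json(rows):
    return [dict(zip(("username", "email"), r)) for r in rows]


def handle_profile_vulnerable(conn, body):
    """Profile lookup as the text warns against: the username from the JSON
    body is formatted straight into the SQL text, so a crafted value changes
    the meaning of the query, exactly as it would in a web form."""
    username = body["username"]
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return {"status": 200, "body": _rows_to_json(conn.execute(sql).fetchall())}


def handle_profile_safe(conn, body):
    """Same endpoint with a bound parameter: the value travels separately
    from the SQL text, so quotes and comment markers in it are only data."""
    username = body.get("username")
    if not isinstance(username, str) or not username:
        return {"status": 400, "body": {"error": "username required"}}
    rows = conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return {"status": 200, "body": _rows_to_json(rows)}


# Constructed probe payloads. Each names a user that does not exist and
# tries to widen the WHERE clause or append a UNION; a correct handler
# returns no rows for any of them.
INJECTION_PAYLOADS = [
    "nobody' OR '1'='1",
    "nobody' OR 1=1 --",
    "' UNION SELECT username, card_number FROM users --",
]


def injection_probe(handler, conn):
    """CI-style automated check: call the handler with each payload and
    record every payload for which the response carried data for a user
    that does not exist. Returns the list of leaking payloads (empty = pass)."""
    leaked = []
    for payload in INJECTION_PAYLOADS:
        try:
            resp = handler(conn, {"username": payload})
        except sqlite3.Error:
            # A database error on hostile input would be reported by a real
            # scanner too (the input reached the SQL parser); this probe only
            # counts confirmed data exposure.
            continue
        if resp["status"] == 200 and resp["body"]:
            leaked.append(payload)
    return leaked


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", handle_profile_vulnerable),
                          ("safe", handle_profile_safe)):
        print(name, "leaks on:", json.dumps(injection_probe(handler, db)))
```

Run against the vulnerable handler, the probe flags all three payloads, and the UNION payload returns card numbers in the `email` field, which is the kind of data theft the article describes. Against the parameterized handler it flags none. A check of this shape belongs in the pipeline stage the article calls "early scans in CI/CD", as a regression test that fails the build rather than a report someone has to read.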

To maintain data security and eliminate major security threats, every business should recognize the importance of API security. In the case of a client-side compromise, the scope of the attack is limited to the users whose devices are infected with malware. In the case of an API compromise, however, the sensitive information of all your mobile users is at risk.


Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.