scroll it
synack-mobile-apps+APIs-blog-banner (1)

API Security: A Vital Piece of Mobile App Pentesting

0% read

Whether you are checking your flight, the weather or an account balance, today’s mobile applications are largely powered by application programming interfaces (APIs). 

According to the Postman 2023 State of the API report, 57% of respondents said they consumed APIs to “integrate with external applications,” and 22% specifically said that APIs were “enabling mobile applications.” In another report from marketsplash, 90% of developers said they “incorporate APIs in their work.”

APIs Save Development Time by Working Across Apps

For the use cases mentioned at the beginning, users also expect to perform the same task seamlessly with the desktop experience. For this reason, many APIs that are used by mobile apps are also used by their analogous web applications.

In fact, you can think of the API as the location of an app’s functionality, with the web and mobile applications having appropriate presentation layers sitting on top of the API. Why build the same functionality twice, when you can build it once and have it be called from multiple places via the API? It is for these reasons that modern mobile apps are increasingly API-dependent.

Testing APIs Is an Integral Part of Mobile Pentesting

When looking to perform pentesting on a mobile app, testing the APIs powering the app are top priority. To not check for common API vulnerabilities would be to ignore a vital aspect of the app’s security posture. According to a 2022 API research report by Google, more than 50% of respondents experienced an API incident in the prior 12 months. Because the API is likely being used by a web app or other third parties, testing it improves the security posture of other apps and assets, too.

The Open Web Application Security Project (OWASP), defines 10 common and critical API vulnerabilities that developers should be mindful of. Each of these vulnerabilities can have a big impact. For example, a popular exercise bike’s app leaked customer data via its API in 2021.

This isn’t to say that there aren’t other kinds of vulnerabilities to check for in a mobile app outside of the API, such as those called out in the OWASP mobile application security project. However, as APIs grow in popularity and usage, it’s important to make sure they get a deliberate piece of the security testing pie.

Synack API Pentesting for Mobile Applications

Through the Synack Platform, users can submit documentation on API endpoints that serve a mobile app. These endpoints don’t need to be exclusive to the mobile app; they can be used by a variety of entities. 

Once the scope is defined, Synack distributes the endpoints among a global community of researchers called The Synack Red Team (SRT). Researchers with proven API testing expertise will look for critical vulnerabilities, such as those listed in the OWASP API Top 10. 

Feeling confident about what was checked is just as important as knowing what was found, so you’ll receive a report for all API endpoints tested, detailing what aspects were checked and the testing methodology used. 
Contact us today to get started.