Understand APIs to save your data from hackers

Security has always been an important aspect of our lives -- whether physical or now data-related. In modern times we input data online to perform various tasks – from basic to complex. Apps do them all in a jiffy, but through a very complex process, which is hidden under the shadows from our direct gaze. 

What works under the hood is an Application Programming Interface or API. So, what is an API, and does it guarantee us safety from the malignance of hackers and data thieves? Take a simple example of ordering food from an online app. 

Have you ever thought about how a food delivery app works? Log in, select your favourite food, track the order and pay – this is the simple process you are concerned with. But, what works under the hood is more complex and it is called API.

APIs are like mediators between the app and the source, which means, the app requests the information from the source via API and the API asks the source for the sharing of the data, and returns the response back to the app. Therefore, any website or application cannot access the system directly. In simple terms, we can say the systems talk to each other with the help of APIs.

The app requests information such as credentials and authentications of the user at the login stage. The database of larger servers is accessed by the API and returns the authentication with the acknowledgment of the source server. As the login is completed, there comes a process of selection (of food items, etc). 

The API provides options of restaurants and the way to their respective sites/apps. As data sharing is approved by the system, the app or the site can access the data. Each app does not have a separate satellite connection, which means, these apps use APIs of established third-party applications such as Google Maps, Mapkit, etc for the real-time tracking of the package we ordered.

The payment is the last stage. The apps either use the ‘cash on delivery’ option, which is handled directly by the user or it uses ‘online payment’ option. Once the user selects the online payment option, it initiates the request to access the servers. The app uses the payment APIs for the payment methods of the users who have saved their credentials on the various gateways such as GooglePay, PayPal, etc. and can be accessed by the app for the payment for the services.



Since we use these large servers, our data is stored in the databases of these third-party applications, which are accessible to various other applications. Does this mean that our data is not safe? The API provides a protection layer through API keys, which are unique security codes that are given by the system to the developer -- the app. By using the API we allow the app to access some of our data. The app can silently have access to your personal data even though the app is not in use for months.



The FIVE Factors:

The tampering of the data shared by the API is done because of various reasons -- (1) Injections: Insertion of malicious code because of which the hacker can access the database. 

(2) Weak Authentication: Having weak passwords, or sharing the API keys to an unauthentic user or relying on the API keys as the only level of security. 

(3) Exposing sensitive data: When the APIs provide excessive data to the client which can lead to comprising of the data provided by the user. 

(4) Security flaw -- when the data is not encrypted properly and the cloud storage is left open and

accessible to the hacker resulting in data leakage. 

(5) Denial of Service attack: This is a type of cyber-attack where the perpetrator floods the machine with overloading traffic resulting in the machine to shut down or triggering a system crash depriving legitimate users of access to the site. Because of attacks of such kind, it is difficult to identify the attackers perforating into the system.

So, how do we keep our data safe? 

Firstly, by making sure that what API we share our data with and ensuring that the APIs we use are developed by genuine third-party apps, that ensure end-to-end encryption of data. Besides, we must make sure to provide a limited number of details and avoid important data that can be misused by hackers. Providing excessive data exposure can lead to data hazard and leakage of the data to malefic sites. 

Finally, revoking access of the data from the apps that are not in use anymore is also recommended.

(TICE contributor Hiya Jayaswal is B.Tech CSE (AI&ML) student of SRM University)