
Wake up and smell the API

Mobile has driven the growth of APIs, but many companies don't make their APIs public and instead take a private-API approach, often with disastrous outcomes. By working on an API in private you don't get the mass feedback or input you get with a public API. Using mitmproxy or Charles Proxy makes it a simple task to expose a mobile app's API calls, and when companies combine weak security with auto-incrementing IDs it is a trivial task to hack these APIs. Why not open your API up from the start and empower others to give you valuable feedback, and to innovate on top of your platform in ways you may not have considered?
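As an added illustration (this is not code from the talk, nor from any company the slides mention), the following Python models the bug class the abstract and slides 7 and 8 point at: records keyed by an auto-incrementing id, served by an endpoint that checks that the caller is logged in but never that the record belongs to them. Once the id is visible in a proxy, one valid session is enough to walk the id space. The records, ids, customer numbers, handler names and the ownership check are all constructed for this example.

```python
"""Added example (not from the talk): sequential ids plus a missing
ownership check turn a "private" mobile API into a public one.

All data and handler names below are constructed stand-ins for a
customer-address endpoint; they are not any real company's code.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Address:
    address_book_id: int   # auto-incrementing primary key, so guessable
    customer_id: int       # owner of the record
    postcode: str


# Constructed data: three customers, one address each, consecutive ids.
ADDRESSES = {
    414628930: Address(414628930, 11466749, "LN1 3FN"),
    414628931: Address(414628931, 11466750, "SW1A 1AA"),
    414628932: Address(414628932, 11466751, "EH1 1YZ"),
}


class Forbidden(Exception):
    """Raised when a request is refused (not logged in, or not the owner)."""


def get_address_vulnerable(session_customer_id: Optional[int],
                           address_book_id: int) -> Address:
    """Authenticates (a session exists) but never authorises: any
    logged-in customer can read any address by guessing its id.
    This is the pattern the abstract calls trivial to exploit."""
    if session_customer_id is None:
        raise Forbidden("login required")
    return ADDRESSES[address_book_id]


def get_address_fixed(session_customer_id: Optional[int],
                      address_book_id: int) -> Address:
    """Same lookup plus an object-level authorisation check: the record
    must belong to the caller. "Not yours" and "does not exist" return
    the same error so the endpoint cannot be used to probe id ranges."""
    if session_customer_id is None:
        raise Forbidden("login required")
    record = ADDRESSES.get(address_book_id)
    if record is None or record.customer_id != session_customer_id:
        raise Forbidden("no such address")
    return record


def harvest(handler: Callable[[Optional[int], int], Address],
            session_customer_id: Optional[int],
            start_id: int, count: int) -> List[Address]:
    """What an attacker does after seeing the id in mitmproxy or Charles:
    walk consecutive ids from a single valid session, keep what comes back."""
    found = []
    for address_book_id in range(start_id, start_id + count):
        try:
            found.append(handler(session_customer_id, address_book_id))
        except (Forbidden, KeyError):
            continue
    return found


if __name__ == "__main__":
    # Customer 11466749 logs in once and sweeps three consecutive ids.
    me = 11466749
    print("vulnerable:", len(harvest(get_address_vulnerable, me, 414628930, 3)))
    print("fixed:     ", len(harvest(get_address_fixed, me, 414628930, 3)))
```

The ownership check is the fix; switching to random identifiers on its own only slows the sweep down, because the id still leaks through the proxy the moment the app uses it. The same check applies to the credit-card listing in slide 8, where the guessable value is the customer id rather than the address id.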

Simon Wood

July 14, 2015

Transcript

  1. Wake up and smell the API, by Simon Wood (@hpoom)
     Untangling the Web London - July 2015

  2. "When it comes to modern devices and cloud services, there's no such thing as a private API." George Reese (bit.ly/private-API)
     Image: "Vintage Bank Vault" by Brook Ward, licensed under Creative Commons, https://flic.kr/p/dTo7wU

  3. "If You Have A Publicly Available Mobile App You Have a Public API." Kin Lane (bit.ly/public-API)

  4. "We're excited by the interest in developing for the Snapchat platform but we prohibit access to the private API we use to provide our service." Snapchat (bit.ly/snapchat-api)

  5. "If it has an http:// in front of the address, it is a public API." Kin Lane (bit.ly/http-public)

  6. "I've seen some half-arsed security measures in my time but this just takes the biscuit. Whoever architected this system needs to be water-boarded." Paul Price (bit.ly/moonpig-api)

  7. Customer address record returned by the API (JSON, truncated on the slide):

     {
       "Address": "xxxxxx\r\nxxxxxxx\r\nxxxxxxx",
       "AddressBookId": 414628930,
       "AddressType": "CustomerAddress",
       "AddressTypeId": 1,
       "Company": "Test",
       "Country": "United Kingdom",
       "County": "London",
       "Firstname": "Test",
       "Greeting": null,
       "Lastname": "Test",
       "Postcode": " LN1 3FN",
       "PostcodeSystemUpdated": null,
       "SortByLastName": false,
       "Suffix": null,

  8. Customer credit card record returned by the API (XML):

     <ArrayOfCustomerCreditCard
         xmlns="http://schemas.datacontract.org/2004/07/Moonpig.Model.CustomerAttributes.Accounting"
         xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
       <CustomerCreditCard>
         <CardType>Credit Card (Unspeci</CardType>
         <CustomerId>11466749</CustomerId>
         <ExpiryDate>12/18</ExpiryDate>
         <LastFourDigits>5993</LastFourDigits>
         <NameOnCard>Mr X XXX</NameOnCard>
         <TransactionId>5983632541-1</TransactionId>
       </CustomerCreditCard>
     </ArrayOfCustomerCreditCard>

  9. "The government is determined to support a more competitive banking sector where banks and financial technology firms can thrive alongside the established players, competing to offer new and improved services to customers." George Osborne (autumn-statement-2014)

  10. Thank you. Please contact me if you have any questions.
      Twitter: @hpoom