API Security, Developers And Users Responsibility
The world of software development today is flooded with APIs (Application Programming Interfaces). Pick any web service provider today, and that vendor almost certainly offers APIs for developers to interface with its systems. This is because vendors compete not only on their products and services but also for the “mindshare” of IT and development teams, who integrate these APIs into their organizations' internal systems. For decades, the name of the game has been “compatibility” and “popularity”; both traits let a vendor automatically capture bigger markets, with the side effect of opening it up to cybercrime.
The requirement that an API be universally compatible and popular across platforms is the reason the world has been in trouble with never-ending Flash Player vulnerabilities. The once-valuable browser plugin, which brought multimedia to browsers before HTML5, became the API that attackers have taken advantage of for more than two decades. For decades, we even witnessed the growth of Flash-only websites, where the visitor is forced to download the plugin in order for the specific website they are visiting to load properly.
It was only pressure from browser vendors, particularly Apple, that prevented the further spread of the Flash Player plugin in the mobile space. Now Flash Player’s demise is guaranteed for 2020, as Adobe assured the public on its own blog. Imagine how many websites were fully Flash-based before Apple's public statement rejecting Adobe's offer to develop a Flash Player plugin for iOS devices. “Several industries and businesses have been built around Flash technology – including gaming, education and video – and we remain committed to supporting Flash through 2020, as customers and partners put their migration plans into place. Adobe will continue to support Flash on a number of major OSs and browsers that currently support Flash content through the planned EOL,” explained an Adobe representative.
The irresponsible overuse of APIs by many websites (and the API security issues that come with it) comes back to bite them sooner or later, once an open alternative becomes available. It took Netflix quite a while to abandon Microsoft’s Silverlight plugin for playing back its content in a browser window, but the public clamor for an open standard created an opportunity for the video-sharing giant. The combination of HTML5 and WebAssembly in modern web browsers made Flash Player and Silverlight redundant; the plugins now only serve to widen the attack surface of both the user’s browser and the vendors’ servers that host the content.
Not every plugin available to web developers needs to be adopted; restraint here is how we prevent another Flash Player or Silverlight security controversy. With the growth of IoT devices and the further spread of mobile devices to the rest of the population, many people who previously had no access to the Internet are going online for the first time on these devices. This goes hand in hand with growing adoption of Google services, which gives the search giant more influence over how apps should behave. Google knows this, which is why Android smartphones ship with Google Play Protect as part of the Google Play Services app. With it, Google has a virtual kill switch for apps the company sooner or later determines to be malicious.
Of course, deciding what is and is not needed on a device is ultimately up to the users themselves. It is their personal device, after all, but vendors such as Google and Apple should continue their campaigns to secure their devices, whether through remote takedown of malicious apps or simply through user education.
Julia Sowells
Julia Sowells is a technology and security professional. In her decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.