We here at ProgrammableWeb see a lot of APIs. Many of them are pretty secure, and some sadly are not. So, what makes an API secure? Well, I’m glad you asked. There are a lot of things one can do to improve the security of an API. Below I’ll outline three simple practices that make up a good start for a secure API.
Although it’s hard to do justice to the topic of API security in the space of a blog post, the topic is important because it affects every API architect creating a new web service. Advice that has come from experience may be of particular value—and that’s what follows here.
Google, in what appears to be a new initiative to make its APIs more secure for end users and easier for developers to work with, has begun rolling out OAuth 2.0 support for its APIs. This brings about two major changes in how apps integrate with Google APIs.
Security is of paramount importance in applications. APIs are the cornerstone of most applications today, and ensuring that the data flowing through API calls is secure cannot be overemphasized. Secure Sockets Layer (SSL) has been available to us for years now, and Google has made the first moves in using SSL across its suite of products, with a plan to roll out SSL for most of its developer APIs in the latter part of the year.
For a few days, Facebook was making a user’s phone number and address available, with the user’s permission, via its Facebook Graph API. Likely fueled by distrust of Facebook’s previous approaches to privacy, users and press reacted negatively to the concept. Based on this feedback, Facebook reversed its decision, and neither phone number nor address is returned to applications at this time. Privacy is a big concern, especially for APIs, but Facebook took appropriate steps for gaining user permission. The reaction to Facebook’s platform change was an overreaction, which points to a need for more granular privacy controls and a better method of granting access.
A Digg community member, suspicious of some top links, used the site’s Digg API to uncover 159 fake accounts. By comparing the stories voted on by these accounts with other stories, he discovered what appeared to be directed fraud and what Digg now calls “tests to find spam vulnerabilities.” We spoke to the community member to learn how he used the site’s API and what he learned.
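The post only says the accounts were found by comparing what they voted on, so here is one way that comparison can be done, as an added example that is not the community member’s code and not anything from Digg. It scores every pair of accounts by the Jaccard overlap of their vote histories, links pairs above a threshold into rings, and then lists the stories a ring pushed together. The vote data, account names, story ids and the `threshold`/`min_votes` parameters are all constructed for the illustration; a real run would populate `VOTES` from whatever vote listing the API exposes.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample data (hypothetical, not real Digg API output):
# account name -> set of story ids that account voted for.
# alice/bob/carol/dave vote in near lockstep; the rest are ordinary users.
VOTES = {
    "alice": {1, 2, 3, 4, 5, 6, 7, 8},
    "bob":   {1, 2, 3, 4, 5, 6, 7, 9},
    "carol": {1, 2, 3, 4, 5, 6, 8, 9},
    "dave":  {1, 2, 3, 4, 5, 6, 7, 8},
    "erin":  {2, 10, 11, 12},
    "frank": {1, 13, 14, 15, 16},
    "grace": {17, 18, 19},
}


def jaccard(a, b):
    """Overlap of two vote sets as |A & B| / |A | B| (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def coordinated_pairs(votes, threshold=0.6, min_votes=5):
    """Return (account_a, account_b, similarity) for every pair of accounts
    whose vote histories overlap by at least `threshold`.  Accounts with fewer
    than `min_votes` votes are ignored: tiny histories overlap by accident."""
    active = {acct: s for acct, s in votes.items() if len(s) >= min_votes}
    pairs = []
    for a, b in combinations(sorted(active), 2):
        sim = jaccard(active[a], active[b])
        if sim >= threshold:
            pairs.append((a, b, sim))
    return pairs


def voting_rings(votes, threshold=0.6, min_votes=5):
    """Group accounts linked by high-overlap pairs into rings: the connected
    components of the similarity graph.  An account with no linked partner
    is not a ring, so it is never reported."""
    graph = defaultdict(set)
    for a, b, _ in coordinated_pairs(votes, threshold, min_votes):
        graph[a].add(b)
        graph[b].add(a)
    seen, rings = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        component, queue = [], deque([start])
        seen.add(start)
        while queue:  # breadth-first walk of one component
            node = queue.popleft()
            component.append(node)
            for nxt in graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        rings.append(sorted(component))
    return rings


def boosted_stories(votes, ring, min_members):
    """Stories that at least `min_members` accounts of `ring` voted on:
    the likely targets the ring was pushing."""
    counts = defaultdict(int)
    for acct in ring:
        for story in votes[acct]:
            counts[story] += 1
    return {story for story, n in counts.items() if n >= min_members}


if __name__ == "__main__":
    for ring in voting_rings(VOTES):
        pushed = boosted_stories(VOTES, ring, len(ring) - 1)
        print("ring:", ring, "pushed stories:", sorted(pushed))
```

The `min_votes` floor matters more than the threshold: a brand-new account with two votes that happen to match yours scores 1.0, so without it the method flags ordinary newcomers. Raising `threshold` to 0.9 on the sample data shrinks the ring to the two accounts with identical histories, which is the trade-off a real investigation tunes by hand.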
Network administrators have many responsibilities. Is the server up? Are e-mails bouncing? Now, in addition to these low-level issues, Google’s Safe Browsing Alerts for Network Administrators allows sysadmins to get alerts for web sites in their network that may be hosting malicious content.
Facebook added an application settings dashboard to give users a way to see what information is available to apps. The move makes very clear what was previously murky. The result should be users who are more likely to trust your applications, because it’s harder for others to get away with tricking them into granting permission.
We’ve covered location stalking through apps like Foursquare, Gowalla, and Facebook Places as a potentially hazardous concept for the truly paranoid. Well, it’s not so much a laughing matter anymore. A ring of burglars in New Hampshire used social websites, and potentially tracked location-sharing app check-ins, to find when their soon-to-be victims were away from [...]