Application Programming Interfaces (APIs) are increasingly used to transfer data in a wide variety of mobile applications. These APIs often process sensitive user information through their endpoints, which are potentially exploitable when developers implement them incorrectly. In this paper, a custom, modular endpoint vulnerability detection tool was created and implemented to present current statistics on the degree of information leakage in various mobile Android applications. The tool provides an automated approach to API testing: it programmatically modifies requests multiple times using specific information attack methods (IAMs) and heuristically analyzes the responses for potentially vulnerable endpoints (PVEs). After analysis of API requests across a broad range of applications, findings showed that easily exploitable Broken Access Control (BAC) vulnerabilities of varying severity were common in over 50% of applications. These vulnerabilities ranged from small data leakages due to unintended API use to full disclosure of sensitive user data, including passwords, names, addresses, and SSNs. This investigation aims to demonstrate the necessity of complete API endpoint security within Android applications, and to provide an open-source example of a modular program that developers could use to test for endpoint vulnerabilities.