third-party-api-security

third party api security

Most apps integrate third-party API services, and there are security issues related to them.

usage of third-party APIs

  • log file upload (uploading app error reports)
  • App Analytics
  • online map API
  • image upload
  • payment
  • search API
  • Language Translation and Content Localization Solutions

security issues

  • misconfigured API key access (the secret_key or access_key can read or modify data on other endpoints)
  • uploaded log files containing sensitive information (tokens, sessions, passwords)
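The second issue above is the easiest to fix at the source: scrub the log text before the crash or log-upload SDK ever sees it. The scrubber below is an added example (not from the original page and not any vendor's SDK); the key names, regexes and sample log lines are constructed for illustration, and the patterns redact Authorization headers, the whole Cookie header, and password/token/secret/session/api_key style key-value pairs in both plain and JSON form.

```python
"""Redact secrets from app error logs before they leave the device.

Added example (not from the original page): a small scrubber that runs over
log text prior to handing it to a third-party crash/log upload SDK. The
key names, regexes and sample log lines below are constructed.
"""
import re

# Key names whose values should never appear in an uploaded log (assumed list).
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "session", "api_key", "access_key")

# key=value and "key": "value" forms; the key match is case-insensitive and
# also covers suffixed names such as access_key_id.
_KV_RE = re.compile(
    r'(?P<key>\b(?:' + "|".join(SENSITIVE_KEYS) + r')[a-z_]*)'
    r'(?P<sep>"?\s*[=:]\s*"?)'
    r'(?P<val>[^\s",;&]+)',
    re.IGNORECASE,
)
# "Authorization: Bearer <token>" / "Authorization: Basic <b64>" headers.
_AUTH_RE = re.compile(r'(?P<hdr>Authorization:\s*(?:Bearer|Basic)\s+)(?P<val>\S+)', re.IGNORECASE)
# Cookie headers: the whole cookie jar is redacted, because session ids live there.
_COOKIE_RE = re.compile(r'(?P<hdr>\bCookie:\s*)(?P<val>[^\r\n]+)', re.IGNORECASE)

REDACTED = "[REDACTED]"

# Constructed sample log, the kind of text an app might ship to a log service.
SAMPLE_LOG = """\
2024-05-01 12:00:01 INFO  GET /api/profile Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123
2024-05-01 12:00:01 DEBUG request headers Cookie: session=9f8e7d6c; theme=dark
2024-05-01 12:00:02 ERROR login failed for user=alice password=hunter2 from 10.0.0.5
2024-05-01 12:00:03 DEBUG config loaded {"api_key": "AKIDEXAMPLE0001", "region": "cn-hangzhou"}
2024-05-01 12:00:04 INFO  upload complete, 3 files
"""


def scrub_line(line: str) -> str:
    """Return one log line with every secret value replaced by REDACTED."""
    line = _AUTH_RE.sub(lambda m: m.group("hdr") + REDACTED, line)
    line = _COOKIE_RE.sub(lambda m: m.group("hdr") + REDACTED, line)
    line = _KV_RE.sub(lambda m: m.group("key") + m.group("sep") + REDACTED, line)
    return line


def scrub_log(text: str) -> str:
    """Scrub a whole log buffer line by line."""
    return "\n".join(scrub_line(line) for line in text.splitlines())


def count_redactions(text: str) -> int:
    """How many secrets the scrubber removes; non-zero in a release build is a red flag."""
    return scrub_log(text).count(REDACTED) - text.count(REDACTED)


if __name__ == "__main__":
    print(scrub_log(SAMPLE_LOG))
    print("redactions:", count_redactions(SAMPLE_LOG))
```

Run the scrubber as the last step before the upload call, and track count_redactions in CI: if a release build's sample logs still produce redactions, the fix belongs in the code that logged the secret, not only in the scrubber.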

some API services may have security issues

image upload
  • aliyun OSS
    If aliyun OSS is used only for uploading files, the developer should grant only the write privilege, not read. But the most common problem is that both are granted.
    An aliyun OSS secret key with both privileges can read or write the files.
    oss-browser
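The write-only rule above can be checked mechanically against the RAM policy attached to the credential the app carries. The checker below is an added example (not from the original page and not Aliyun's own tooling): it expands wildcard actions, honours Deny statements, and reports any read or list action on the upload bucket. The bucket name, region, account id and both policy documents are constructed; the action names follow the Aliyun RAM "oss:<Operation>" convention and are an assumption about the names you would see in a real policy.

```python
"""Check an Aliyun RAM policy for an upload-only OSS bucket.

Added example (not from the original page or Aliyun's own tooling). The
bucket name, region, account id and both policy documents are constructed;
the action names are assumed to follow the Aliyun RAM "oss:<Operation>" form.
"""
import fnmatch
import json

# Action an upload-only credential needs.
WRITE_ACTIONS = {"oss:PutObject"}
# Actions that let a key extracted from the app read back or enumerate uploads.
READ_ACTIONS = {"oss:GetObject", "oss:ListObjects"}

# Weak policy: the key can do anything on the bucket, so anyone who pulls it
# out of the app can download every user's uploaded images.
WEAK_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:*"],
        "Resource": ["acs:oss:*:*:example-app-uploads",
                     "acs:oss:*:*:example-app-uploads/*"],
    }],
})

# Corrected policy: write only, and only under the upload prefix.
UPLOAD_ONLY_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:PutObject"],
        "Resource": ["acs:oss:*:*:example-app-uploads/incoming/*"],
    }],
})


def _as_list(value):
    """RAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def granted_actions(policy_json: str, bucket: str, object_key: str = "incoming/photo.jpg") -> set:
    """Return the concrete OSS actions the policy allows on the bucket.

    Two resource names are probed: the bucket itself and one object under the
    prefix the app uploads to. Wildcards in Action ("oss:*", "oss:Get*") are
    expanded against the known action names; Deny statements win over Allow.
    """
    policy = json.loads(policy_json)
    known = WRITE_ACTIONS | READ_ACTIONS
    probes = (f"acs:oss:cn-hangzhou:123456789012:{bucket}",                # constructed region/account
              f"acs:oss:cn-hangzhou:123456789012:{bucket}/{object_key}")
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(p, r) for p in probes for r in resources):
            continue  # statement does not touch this bucket
        patterns = _as_list(stmt.get("Action", []))
        matched = {a for a in known if any(fnmatch.fnmatchcase(a, pat) for pat in patterns)}
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(matched)
    return allowed - denied


def read_exposure(policy_json: str, bucket: str) -> set:
    """Read/list actions an upload credential should not carry (empty set = OK)."""
    return granted_actions(policy_json, bucket) & READ_ACTIONS


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("upload-only", UPLOAD_ONLY_POLICY)):
        print(name, "grants:", sorted(granted_actions(doc, "example-app-uploads")),
              "read exposure:", sorted(read_exposure(doc, "example-app-uploads")))
```

A policy review is only half of it: the credential shipped in the client should be a short-lived STS token or signed upload URL derived from the write-only policy, never the long-lived secret key itself, since whatever is in the app can be extracted with tools such as the oss-browser client listed above.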
map
amap (Amap open platform API) (https://lbs.amap.com/)
  • yuntuapi.amap.com
    This API should not be used on the client side (app or web); the endpoint is for managing the data.
baidu map sdk
  • api.map.baidu.com
Mapbox

branch.io

api.amplitude.com

document

track users and improve the customer experience

quantummetric.com

[no document yet]

braze.com

document

kochava.com

document

app error log

appcenter.ms

app-measurement.com (Google ad services)

crashlytics.com (Google Firebase service)

  • settings.crashlytics.com
  • e.crashlytics.com

New Relic

document

Language Translation and Content Localization Solutions

smartling.com

  • https://www.smartling.com/
    This service really sucks, because it sends the front-end code to their server.
    If the user visits a page containing sensitive data (API secret keys, bank accounts, emails, phone numbers, etc.), that data is also sent to their server.

payment

search API

algolia

stripe.com

api.stripe.com

App Analytics (China)

mob.com

  • m.data.mob.com

umeng