Establishing Security With Social Media APIs

Security needs to be a priority for any software development effort. As countless data breaches and other cybersecurity incidents have demonstrated, though, aiming to secure software and actually achieving it are two very different things.

This is particularly true when it comes to social media APIs. Social APIs are becoming increasingly popular, and with good reason. Yet in order to effectively take advantage of these resources, businesses need to make security a priority. Failure to do so can have serious consequences.

Social API popularity growing
It's easy to see why so many companies are eagerly embracing social media APIs when developing their software applications. APIs in general are invaluable for enabling communication and interaction between two pieces of software, and the advantages of linking a company's app to one or more popular social media networks speak for themselves. Writing for Search Engine Journal, industry expert Christian Arno emphasized that "[t]he API economy is all about sharing and collaboration," and the same could be said of social media. This makes social media APIs a natural development.

Arno asserted that it's fair to say "social APIs are everywhere" today. He noted that among the most popular of these are the YouTube data API, the Embedded Tweets tool, Facebook Graph API and Google API.

There's little reason to expect the API trend to slow down anytime soon. On the contrary, it's quite likely that even more firms will start to embrace social APIs in the coming months and years.

"Companies have a responsibility to ensure their users' privacy when leveraging social APIs."

Security concerns
The widespread popularity of social APIs does not guarantee their security, however. The most obvious example of this potential pitfall is Snapchat's API and what was popularly called "the Snappening." As Wired contributor Woodrow Hartzog noted at the time, hackers managed to intercept hundreds of thousands of Snapchat users' videos and pictures, which they then posted online. Hartzog explained that this cyberattack was committed via third-party applications that used Snapchat's API.

The writer further argued that responsibility for this incident ultimately should reside with Snapchat. He explained that even though API security is particularly difficult when it comes to social media, companies have a responsibility to ensure their users' privacy when they offer these services.

This applies not just to social media companies themselves, but also to any firm developing its own API or utilizing available social media offerings.

Achieving security
This obviously raises the question of how companies can best protect these resources.

For starters, firms should strive to follow all best practices in the realm of API security. Consider, for example, the case of Moonpig's cybersecurity vulnerabilities. Early this year, several major flaws were found in the U.K.-based personalized greeting card company's API. As SmartBear contributor Paul Bruce explained, these flaws included the exposure of credit card details and internal DNS data, inappropriate use of Account ID data and Basic Authentication, and little to no rate limiting. All of these missteps contributed to putting Moonpig customers at risk of identity theft or fraud, and should be avoided whenever any firm uses or develops its own social APIs.

Securing social APIs is difficult but possible.

Furthermore, Hartzog emphasized that there are a number of steps that social media-specific API developers can take to further ensure the security of these resources. For example, the writer recommended that companies embrace rigorous client authentication to go along with standard user authentication efforts. This will help to ensure that only authorized software can connect and interact with the API.
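To make the recommendation above concrete, here is an added example (not code from Hartzog, Bruce or any of the companies named) of a server-side check that authenticates the calling application and the user separately, and treats an account ID as a lookup key rather than as proof of identity. The HMAC request-signing scheme, the five-minute replay window and all names and values are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed sample data: registered client apps, live user sessions, account owners.
CLIENT_SECRETS = {"photo-app": b"constructed-client-secret"}
USER_SESSIONS = {"tok-alice": "alice"}
ACCOUNT_OWNER = {"1001": "alice", "1002": "bob"}
MAX_SKEW_SECONDS = 300  # assumed replay window for signed requests


def sign_request(secret, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the request parts that must not change."""
    message = "\n".join([method, path, str(timestamp)]).encode() + b"\n" + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def authorize(request, now):
    """Server side: return (allowed, reason) for a request dict."""
    # 1. Client authentication: a registered app must have signed this request.
    secret = CLIENT_SECRETS.get(request.get("client_id"))
    if secret is None:
        return False, "unknown client"
    if abs(now - request["timestamp"]) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(secret, request["method"], request["path"],
                            request["timestamp"], request["body"])
    if not hmac.compare_digest(expected, request.get("signature", "")):
        return False, "bad client signature"
    # 2. User authentication: the session token must map to a known user.
    user = USER_SESSIONS.get(request.get("user_token"))
    if user is None:
        return False, "unknown user"
    # 3. Authorization: the requested account must belong to that user.
    if ACCOUNT_OWNER.get(request.get("account_id")) != user:
        return False, "account not owned by user"
    return True, "ok"


def build_request(account_id, user_token="tok-alice", now=1_700_000_000):
    """Build a correctly signed sample request from constructed values."""
    req = {"client_id": "photo-app", "method": "GET",
           "path": f"/accounts/{account_id}/photos", "timestamp": now,
           "body": b"", "user_token": user_token, "account_id": account_id}
    req["signature"] = sign_request(CLIENT_SECRETS["photo-app"], req["method"],
                                    req["path"], req["timestamp"], req["body"])
    return req
```

A shared secret of this kind is only as strong as its storage: it suits server-side clients, while a secret shipped inside a distributed mobile or desktop app can be extracted from the binary.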

Ultimately, establishing security with social media APIs is undoubtedly a challenge. However, considering the value that these resources can provide, it is certainly worth taking the time and seeking out the expertise needed to ensure best practices are followed at every step.