Software developers often use application programming interfaces (“APIs”) during the development of mobile applications. The use of an official API requires that the developer and the API provider (hereinafter, “API provider” or “API owner”) enter into a written agreement under which the developer undertakes to abide by the Terms of Service (“TOS”) specific to developer access to the API. Upon acceptance of the TOS or Developer Agreement, the API provider issues a set of unique identifiers (or keys) to the developer. Currently, API owners are responsible for the ongoing compliance management of their developers throughout the life-cycle of the application. Management of compliance for applications that access the official API directly is fairly straightforward, because every request carries the developer's keys and can be attributed to an agreement. However, applications that operate outside of the API owner's system (for example, by scraping the owner's website or by using the API's data in ways the owner cannot observe from the request stream alone) are problematic to audit. There are some common areas of abuse for most API providers including, but not limited to, Trademark Use/Abuse, Copyright or Logo Use/Abuse, Common Abuses Using Official API(s), and/or the like.
In some cases, Trademark Use/Abuse might include, without limitation, (1) the application (inappropriately or inaccurately) implying partnership with, sponsorship by, or endorsement from the brand; (2) use of part or all of a trademarked phrase or title in the company or application title without explicit consent from the trademark holder; (3) the developer manipulating or distorting the trademarked term, which could include, but is not limited to, using foreign language equivalents, phonetic equivalents, or letter or number substitutions, and/or the like; (4) using a trademarked term in the description of the application without qualifying words such as “for,” “powered by,” or “compatible with” (use of the term together with such qualifying words is generally permitted); and/or the like.
Copyright or Logo Use/Abuse might include, but is not limited to, (i) using the brand's official logo in an application that accesses the brand's official API (which brand holders usually do not permit); (ii) using part or all of a graphic or logo owned by the brand as the company or product logo of a non-affiliated application; (iii) using the official logo within the application instead of the developer logo that the platform provides for that purpose; (iv) creating images or logos similar to the platform's copyrighted material in order to imitate it, thus creating confusion between the developer's application and the official application; and/or the like.
Common Abuses Using Official API(s) might include, without limitation, (a) using the official API in order to reverse engineer the core product(s), website(s), dashboard(s), or stream(s); (b) failing to verify that the application is safe and secure and adheres to specific industry standards, such as those published by the Open Web Application Security Project (“OWASP”); (c) developing the application without some form of integrated error handling; (d) developing the application such that its functionality, reliability, or performance does not meet the standards set in the Developer Agreement or Terms of Service; (e) using a deprecated API in an application, contrary to the API provider's explicit statements in its Terms of Service; (f) developing a mobile application that is not properly encoded or that uses a character set encoding not approved by the API owner; (g) a developer attempting to conceal its identity while entering into a developer agreement in order to receive API credentials (“keys”); (h) failing to implement safeguards that limit the amount of data that can be requested from the official API; (i) developing an application so that the official API can be used to spam, incentivize, or harass users; (j) using data from the official API to create advertisements or marketing materials, or for targeted advertising campaigns; (k) using the official API to disrupt, negatively affect, or inhibit the user experience; (l) making any attempt to circumvent any content-filtering techniques; (m) using the official API for any application that constitutes, promotes, or is used in connection with spyware, adware, or any other malicious programs or code; (n) using data harvested or scraped from the API owner's website to supplement the data provided by the API; (o) using multiple member tokens (“OAuth” access tokens) to circumvent restrictions put in place by the platform, such as showing non-registered members' content from the platform (each user must authenticate individually); (p) attempting, through use of the official API, to access services that the developer is not otherwise authorized to access; (q) copying or distributing any object code related to calling the API (which is considered part of the API and is solely for inclusion as part of API Client(s)); and/or the like.
Hence, there is a need for more robust and scalable solutions for implementing API use compliance, by, e.g., implementing application auditing for API use compliance within virtual environments in which target APIs are executed, or the like.