What is an API?

API stands for “application programming interface.” In the broadest sense, an API is a way for software systems or pieces of code to communicate with each other: typically, one system or piece of code “asks” another to perform tasks, transfer data, or both. A system’s API defines what other systems or code can ask it to do, along with the technical details of the communication (such as data formats).

What types of APIs are there?

There are many ways to categorize APIs. One way is by what type of software systems are interacting:

  • Operating systems—like macOS, iOS, or Windows—offer APIs for apps to use. The OS controls how and when other software can interact with hardware, which includes disks, network connections like Wi-Fi and Ethernet, cameras, USB devices, and more. Apps on the device must use these APIs to ask the OS to interact with the hardware on their behalf.
  • Web browsers offer APIs for websites to use. The browser mediates all interactions between the website and your device, by way of these APIs. For example, if a website wants to know your device’s physical location, it must use the browser’s API; the website can’t directly access your device’s GPS chip. In this scenario, the website uses the browser’s API to ask for your permission to get your physical location.
  • Websites and apps may also offer APIs (sometimes called a “webservice”) so that third-party apps and services can interact with them. For example, some social media services have an API to make posts on the site. Third-party developers can use that API for various purposes, such as making posts at scheduled times, or in response to certain events.

Another way to categorize APIs is by the specific mechanics of how the communication is done. A “REST API” is an example of this categorization.

Why are APIs important?

APIs define the ways in which separate software systems can interact with each other. Operating system APIs determine what apps can do, and browser APIs determine what websites can do. In this way, APIs are integral for creating seamless experiences between hardware, apps, websites, and other software.

More importantly, the creators of APIs can use those APIs to give preferential treatment around access or capability. For example, Apple’s iOS has some APIs that only Apple-made apps are allowed to use, thus shutting out competition from some other app developers. In this way, one company’s API can dictate another company’s success.

Security and privacy concerns

Because an API is the boundary between a software system and the outside world, APIs are crucial to security and privacy. Security bugs in APIs can give attackers capabilities they aren’t supposed to have. A Web service that offers an API must be extremely careful in designing the API and managing access to it, or it risks compromising its users’ privacy.

A notable example of a privacy failure enabled by a Web service’s API is Venmo’s exposure of some users’ transaction data via their API. Anyone on the Internet, even without a Venmo account, could use the API to see the transaction data of any Venmo user who hadn’t set the visibility of their data to “private.” Those users likely didn’t intend for their transactions to be so widely visible. It’s important to note that no one “hacked” Venmo or any Venmo user to get this data. They made use of capabilities that Venmo willingly offered to external developers. Venmo had designed and released an API that didn’t adequately protect their users’ privacy.
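The design flaw described above, shown next to a more restrictive design, as an added example that is not Venmo's code or schema. The service, the field names, the "friends" visibility level, and the sample records are all hypothetical and constructed for illustration.

```python
# Constructed sample data for a hypothetical payments service (not a real schema).
# visibility None means the user never chose a setting.
TRANSACTIONS = [
    {"id": 1, "sender": "alice", "recipient": "bob", "visibility": None},
    {"id": 2, "sender": "alice", "recipient": "carol", "visibility": "public"},
    {"id": 3, "sender": "dave", "recipient": "alice", "visibility": "private"},
    {"id": 4, "sender": "alice", "recipient": "erin", "visibility": "friends"},
]
FRIENDS = {"alice": {"bob"}}  # hypothetical friend list, keyed by user


class Unauthorized(Exception):
    """Raised when a caller presents no identity."""


def _involves(tx, user):
    return user in (tx["sender"], tx["recipient"])


def feed_permissive(caller, user):
    """Design described above: the caller is never checked, and every
    record not explicitly marked private is returned."""
    return [t["id"] for t in TRANSACTIONS
            if _involves(t, user) and t["visibility"] != "private"]


def feed_restrictive(caller, user):
    """More restrictive design: authenticate first, and treat an unset
    visibility as private instead of public."""
    if caller is None:
        raise Unauthorized("authentication required")
    visible = []
    for t in TRANSACTIONS:
        if not _involves(t, user):
            continue
        level = t["visibility"] or "private"  # default-deny when unset
        if _involves(t, caller):              # participants see their own records
            visible.append(t["id"])
        elif level == "public":
            visible.append(t["id"])
        elif level == "friends" and caller in FRIENDS.get(user, set()):
            visible.append(t["id"])
    return visible
```

With the permissive design, a caller with no account receives records 1, 2, and 4 for "alice"; with the restrictive design, the same request is rejected and an unrelated authenticated caller sees only the record alice explicitly made public.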

Another potential privacy risk is in Web browser APIs. The capabilities browsers offer to websites via APIs depend on the specific device, OS, and browser. These differences can be used in fingerprinting, a technique that allows websites to track users.
