APIs and Third-Party Services in Apps: CRA Due Diligence
Modern app development is often an ecosystem of APIs and third-party services. Whether you are pulling weather data, processing payments, or using an authentication service, the EU Cyber Resilience Act (CRA) requires you to be diligent.
Your Responsibility as an App Developer
As the "manufacturer" of your app, you are responsible for its overall cybersecurity, even if parts of its functionality rely on external services. The CRA mandates that manufacturers "exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements" (Article 13, Paragraph 5). This applies to APIs and services you integrate.
What Due Diligence Involves
- Choosing Services Wisely: Opt for reputable service providers with clear security practices. Review their security documentation and certifications if available.
- Secure Integration: Ensure that your app's interaction with the API or service is secure. This means:
  - Using HTTPS for all communications, with certificate verification left enabled (never switched off to "make it work" against a misconfigured endpoint).
  - Securely managing API keys and secrets. A key shipped inside a mobile or browser app can be extracted from the binary or page, so treat anything embedded client-side as public: keep long-lived secrets on a backend you control and have the client call that backend, or issue short-lived, per-user tokens instead.
  - Treating data received from APIs as untrusted input: validate type, range and size, and escape or encode it before it is rendered or stored, so that a compromised or changed upstream cannot introduce injection or other vulnerabilities into your app.
- Understanding Data Flow: Know what data your app sends to third-party services and what data it receives. Minimize data exchange to what's strictly necessary (Annex I, Part I, Point 2g).
- Contingency Planning: Decide in advance what your app does if a third-party service it relies on suffers a breach or outage: fail closed for security-relevant calls such as authentication, degrade gracefully for non-critical ones, and know how to rotate the keys you hold for that service. The CRA's requirements apply to your product rather than to the service, but this kind of resilience is good practice.
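As an added example (not code from the original page), the following Python wrapper puts the "secure integration" and "data flow" points above into practice for a hypothetical weather service at api.example.test with a key supplied through a hypothetical WEATHER_API_KEY environment variable. It goes slightly beyond the list: it also pins the allowed host, bounds the response size, and copies only the fields the app needs into its own type.

```python
"""Hardened client wrapper for a third-party JSON API.

Added example, not code from the original page. Assumptions (hypothetical):
a weather service at https://api.example.test/v1/weather and an API key
supplied through the WEATHER_API_KEY environment variable.
"""
import json
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlparse

# Assumption: the one host this app is allowed to contact for this feature.
ALLOWED_HOSTS = {"api.example.test"}
MAX_BODY_BYTES = 64 * 1024                  # bound what we are willing to parse
CONDITIONS = {"clear", "cloudy", "rain", "snow"}
CITY_RE = re.compile(r"[\w .'-]{1,64}")     # letters/digits only: no markup, no control chars


@dataclass(frozen=True)
class Request:
    url: str
    headers: Mapping[str, str]
    timeout: float


@dataclass(frozen=True)
class Weather:
    """Only the fields the app actually needs (data minimisation)."""
    city: str
    temp_c: float
    conditions: str


def build_request(url: str, env: Optional[Mapping[str, str]] = None,
                  timeout: float = 5.0) -> Request:
    """Refuse plaintext HTTP and unexpected hosts; load the key from the environment."""
    env = os.environ if env is None else env
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected host: {parsed.hostname!r}")
    key = env.get("WEATHER_API_KEY")
    if not key:
        raise RuntimeError("WEATHER_API_KEY is not set (never hardcode it in the app)")
    # A timeout keeps a stalled provider from hanging the app indefinitely.
    return Request(url=url, headers={"Authorization": f"Bearer {key}"}, timeout=timeout)


def parse_weather(body: bytes) -> Weather:
    """Validate an upstream response strictly and copy out only what we use."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("response body too large")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("response is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    # Fields we do not know about are never stored or rendered; we only read the three we need.
    city = data.get("city")
    if not isinstance(city, str) or not CITY_RE.fullmatch(city):
        raise ValueError("invalid city")
    temp = data.get("temp_c")
    # bool is a subclass of int in Python, so exclude it explicitly; the range
    # check also rejects NaN and infinity, which json.loads accepts by default.
    if isinstance(temp, bool) or not isinstance(temp, (int, float)) or not -90 <= temp <= 60:
        raise ValueError("invalid temp_c")
    conditions = data.get("conditions")
    if not isinstance(conditions, str) or conditions not in CONDITIONS:
        raise ValueError("invalid conditions")
    return Weather(city=city, temp_c=float(temp), conditions=conditions)


# Constructed sample responses (not captured from any real service).
GOOD_BODY = b'{"city": "Lisbon", "temp_c": 21.5, "conditions": "clear"}'
EXTRA_FIELD_BODY = b'{"city": "Lisbon", "temp_c": 21.5, "conditions": "clear", "note": "x"}'
MARKUP_BODY = b'{"city": "<img src=x onerror=alert(1)>", "temp_c": 21.5, "conditions": "clear"}'
NAN_BODY = b'{"city": "Lisbon", "temp_c": NaN, "conditions": "clear"}'


if __name__ == "__main__":
    req = build_request("https://api.example.test/v1/weather?q=Lisbon",
                        env={"WEATHER_API_KEY": "demo-key"})
    print(req.url, req.timeout)
    print(parse_weather(GOOD_BODY))
    for body in (EXTRA_FIELD_BODY, MARKUP_BODY, NAN_BODY):
        try:
            print("accepted:", parse_weather(body))
        except ValueError as exc:
            print("rejected:", exc)
```

The wrapper refuses to build a plaintext or off-host request rather than silently downgrading, so a misconfiguration shows up as a failure in testing instead of an exploitable path in production. It does not itself perform TLS: whichever HTTP library actually sends the `Request` must keep certificate verification at its default (enabled). Unknown fields such as `note` are ignored rather than rejected, so a provider adding a field does not break the app, but nothing beyond the three validated fields ever reaches storage or the UI.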
Vulnerabilities Originating from Services
If a vulnerability in a third-party service impacts the security of data as handled by your app, or if your app's insecure integration with a service creates a vulnerability, you are responsible for mitigating the risk within your app and its interactions. This falls under your general obligation to ensure your app meets essential security requirements (Annex I).
Key Takeaway
When your app uses external APIs or third-party services, the CRA requires you to perform due diligence. This means choosing reputable services, integrating them securely, understanding the data involved, and being prepared to address vulnerabilities related to these integrations. You remain responsible for your app's overall security.