Pragmatic Big Data for the App Economy

Meeting key business objectives (in the context of a platform strategy) such as increasing market share or profitability in the enterprise’s niche can be achieved by increasing the enterprise’s user base, the user engagement and improving the product mix.

Strategic Objectives

Big data analysis of the large volumes of data being generated in the app economy is key to designing and executing strategies that can help enterprises meet their strategic objectives.

Entities in the API Ecosystem such as end users, apps, developers, API and backend systems are continuously generating streams of data within the API value chain and outside the API value chain. For example, App Users are not only using their apps and APIs but sharing opinions on social media, looking for content on the internet and interacting with products andservices in the physical world. These continuously growing streams of data contain hidden signals that hold the key to meeting the enterprise’s strategic objectives.

Enterprises looking to gain a competitive edge in the app economy have the opportunity to harness the power of big data and contextual analytics to solve three key problems that directly offer increased profitability & market share through higher usage of their products and services and higher user satisfaction.

Understanding End Users

End users drive value in the API value chain. It is critical that the enterprise understand the behavior and actions of their end users and why users act and behave the way they do. It is critical that the enterprise is able to segment their end users by product usage, by value they drive to the bottom line and by how engaged these users are with their products and services.

Offering sticky products and services requires that the enterprise understand the value that end users are looking for in the products and services. Enterprises need to understand their desired profile of the end user. The desired profile is an intersection of the end users who find value in the enterprise’s products and services and the end users that are profitable for the enterprise.

Attracting the Best Developers

Developers are key to building great apps across a diverse use case set. A diverse app set attracts a broader set of end users directly translating to more end users, higher usage and higher profitability for the enterprise. Enterprises do not retain control over the end user experience on apps written by third party developers. This makes it critical for the enterprise to attract, detect, nurture and promote developers and apps that offer the best user experience and the best value for the enterprise.

Attracting the best developers requires enterprises to understand their desired developer profile, their current developer profile and emerging trends in the developer world being promoted and embraced by the “early adopter” developers. The ability to adapt and embrace these emerging developer trends can increase the attractiveness of an enterprise’s platform.

Enterprises need to understand how their developers communicate with them and how and where developers hang out or seek support. The ability to keep a tab on all developer communication avenues, quickly gather areas of dissatisfaction and move to address and quelch any unhappiness can be the difference between retaining the best developers who build the best, most profitable and desirable apps.

Monetizing Data

Understanding the value of an enterprise in eyes of end users, developers, partners and other enterprises is critical for building new and innovative products and services, improving existing products and services and building new business models around data monetization. Every time a request is made for an enterprise’s data, the metadata generated around the context of the request event can offer deep strategic insights into where value is concentrated in an enterprise’s data set.

Understanding and monetizing data requires enterprises to extract and process to build comprehensive accounting mechanisms across all data access mechanisms enabled through APIs, Apps and other data transfer mechanisms. Enterprises need to be able to understand the end user intent and request type metadata to determine the highest value data and data enabled use cases.


The App economy fueled by the shifting enterprise edge is and is expected to produce increasingly diverse and disparate streams of data that provide a wealth of opportunity for enterprises to apply big data and contextual analytical principles to solving the key problems in the app economy.

An enterprise’s competitive edge depends on their ability to uncover deep insights through platforms like Apigee Insights that offer the ability to gather, model, analyze the app economy data, generate insights, act on these insights, observe the change and adjust if necessary andmaking strong progress towards the enterprise’s strategic objectives.


Protecting users, apps, and APIs from abuse

Published Originally on Apigee

Abusers or spammers are the bad guys looking to make money by getting unsuspecting end users or consumers of online services to interact with malicious content or spam that leads to one or more of the following scenarios:

  • Eyeballs on spam content that lead to clicks and purchases.
  • Gathering users’ private information through keyloggers (or other spyware) on the user’s machine or device which is then sold to the highest bidder.
  • Phishing for users’ private information such as SSN, credit card #, or passwords and selling those to the highest bidder.
  • Installing malicious software on users’ machines or devices, which in turn steals more of their information or uses their bandwidth or storage for carrying our further attacks.

Any workflow that creates or consumes content, shares or reshares content, sends or receives communications can be vulnerable to attack.

Online attacks almost always contain a “payload” that either delivers the attack or leads the user to another location where the attack is completed. Any time a piece of content is created or consumed or a communication is sent or received, there is an inherent “payload” that is delivered. In the wrong hands, this payload can be malicious.

Blogs can be spammed with comments which contain spam or malware, or which employ phishing techniques that redirect users to other malicious locations on the Internet.

In the same way, users can receive emails that contain spam or malware or other phishing techniques. Users can be redirected to malicious sites in their browser. Users’ machines can be attacked and malware (such as adware, spyware, key loggers and viruses) installed which can scrape users’ private information and send it to the abusers.

Thinking about apps and APIs as assets

Apps like APIs can be considered “assets” that can be used to carry out attacks against end users.

APIs (and especially free APIs) provide services that eventually reach other users. Even if an API has a usage cost associated with it, if the return on investment for an abuser for planning and carrying out an attack is higher than the cost of using the API (at scale), even paid APIs can be abused.

Both developers and enterprises have apps that are highly monetizable if abused. App-based attacks fall into the following general categories:

Malicious apps: These apps are written with the sole goal of abusing unsuspecting users who download and install them. With the increasing use of single sign on services and integration of social networks with apps through social network platforms, a user’s social network can be used to propagate these attacks.

Well-intentioned apps with vulnerabilities: These apps are not written to be malicious but have vulnerabilities either in their code (e.g. the apps’s functionality can be scripted or controlled through hooks provided by the app) or in their business logic (e.g. no throttling of calls from a single user to the back-end system). An abuser can exploit these vulnerabilities to carry out attacks on enterprise APIs or on the end users of the apps.

Well intentioned apps exploited by a malicious user: In this case, an abuser can use some legitimate capability offered by the app as a foundation to carry out attacks that propagate through the end user’s social network and spread through further usage.

Protecting your assets

You don’t want your APIs or apps used for abuse. It is crucial for both developers and enterprises to protect their “assets”. If an end user develops a perception that a certain app or service is “dangerous”, usage declines, growth can be reversed, and revenue and profit suffer.

Remember that abusers are most often out there to make money and if the cost to carry out an attack is less than the value derived from the attack, it will continue to be a sound business investment for the abusers.

Some things that developers can do to protect their apps and end users (and their friends)

  • Monitor usage of your app and its impact on the users. Build and maintain a proxy for user reputation and models of good and bad behavior in the content of the app.
  • Enable end users to report suspicious behavior of the app or of other users of the app.
  • Work with the enterprise or API provider to ensure that your app is not creating suspicious loads on the API.

Some things that enterprises can do to protect their APIs

  • Build traffic monitoring solutions and models to rate traffic as safe or abusive.
  • Ensure that any content or communication created or shared through the API is free of malicious payloads.
  • Invest in mechanisms to report and notify suspicious user and app behavior to the app developers.
  • Build reputation systems for users, content and IP addresses to be able to quickly classify traffic, users and apps as good or bad OR desirable or undesirable.

Next time we’ll look at some of the ways to push back against attackers, including use of quotas, throttling, and so on.

Security & Privacy in the App Economy

Published Originally on Apigee

As enterprises adjust to the new reality of business having moved beyond their core and legacy systems of record – to millions of mobile devices and social networks at the edge of the enterprise, to new distribution channels in the shape of apps which are often built by third party or partner developers – the question of end user privacy becomes increasingly important. As the app economy matures, it’s participants will have to quickly move from self governance to establishing standards or even regulation to address end-user privacy expectations.

Who is responsible for security and privacy when dealing with applications and APIs?

In the era of the browser, privacy questions were handled expressly between the website operator and the end user. The end user consented to using the products and services exposed through the website and had the right to agree to the policies set forth by the web site operator.

In the app economy, the value chain changes forcing a change in how privacy and privacy policy need to be managed and crafted. The question of privacy will quickly rise higher in the minds of end users as the app economy matures.

Who is ultimately responsible for privacy and policy in the app economy?

End users? API providers? App developers?
The answer is all of the above!

End Users

Privacy is really the control that a user has on their definition in an environment that they are familiar with and understand how it functions. The world of apps is a new environment that end users are only becoming familiar with and privacy best practices from the browser world can be found severely lacking in this new environment. Users will demand similar rights as they do in the online/browser world, including:

  • Understand and view the information being collected about them

  • The ability to choose what information can be collected and for what purposes it can be used beyond the immediate product or service

  • The ability to contest the accuracy of information collected about them

  • Understand the security of processes and systems used to store and process their private data


Through the ability of APIs and apps to reach new markets and end users across the globe, the enterprises might find themselves operating in completely new markets and geographic regions and therefore find themselves bound to the privacy regulations in several parts of the world. This means that enterprises will have to increasingly deal with different privacy rules and regulations for the same services and products. New products and technologies are required to operate in this new environment.

App Developers

The app developer who might not have been thinking about their end-user privacy expectations will very soon have to worry about how and what end user information they collect, store, process, and share. Preparing for success requires developers to be cognizant of privacy and security issues and utilize best practices while building their apps.

Developers should collect only the data required to offer the best experience to end users. They should not store user data without users’ permission. User data should be obfuscated or encrypted if possible, and so on.

As apps become popular, as usage increases and becomes more personalized, these requirements and considerations can be ominous and a distraction for developers. They too will need a new set of tools and technologies to help them deal with privacy expectations, consent, and data management solutions.


A whole host of factors including the advent of big data technologies, publicly available information sources optimized for consumption, sophisticated behavioral analysis for personalization, and the advent of recommendation and predictive products and services, end users will become more concerned about their privacy. They will demand a single point of contact and tools to understand their privacy considerations and control their information and its usage.

Is the app economy ready for this challenge?

Here are some steps that can be taken to get ahead of the problem.


  • Understand and provide to your end users privacy policies and data handling procedures for all services that your app uses

  • Choose APIs (and services) for your app that are highly reputed and offer best-in-class privacy handling and mitigation procedures

  • Enable end users to connect with services directly regarding their policy questions

  • Utilize cloud-based data storage providers that are privacy and security certified


  • Consider the entire value chain from a security perspective – from API to developer to app to end user

  • Build capability to distinguish between good and malicious apps that use your APIs

  • Detect malicious apps and take steps to block such apps and notify end users of these apps and help them deal with any privacy outages

  • Enable end users of apps that use your APIs to understand your data collecting and privacy policies