Wesabe API: Security Considerations
Because Wesabe is a personal finance application, the data contained within it can be extremely personal and sensitive. API clients must take care to keep that information private.
We have listed a few general issues below that developers should keep in mind; we are also happy to answer specific questions or provide informal advice. Please feel free to contact us at support@wesabe.com. Please also note that Wesabe reserves the right to block any API client that we feel does not provide sufficient protection for our users and their data.
- Password Storage
  Passwords are, in general, very hard to store securely. API clients should try not to store passwords anywhere on disk unless absolutely necessary, and should instead prompt the user where required. This is both more secure and simpler to implement than most other options.
  If permanent storage of passwords is truly critical, those passwords must be stored in encrypted form. The best way to do this is through the password management libraries that come with your operating system, such as:
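The following is an added example, not code from Wesabe or its API documentation, of the approach described above: prompt for the password at runtime, and if the user asks the client to remember it, hand it only to the operating system's password store rather than writing it to disk. It assumes the third-party `keyring` package (which wraps the macOS Keychain, the Windows credential store and the freedesktop Secret Service) is optionally installed; the service name `wesabe-api-client` is a constructed label for the keychain entry.

```python
import getpass

try:
    import keyring  # third-party package (assumed optional); talks to the OS password store
except ImportError:
    keyring = None  # no keychain library: the client must fall back to prompting

SERVICE = "wesabe-api-client"  # constructed name for the keychain entry


def get_api_password(username, prompt=getpass.getpass, use_keyring=True):
    """Return the password for `username`.

    Order of preference: the OS keychain (if available), then an interactive
    prompt. Nothing is ever read from, or written to, a plaintext file.
    `prompt` is injectable so the function can be exercised without a TTY.
    """
    if use_keyring and keyring is not None:
        try:
            stored = keyring.get_password(SERVICE, username)
        except Exception:  # e.g. no backend configured on this machine
            stored = None
        if stored:
            return stored
    return prompt("Wesabe password for %s: " % username)


def remember_password(username, password, use_keyring=True):
    """Persist the password through the OS keychain only.

    Returns True if it was stored, False if no keychain is available, in which
    case the caller should simply keep prompting rather than store it itself.
    """
    if not use_keyring or keyring is None:
        return False
    try:
        keyring.set_password(SERVICE, username, password)
        return True
    except Exception:
        return False


if __name__ == "__main__":
    user = "alice"  # constructed sample user
    pw = get_api_password(user)
    if remember_password(user, pw):
        print("stored in the OS keychain")
    else:
        print("no keychain available; will prompt again next time")
```

The `prompt` and `use_keyring` parameters exist so that the no-keychain path can be tested without a terminal or a real credential store; in the client itself they are left at their defaults.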
- Certificate Validation
  The Wesabe API uses HTTPS to protect information as it is transmitted over the network. Implemented properly, this guarantees that information is encrypted (protection against eavesdropping) and provides endpoint authentication (protection against spoofing). Some HTTPS libraries, however, do not verify the authenticity of SSL certificates, effectively undermining these protections. Python, in particular, does not verify certificates by default. Python developers should consider using a third-party library such as M2Crypto to provide SSL services.
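As an added illustration (not code from Wesabe or from M2Crypto), the block below shows the weak setting described above next to the corrected one using the standard-library `ssl` module, which in current Python versions can verify certificates itself. `build_unverified_context` encrypts the connection but accepts any certificate, so it has no endpoint authentication; `build_verified_context` requires a valid chain and a matching hostname. `audit_context` is a small check a client can run on whatever context it is about to use. The API host name is an assumption for the usage example.

```python
import ssl
import urllib.request

API_HOST = "www.wesabe.com"  # assumed host for the usage example only


def build_unverified_context():
    """The weak setting: TLS is negotiated, but any certificate is accepted.

    An attacker who can intercept the connection can present their own
    certificate and read or alter the traffic (no protection against spoofing).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_verified_context(cafile=None):
    """The corrected setting: verify the chain against trusted CAs and the hostname.

    `cafile` may point to a PEM bundle; None uses the platform's trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets these; stated explicitly so the intent is visible
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context authenticates the endpoint."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    return findings


def make_opener(ctx):
    """Bind a urllib opener to the given context so every HTTPS request uses it."""
    if audit_context(ctx):
        raise ValueError("refusing to build an opener from a non-verifying context: %s"
                         % "; ".join(audit_context(ctx)))
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    weak = build_unverified_context()
    print("unverified context findings:", audit_context(weak))
    good = build_verified_context()
    print("verified context findings:", audit_context(good))
    opener = make_opener(good)  # this opener will fail closed on an untrusted certificate
    print("opener ready for https://%s/" % API_HOST)
```

`make_opener` refuses a non-verifying context outright, so a client that wires it into its request path cannot silently downgrade to an unauthenticated connection; a certificate the trust store does not accept raises `ssl.SSLCertVerificationError` at connect time instead of being ignored.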
- Data Handling
  More generally, developers should be careful to handle the data extracted through the API in a manner commensurate with the sensitivity of that data. Obviously, this is highly subjective and will vary from application to application. However, we urge developers to consider the risks involved in processing personal financial data, and to err on the side of caution wherever possible.