These APIs are just as susceptible to attack as traditional web applications. Anyone can easily intercept and modify the traffic being sent between the mobile banking application on their phone and their bank's mobile APIs. There are plenty of scanning tools for finding vulnerabilities in web applications, but even though they talk HTTP, these services work differently. Static tools are designed to look for standard source methods such as request.getParameter() and trace the program through. Instead, security instrumentation means that we don't have to attack the application to find vulnerabilities.

