Reducing Threats From Flawed Security APIs: The Banking PIN Case

Despite best efforts from security API designers, flaws are often found in widely deployed security APIs. Even APIs with a formal proof of security may not guarantee absolute security when used in a real-world device or application. In parallel to spending research efforts to improve security of these APIs, it argue that it may be worthwhile to explore design criteria that would reduce the impact of an API exploit, assuming flaws cannot completely be removed from security APIs.