APIs and the telcos: A holy union?
If you take an annual event like Mobile World Congress as a bellwether for all that’s going on in the world of telecoms, the usual subjects abound: 5G, 5G Advanced, the internet of things, 6G as well as the question of who’s going to pay for all of it – all featured heavily this year.
But what was also interesting about 2023’s Barcelona-based conference was that we started to see 5G enablers taking centre stage.
It’s all very well offering 5G to enterprises for connectivity, but without vertical-specific programming and features to take advantage of 5G’s wider capabilities, it’s not going to provide the return on investment that mobile network operators require.
And this is where APIs come in. Application programming interfaces are designed to provide software developers with easy access to operator networks so that they can design a host of features and services.
From telco to techno
As the mobile network operators’ trade body the GSMA acknowledged in its 2023 Global Mobile Trends report: “Monetising 5G cannot be based on connectivity alone. There is lots of revenue potential in providing developers with access to network capabilities via Open APIs which could unleash 5G capabilities but also deliver important new revenue streams for 5G network builders.”
To this end, the GSMA announced its Open Gateway initiative at MWC this year, aiming to utilise these software middlemen to extend developer reach.
Launching with support from 21 carriers, the initiative claims to allow developers to access and use a variety of mobile network services like location or identity verification and carrier billing, in a simpler, more cost-effective way.
Earlier telecom-based API initiatives over the last year or so have included the formation of CAMARA – the Telco Global API alliance formed between the Linux Foundation and the GSMA, with the aim of defining APIs that can expose network capabilities to third parties.
Moves by individual networks, meanwhile, include Ericsson’s $6.2bn takeover of Vonage in the hope that developers can work their magic on the 5G enterprise market using the comms specialist’s APIs.
Historically, telecom service providers have lagged in terms of digital user experience (UX) and its adoption.
According to Amanda Brock, CEO of open-source advocacy group Open UK, concerns about the risk of open source and the ability of users to change code which potentially interfaces with networks have slowed things down in a heavily regulated sector but, she notes, this is changing.
“We’ve seen similarities [in terms of push back] from both the banking and automotive sectors although they are now ahead of Telco – but we’re finally at the tipping point with even organisations like Nokia, which have been noted for their legal teams putting blockers in the way of open source, seeing their technology teams drive announcements about open-source software forward.”
Perhaps another tipping point has been the success that early-to-market providers such as Twilio (which reported $3.83bn in revenue at the end of 2022) have experienced in the world of text messages generated for two-factor authentication.
And, as the whole world becomes software-based, any current initiative involving data sharing or leveraging third-party functionality is based on developers creating and leveraging APIs.
According to Akamai, over 90% of web traffic today is API traffic, so any material developments in the telecom space will require developer interest and support.
In short, the telcos have little option but to evolve into ‘technos’, according to Padma Ravichander, CEO at telecom specialists Tecnotree.
She adds: “To endorse this service creation, telcos must focus on building a complete ecosystem that increases the prospects of spurring innovation by offering multiple entrepreneurship opportunities to app creators.”
So, what potential does the developer community see in creating services around the standardised network APIs released by the telecoms industry?
If the past is anything to go by, the signs are positive, according to Amr Houssein, managing director of Mobilise, a customer-facing business support platform for the telecoms industry.
“Look at Apple and Google’s app marketplaces. Once they opened their technologies to developers to develop their own applications with Apple and Google’s support, they have both established arguably a couple of the biggest marketplaces in the world — App Store and Google Play,” he says.
An even earlier example is SMS and the explosion of text messaging in the mid-90s – which originally started off as a signalling tool for networking.
Chuck Herrin, CTO of API security platform Wib, explains how these successes might replicate themselves in the world of telcos and APIs.
“They can use APIs to build all sorts of innovative applications and services, and building to a standard is hugely helpful in simplifying the development process and spurring interoperability, making it easier to create solutions that work seamlessly across different networks and platforms.
“If you can build a killer app on a standard platform and have it work across a large ecosystem, the returns can be massive,” Herrin adds.
While there were API demos on display at MWC this year, it’s fair to say that none of them seemed like they’d set the business world alight, even if they did improve the user experience in terms of connectivity.
On stands belonging to Europe’s biggest operators, including Orange, Deutsche Telekom, Telefonica and Vodafone, there were demos involving a holographic presence phone call which was developed in conjunction with deep tech company Matsuko.
It showed how the quality and 3D rendering of a holographic display conferencing call could be improved by using an API to route the traffic from the closest Edge server to the called user.
Elsewhere, three operator networks – Rogers, Verizon and Vodafone – demonstrated in The 5G Future Forum how musicians from around the world could ‘jam’ over 5G, using mobile edge computing and the Open Gateway’s Edge Site Selection API.
According to Brock, further innovation across a wider range of verticals is more likely to happen with closer collaboration with the developer community.
“The GSMA and 21 member participants will really need to engage more with organisations like OpenUK to understand how to build success in a collaborative and open space. We are still not seeing enough engagement in existing open-source software communities from the Telco sector,” she claims.
“That will come with time as it has in, for example, banking, and will be needed to both learn from and bring credibility to new open initiatives,” she adds.
Houssein points out that increased collaboration between the developer community and the banking sector has led to neobanks using API-led infrastructure to expand services far beyond those of traditional banks.
Many are now making strides towards becoming ‘super’ apps offering services such as travel and cryptocurrency, as well as connectivity services.
“Connectivity services can be added via a specialist software development kit that gives neobanks access to APIs that support on-device mobile service management, authentication and provisioning, and connectivity through eSIM technology,” he claims.
In the telco world, the eight APIs released through the GSMA’s Open Gateway initiative are limited to offering a digital telco user experience, but most agree that it’s a great start in the development of applications and services that enhance UX, automate workflows and minimise customer support overhead in MNOs.
Houssein believes that it will also “open up the door” to innovative solutions that combine telecoms services with other digital services, like finance and travel “by enabling vertical sectors to launch their own, embedded connectivity services through software development kits”.
“I think we’ll see an uptick in interest for applications in areas such as fraud detection, customer authentication, personalised content delivery, and simplified/seamless billing,” he predicts.
Authentication, verification and security remain the key concerns for any telco network-open-source union, not least because they have a direct impact on how the billing for these new services is going to work.
Adam Brown, managing consultant at Synopsys Software Security, predicts that authentication and authorisation related to these services “will be a big topic and require significant security architecture work to support secure use”.
To some extent, the GSMA’s eight Open APIs – which include carrier billing, device identifier, and number verification – address some of these concerns.
“Carrier billing covers multiple use cases, such as making a payment request in two steps, retrieving a payment, and making a payment request in one step,” explains Ravichander.
Houssein points out that there are already third-party services and non-telco software solutions that offer API-led user identity verification, “which is crucial for enabling telecom services digitally to end users”.
However, according to Herrin, there is more to come on charging and billing integration. “Operators recognise the importance of establishing clear and transparent billing models, as well as robust identity and verification systems to protect user data and ensure seamless experiences.
“Collaboration between operators and developers is crucial in this regard, as it helps define industry standards and best practices,” he adds.
APIs and cyber security
Probably the biggest sticking point in opening access to network APIs and capabilities is the security concerns that have held the telcos back from embracing APIs in the first place.
In January of this year, US operator T-Mobile suffered a security breach via an unprotected API which compromised the data of 37 million customers.
The hacker exploited the unprotected API to breach T-Mobile’s network and obtain a range of customer data, including addresses, phone numbers and dates of birth.
“The T-Mobile breach is a timely reminder for mobile operators to have in place robust, wide-ranging cyber-security measures that monitor and safeguard every aspect of their networks, and which protect their customers as well,” says Dmitry Kurbatov, co-founder and CTO of telecom security solutions provider SecurityGen.
He adds: “When it comes to protecting APIs, there are basic steps for operators to follow. They include ensuring that all API calls are properly authenticated and authorised; validating all input data received by the API to ensure that it is in the correct format and does not contain any malicious code and limiting the amount of data exposed through a single API.”
“You’re also increasing the potential for automation, which is generally a good thing operationally, however, you’re also making it easier for attackers to automate the bad,” he adds.
According to Lebin Cheng, director of API Security at Imperva, APIs can also serve as a blueprint to a network “providing insight into internal objects and even internal database structure. Because APIs are extremely clear and self-documenting, they can deliver valuable intelligence for bad actors to exploit.”
To close the door on security risks and protect customers, Cheng advises that the telecoms industry needs to treat APIs with the same level of protection they provide for their business-critical web applications.
Hornegold adds: “Make sure you enforce authentication for every request, consider cryptographic signing of requests/responses if you’re feeling adventurous.”
He adds: “If you’re exposing APIs which were previously just for internal use but are now available to the internet, you need to revisit the security controls in place on those APIs. Internal-use APIs often don’t have the same level of rigour applied to them.”
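The basic steps quoted above (authenticate and authorise every call, validate input, limit the data a single API exposes), together with the request signing mentioned, can be sketched as a single request handler. This is an added example, not code from the article, the GSMA or any operator; the client registry, scope names, endpoint path and subscriber record are constructed for illustration, and HMAC-SHA256 is one assumed choice of signing scheme.

```python
import hashlib
import hmac
import re
import time

# Constructed sample data: API clients, their signing keys and granted scopes.
CLIENTS = {"demo-app": {"key": b"constructed-demo-key", "scopes": {"number:verify"}}}
# Constructed subscriber record; only allow-listed fields may leave the API.
SUBSCRIBERS = {"+447700900123": {"active": True, "address": "1 Example St",
                                 "dob": "1990-01-01"}}
RESPONSE_FIELDS = {"number:verify": ("active",)}
E164 = re.compile(r"\+[1-9][0-9]{6,14}")  # strict phone-number format
MAX_SKEW = 300  # seconds a signed request stays valid


def sign(key, method, path, body, ts):
    """HMAC-SHA256 over the request parts, as the client would compute it."""
    msg = "\n".join([method, path, str(ts), hashlib.sha256(body).hexdigest()])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def handle(client_id, scope, msisdn, ts, signature, now=None):
    """Return (status, body) for a number-verification lookup."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    # 1. Authenticate every request: known client, fresh timestamp, valid MAC.
    if client is None or abs(now - ts) > MAX_SKEW:
        return 401, {}
    expected = sign(client["key"], "POST", "/verify", msisdn.encode(), ts)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401, {}
    # 2. Authorise: the client must hold the scope it is asking to use.
    if scope not in client["scopes"]:
        return 403, {}
    # 3. Validate the input format before it reaches any lookup.
    if not E164.fullmatch(msisdn):
        return 400, {}
    # 4. Limit exposure: copy only allow-listed fields into the response.
    record = SUBSCRIBERS.get(msisdn)
    if record is None:
        return 404, {}
    return 200, {field: record[field] for field in RESPONSE_FIELDS[scope]}
```

Because the response is built from an allow-list rather than by returning the stored record, the address and date of birth held for the subscriber never leave the handler, even for an authenticated caller.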
As well as following best authentication and verification practices, in many cases the true attack surfaces of APIs can’t be fully evaluated until they become ‘testable’, according to Herrin. “They need to be beaten up by a skilled API attacker in a controlled environment,” he adds.
Rather than seeing APIs as a gateway for bad actors, Brock hopes that telecoms will embrace the security question as “an inevitable step towards digitisation”.
She adds: “Open source and proprietary code both have security risks, but each have had a different flavour, and each are managed differently.
“The openness of the source may make open source seem more vulnerable but the collective response to vulnerabilities and the knowledge that we ‘wash our dirty linen in public’ so everyone can see the issues and responses should bring a level of reassurance.”