
On Design of Secure APIs for IoT Applications – Using Taiwan Uniform e-Invoices as Examples

Defining standard application programming interfaces (APIs) plays an important role in Internet of Things (IoT) applications to achieve interpretability. Among the different issues in designing APIs for IoT applications, this study focuses on the security of an API through which people access data about machines, sensors, and other objects collected in servers. To address the issue, this study shares the experience of designing APIs for Taiwan uniform e-invoices. To prevent tax evasion, the Taiwan government holds a uniform invoice lottery every two months. Because invoice owners may win NT $10,000,000, the security of the APIs used to access e-invoices is critical. This study illustrates the security considerations in designing the major APIs of Taiwan uniform e-invoices. In addition to common security issues, such as communication security, authentication, and non-repudiation, the APIs consider special security issues in different scenarios:

- The API for point of sale (POS) applications and ERP systems addresses the security considerations of transferring bulk data among machines.
- The e-invoice donation API proposes a scheme to ensure that each authorized person can invoke the API only through a specific device.
- The API for mobile applications considers the issue that misused mobile applications may secretly transfer sensitive personal data and credentials to others.
- The API for invoice exchanging allows people to obtain e-invoices with their smartphones immediately after transactions and to verify the integrity of the invoices.

By giving examples of designing secure APIs for IoT applications from different perspectives, the paper can hopefully contribute to the security of IoT applications.
