Introduction to API analytics
Like many companies, we strive to be data driven here at Moesif. If we were launching a web or mobile app, we would add web/mobile analytics solutions like Google Analytics, Mixpanel, or Amplitude to understand how users use the app. For APIs like the Moesif API though, we also need analytics on how third-party developers use our API. What we need is API analytics.
If we were launching a new feature on our API and had to push an update to all our SDKs, which one would we update first? API analytics can tell us which Moesif SDK is the most popular among our developers, so we can update that one first.
Since Moesif is an API analytics platform, we eat our own dog food and use Moesif on Moesif. We thought we’d also share some of those insights with you. While not all the metrics may be applicable to you, some definitely will be if you’re running a developer program or launching your own API.
The metrics below are for the Moesif API (api.moesif.net), which is now processing over a terabyte of new data a day, and cover the last 30 days as of August 12, 2017.
Moesif customers by SDK/language
The chart below shows the SDK or language used by Moesif customers.
Customers by SDK/language
There are still a lot of PHP developers familiar with the LAMP stack out there in the world, and now they’re building REST APIs on PHP. The WordPress REST API is built on PHP. Even with the design and security flaws of PHP, it has stood the test of time. If Moesif were more focused on HTML sites rather than REST APIs, I expect this number would be even higher.
Java Servlet is an enterprise technology that you see more in large companies building CRUD apps and services rather than small businesses. Many popular Java frameworks like Spring and Jersey are built on Java Servlet. I’m not surprised to see the large use of Java in larger companies moving towards APIs.
DotNET was a surprise to us, but like Java, there are a lot of enterprises using .NET. The design of C# and the CLR (Common Language Runtime) is very similar to Java and the JVM. While in Silicon Valley, C# gets a bad rep, the language is quite eloquent compared to Java with stuff like async/await and Parallel LINQ.
Moesif does have a browser SDK to monitor from the client side rather than the server. However, the majority of our customers choose the server-side integration. There are some unique cases for using the browser SDK, such as for Backend as a Service (BaaS).
Very few people are building REST APIs on Ruby today. The RoR craze that happened during the early 2000s seems to be over. Unlike PHP, Ruby didn’t stand the test of time as newer non-blocking frameworks like NodeJS were adopted.
While considered “hip”, Golang hasn’t seen a high adoption rate for building REST APIs. Today, Golang is more of a systems language used to build technologies like Docker and Tyk.
Moesif API traffic by location
Not surprised to see a lot of traffic in west and central Europe in addition to Western US and Eastern US. Interesting to see a lot of traffic from Sao Paulo, Brazil. We should think about ensuring we provide a good developer experience to developers in South America using Moesif. We also have quite a few people in South Africa using Moesif.
Like many public APIs, we see some rogue hackers probing with typical administrator URLs trying to penetrate our API. Luckily for us, we don’t have any PHP code or SQL servers running on our ingestion clusters and we locked down access, so the Moesif API just responds with a simple 4xx error.
In the chart below, we see 7.6% of these attempted hacks come from Taipei. Quite a few hacks are also coming from Moscow.
Percentage of hacks by city
The below list is the actual attempted URLs sorted from most popular at the top to least popular at the end. You may want to use this list to check your own API to ensure you didn’t inadvertently leave something exposed to the internet.
List of attempted URLs
/MyAdmin/ /PMA/ /admin/ /admin/db/ /admin/pMA/ /admin/phpMyAdmin/ /admin/phpmyadmin/ /admin/sqladmin/ /admin/sysadmin/ /admin/web/ /administrator/PMA/ /administrator/admin/ /administrator/db/ /administrator/phpMyAdmin/ /administrator/phpmyadmin/ /administrator/pma/ /administrator/web/ /database/ /db/ /db/db-admin/ /db/dbadmin/ /db/dbweb/ /db/myadmin/ /db/phpMyAdmin-3/ /db/phpMyAdmin/ /db/phpMyAdmin3/ /db/phpmyadmin/ /db/phpmyadmin3/ /db/webadmin/ /db/webdb/ /db/websql/ /dbadmin/ /myadmin/ /mysql-admin/ /mysql/ /mysql/admin/ /mysql/db/ /mysql/dbadmin/ /mysql/mysqlmanager/ /mysql/pMA/ /mysql/pma/ /mysql/sqlmanager/ /mysql/web/ /mysqladmin/ /mysqlmanager/ /php-my-admin/ /php-myadmin/ /phpMyAdmin-3/ /phpMyAdmin/ /phpMyAdmin2/ /phpMyAdmin3/ /phpMyAdmin4/ /phpMyadmin/ /phpmanager/ /phpmy-admin/ /phpmy/ /phpmyAdmin/ /phpmyadmin/ /phpmyadmin2/ /phpmyadmin3/ /phpmyadmin4/ /phppma/ /pma/ /sql/myadmin/ /sql/php-myadmin/ /sql/phpMyAdmin/ /sql/phpMyAdmin2/ /sql/phpmanager/ /sql/phpmy-admin/ /sql/phpmyadmin2/ /sql/sql-admin/ /sql/sql/ /sql/sqladmin/ /sql/sqlweb/ /sql/webadmin/ /sql/webdb/ /sql/websql/ /sqlmanager/
We see a lot of hacks are targeting PHP and SQL applications. If your API is built on PHP, be very careful. Even if not PHP, you should always ensure your API is secure and locked down. We also see that a lot of cities have the same percentage. It is possible for the same hacker to make requests from many locations to widen their attack area.
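One way to act on this list, as an added example (not Moesif's code): scan an access log for requests to these admin-style paths and flag any that did not receive a 4xx response. The Common Log Format input, the prefix subset, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Prefixes covering the probe paths listed above (lower-cased; the list
# contains case variants such as /phpMyAdmin/ and /phpmyadmin/).
# Assumption: none of these are legitimate routes on your API; remove any that are.
PROBE_PREFIXES = (
    "/myadmin/", "/pma/", "/phpmy", "/php-my", "/phppma/", "/phpmanager/",
    "/admin/", "/administrator/", "/db/", "/dbadmin/", "/database/",
    "/mysql", "/sql/", "/sqlmanager/",
)

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Aug/2017:10:00:01 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 12
198.51.100.7 - - [12/Aug/2017:10:00:02 +0000] "GET /admin/db/ HTTP/1.1" 404 12
203.0.113.9 - - [12/Aug/2017:10:00:05 +0000] "GET /mysql/admin/ HTTP/1.1" 200 5120
192.0.2.44 - - [12/Aug/2017:10:00:06 +0000] "POST /v1/events HTTP/1.1" 201 2
203.0.113.9 - - [12/Aug/2017:10:00:07 +0000] "GET /PMA/?lang=en HTTP/1.1" 403 12
"""

def is_probe(path):
    """True if the request path falls under one of the probed admin prefixes."""
    p = path.split("?", 1)[0].lower()   # ignore query string and case
    if not p.endswith("/"):
        p += "/"                        # treat /pma and /pma/ alike
    return p.startswith(PROBE_PREFIXES)

def analyze(log_text):
    """Return (probe count per client IP, probe requests answered with non-4xx)."""
    probes_by_ip = Counter()
    exposed = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_probe(m["path"]):
            continue
        probes_by_ip[m["ip"]] += 1
        # A 2xx/3xx/5xx here means something answered the probe: review it.
        if not m["status"].startswith("4"):
            exposed.append((m["ip"], m["path"], int(m["status"])))
    return probes_by_ip, exposed

if __name__ == "__main__":
    counts, exposed = analyze(SAMPLE_LOG)
    print("probes per client:", dict(counts))
    print("non-4xx responses to probe paths:", exposed)
```

An empty second result means every probe was rejected with a 4xx, which is the behaviour described above for the Moesif API.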
Let us know if there is a specific metric you’re interested in. We’re always open to sharing more data as long as it is OK.