APIs not to blame
An API is just an official way to do something, with a (more-or-less) guarantee it won't fall to pieces next system update. Snarfing users' PINs without an API is a hack; using an API is just regular programming.
The APIs used in this case aren't the vulnerability, they just expose it and make it (too) easy. And, erm, make it difficult to fix without breaking a stability promise made to app developers in general.