If I understand correctly, it depends on both.
The API is often the differential of each language: I, for example, find C++ superior to Java as a language. But the Java API is extensively more practical than the C++ Standard Library. So if I had to choose between the two for a commercial project, I would probably choose Java.
Similar to systems Apis: It depends on who developed the API and who consumes it. But it depends chiefly who developed it.
If the API has been developed very safely but the client uses it poorly, this problem is unique to the client. The client may misexpose your data, but this will in no way affect the server.
Already if the API was developed with security loopholes, even the most careful of customers may have their security affected. It cannot make security changes to the server; it depends on that bad API. The most it can do is be careful in its application and hope that no one tries to use the poorly developed server to harm it.
In short: Depends on both, but mainly on who developed the API -- and not who consumes it.
Faro. Could you define what is "safe"? Note that nothing is totally safe, however, if you specify some minimum requirements you can arrive at a concept reasonable.
– utluiz
When I talk about security I mean directly if the application exposes customer information or even makes your application easy to penetrate.
– Faro