Best practice in allowing only Android app to access Rails API

Question

I didn't find any concrete answer and most of the solutions are older ones so I would like to ask community for best practices in protecting Rails API from other requests and allow only Android app to access it. There is no user registration or login. Android app only needs access to data.

I was thinking to insert a secret key inside my Android app and pass that key in each request but this doesn't seem too safe to me.

What would be recommended practice in protecting Rails API from other requests and allowing only Android app to access it? Thank you.

Answer 1

I don't have a lot of experience with API's, but I do know that if you want to secure them properly, you can use some API secret keys to handle the job

--

API Keys

If you want to provide functionality to only a particular group of users, you'll be best embedding API keys into their applications.

I don't know how you'd achieve this specifically (IE only for your android systems), but what you'll want to in an ideal world, is only allow particular API-key enabled accounts to access the Rails app data.

Your job will then be to provide the keys to android-powered devices only (the part I'm not sure about yet).

Rails is actually very versatile when it comes to securing an API:

--

Android ID

I don't know specifically, if you're installing apps on Android devices, surely you'll get access to an Android ID or something?

Upon reading this documentation, it seems you get access to a collection of appliance ID's inside Android (both for your device and Android installation). I would be looking at how to use these as a way to identify API requests

Is there a unique Android device ID?

Perhaps your flow could be something like - the first run of the app would verify the device is Android, and if so, adds the Device ID to your rails "API Keys" db. This will then allow you to permit access to the device in the future

Answer 2

I don't think you'll be able to get 100% security. But if you store the secret key in the application's data area (ie write a file to the internal storage location), it will be at worst very difficult to get to. I hesitate to say impossible. The chink is someone with a rooted device can open the file quite easily. You can pull a trick like encrypting the key using another key that's in your source code, then obfuscate your source using ProGuard or something. This won't be perfect either, but it will make it a serious pain in the rear to get the key even if the user has root. Probably the best you can do.