 

Best way to secure Private REST API without user authentication for mobile app


I am making some RESTful APIs for my mobile application.

The communication between the app and the web server has to be made in REST. These APIs should be private, and only my app should be able to call them for successful results.

The tough part is, there is no user ID and password required in my app, so I do not know how I could restrict the REST API to the mobile app without basic user authentication.

One solution I thought of was to embed some kind of hardcoded string, so when the mobile app uses the RESTful URL it will pass that in encrypted format over SSL. But I know this seems like a very bad solution...

Kindly suggest what should be the best solution in such a situation.

wolvorinePk asked Jan 31 '15 12:01



2 Answers

Take a look at the Hash-based message authentication code (HMAC) mechanism.

Wikipedia link: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

Your client (mobile app) will need a public API key that identifies the REST web service client and a private / cryptographic key. The public API key can be sent along with the HTTP request. It is public and everyone can see it. The private key, however, should never be sent along with the request, and should only be known by the server and client. This key is used to generate the hashed message that is sent to the server instead. The HMAC can be generated using a SHA1 / MD5 algorithm, a message that should be generated by an algorithm that both server and client know and, finally, the private key.

Emanuel Miranda answered Oct 20 '22 01:10
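The scheme described in the answer above, written out as a worked example. This is added code, not code from the original post or from its author: the canonical string (method, path, timestamp, nonce and a SHA-256 hash of the body joined by newlines), the `X-Api-Key` / `X-Timestamp` / `X-Nonce` / `X-Signature` header names and the `API_KEYS` credential store are this example's own assumptions, and it uses HMAC-SHA256 rather than the SHA1 / MD5 the answer mentions. The server checks the timestamp window and a nonce cache so a captured request cannot simply be replayed, and compares signatures in constant time.

```python
"""HMAC request signing for a private REST API (added example, not from the post).

Assumed construction:
    canonical   = METHOD \\n PATH \\n TIMESTAMP \\n NONCE \\n sha256hex(body)
    X-Signature = hex(HMAC-SHA256(secret, canonical))
"""
import hashlib
import hmac
import secrets
import time

# Constructed credential store: public key id -> secret key bytes.
# The public id travels in the clear; the secret must never be sent.
API_KEYS = {
    "app-android-v1": bytes.fromhex(
        "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
    ),
}
MAX_SKEW_SECONDS = 300   # accept timestamps within +/- 5 minutes of server time
_seen_nonces = {}        # nonce -> expiry; in-memory replay cache for the example


def canonical_string(method, path, timestamp, nonce, body):
    """Bind method, path, time, nonce and body into the message that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(key_id, secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the authentication headers for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    signature = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Api-Key": key_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": signature,
    }


def _purge_nonces(now):
    """Drop nonces whose timestamp window has passed; they can no longer be replayed."""
    for nonce in [n for n, exp in _seen_nonces.items() if exp <= now]:
        del _seen_nonces[nonce]


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the HMAC and check freshness. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    secret = API_KEYS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown key id"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    nonce = headers.get("X-Nonce", "")
    _purge_nonces(now)
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode()):
        return False, "bad signature"
    _seen_nonces[nonce] = now + MAX_SKEW_SECONDS
    return True, "ok"


if __name__ == "__main__":
    key_id = "app-android-v1"
    body = b'{"item": 42}'
    hdrs = sign_request(key_id, API_KEYS[key_id], "POST", "/v1/orders", body)
    print(verify_request(hdrs, "POST", "/v1/orders", body))   # first use verifies
    print(verify_request(hdrs, "POST", "/v1/orders", body))   # same headers again: replay rejected
```

Note that the secret is still compiled into the app, which is exactly the weakness the question raises; what this scheme adds over a bare hardcoded string is that the secret never crosses the wire and a captured request is bound to one method, path, body and moment in time.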


You are right, an embedded key in the app can be easily retrieved by packet sniffers or various other techniques. You can overcome this issue by using the following instructions.

  • client (your app) will call required API
  • server will reject it, but in response it will send a string containing random hash (=challenge).
  • client uses that string in combination with some other string (=password) (already embedded in app) to generate a new hash (=digest)
  • client will call same API again but this time using newly created digest as authentication parameters.
  • server will validate that digest and will proceed

FYI: the above-mentioned procedure is a widely accepted standard and is referred to as Digest Authentication. If you need more help, just ask Google for "android http digest authentication".

Nasir Iqbal answered Oct 19 '22 23:10
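The five-step challenge-response exchange in the answer above, as an added example that is not part of the original post or its author's code. The `X-Challenge` / `X-Digest` header names, the digest input (challenge, method, path and a SHA-256 hash of the body, joined by colons and run through HMAC-SHA256) and the in-memory challenge store are this example's own assumptions. The server issues a fresh random challenge on every unauthenticated call, accepts each challenge once, and expires unused ones. One caveat worth stating plainly: the secret still ships inside the app, so a challenge defends against replay of a sniffed request, not against someone pulling the secret out of the binary.

```python
"""Challenge-response ("digest") authentication for a private REST API.

Added example, not from the original post. Assumed construction:
    digest = hex(HMAC-SHA256(app_secret, challenge:METHOD:PATH:sha256hex(body)))
"""
import hashlib
import hmac
import secrets
import time

# Constructed app secret. It has to ship inside the app, which is the weakness
# the question describes: the challenge stops replay, not extraction.
APP_SECRET = b"constructed-app-secret-do-not-reuse"
CHALLENGE_TTL = 60  # seconds an unused challenge stays valid


def compute_digest(secret, challenge, method, path, body):
    """Step 3: combine the server's challenge with the embedded secret and the request."""
    body_hash = hashlib.sha256(body).hexdigest()
    msg = ":".join([challenge, method.upper(), path, body_hash]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, secret, ttl=CHALLENGE_TTL):
        self._secret = secret
        self._ttl = ttl
        self._challenges = {}  # challenge -> expiry time

    def _expire(self, now):
        for c in [c for c, exp in self._challenges.items() if exp <= now]:
            del self._challenges[c]

    def handle(self, method, path, body, headers, now=None):
        """Returns (status, response dict)."""
        now = time.time() if now is None else now
        self._expire(now)
        challenge = headers.get("X-Challenge")
        digest = headers.get("X-Digest")
        if challenge is None or digest is None:
            # Steps 1-2: reject, but hand out a fresh unpredictable challenge.
            challenge = secrets.token_hex(32)
            self._challenges[challenge] = now + self._ttl
            return 401, {"X-Challenge": challenge}
        # Step 5: a challenge is single-use. It is removed even if the digest is
        # wrong, so one challenge cannot be used to brute-force the secret.
        if self._challenges.pop(challenge, None) is None:
            return 401, {"error": "unknown or expired challenge"}
        expected = compute_digest(self._secret, challenge, method, path, body)
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return 403, {"error": "bad digest"}
        return 200, {"result": "ok"}


def client_call(server, secret, method, path, body, now=None):
    """Client side, steps 1, 3 and 4: one unauthenticated call, then the retry."""
    status, resp = server.handle(method, path, body, {}, now=now)
    if status != 401 or "X-Challenge" not in resp:
        return status, resp
    challenge = resp["X-Challenge"]
    headers = {
        "X-Challenge": challenge,
        "X-Digest": compute_digest(secret, challenge, method, path, body),
    }
    return server.handle(method, path, body, headers, now=now)


if __name__ == "__main__":
    srv = Server(APP_SECRET)
    print(client_call(srv, APP_SECRET, "GET", "/v1/items", b""))  # genuine app
    print(client_call(srv, b"wrong", "GET", "/v1/items", b""))    # wrong secret
```

Compared with the stateless HMAC scheme in the first answer, the server here must remember outstanding challenges (a shared cache in a multi-node deployment), and every call costs two round trips; in exchange the client needs no clock, and the server decides how long a challenge lives.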