Menu
I'm designed REST API that is going to be used for iOS and Android apps, and possibly web and other mobile clients in the future.
How do I restrict my entire API to only the clients (apps) that I want to have access? I want to prevent 3rd parties from accessing my API to register users or even login without going through an authorized application (mobile or web client).
I could give each client that I want to have authorization a secret key, but how do I prevent this key from being extracted from my application's source code (especially easy if my app was a web app)? Also, if the key needs to be changed in the future (due to a compromise) this would be difficult as all my clients would need to be updated, and old clients would fail to function. There has to be a better solution.
I'm using JWT for user authentication, but I fail to see how I can apply this to my problem. I really like how JWT are easily implemented, so it would be great if I could apply a JWT implementation to solve this problem.
541
if you want to restrict the access to some REST API endpoints, use the ACLs authorizations. if you want to restrict the access to certain parts of your product catalog, use the Entreprise Edition permissions (only available in the Entreprise Edition).
If you want to restrict usage and make it inconvenient for abusers to call your API, you can issue a token on page load (CSRF token) and require that token to be present in the request to the API - that way the API will be callable from a browser that initiated a page load.
Keep APIs behind a firewall, web application firewall or API gateway -- accessed through a secure protocol, such as HTTPS -- to provide baseline protection, such as scanning for signature-based threats and injection-based attacks.
When you embed an access key in the client you basically accept that it is exposed. Current technology like proguard and ssl may secure it, but it doesn't prevent bad people from abusing it in legitimate way (i.e through the app). As a matter of fact this still holds true in the case of user validation being required. So preventing abuse is just a half of security paradigm. The other half is identifying abuser.
That said you cannot hope to do more in preventing that access key being hacked. What you can do however is layer it again under an authority you control from your server. One way I am aware of is token mechanism. A user sends a request with access key and his device parameters. Once it is validated you return him a token with expiration time. With this token he can then access your resources. This method gives two benefits:
User is still identified by his device parameters. Depending on this information and frequency of his access, you can decide that he is an abuser or not. Token itself expires after a certain duration, so if he is then you can just refuse him the next token.
You won't need to update your access key.
Actually this mechanism would be similar to Amazon Token Vending Machine which was replaced by the service Amazon Cognito.
144
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
