Hello, I am working on an Android application in which I need to call a few HTTPS web services, so all my web service URLs and Web API key are in the code, plus the IP address of the server. When anyone reverse engineers my app, that person can get my web service URL as well as the API key and then simply hit it using a REST client.
How can I secure this so that an attacker can't get my WEB API KEY, which I defined in strings.xml?
<string name="WEB_API_KEY">XXXXXXXXXXXXXXXXXXXXXXXXXXX</string>
Thanks in advance.
The Secure Sockets Layer (SSL), now technically known as Transport Layer Security (TLS), is a common building block for encrypted communications between clients and servers. Using TLS incorrectly might let malicious entities intercept an app's data over the network.
SSL (Secure Sockets Layer) certificate pinning, or pinning for short, is the process of associating a host with its certificate or public key. Once you know a host's certificate or public key, you pin it to that host.
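An added example (not part of the answer above) of what pinning looks like in an Android app using OkHttp's CertificatePinner; the host name and the two pin values are placeholders. Pinning protects the connection against interception by an untrusted certificate, but it does not hide a key that ships in the APK, so it complements rather than replaces the server-side checks in the other answers.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedApiClient {
    // Placeholder host; replace with the real API host.
    static final String API_HOST = "api.example.com";
    // Placeholder pins: base64 SHA-256 of the SubjectPublicKeyInfo of the
    // current certificate plus a backup key you already control offline.
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Builds a client that only talks to API_HOST if the chain contains a pinned key. */
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP) // second pin so a key rotation does not break the app
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    /** Computes the "sha256/..." pin string for a certificate, e.g. when first setting up pins. */
    public static String pinOf(Certificate cert) {
        return CertificatePinner.pin(cert);
    }

    /** Performs one request; returns false on HTTP failure or on a pin mismatch. */
    public static boolean callApi(OkHttpClient client) throws IOException {
        Request req = new Request.Builder()
                .url("https://" + API_HOST + "/v1/ping") // placeholder endpoint
                .build();
        try (Response resp = client.newCall(req).execute()) {
            return resp.isSuccessful();
        } catch (SSLPeerUnverifiedException e) {
            // None of the pinned keys appeared in the presented chain (interception
            // proxy, or a rotation you did not pin in advance): fail closed.
            return false;
        }
    }
}
```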
I have faced the same issue. First, to ensure that only the app I have created is calling the web service, even if someone gets the key by reverse engineering. Secondly, that a valid user is calling the application. The following checks are done on the server:
1)Verify that it’s really signed by Google.
2)Verify that it’s really meant for you.
You need to use the Google Developers Console https://console.developers.google.com/project?authuser=0
Create two client IDs (one for the server and the other for the Android application) under the menu API & auth.
To create the client ID for the Android application you can use keytool:
keytool -exportcert -alias <your-key-name> -keystore <your-key-store-file> -v -list
I have followed the steps from here
A server-side PHP sample is given below:
// Verifies a Google ID token sent by the app and returns the result array
// (email on success, error details on failure).
function checkSession($token){
    $result = Array();
    $secure_connection = false; // only accept tokens over HTTPS
    if(isset($_SERVER['HTTPS']))
    {
        if ($_SERVER["HTTPS"] == "on")
        {
            $secure_connection = true;
        }
    }
    if($secure_connection){
        try {
            $client = new Google_Client();
            $client->setClientId(CLIENT_ID);
            $client->setClientSecret(CLIENT_SECRET);
            // verifyIdToken checks the signature against Google's keys
            $ticket = $client->verifyIdToken($token);
            $validtocken = false;
            if($ticket){
                $token_data = $ticket->getAttributes();
                // aud must be the server client ID, azp the Android client ID,
                // so the token was issued to this app for this backend
                if($token_data ["payload"]["aud"]==CLIENT_ID &&
                   $token_data ["payload"]["azp"]==ANDROID_ID){
                    $validtocken = true;
                    $result["Email"]=$token_data ["payload"]["email"];
                }
                else
                {
                    log_message(serialize($token_data));
                }
            }
        } catch (Exception $e) {
            $result["Details"]=$e->getMessage();
        }
    }
    return $result;
}
The best way is to receive the web API key from the server the first time the app opens.
In this case the app stores the key in internal storage, not in the APK.