I know CSRF attacks and protection against them inside and out; I've read the entire OWASP page on it, but I'm a bit at a loss when it comes to protecting REST APIs.
I'm developing a RESTful web API for a mobile application. To authenticate users, I'm using an OAuth server package (password grant flow) and my custom-built social grant for Facebook's manual login flow (we have both local and Facebook accounts in our database). Both of these grants generate our application-specific access tokens, which the client (mobile app) sends to the server with each request (in the Authorization header) to reassure it that he/she is a logged-in user.
Doesn't this alone mitigate the CSRF attack window? If not, what should I do to protect my server against these attacks?
P.S. I suppose checking the referrer header is not going to help here, because the referrer would differ from my server's domain, right?
OK, first thing: a CSRF attack requires one important application, called a browser. No one can simply trick your mobile application into sending a request along with credentials to the API server. So your mobile application is particularly safe from CSRF attacks.

However, the problem arises if you use the same API server for communication with a web frontend (if your application has a corresponding web application too). In that case, you'd have to separate the API server for the mobile application and the web frontend, with CSRF prevention ACTIVE for web frontend API calls. OR, you can use the same API server, if you can somehow differentiate the calls from web and mobile.
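The two cases the answer distinguishes, a bearer token in the Authorization header versus a cookie-authenticated browser call hitting the same API, written as a small server-side guard; this is an added example, not code from the question or the answer. It also applies the Origin/Referer allowlist check the P.S. asks about to the cookie path only, and the session store, cookie name, X-CSRF-Token header and allowed origin are all assumed.

```python
# Added example (not from the original post): a request-classifying guard
# for an API server shared by a mobile app and a browser front end.
# Hypothetical names and values; the session-cookie and CSRF-token
# mechanisms are assumed, not taken from the thread.
from dataclasses import dataclass, field
import hmac
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}   # assumed web front-end origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}        # must not change state

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def _header(req, name):
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None

def csrf_guard(req: Request, sessions: dict) -> tuple:
    """Return (allowed, reason); sessions maps session id -> CSRF token."""
    auth = _header(req, "Authorization") or ""
    if auth.startswith("Bearer "):
        # Token carried in a custom header: a cross-site form or <img> cannot
        # attach it, so no CSRF check is needed here. Validating the token
        # itself is the OAuth layer's job (assumed to run elsewhere).
        return True, "bearer-token"
    session_id = req.cookies.get("session")
    if session_id is None:
        return False, "unauthenticated"
    # Cookie-authenticated browser call: the browser attaches the cookie on
    # its own, so state-changing requests need CSRF protection.
    if req.method.upper() in SAFE_METHODS:
        return True, "cookie-session-safe-method"
    origin = _header(req, "Origin") or _header(req, "Referer")
    if origin is None:
        return False, "missing-origin"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False, "bad-origin"
    expected = sessions.get(session_id)
    sent = _header(req, "X-CSRF-Token")
    if expected is None or sent is None or not hmac.compare_digest(expected, sent):
        return False, "bad-csrf-token"
    return True, "cookie-session-csrf-ok"
```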