Mobile-to-Server API Security

I am tasked with designing a system that will allow our users to also sign in to their accounts and interact with our service using their mobile phones. I am concerned about the security of the application though.

Basically, we allow people to log in via OAuth using Facebook or Twitter. The mobile application (built with Appcelerator Titanium) should do that too. Upon a successful login on the phone, I need to notify my app that someone logged in with FB or Twitter so that my app can retrieve the user's app-specific user id.

My first thought was to write an API that the phone could call out to, which would accept parameters such as the Facebook or Twitter user id. I would query my database, find their internal user id, and return it to the phone.

This would work fine, but it's completely insecure. Anyone could hit that same API with a Facebook user id, and the API would just return the internal id (and any other data needed by the app) without knowing whether the request is authorized.

This is my first mobile app, so I am a little unsure of the correct way to implement security on my API.

Bryan Migliorisi asked Apr 22 '11 19:04




1 Answer

  1. If you can, use HTTPS, and lots of problems are solved.
  2. When the login succeeds, you can create a session and pass the session id to the client; here I advise you to send the session id the RSA way (for the case that someone can sniff your session id).
  3. Use a hash signature to make sure the request is not modified on the way, but this method cannot prevent the replay issue.

Finally, for your problem, if there is new progress, please let me know, thanks!

jianpx answered Oct 20 '22 20:10
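One way to implement the answer's third point (a hash signature over the request) and also cover the replay gap it mentions, as an added example that is not the asker's or answerer's code: the server keeps a per-session secret issued once over HTTPS at login, the client signs each call with HMAC-SHA256 over the method, path, body, timestamp and a nonce, and the server rejects stale timestamps and nonces it has already seen. The session id, secret and time window are constructed values.

```python
import hmac
import hashlib
import time

# Constructed example state: a per-session secret issued once over HTTPS at
# login and never sent again; the client uses it to sign every API call.
SESSION_SECRETS = {"sess-1234": b"constructed-session-secret-do-not-reuse"}
TIME_WINDOW = 300          # seconds a request timestamp stays acceptable
seen_nonces = {}           # nonce -> expiry time, blocks replays inside the window

def canonical(method, path, body, timestamp, nonce):
    # Every field the signature covers, joined in a fixed order so that the
    # client and the server hash exactly the same bytes.
    return "\n".join([method.upper(), path, body, str(timestamp), nonce]).encode()

def sign_request(secret, method, path, body, timestamp, nonce):
    # Hex HMAC-SHA256 that the client sends alongside the request fields.
    return hmac.new(secret, canonical(method, path, body, timestamp, nonce),
                    hashlib.sha256).hexdigest()

def verify_request(session_id, method, path, body, timestamp, nonce, signature, now=None):
    """Return (ok, reason). Rejects unknown sessions, tampered fields,
    stale timestamps and reused nonces, in that order."""
    now = time.time() if now is None else now
    secret = SESSION_SECRETS.get(session_id)
    if secret is None:
        return False, "unknown session"
    expected = sign_request(secret, method, path, body, timestamp, nonce)
    # compare_digest keeps the comparison constant-time, so the mismatch
    # position is not leaked through response timing.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if abs(now - timestamp) > TIME_WINDOW:
        return False, "stale timestamp"
    # Forget nonces whose window has passed, then refuse one already accepted.
    for n, expiry in list(seen_nonces.items()):
        if expiry <= now:
            del seen_nonces[n]
    if nonce in seen_nonces:
        return False, "replayed request"
    seen_nonces[nonce] = now + TIME_WINDOW
    return True, "ok"
```

The nonce cache must be shared across server instances (a database or cache with expiry) for the replay check to hold in a multi-server deployment.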