secure a REST API for use by Android clients

We're developing a JSON REST API in Rails to be consumed by an Android application, which we are also developing. Is there any way to secure the API such that it can only be used by our specific Android application?

The API is read-only, and does not involve any kind of user-related or otherwise sensitive information. But to the extent that is reasonable we'd like to prevent abuse and restrict its use to only our app.

I could easily add an authentication token to the API and distribute it with the app, but:

  1. We'd probably have to move the API over to SSL, if we use BASIC auth.
  2. It's probably trivial for a determined person to open up the Android APK binary and uncover the auth token anyway.

The situation seems analogous to a café posting their WiFi password on the shop counter: you have to give the secret out to everyone who wants to use your service, so it almost seems pointless to have it in the first place.

What's the most reasonable approach to take?

asked Mar 07 '13 14:03 by George Armhold



1 Answer

Wanting to secure a probably public, undocumented API so it can only be accessed by one application means you want to stop people from using your API who are determined to use your API.

Meaning people who would try everything possible to use your API.

If this is not the case, adding an auth token won't be trivial, but at least a big stepping stone for people who stumble upon your API. And not a very bad idea to implement this.

Because this authentication isn't user-based but application-based, you don't want authentication to rely on user input. The request must be made purely by the application.

Meaning you will have to do so anyway (adding a hardcoded token). Only you make it very, very difficult for a determined person to uncover the access and request tokens and the methods.

It depends on the situation, but I would go for the SSL and hardcoded token.

Some extra security:

  • Release an access token to the application, which only needs to send a request token periodically. Meaning less chance people intercept the hardcoded request token, but rather a session-based access token which expires. Maybe just do this once for every application install.
  • Encode this request token before sending it over the air. Meaning people have to decompile your app.
  • Obfuscate code (make it more difficult to decompile).
answered Sep 27 '22 20:09 by Timmetje
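The exchange the answer sketches (hardcoded app secret, exchanged periodically for an expiring access token, with the secret itself never sent raw), as an added example that is not part of the original question or answer and is not the asker's Rails code. It is plain Ruby on the standard library so it runs without Rails; APP_SECRET, SERVER_KEY, TOKEN_TTL, SKEW and the install_id field are all assumed names, and "encode before sending" is interpreted here as the client sending an HMAC proof over a timestamp and nonce instead of the secret, which goes slightly beyond the answer's wording. Everything here must run over TLS, otherwise the access token is simply copied off the wire.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "json"

# Added example: application-level (not user-level) token exchange for a
# read-only API. Constructed values for illustration: APP_SECRET stands for
# the value compiled into the APK, SERVER_KEY never leaves the server.
APP_SECRET = "example-app-secret-compiled-into-apk".freeze
SERVER_KEY = SecureRandom.hex(32).freeze
TOKEN_TTL  = 24 * 3600   # access token lifetime in seconds (assumed)
SKEW       = 300         # accepted clock skew on the handshake timestamp (assumed)

def hmac(key, data)
  OpenSSL::HMAC.hexdigest("SHA256", key, data)
end

# Byte-wise comparison that does not short-circuit on the first mismatch,
# so a wrong proof or signature cannot be guessed one byte at a time.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Client side (what the Android app would do) ---------------------------
# The app never transmits APP_SECRET. It sends a one-time proof that it knows
# the secret, bound to an install id, the current time and a random nonce.
def client_handshake(install_id, now: Time.now.to_i, secret: APP_SECRET)
  nonce = SecureRandom.hex(16)
  msg   = "#{install_id}:#{now}:#{nonce}"
  { install_id: install_id, ts: now, nonce: nonce, proof: hmac(secret, msg) }
end

# --- Server side (what the Rails API would do) -----------------------------
# In-memory replay cache of nonces already accepted (assumed; a real service
# would keep this in a store with expiry, keyed for at least 2 * SKEW).
SEEN_NONCES = {}

# Exchange a valid handshake for a signed, expiring access token.
# Returns [:ok, token] or [:error, reason].
def issue_access_token(req, now: Time.now.to_i)
  ts = Integer(req[:ts])
  return [:error, :stale]  if (now - ts).abs > SKEW
  return [:error, :replay] if SEEN_NONCES.key?(req[:nonce])

  expected = hmac(APP_SECRET, "#{req[:install_id]}:#{ts}:#{req[:nonce]}")
  return [:error, :bad_proof] unless constant_time_eq?(expected, req[:proof].to_s)

  SEEN_NONCES[req[:nonce]] = ts
  claims  = JSON.generate(install_id: req[:install_id], exp: now + TOKEN_TTL)
  payload = Base64.urlsafe_encode64(claims, padding: false)
  [:ok, "#{payload}.#{hmac(SERVER_KEY, payload)}"]
end

# Check the access token presented on every read request.
# Returns [:ok, install_id] or [:error, reason].
def verify_access_token(token, now: Time.now.to_i)
  payload, sig = token.to_s.split(".", 2)
  return [:error, :malformed] if payload.nil? || sig.nil?
  return [:error, :bad_signature] unless constant_time_eq?(hmac(SERVER_KEY, payload), sig)

  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return [:error, :expired] if claims["exp"] <= now
  [:ok, claims["install_id"]]
end
```

The server only ever sees the proof, so a passive observer of a non-TLS connection still cannot recover APP_SECRET, and a captured handshake cannot be replayed thanks to the nonce cache and timestamp window. None of this changes the answer's core caveat: whoever extracts APP_SECRET from the APK can run client_handshake themselves, so the scheme raises the cost of abuse rather than making it impossible.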