Securing API Keys on clients (JavaScript, Android, iOS, etc.)

Question

I am working on an API-centric web application with a custom authorization method that consists of building a string based off of the request method, URL, params, public API key and encoded by a private API key. This works fine on the server side, but on client side the private API key (and authorization method) will be vulnerable. I've spent the last hour or so looking on a good way to secure this API key and the best method I could find is by proxying through my server, but I am still not sure 100% on this.

First of all, should I be worried? I want to make security a priority in my web application, but anything that will deal with modifying a user's account will need a temporary, encrypted token to authorize the request (in addition to the HMAC hash).

My understanding from proxying was that you would make a request to your server, which would then encrypt with the private key and return the information..but how would the server validate that the request came from a source with a valid API key?

Can anyone provide any insight as to what I should do? I feel like this could potentially be a vulnerability for any client-side code including JavaScript, iOS, and Android.

Answer 1

You can never trust the client. Even if you obfuscate, someone could still figure it out. For example, an adversary could reverse-engineer the obfuscation algorithm, look at the device memory, or even capture what's sent over the wire.

However, you can still make a secure app by enforcing security on the server side. For example, users should need to be authenticated in order to successfully make privileged API requests.

Also, you can enforce API usage on the server side, whether by input validation, rate limiting, or IP address tracking.