Scottymeuk

Reputation: 801

How can I secure this API in an APK file?

I am currently developing an API for a website I run. The API will be used in a number of places, and one of those places is an Android app.

Its purpose is to allow users to log in and download files. I have the API built, and it will be using HTTPS, so all of the data is fine when being transferred.

The issue I am having is that the API calls require an API key. With this key you will be able to have access to certain functions of the API that may cause issues.

What I was wondering is, is there a way to secure this API key? I am not an Android developer at all, but people will be using the API on Android, so I need to work out a solution.

Below is an example of the flow that the API uses:

// Log the user in with their username and password (HTTPS, so not really an issue)
romhut.request('/api/users/login?apikey=KEY', {username : 'scott', password : 'password'}, function(r) {
    console.log(r);

    // Once you have the token, request the API key that allows actions such as downloading
    romhut.request('/api/files/download?apikey=KEY', {token : r.token, file : file}, function(d) {
        console.log(d);
        // Download the file
    }, 'POST');
}, 'POST');

Upvotes: 3

Views: 3036

Answers (3)

Seshu Loka

Reputation: 11

Is Android keystore a direction to look at? Then, perhaps an encrypted string is posted to the API based on the key that is stored in the Android keystore by the app at the time of installation. That way, if there is a successful decryption, it can serve the requests.

Upvotes: 0

user121356

No. You cannot protect the API key once you embed it into an Android application. The app needs access to the API key, so someone with access to the app will be able to recover that key from within the app and use it for their own purposes. The best you can do is to obfuscate your app so that reverse engineering it is more difficult (the goal is to make it more difficult for the attacker to reverse your app than is worth his time). You need to decide how much effort in this regard is called for, based on the risk of an exposed API key, but you can never make it impossible to recover, just more difficult. In reality, your best bet is most likely to turn on ProGuard during your build process (so things are obfuscated to a decent degree in the APK with no work on your end) and hope for the best.

Upvotes: 2

argentage

Reputation: 2778

You should create a specific API key for each user. There is no really good way to secure data that is actually in the user's hands (ask makers of copy protection about this). Then you can use HMAC to hash together the API key and the requested API and verify that the same thing happens on both ends. See: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code (PHP has a function for this.)

In fact it would be more accurate to say that there should be a many-to-one relationship between keys and users since you may have different and/or revoked keys for a user.

For an excellent overview, see: https://security.stackexchange.com/questions/18572/is-it-okay-for-api-secret-to-be-stored-in-plain-text-or-decrypt-able

Upvotes: 2
