Reputation: 13620
How can I secure online API for my app?
I'm creating an app for Windows Phone and Android. So right now Im building a webapi they both can use, but I want to secure it som non other then my applications can use it. How do I go about it? No one else then my apps is going to access these APIs.
I don't want to implement OAuth.
I've got two scenarios that I'm thinking of:
First (I store username and hashed password on the client):
- basic-auth over https/ssl, thats it.
Second (I store accesstoken on the client):
- basic-auth over https/ssl to receive a access token.
- to get access token, user sends a request for requestoken a token that verifies that both the client and server knows the clientsecret.
- for each call to the API the accesstoken has to be sent with to check access
The problem as I see the second approach is that the server sends accesstoken to the client, if anyone where to get this they would have the access of the user.
How is it done in the real world?
Upvotes: 1
Views: 81
Answers (1)
Reputation: 24576
You could use a slight modification of First:
- store username and password on client
- basic-auth over https
Storing a password hash on the client, then sending the hash and comparing it with the hash in the database is equivalent to storing a plain text password in the database because the hash becomes the password. So, your apps should authenticate with a username and password like any human user would do.
But your concerns for the second approach apply too. If somebody intercepts the message, he has your credentials.
A more secure solution is HMAC authentication (now we're talking "real world").
- a user has a secret key that is stored on server and client
- each request gets canonicalized (transformed into a distinct string, which contains the request method, URI, parameters and timestamp)
- the canonicalized request gets hashed with HMAC using the secret key, hash and user id are passed in the HTTP
Authorizationheader - on the server, a hash is generated using the same algorithm (with timestamp from the HTTP
Dateheader) and compared with the sent hash. - if the results are equal, the request is authenticated
An example is the Amazon S3 REST API - the linked documentation is also a good example how to implement it for your own API.
Upvotes: 1
Related Questions
- Protect a public API
- How to correctly secure my api and provide authentification?
- How to access to my own API from my web application securely?
- How to secure Web API for android/ios apps with basic authentication
- Securing MY REST API for use with MY IOS APP only
- Do I need to secure my API?
- Secure API Authentication method
- How to secure Rest Based API?
- How to secure account creation via (private) API?
- Javascript Calling a Rest API with App Name and App Password - How Can i Secure it