Aref Karimi

Reputation: 1890

How to implement authentication for Web API services that are used by an Android App?

We are going to build a Web API application which will be used by an Android app. I want to protect this public facing API so that only the Android app can use the API.

We prefer not to use HTTPS because the data that is transferred is not sensitive really. There is also no sign-in involved so as long as we make sure the legitimate app is making the call we are fine.

I was thinking of sharing a kind of secret data between the app and the api but our Android developer says whatever data we put in the app can be retrieved by malicious people. Plus, transferring that piece of data over HTTP is not safe.

I would like to know if anyone can help me with a solution by which we preferably won't have to use HTTPS?

Upvotes: 0

Views: 319

Answers (2)

Simon

Reputation: 6363

One idea is to have the app calculate a key based on something like the time that the message is sent and then the server side would be able to validate that key. The server would have to allow some time window.

If you use Proguard to obfuscate your app code you can make it very hard to read your code (not impossible but very hard). Constants are easier to find in obfuscated code than to see what method calls are doing so I would recommend calculating the key.

Using this approach, someone who intercepted the message could reuse the key (at least not more than a very short time). So if you really want to avoid https and your data isn't that sensitive this is a possible solution.

Upvotes: 1

Scott Helme

Reputation: 4799

You're correct that there is a possibility someone could recover a shared secret from the app source on the device. There is also no way to do what you want without using transport layer security (TLS/SSL). As soon as you transmit any secret in the clear, it's no longer a secret.

There is some good advice on how to do this properly here: http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html

"You absolutely must use an HTTPS connection, to keep any men-in-the-middle from peeking at your token." Emphasis from the page itself.

Upvotes: 1
