ramires.cabral

Reputation: 940

Secure an API for mobile apps call

I've been doing a lot of searching about securing my API for mobile apps on Android or iOS.

Almost all examples say the user provides a user ID and password somehow in exchange for a token.

But how do I prevent someone else from consuming my API without my consent? Consider the following scenario:

Another developer reverse-engineers my app, creates his own app and starts to consume it without authorization.

How do I prevent that?

Upvotes: 0

Views: 381

Answers (2)

luk2302

Reputation: 57184

Short answer: you can't.

A little longer answer: if you know what you are doing you can always reverse engineer a given application and use its API. You can only make it more difficult and time consuming; using authentication via tokens and device IDs or usernames is a good first step. Apart from that: why would you want to close your API to outsiders? If your server code is written well there is nothing to worry about.

You can maybe secure your API on a legal basis and sue developers who use it, but that is a completely different topic.

Some clarification regarding securing the API and securing content via the API. Assume you create a server where you can send user/password and receive a token if that combination was correct. For the account page you send said token over and the server verifies that the token is valid and returns your account page. You secured the actual content of the API. That is obviously very possible and almost a must-have unless you have no user-specific data. But still everybody can send the exact same initial request from their custom app, sending a user/pass and again receiving a token, etc. You cannot really prevent the request itself or even determine that it was not sent by some service not authorized by you. You can send some hashes along with the request to add some security by obfuscation, but since your app has to compute them, so can the reverse engineer.

Upvotes: 2

Karan

Reputation: 2130

Yes, login APIs are open, but they return a token only on a successful match in your database. You should focus more on the security of your data than on unknown hits at your API.

A sign-up API can be used for creating a user, and login for returning the token of that user. Only if a malicious developer has credentials can he access tokens and auth APIs. There is also something about DDoS attacks, so you can maybe write logic to temporarily block IPs where the hit frequency is high.

You can also store the device ID of the signing-in user, which seems ideal for your scenario. Entertain hits from that device ID only. Similarly, a user can add more devices with their credentials. I think even Google does that (generate alerts if user creds are signed in from a new device and add the device to the list if the user confirms). Hope this helps.

Upvotes: 1
