Reputation: 967
So I've been searching for a while about this whole private API key security issue, and I'm kind of confused about the approach I should take, simply because I haven't yet found anyone with the same particular issue/approach as mine.
I'm developing an Android app that works through a third-party API, to which I gained access by requesting a private key. Now, 2 points:
So, from this you can see that I'm not trying to hide the API key in the app code, nor am I trying to use user ids and signatures to allow access to my sort of API and consequently to the original API.
The thing is that, despite the fact that PHP code cannot be seen in the browser, it isn't impossible to do so in other ways, so I'm not secure in storing my key there either. So my question is simple: is this still the best approach for me to use to hide my private API key, or should I re-think the way I'm doing this whole process?
Upvotes: 3
Views: 7639
Reputation: 393
If I understand you correctly, you don't want to store the API key in your public web folder, because it could then become publicly accessible under certain conditions.
The recommendation I've followed is to store the API key in a file outside of the root web folder. You then require/include that file in the script in the public folder.
In a Linux environment, something like this:
/var/www/your_script.php (public access)
/var/secure/api_key.php (private, web server doesn't access this directory)
in your_script.php
<?php
// Absolute path to the key file that lives outside the web root (adjust to your own layout)
require_once '/var/secure/api_key.php';
echo $api_key; // testing only: the key is now available to the script
in api_key.php
<?php
// Placeholder value; this file is never served by the web server
$api_key = '15r723er8q5re';
Upvotes: 5
Reputation: 747
Your app should connect to YOUR SERVER, which then sends information on behalf of your user to the API SERVER that requires the api key. The only time the api key should be transmitted is when YOUR SERVER talks to the API SERVER.
Upvotes: 0
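Putting the two answers together (key kept outside the web root, app talks only to your own server, which alone talks to the API server), here is an added example of such a server-side relay script; it is not code from either answer. It assumes the key file at /var/secure/api_key.php defines $api_key, and uses a hypothetical upstream endpoint https://api.example.com/v1/search with a bearer-token header.

```php
<?php
// Added example: a minimal PHP relay that keeps the third-party key server-side.
// Assumptions: /var/secure/api_key.php (outside the web root) defines $api_key;
// https://api.example.com/v1/search is a hypothetical upstream endpoint.
declare(strict_types=1);

// The key file is outside the document root, so the web server never serves it.
require_once '/var/secure/api_key.php'; // defines $api_key

header('Content-Type: application/json');

// Accept only the one parameter the app is allowed to pass through; anything
// else the client sends (including an attempt to supply its own key) is ignored.
$query = $_GET['q'] ?? '';
if (!is_string($query) || $query === '' || strlen($query) > 100) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid query']);
    exit;
}

// Build the server-to-server request; this is the only place the key is sent.
$url = 'https://api.example.com/v1/search?' . http_build_query(['q' => $query]);
$ch  = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $api_key],
    CURLOPT_TIMEOUT        => 10,
]);
$body   = curl_exec($ch);
$status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

if ($body === false) {
    // Do not echo curl's error text: it may contain the request URL and headers.
    http_response_code(502);
    echo json_encode(['error' => 'upstream unavailable']);
    exit;
}

// Relay the upstream status and body; the key never appears in the response.
http_response_code($status === 0 ? 502 : $status);
echo $body;
```

What this does not solve is access to the relay itself: anyone who can reach your_script.php can spend your quota, so rate limiting or app authentication on the relay is the next concern, which the question explicitly set aside.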