Jakub Saleniuk

Reputation: 445

Native app OAuth2 authorization

We want to create a native mobile app using OAuth2. How do we protect against theft of the clientID (this information can be obtained by anybody)? Can someone create his own app and act as our app by using our clientID?

Upvotes: 1

Views: 69

Answers (1)

MRousse

Reputation: 546

Yes, if someone retrieves your clientId/clientSecret, he can act as your app and sadly, there is no way to fully remove credentials from your application.

At a higher level, your app needs an identifier and a secret to authenticate to your service. If you remove the secret from your app, you need to get it from somewhere else (it could be your user typing it, this would be the same as having an auth for the user and giving him a token to perform further API calls).

However, you can make it harder for reversers to obtain the credentials, as explained in this article. To make it even harder, you could force all your API calls to be done in HTTPS and enable SSL Certificate Pinning thus making Proxy Debugging/Man In The Middle difficult to pull off.

Ultimately, you should clearly identify which API calls should be public (with only the OAuth token to access those resources) and which should require a user authentication.

PS: Google's [Android Security Best Practices](https://developer.android.com/training/best-security.html) could be a good start!

Upvotes: 1
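The two hardening steps in the answer above (HTTPS only, plus certificate pinning so a debugging proxy cannot sit between the app and the API) can be expressed declaratively on Android with a Network Security Config. This is an added example, not the answerer's code; the domain `api.example.com`, the expiration date and the base64 pin values are placeholders, and the real pins must be the SHA-256 of the server's SubjectPublicKeyInfo (plus a backup key so a certificate rotation does not lock users out).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (Android 7.0 / API 24 and later).
     Referenced from AndroidManifest.xml with
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Placeholder values are marked; replace them before shipping. -->
<network-security-config>

    <!-- Weak default that many apps ship with: cleartext HTTP allowed everywhere,
         and user-installed CAs (e.g. a debugging proxy's root) trusted.
         Shown for contrast; do NOT keep this block. -->
    <!--
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Hardened default: every request must be HTTPS, and only the
         platform CA store is trusted, so a proxy root added by the user
         or by an attacker with device access is rejected. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the API host to the expected public key(s). With pinning, even a
         certificate issued by a trusted CA is rejected unless its SPKI hash
         matches one of these, which is what defeats MITM debugging proxies. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>   <!-- placeholder host -->
        <pin-set expiration="2026-12-31">                           <!-- placeholder date -->
            <!-- Primary key pin: base64(SHA-256(SubjectPublicKeyInfo)). Placeholder. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup key pin for rotation, generated offline and kept out of prod. Placeholder. -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

Pinning raises the bar for traffic interception but does nothing for the clientId embedded in the APK, which is the answer's main point: treat it as public and gate sensitive API calls on user authentication.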
