devedv

Reputation: 622

REST API authentication for mobile application iOS and Android

I want to securely access a REST API (.NET) from a mobile application (React Native). I had the following solutions, but each one has its drawback. Can someone suggest a solution to the problem?

1. REST API: secure the REST API with username & password.

Mobile App: send the username and password with every REST API call.

Drawback: on reverse engineering, the username and password stored in the mobile application are obtained. The code was obfuscated and the password was stored in several places, but hackers were able to obtain the password after some effort.

2. REST API: OAuth 2 implemented.

Mobile App: call the REST API to obtain a token for future use, but the first time it is required to pass auth credentials to obtain the token. Same problem: the username & password can be obtained by reverse engineering.

How can we move app secrets out of the app and still access the REST API securely from the mobile application?

Upvotes: 1

Views: 2900

Answers (2)

Skip Hovsmith

Reputation: 875

Three things for you:

1) I would definitely recommend OAuth2 over repeatedly sending username-password. It's well understood and there are both open source and free commercial implementations available. On mobile, PKCE is very important to prevent Auth Code interception attacks.

2) Using HTTPS for your REST API calls is a given, but I would encourage you to pin those connections as well. An attacker can easily compromise a mobile device and man-in-the-middle your API calls otherwise. Pinning is tricky for React Native; take a look at the react-native-cert-pinner npm package and/or read Strengthen TLS in React Native through Certificate Pinning (Android) or iOS.

3) OAuth2 with PKCE won't stop an impersonation attack, and especially if you are creating users with trust-on-first-use, you will be even more vulnerable to bot attacks. You should do more than just simple API keys. I would recommend some well-obfuscated signing of API calls or, even better, some form of app attestation. For React Native, see First experiences with React Native: bridging an Android native module for app authentication or similarly for iOS.

Upvotes: 0

iandayman

Reputation: 4467

You should look to implement the Authorisation Code Grant with PKCE.

Here is an example project doing something similar.

Upvotes: 1
