Reputation: 2989
I have a Flutter mobile app that calls a backend API server. This requires an API key. I don't want to embed the key into the app. How do I protect the API key and the endpoint from unauthorized access? My app does not require the user to log in.
The only idea that I can come up with is to have a pass-thru (Node.js) server that makes the call to the API server, and I can store the key on that server so it is not in the app.
However, now I will need to protect the Node server.
Any suggestion on how to do this, or do you have a better solution?
Thanks for your suggestions.
Example
import 'dart:convert';
import 'package:http/http.dart' as http;

class UserService {
  // Endpoint of the pass-thru (Node) server from App.js below; host/port assumed for local runs.
  final Uri userUri = Uri.parse('http://localhost:3000/user');

  Future<List<dynamic>> getUsers() async {
    final response = await http.get(userUri);
    if (response.statusCode != 200) {
      throw Exception('Request failed with status ${response.statusCode}');
    }
    // The Node server answers with {"employees": [...]}; hand back the list.
    final Map<String, dynamic> body = json.decode(response.body);
    return body['employees'] as List<dynamic>;
  }
}
App.js
var express = require('express');
var app = express();
var PORT = process.env.PORT || 3000;
app.get('/user', function(req, res) {
res.json({
"employees": [
{ "firstName":"John" , "lastName":"Doe" },
{ "firstName":"Anna" , "lastName":"Smith" },
{ "firstName":"Peter" , "lastName":"Jones" }
]
})
});
app.listen(PORT);
Upvotes: 3
Views: 3218
Reputation: 13064
The only idea that I can come up with is to have a pass-thru (Node.js) server that makes the call to the API server, and I can store the key on that server so it is not in the app.
However, now I will need to protect the Node server.
You have just shifted the problem from protecting your API backend to having to protect the pass-thru server, which is in fact a reverse proxy, as I describe in this article, Using a Reverse Proxy to Protect Third Party APIs:
In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app.
So, in fact, with the use of a pass-thru server you hide your API key from being exposed directly to prying eyes, but anyone can still access your backend API via the pass-thru server, even after you also protect access to it via an access key (API key, token, etc.), because they will extract the access key via reverse engineering techniques or with a MitM attack, like I describe in some articles I wrote:
Steal that Api Key with a Man in the Middle Attack:
In order to help demonstrate how to steal an API key, I have built and released on Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.
So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.
How to Extract an API key from a Mobile App with Static Binary Analysis:
The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus on using the Mobile Security Framework (MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.
During this article we will use the Android Hide Secrets research repository that is a dummy mobile app with API keys hidden using several different techniques.
I really recommend anyone to read the above articles to familiarize themselves with some of the possible approaches to extract secrets from a mobile app, because you will learn several approaches to hide those secrets and their trade-offs.
Any suggestion on how to do this...
So anything that runs on the client side and needs some secret to access an API can be abused in different ways, and you can learn more in this series of articles about Mobile API Security Techniques. These articles will teach you how API Keys, User Access Tokens, HMAC and TLS Pinning can be used to protect the API and how they can be bypassed.
To solve the problem of WHAT is accessing your mobile app you need to use one or all of the solutions mentioned in the series of articles about Mobile API Security Techniques that I mentioned above, and accept that they can only make unauthorized access to your API server harder, not impossible.
...or do you have a better solution.
A better solution can be employed by using a Mobile App Attestation solution that will enable the API server to know it is receiving only requests from a genuine mobile app. To learn more about it, I recommend you read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.
In any response to a security question I always like to reference the excellent work from the OWASP foundation.
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
OWASP Mobile Security Project - Top 10 risks:
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
Upvotes: 2