sakura-bloom

Reputation: 4594

API key + HTTP Signature - why use both?

I am trying to secure an API and looking into ways to secure it. I've seen different approaches used by different APIs:

Now, I'm wondering isn't HTTP Signature enough by itself to prove identity? Why use it in combination with something else (like API key or OAuth)?

Upvotes: 1

Views: 1959

Answers (1)

Exadra37

Reputation: 13104

Your Problem

Now, I'm wondering isn't HTTP Signature enough by itself to prove identity?

Assuming you refer to signing the HTTP request with HMAC, then it only proves the integrity and authenticity of the message in the HTTP request, or in other words, that it wasn't modified while in transit, but only if you know that what is making the request is indeed what you expect, a genuine and unmodified version of your mobile app that isn't under attack of any kind; otherwise you may get an HMAC signature that was spoofed by the attacker.

Why use it in combination with something else (like API key or OAuth)?

The API Key will provide to the API server a unique identifier for the app while the OAuth token will provide the identity of the user using said app.

So, before I continue to address your questions I would like to first clear a misconception about who and what is accessing an API server.

The Difference Between WHO and WHAT is Accessing the API

In the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

So think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request on behalf of the user.

When you grasp this idea and it's ingrained in your mindset, then you will look into API security with another perspective and be able to see attack surfaces that you never thought existed before.

Extracting secrets from API Requests via a MitM Attack

Now, I'm wondering isn't HTTP Signature enough by itself to prove identity? Why use it in combination with something else (like API key or OAuth)?

You can and you should use all of them in order to increase the level of difficulty required for an attacker to impersonate your API backend with requests that look like they were issued by genuine clients of your API.

The problem is that the API requests can be intercepted via a MitM attack, even when using HTTPS, as I show in my article Steal that Api Key with a Man in the Middle Attack:

In order to help to demonstrate how to steal an API key, I have built and released on GitHub the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to set up and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

When an attacker performs a MitM attack he also has the possibility to modify and replay the requests, therefore the attacker just needs to reverse the client to see how the message was signed, replicate it in the MitM attack to tamper with the message's content, and re-sign the messages as if they were signed by the client. You can see an example of this being done in the article Practical API Security Walkthrough — Part 3.

This is the third part of a mini series which uses a fictional product, “ShipFast”, to walk you through the process of defending against various exploits in a mobile application to gain access to data on a remote server allowing real users of the system to gain an unfair business advantage at the expense of the company.

The article will show you an example of securing the API request message integrity with static and dynamic HMAC and how they can be bypassed by an attacker. It includes code samples, but you can also clone the ShipFast repo on GitHub and play with it to better understand how everything works.

Possible Solutions

Why use it in combination with something else (like API key or OAuth)?

For Mobile Clients

For when the API client is a mobile app you can check these answers I gave:

  • I recommend you read my accepted answer to the question How to use an API from my mobile app without someone stealing the token, where the Runtime Secrets Protection seems your best option.
  • Another option for you is to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

For Web Clients

For Web APIs you can learn some useful techniques to help your API backend to try to respond only to requests coming from what you expect, your genuine web app, and to do so I invite you to read my answer to the question Secure api data from calls out of the app, especially the section dedicated to Defending the API Server.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For Web Apps

The Web Security Testing Guide:

The OWASP Web Security Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.

Upvotes: 1
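To make the distinction the answer draws concrete, here is an added example (not code from the question, the answer, or the ShipFast project) of a minimal HMAC request-signing scheme with the server-side checks that go with it. The canonical string format, the header names, the freshness window and the demo key are all my own assumptions. It shows what the signature does prove (the message was not altered in transit, and a replayed or stale request can be refused) and what it does not prove: any process holding the shared key produces a signature the server accepts, which is exactly why the answer pairs HMAC with API keys, OAuth and client-hardening measures instead of treating the signature as proof of *what* is calling.

```python
"""Added example, not from the page: HMAC request signing and verification.

Assumptions (mine, not the page's): a canonical string built from method,
path, timestamp, nonce and a SHA-256 hash of the body; header names
X-Timestamp, X-Nonce, X-Signature; a 5-minute freshness window; and a
shared key embedded in the client, the situation the answer describes.
"""
import hashlib
import hmac
import secrets
import time

# Constructed demo key. In the mobile-app scenario this same key ships
# inside the app, so a reversed client can produce valid signatures.
SHARED_KEY = b"demo-shared-key-not-a-real-secret"
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable


def canonical_string(method, path, timestamp, nonce, body):
    """Canonical representation that both client and server sign over."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(key, method, path, body, timestamp=None, nonce=None):
    """Client side: returns headers carrying timestamp, nonce and signature."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: checks the signature, a freshness window and nonce reuse."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now  # injectable clock so the freshness check is testable
        self.seen_nonces = set()  # replay protection within the window

    def verify(self, method, path, body, headers):
        """Returns (accepted, reason) for a received request."""
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if abs(self.now() - timestamp) > MAX_CLOCK_SKEW:
            return False, "timestamp outside freshness window"
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        msg = canonical_string(method, path, timestamp, nonce, body).encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the expected value through timing.
        if not hmac.compare_digest(expected, presented):
            return False, "signature mismatch (message altered or wrong key)"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo():
    """Walk through the cases the answer discusses; returns case -> accepted."""
    verifier = Verifier(SHARED_KEY)
    body = b'{"amount": 10, "currency": "EUR"}'  # constructed sample body
    headers = sign_request(SHARED_KEY, "POST", "/convert", body)
    results = {}
    # 1. Genuine, untouched request: accepted.
    results["genuine"] = verifier.verify("POST", "/convert", body, headers)[0]
    # 2. Same request delivered again: rejected by the nonce check.
    results["replay"] = verifier.verify("POST", "/convert", body, headers)[0]
    # 3. Body changed in transit but old signature kept: integrity check fails.
    tampered = b'{"amount": 10000, "currency": "EUR"}'
    results["tampered"] = verifier.verify("POST", "/convert", tampered, headers)[0]
    # 4. The signature binds the message to the key, not to a genuine app:
    #    a fresh signature from anything holding the key is accepted. This is
    #    the limit the answer describes, and why HMAC alone does not tell the
    #    server *what* is calling it.
    resigned = sign_request(SHARED_KEY, "POST", "/convert", tampered)
    results["resigned_with_key"] = verifier.verify("POST", "/convert", tampered, resigned)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```

Running the script prints four lines: the genuine request is accepted, the replay and the tampered-but-not-re-signed request are refused, and the tampered request carrying a fresh signature made with the same key is accepted. That last line is the whole point of the answer: the timestamp, nonce and constant-time comparison are worth having, but they defend the message, not the identity of the software that sent it.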
