soren.qvist

Reputation: 7416

Securing authentication through a REST API with an Android device?

I'm sketching out a solution where an Android app connects to a REST API on the web. Users should be able to create a profile, and then perform certain requests on that profile (change name, email etc.). Searching around for similar questions yielded a recommendation for a private/public key solution from a good portion of the answers.

This guy explains the procedure very well: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

This procedure depends entirely on the prerequisite that the private key is indeed private, and I didn't find any answers that address this. But if the server and client have to have the same private key, then it would have to have been transferred between both parties at some point, which would inevitably expose it to somebody watching the traffic. So is there a secure way to establish the same private key between both parties?

Another question, when the client obtains the private key (securely), how should it be stored? Is something like Shared Preferences secure enough? My concerns are that somebody with rooted access could access this easily.

Upvotes: 3

Views: 934
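To make the "shared private key" scheme from the question concrete, here is an added example (not code from the question, the answer, or the linked article) of the two halves of an HMAC-signed request: the client signs a canonical form of the request with the shared secret, and the server recomputes the signature with its stored copy and compares in constant time. It is written in Python so both sides fit in one runnable file; an Android client would do the same computation with `javax.crypto.Mac`. The user id, the secret, and the header names are constructed for illustration, and the example assumes the secret was issued once over a TLS connection at signup, so it never travels on the wire again: every later request carries only a signature, which a passive observer cannot reuse for a different request or after the timestamp window closes.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample: the server issues this secret once, over the TLS
# connection established at signup, and stores it beside the user's id.
# Hypothetical user id and key material for illustration only.
USER_ID = "user-42"
SHARED_SECRET = "constructed-shared-secret-do-not-reuse"

# Server-side key store (in a real deployment: a database, keyed by user id).
SERVER_KEYS = {USER_ID: SHARED_SECRET}


def canonical_string(method, path, params, timestamp):
    """Deterministic representation of the request that both sides sign.

    Sorting the query parameters guarantees the client and server build
    byte-identical input regardless of the order the app sent them in.
    """
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}\n{timestamp}"


def sign_request(user_id, secret, method, path, params, timestamp=None):
    """Client side: attach an HMAC over the canonical string.

    The secret itself is never placed in the request; only the signature is.
    """
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, params, timestamp).encode()
    sig = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return {
        "X-User-Id": user_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": sig,
    }


def verify_request(headers, method, path, params, now=None, max_skew=300):
    """Server side: look up the caller's secret, recompute the HMAC over the
    request as actually received, and compare in constant time.

    Returns True only if the signature matches and the timestamp is within
    max_skew seconds of the server clock (limits replay of captured requests).
    """
    secret = SERVER_KEYS.get(headers.get("X-User-Id"))
    if secret is None:
        return False  # unknown user: nothing to verify against
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if now is None:
        now = int(time.time())
    if abs(now - ts) > max_skew:
        return False  # stale or replayed request
    msg = canonical_string(method, path, params, ts).encode()
    expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    # Constructed walk-through: a profile update signed by the client,
    # then the same headers presented with a tampered body.
    params = {"name": "Alice", "email": "alice@example.invalid"}
    hdrs = sign_request(USER_ID, SHARED_SECRET, "POST", "/profile", params)
    print("genuine request accepted:", verify_request(hdrs, "POST", "/profile", params))
    tampered = dict(params, email="attacker@example.invalid")
    print("tampered request accepted:", verify_request(hdrs, "POST", "/profile", tampered))
```

The server never needs the client to resend the secret, which is the point of the question's worry: the only moment the secret is exposed to the network is the one-time issuance, and that is exactly the step the TLS answer below covers. The other half of the question, storage on the device, is outside what this snippet can show; on Android the secret should live in Keystore-backed storage rather than plain Shared Preferences, since a rooted device exposes the latter as the question suspects.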

Answers (1)

Sahil Muthoo

Reputation: 12519

Just use TLS to establish a secure connection.

Upvotes: 2
