I have a problem with shipping my API private key on potentially thousands of mobile devices. It can easily be extracted and used by attackers.
So what are my options? I would suggest that a private server holds the API secret key and exposes a web service that wraps all of the method calls. So instead of the mobile device holding the secret key and doing something like:
List<Friends> friends = service.GetFriends(secretKey);
If my API secret key is compromised and used for mailing / abuse purposes, I have to revoke it for all my users, leaving my application dead in the water.
So my idea is that I can use a unique device identifier for a mobile device:
List<Friends> friends = myService.GetFriends(deviceID);
Of course, an attacker can simply call my web service with a fake device identifier, but at least now I have control through a blacklist of device identifiers. It also adds some bandwidth overhead, but that is less important.
A true PKI is probably out of the question, since the target device does not support HTTP client certificates in its current version.
Any other good ideas?
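One way to build the server-side wrapper the question proposes, as an added example that is not the poster's code: the secret key lives only on the server, handsets send just a device ID, and the wrapper enforces a blacklist plus a per-device quota so that a forged ID cannot be used for unlimited abuse. The device-ID format, the upstream stub and the sample data are constructed assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Assumed: the secret is configured on the server only (placeholder value here,
# not a real key) and is never shipped inside the mobile app.
API_SECRET = "PLACEHOLDER-SERVER-ONLY-SECRET"

# Constructed stand-in for the upstream API that the secret key unlocks.
UPSTREAM_FRIENDS = {"dev-aaaa1111": ["alice", "bob"], "dev-bbbb2222": ["carol"]}

def upstream_get_friends(secret_key, device_id):
    """Stand-in for the real upstream call; checks the secret as the real API would."""
    if secret_key != API_SECRET:
        raise PermissionError("bad API secret")
    return list(UPSTREAM_FRIENDS.get(device_id, []))

# Assumed device-ID format; tighten this to whatever the platform actually issues.
DEVICE_ID_RE = re.compile(r"^dev-[0-9a-f]{8}$")

class FriendsProxy:
    """Server-side wrapper: clients present a device ID, the secret stays here."""

    def __init__(self, max_calls=5, window_seconds=60.0, clock=time.monotonic):
        self.blocklist = set()          # device IDs revoked by the operator
        self.max_calls = max_calls      # calls allowed per device per window
        self.window = window_seconds
        self.clock = clock
        self._calls = defaultdict(deque)  # device_id -> timestamps of recent calls

    def block(self, device_id):
        self.blocklist.add(device_id)

    def _over_quota(self, device_id):
        now = self.clock()
        recent = self._calls[device_id]
        while recent and now - recent[0] > self.window:
            recent.popleft()            # drop calls outside the sliding window
        if len(recent) >= self.max_calls:
            return True
        recent.append(now)
        return False

    def get_friends(self, device_id):
        """Returns (status, payload). The handset never sees API_SECRET."""
        if not DEVICE_ID_RE.match(device_id or ""):
            return ("rejected", "malformed device id")
        if device_id in self.blocklist:
            return ("rejected", "device blocked")
        if self._over_quota(device_id):
            return ("throttled", "per-device quota exceeded")
        return ("ok", upstream_get_friends(API_SECRET, device_id))
```

A quota per device ID limits how much a single forged ID can extract before it shows up in the logs and gets blacklisted.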