Security API for Mobile Servers

I have been tasked with developing a system that will allow our users to also log into their accounts and interact with our service from their mobile phones. However, I am concerned about the security of the application.

Basically, we allow users to register through OAuth using Facebook or Twitter. A mobile application (built with Appcelerator Titanium) should do this. After the user successfully logs in on the phone, I need to notify my application that someone has logged in with FB or Twitter so that my application can receive a user-oriented user ID.

My first thought was to write an API that the phone could call, which would accept parameters like the Facebook or Twitter userId. I would query my database, find their internal user ID and return it to the phone.

This would work fine, but it is completely insecure. Anyone could call the same API with a Facebook user ID, and the API would simply return the internal identifier (and any other data the application needs) without any way of knowing whether the request is allowed.

This is my first mobile application, so I have no idea how to properly implement the security of my API.

+8
security api mobile titanium appcelerator
4 answers

Most API setups include some kind of secretKey or APIKey that is unique to the developer. Since you are the only developer, you can simply set the key/hash in your mobile application and transmit it with each request in order to get data back.

http://lcsd05.cs.tamu.edu/slides/keynote.pdf is the keynote in which Google explains how to design a good API from scratch.

Also check out this previous question.

-6
  • If you can, use HTTPS, and a lot of problems go away.
  • Upon successful login, you can create a session and pass the session ID to the client; here I advise you to send the session ID encrypted with RSA (in case someone can sniff your session).
  • Use a hash signature to ensure that the request is not modified along the way, but this method cannot prevent the replay problem.

Finally, if you make any new progress on your problem, please let me know, thanks!

+2

I also ran into this problem. User authentication is quite simple, but device authentication is much more complicated. As you said, anyone can connect to your API, supply a user's Facebook authentication, and get access to your API.

You can handle it using SSL mutual authentication, but then if the key is compromised on any one mobile device, the whole API is compromised, since all devices use the same key pair that shipped with the application when it was installed.

What I finally did was force the device to register with my API when the application is first installed. The device issues an API request to my server and is given an API key secret, which it must then use for all other API calls. This is not secure, since you can write a script to register and get an API key, but it allows me to monitor use of the API and disable devices that behave badly.

This is the best I could come up with: a way to block unauthorized devices once I have identified them as misbehaving.

+2

I had the same problem and solved it by creating my own API (PHP) in combination with a proxy server (NodeJS). Each request from my client is sent to the proxy server; the proxy server checks the request and passes it on to my API. The API only accepts requests coming from the proxy server's IP address.

First, the user authenticates with the proxy server using the Authorization header; if the user succeeds, they receive 2 tokens: an access token and a refresh token. The access token is used to make requests and lives for 5 minutes in my case. When the access token has expired, the user can obtain a new one with the refresh token, which lives forever.

Create a global module in your application that handles your key logic, stores your keys in your local properties and reuses them when the user restarts the application, so that they do not have to re-authenticate each time.

If you do this over HTTPS, the keys cannot be sniffed, and you cannot retrieve the keys by decompiling the application, because they are stored on the user's device and not "hard-coded" in the application itself. Technically, if an attacker has the user's device, he can decompile the application and get the keys. I know this, but if he already has access to the physical device, he can use any application anyway.

The proxy server also logs every incoming request and notifies me by email when someone tries to play tricks (I built this myself). I used the following modules:

  • express
  • https
  • http-proxy (proxies requests to my API)
  • jsonwebtoken (generates and checks access/refresh tokens)
0
