How to protect REST API for mobile applications?

I am trying to add a REST interface in Django for a mobile client. The mobile client will use JSON over HTTPS. I could not find the "best" way to do this for mobile devices. From a search around, it seems that #2 is preferred over #1:

  1. Use HTTP authentication and establish a session based on cookies. All transactions will occur through HTTP, and JSON messages will contain only commands or data.
  2. Pass the username and password (encrypted) in each JSON message for all transactions and do not rely on cookie-based sessions.
+6
4 answers

I would recommend sending username/password first using login. JSON will return an authToken or accessToken that the mobile device will send back for all subsequent calls. Then you will verify that authToken is valid. This is the approach of many APIs. In their database, they will associate the API key with the user account with which they are logged in.

+8
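The token flow that answer describes, written out as an added example (not code from the original post) in plain Python with only the standard library so it runs outside Django; the user store, token table and TTL are constructed for the example:

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed user store: the password is kept as a salted PBKDF2 hash, never in clear.
# In Django this would be the User model's password field.
_SALT = b"example-salt"
_ITER = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}

# Server-side token table: sha256(token) -> (username, expiry). Only the hash is stored,
# so a leaked table does not hand an attacker usable tokens.
TOKENS: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL = 3600  # seconds; short-lived tokens bound the damage of a stolen one


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: exchange credentials (sent over HTTPS) for an opaque random token."""
    stored = USERS.get(username)
    # PBKDF2 is always computed, so an unknown user costs the same as a wrong password.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG: unguessable
    now = time.time() if now is None else now
    TOKENS[_token_key(token)] = (username, now + TOKEN_TTL)
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: every later request carries the token; return the user or None."""
    now = time.time() if now is None else now
    entry = TOKENS.get(_token_key(token))
    if entry is None:
        return None
    username, expires = entry
    if now >= expires:
        TOKENS.pop(_token_key(token), None)  # expired: purge it and reject
        return None
    return username


def logout(token: str) -> None:
    """Revocation is immediate because the server owns the token table."""
    TOKENS.pop(_token_key(token), None)
```

The lookup is by hash rather than by comparing raw tokens, so a token that is wrong by one character misses the table outright instead of leaking timing on a partial match.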

OAuth is redundant if you do not want to provide these services to other developers (which they will access on behalf of your end users). It is better to go with option 2, but I would recommend using Digest Authentication as opposed to password authentication. Combine this with SSL and you are definitely good to go.

+3

Number 2 is preferable, and instead of rolling my own, I would recommend using OAuth authentication if possible. Both client and server libraries are now available on most platforms. See http://oauth.net for more details.

+1

As long as you use actual encryption, not base64 or some kind of proprietary obfuscation algorithm, #2 is fine and dandy. You can also consider a route that many companies take that associates an API key with a username.

0