Protecting MY REST API for use only with MY iOS APP

I am developing a REST API in Laravel for use with my iOS application. Currently I am stuck on the following point: how do I protect my REST API so that ONLY my iOS application can access it?

I have read about HTTP Basic Authentication, HMAC and OAuth2.

1) SSL is required for Basic Authentication, and you need to send username:password with every API call.

  • But does this stop others from using the API from other applications, assuming they send their credentials to the endpoints?

2) I understand the HMAC method and how the client and server both know the public and private keys. The private key is encrypted together with the request and other data. The public key is sent in the headers. When the server receives the request, it finds the public key in the headers and matches it to the private key in the database. It then recomputes the hash and checks whether it matches. So I have the following questions:

  • How does a newly registered user receive a secret key that will be stored in the iOS application, if the private key is not sent over the wire?
  • Is this more suited to applications that will use your application? I usually see this in API dashboards such as Instagram's and Facebook's, where they give you an application secret key, right?

3) OAuth2 - This seems to me like letting users log into my application using a different API. For example, allowing users to log into my application with FB and allowing my API to use Facebook data? At the moment I really do not need to do this.

  • Am I not understanding this?

It seems like I need to implement something similar to the HMAC method by giving my iOS app a private key that I store in the iOS app code. When a request is sent from the iOS application, I send along a hash computed over the private key and other data, and when the request is received on the server I confirm that it came from a user of the app by recomputing the hash. I have no idea whether this is safe, and I would guess that it is not?

What knowledge am I missing? I am so confused at the moment that writing this question was a real struggle. I will revise it as soon as things become clearer.

authentication rest api restful-authentication oauth
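The request-signing scheme the question sketches (a per-client secret, a public key id in a header, the server recomputing the hash) is easiest to reason about with both sides in one file. The following is an added example, not code from the question or from the Laravel API it describes; the real server would be PHP and the client Swift, but Python is used so the client, the server and an attacker all run together offline. The header names `X-Key-Id`, `X-Timestamp`, `X-Nonce` and `X-Signature`, the key id `ios-app-v1`, the key bytes and the request body are all constructed for the demo. Besides the signature itself, it binds a timestamp and a nonce into the signed string so that a captured request cannot be replayed, and it shows the limitation the question suspects: a copy of the secret taken out of the app bundle signs requests that the server accepts exactly as it accepts the genuine app's.

```python
"""Added example (not from the original question or answer): HMAC request
signing with a per-client secret, client side and server side, plus a
replay guard. Header names, key id and key bytes are made up for the demo."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side key store: public key id -> shared secret.
# In a real Laravel app this would be a database row per client.
KEY_STORE = {"ios-app-v1": b"0123456789abcdef0123456789abcdef"}
MAX_SKEW_SECONDS = 300      # reject requests whose timestamp is too old/new
SEEN_NONCES = set()         # replay guard; a real server uses a cache with a TTL


def canonical_string(method: str, path: str, timestamp: str, nonce: str, body: bytes) -> bytes:
    """Bind every field the server will act on into the string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_hash]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes,
                 now: Optional[float] = None) -> dict:
    """Client side: the headers the iOS app would attach to the request."""
    timestamp = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": timestamp,
        "X-Nonce": nonce,
        "X-Signature": mac.hexdigest(),
    }


def verify_request(headers: dict, method: str, path: str, body: bytes,
                   now: Optional[float] = None) -> bool:
    """Server side: look the secret up by key id and recompute the HMAC."""
    secret = KEY_STORE.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False                      # stale or future-dated request
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in SEEN_NONCES:
        return False                      # replayed request
    expected = hmac.new(secret, canonical_string(method, path, str(ts), nonce, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; never compare MACs with ==.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False
    SEEN_NONCES.add(nonce)
    return True


def demo() -> dict:
    """Run the scenarios the discussion cares about and report the outcomes."""
    t0 = 1_700_000_000
    secret = KEY_STORE["ios-app-v1"]
    body = b'{"action":"transfer","amount":10}'
    hdrs = sign_request("ios-app-v1", secret, "POST", "/api/transfer", body, now=t0)
    # Body modified in transit: the signature no longer matches.
    tampered = verify_request(hdrs, "POST", "/api/transfer",
                              b'{"action":"transfer","amount":9999}', now=t0)
    ok = verify_request(hdrs, "POST", "/api/transfer", body, now=t0)
    # Same headers sent a second time: nonce already seen.
    replay = verify_request(hdrs, "POST", "/api/transfer", body, now=t0)
    # Anyone who pulled the secret out of the app bundle signs just as validly.
    rogue = sign_request("ios-app-v1", secret, "POST", "/api/transfer", body, now=t0)
    rogue_ok = verify_request(rogue, "POST", "/api/transfer", body, now=t0)
    # A request signed an hour ago is outside the allowed clock skew.
    stale = sign_request("ios-app-v1", secret, "GET", "/api/me", b"", now=t0 - 3600)
    stale_ok = verify_request(stale, "GET", "/api/me", b"", now=t0)
    return {"ok": ok, "tampered": tampered, "replay": replay,
            "rogue_client": rogue_ok, "stale": stale_ok}


if __name__ == "__main__":
    print(demo())
```

The `rogue_client` result is the crux: the server has no way to tell the genuine app from a script that holds the same secret, so a signature proves possession of the key, not the identity of the client software.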
1 answer

1. You are right, this does not prevent unauthorized clients.

2. Actually, this is not a way to prevent unauthorized clients; it is more about verifying that the message has not been tampered with over the wire.

3. You understand OAuth correctly; it is about client authentication for using your API in a certain way, as well as restricting permissions.

It is not possible to lock down your API so that only a particular client can use it, because there is no way to verify who the client is. Furthermore, any form of authentication or client-side authentication can ultimately be reverse engineered and then sent to the server as an "approved" client.

Something like this can be done with a token. The server sends a token to the client, the client performs a known operation on the token, such as salting and hashing with a known salt and hash function, and then returns the token to prove that the client is genuine.

The problem is that if someone reverse engineers your client, they can work out what the operation is and then build their own client that authenticates the same way. Any form of client-side authentication is unreliable and cannot be trusted.

It is also broken if someone can MiTM the request. The request could be captured and modified before it reaches the server, and there is really no way to prevent this other than using SSL, which can itself be defeated with something like SSLStrip.

Any attempt to prevent an unauthorized client is basically security through obscurity, since there is no reliable way to do what you ask.

The best way to protect your API is not to restrict which clients can access it, but to make it secure. Best practice includes forcing SSL, sending the password only once and then using tokens for authentication, etc.

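The closing recommendation, send the password once and then authenticate with tokens, is concrete enough to show end to end. The following is an added example and not code from the answer or from the asker's Laravel API; it is written in Python so that the login, the token check and the failure cases run together offline, while the real server would be PHP. The user name, password, token TTL and the in-memory `USERS` and `SESSIONS` stores are constructed for the demo, and the whole design assumes the API is only reachable over TLS, as the answer insists. The password is stored as a salted PBKDF2 hash and only ever travels in the login request; later requests carry a random bearer token, of which the server keeps only a SHA-256 digest so that a leaked session table does not hand out live sessions.

```python
"""Added example (not from the original answer): password sent once, then
an opaque bearer token with expiry and revocation. Stores, names and TTL
are constructed for the demo; the API is assumed to be served over TLS."""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000
TOKEN_TTL_SECONDS = 3600

# Constructed in-memory stores; a real server keeps these in a database/cache.
USERS = {}      # username -> (salt, pbkdf2 hash of the password)
SESSIONS = {}   # sha256(token) -> (username, expiry); raw tokens are never stored


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))


def login(username: str, password: str, now: float) -> Optional[str]:
    """The only request that ever carries the password. Returns a bearer token."""
    record = USERS.get(username)
    # Hash even for unknown users so timing does not reveal which names exist.
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    if not hmac.compare_digest(_hash_password(password, salt), stored) or record is None:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(authorization_header: str, now: float) -> Optional[str]:
    """Every later request: 'Authorization: Bearer <token>' -> username or None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    key = _token_key(token)
    session = SESSIONS.get(key)
    if session is None:
        return None
    username, expiry = session
    if now >= expiry:
        SESSIONS.pop(key, None)   # expired: drop it so it cannot be reused
        return None
    return username


def logout(token: str) -> None:
    """Revocation is a delete on the server; the client cannot keep using it."""
    SESSIONS.pop(_token_key(token), None)


def demo() -> dict:
    """Exercise the happy path and the failure cases a practitioner checks."""
    register("alice", "correct horse battery staple")
    t0 = 1_700_000_000
    wrong = login("alice", "wrong password", t0)
    token = login("alice", "correct horse battery staple", t0)
    valid = authenticate(f"Bearer {token}", t0 + 10)
    forged = authenticate("Bearer " + secrets.token_urlsafe(32), t0 + 10)
    logout(token)
    after_logout = authenticate(f"Bearer {token}", t0 + 20)
    token2 = login("alice", "correct horse battery staple", t0)
    expired = authenticate(f"Bearer {token2}", t0 + TOKEN_TTL_SECONDS + 1)
    return {"wrong_password": wrong, "valid": valid, "forged": forged,
            "after_logout": after_logout, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Nothing here tells the server which app sent the request; it only ties each request to a user who proved a password once. That is the trade the answer is making: authenticate users and transport securely rather than try to authenticate the client binary.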
