How can I prevent other iOS / Android applications from using my RESTful API?

I have an existing application for iOS and Android that I am going to update, including a RESTful API and a Facebook login to authenticate users. General application flow:

  • Users are "registered" in my application through the Facebook SDK, which returns the access token to my application.
  • The application calls the RESTful service, including the Facebook access token, as a parameter (using HTTPS and SSL).
  • The service that is being called sends the access token (and the application secret stored only on my servers) to Facebook to check who the user is and performs actions based on this. Facebook is configured to require application secret from server calls.

My application has gained popularity and already has several clones, and I want these clones to not be able to use my RESTful API (as I'm sure they will try to do when I release the update). Suppose the clones are smart, use the same Facebook access tokens as my application (if possible), and follow the same pattern and frequency of the API call that my application makes.

Is there any way to ensure, or almost ensure, that calls to my services come only from my application and not from clones?

Thanks in advance!

+6
3 answers

You can do this by including the signature in the request and verifying it.

Application Side:

  • do something like: signature = md5( md5(url + data) + MY_RANDOM_KEY)

  • add signature to data, url, etc.

  • send a REST api call (as usual)

Server side:

  • extract signature from body / url (and remove it from there).

  • calculate what you think it should be: signature_should_be = md5( md5(url + data) + MY_RANDOM_KEY) [remember that you removed the signature from the url / data to get the URL / data back into their original state before hashing]

  • make sure signature and signature_should_be are equal

Doing this, along with SSL, should make your API fairly secure.

+6

You can do as Tommy Crush suggests and add a secret to your application. But if you're up against smart opponents, this probably won't help. Attackers can either decompile your application, or just try to reconstruct the signature algorithm.

It is important to remember that everything stored in your application should be considered already compromised, since an attacker can decompile your application, comb through your code as much as he likes and extract anything he wants from it. You cannot rely on anything in your application being safe, because an attacker can extract it from your application.

It is important to note that you are trying to use OAuth for authentication, which it is not intended for. It is about authorization, which is not the same as authentication. Authorization simply gives you access to a resource, but does not tell you who accessed it, and that is the problem you are facing. In order to authenticate your users as real users (or as close to that as possible), you will need to add a login service to your service - something like running your own OAuth server or the like. Then you can decide who can access the resource, which in this case is your RESTful API :) If that is more trouble than it is worth, then Tommy's scheme is a good alternative :)

+3
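The request-signing scheme from the first answer, with the second answer's caveat, as an added example that is not code from either answer. It swaps the nested md5 for an HMAC-SHA256 over the URL and sorted parameters, strips the "signature" field before hashing on both sides, and compares in constant time; the key, URL and parameters are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Constructed demo key. In the scheme described above this key ships inside
# the app binary, so (as the second answer says) anyone who decompiles the
# app can recover it and forge valid signatures. The check below therefore
# raises the bar for casual clones; it is not user authentication.
SHARED_KEY = b"demo-shared-key-not-a-real-secret"


def canonical(url: str, params: dict) -> bytes:
    # Sort parameters so client and server hash identical bytes regardless
    # of the order in which the HTTP library serialises them.
    return (url + "?" + urlencode(sorted(params.items()))).encode()


def sign_request(url: str, params: dict, key: bytes = SHARED_KEY) -> dict:
    """Client side: HMAC over url + data (without 'signature'), then attach it."""
    unsigned = {k: v for k, v in params.items() if k != "signature"}
    sig = hmac.new(key, canonical(url, unsigned), hashlib.sha256).hexdigest()
    return {**unsigned, "signature": sig}


def verify_request(url: str, params: dict, key: bytes = SHARED_KEY) -> bool:
    """Server side: remove the signature, recompute it, compare in constant time."""
    received = params.get("signature")
    if not received:
        return False
    unsigned = {k: v for k, v in params.items() if k != "signature"}
    expected = hmac.new(key, canonical(url, unsigned), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    url = "https://api.example.com/v1/posts"  # constructed endpoint
    signed = sign_request(url, {"fb_token": "EAAB-constructed", "text": "hello"})
    print(verify_request(url, signed))                       # True
    print(verify_request(url, {**signed, "text": "edited"}))  # False: body changed
    print(verify_request(url, {"text": "hello"}))            # False: no signature
```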

The de facto authentication solution for RESTful APIs such as those of Twitter and Facebook is OAuth. You can find more information here: http://en.wikipedia.org/wiki/OAuth .

OAuth is supported in most languages through external libraries. For example, on Android there is the library https://github.com/wuman/android-oauth-client .

+1