How to develop a private RESTful API?

7

I need to develop a RESTful HTTP API in PHP to serve as authentication for users of an Android application. The problem is that, since it is a publicly distributed application, I cannot define any key in the code (for example, a basic authentication key), because it runs the risk of the APK being broken and the key discovered. But I cannot leave the API open so that it can be accessed from a browser either; it should be accessible only from my application.

What should I do to achieve this, and how do I make sure that only my Android application will have access to the API?

I want to avoid unwanted requests from other sources.

asked by anonymous 21.10.2014 / 20:35

2 answers

7

I think you can set a key in the code, yes, as long as the encryption algorithm is asymmetric.

It works as follows: you have a pair of keys, public and private. These names are arbitrary and serve only to reflect the fact that you keep one of them only for yourself. What matters in asymmetric key cryptography is that everything you encrypt with the public key can only be decrypted with the private key (and, depending on the algorithm used, the reciprocal may also be true).

Use the private key on your authentication server and deliver the public key to your application without fear. After the client application encrypts the credentials with the public key to send them to the server, only the private key - which only you have - can decrypt this information. So you need not worry about people stealing the authentication data while it is in transit.

21.10.2014 / 21:04
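The scheme this answer describes, as an added example in PHP (the question's server language) that is not part of the original answer: both halves of the round trip are written in PHP so it runs stand-alone, with the client-side function standing in for what the Android app would do with the embedded public key. Function names, the JSON credential layout and the use of RSA-OAEP are assumptions for illustration.

```php
<?php
// Added example: one RSA key pair, public half shipped in the app, private half
// kept only on the PHP authentication server (function names are assumptions).

// One-time setup on the server: generate the pair and keep the private PEM secret.
function generateKeyPair(): array {
    $res = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    openssl_pkey_export($res, $privatePem);             // stays on the server
    $publicPem = openssl_pkey_get_details($res)['key'];  // embedded in the APK
    return [$privatePem, $publicPem];
}

// Client side: seal the credentials with the public key (OAEP padding), base64 for transport.
function sealCredentials(string $publicPem, string $user, string $pass): string {
    $plain = json_encode(['user' => $user, 'pass' => $pass, 'ts' => time()]);
    if (!openssl_public_encrypt($plain, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($cipher);
}

// Server side: only the private key can open the envelope; anything that was
// tampered with or encrypted to another key fails the OAEP check and is rejected.
function openCredentials(string $privatePem, string $b64): ?array {
    $cipher = base64_decode($b64, true);
    if ($cipher === false) {
        return null;  // not even valid base64
    }
    if (!openssl_private_decrypt($cipher, $plain, $privatePem, OPENSSL_PKCS1_OAEP_PADDING)) {
        return null;  // bad padding: tampered, truncated or foreign ciphertext
    }
    $creds = json_decode($plain, true);
    return is_array($creds) && isset($creds['user'], $creds['pass']) ? $creds : null;
}

// Demo: a normal login round trip, then a ciphertext with one flipped byte.
[$privatePem, $publicPem] = generateKeyPair();
$envelope = sealCredentials($publicPem, 'alice', 'correct horse battery staple');
$creds = openCredentials($privatePem, $envelope);
if ($creds === null || $creds['user'] !== 'alice') {
    throw new RuntimeException('round trip failed');
}
$tampered = base64_decode($envelope, true);
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
if (openCredentials($privatePem, base64_encode($tampered)) !== null) {
    throw new RuntimeException('tampered ciphertext was accepted');
}
echo "ok\n";
```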
0

Unfortunately I have to say that, regardless of the solution, what you want is not possible: at one point or another it can be broken, simulated or emulated.

Asymmetric or symmetric key does not change that.

All these techniques will only hinder, but never inhibit the actions of someone with knowledge and interest.

In these cases you should work with the type of security that is worth it. Do not put in something too complex, because it needs to be maintained, nor something too sophisticated, as perhaps a simple key will never even be looked at. It all depends on the type of application and the interest of those who are aware of it.

To give you just one line to guide you: look into obfuscating your code. Mixing Java with C also helps.

Obfuscation can also be applied at the API level, but in that case you use something like Swagger to define the API, and then some other solution, depending on the language, to scramble the requests.

Using SSL on the endpoint makes it harder to break; if used together with gRPC, it further increases the level of complexity, with performance gains but with increased infrastructure spending.

One solution is to use a key in each version of the APK. Whenever a new version is released you disable access for the 1 or 2 previous versions; combine this with gRPC, and maybe with the generation of a 'login' per installed application, each holding a registered key, or even a login itself where you return a key to be used (asymmetric), so that you can selectively cancel the ones you want.

11.09.2017 / 14:57