
I want to securely access a REST API (.NET) from a mobile application (React Native). I had the following solutions, but each one has its drawback. Can someone suggest a solution to the problem?

1.

REST API: secure rest API with username & password.

Mobile App: send username and password with every rest API call.

Drawback: On reverse engineering, the username and password stored in the mobile application are obtained. The code was obfuscated and the password was stored in several places, but hackers were still able to obtain the password after some effort.

2.

REST API: OAuth 2 implemented.

Mobile App: call the REST API to obtain a token for future use, but the first time the app is required to pass auth credentials to obtain the token. Same problem: the username and password can be obtained by reverse engineering.

How can we move app secrets out of the app and still access the REST API securely from the mobile application?

  • I prefer using OAuth 2. I used it on my react-native project. Losing your token is not like losing your username and password. By using OAuth2, if you lose your token, a hacker cannot do too much with it. In addition, we can revoke the token as needed. Commented Mar 4, 2019 at 10:52
  • But how did you obtain the token for first use? Did you pass the username and password to the API? If yes, where did you store the username and password? @VuLuu Commented Mar 4, 2019 at 10:54
  • I don't store the password. When the user logs in, we create a POST request. If hackers steal that request, they cannot read the username and password, because the credential was encoded. When the user login succeeds, you should store the token only. Commented Mar 4, 2019 at 10:59
  • My app does not have a login, but it creates a user in the background with a unique ID on every install. Commented Mar 4, 2019 at 11:00

2 Answers


You should look to implement the Authorisation Code Grant with PKCE.

Here is an example project doing something similar.


1 Comment

The problem is that my app does not have a login and password, but it creates users with a unique ID the first time the app is opened. How can that be dealt with? How can I generate a token for the first usage?

Three things for you:

1) I would definitely recommend OAuth2 over repeatedly sending username-password. It's well understood and there are both open source and free commercial implementations available. On mobile, PKCE is very important to prevent Auth Code interception attacks.

2) Using HTTPS for your REST API calls is a given, but I would encourage you to pin those connections as well. An attacker can easily compromise a mobile device and man-in-the-middle your API calls otherwise. Pinning is tricky for React Native; take a look at the react-native-cert-pinner npm package and/or read Strengthen TLS in React Native through Certificate Pinning (Android) or iOS.

3) OAuth2 with PKCE won't stop an impersonation attack, and especially if you are creating users with trust-on-first-use, you will be even more vulnerable to bot attacks. You should do more than just simple API keys. I would recommend some well-obfuscated signing of API calls or, even better, some form of app attestation. For React Native, see First experiences with React Native: bridging an Android native module for app authentication or similarly for iOS.
