
I've been doing a lot of research about securing my API for mobile apps on Android or iOS.

Almost all examples show the user providing a user ID and password somehow in exchange for a token.

But how do I prevent someone else from consuming my API without my consent? Consider the following scenario:

  • I expose an API,
  • I develop, then, an app for android to consume it,
  • I develop, then, an app for iOS to consume it.

Another developer reverse engineers my app, creates his own app and starts to consume it without authorization.

How to prevent that?

2 Answers


Short answer: you can't.

Slightly longer answer: If you know what you are doing you can always reverse engineer a given application and use its API. You can only make it more difficult and time consuming; using authentication via tokens and device IDs or usernames is a good first step. Apart from that: why would you want to close your API to outsiders? If your server code is written well there is nothing to worry about.

You can maybe secure your API on a legal basis and sue developers who use it, but that is a completely different topic.

Some clarification regarding securing the API and securing content via the API. Assume you create a server where you can send user/password and receive a token if that combination was correct. For the account page you send said token over and the server verifies that the token is valid and returns your account page. You have secured the actual content of the API. That is obviously very possible and almost a must-have unless you have no user-specific data. But still everybody can send the exact same initial request from their custom app, sending a user/pass and again receiving a token, etc. You cannot really prevent the request itself or even determine that it was not sent by some service not authorized by you. You can send some hashes along with the request to add some security by obfuscation, but since your app has to compute them, so can the reverse engineer.


3 Comments

What do banking apps and similar do?
@Woofbeans They do not secure their API, they secure the per-user connection. The same way you can open YOUR account page via the browser, but not the account page of anybody else. If you connect to the server via the app you send user/pass and receive a token. But nobody prevents your newly created app from doing the exact same thing. But he does not want to secure the actual subsections but the API itself; I may have to clarify that in my answer.
@Woofbeans I added a new paragraph - is that more understandable?

Yes, login APIs are open, but they return a token only on a successful match in your database. You should focus more on the security of your data than on unknown hits at your API.

A sign-up API can be used for creating a user, and login for returning that user's token. Only if a malicious developer has credentials can he access tokens and authenticated APIs. There is also something about DDoS attacks, so you can maybe write logic to temporarily block IPs whose hit frequency is high.

You can also store the device ID of the signing-in user, which seems ideal for your scenario. Entertain hits from that device ID only. Similarly, the user can add more devices with their credentials. I think even Google does that (generate alerts if the user's credentials are used to sign in from a new device, and add the device to the list if the user confirms). Hope this helps.

2 Comments

Block IPs crossed my mind. Your answer plus @luk2302's answer solve my dilemma.
@ramires.cabral Yes, blocking IPs that do too many requests is a must-have ;)
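The two controls proposed in this answer and its comments (temporarily blocking IPs with a high hit frequency, and only honouring logins from device IDs the user has confirmed) can be sketched server-side as follows. This is an added illustration, not code from the question or either answer; the `LoginGate` class, the `check_password` callback, the `now` clock parameter and the deliberately small limits are all assumptions for the demo. As the accepted answer notes, none of this stops a reverse-engineered client from sending the same requests; it only bounds how fast an unknown client can hammer the login endpoint and keeps a valid password alone from being enough on an unknown device.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # sliding window for counting hits per IP
MAX_HITS_PER_WINDOW = 5      # deliberately tiny for the demo; tune for production
BLOCK_SECONDS = 300          # how long a noisy IP is ignored


class LoginGate:
    """Per-IP sliding-window rate limit plus a per-user device allow-list (hypothetical)."""

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock so tests can fast-forward
        self.hits = defaultdict(deque)        # ip -> timestamps of recent login hits
        self.blocked_until = {}               # ip -> unix time until which it is blocked
        self.devices = defaultdict(set)       # user -> device IDs the user has confirmed

    def _record_hit(self, ip):
        """Return False if this IP is currently blocked or just crossed the limit."""
        t = self.now()
        if self.blocked_until.get(ip, 0) > t:
            return False
        window = self.hits[ip]
        window.append(t)
        while window and window[0] < t - WINDOW_SECONDS:   # drop hits older than the window
            window.popleft()
        if len(window) > MAX_HITS_PER_WINDOW:
            self.blocked_until[ip] = t + BLOCK_SECONDS
            return False
        return True

    def login(self, ip, user, password, device_id, check_password):
        """Rate-limit first, verify credentials, then require a known device before issuing a token."""
        if not self._record_hit(ip):
            return "rate_limited"
        if not check_password(user, password):           # constant-time compare in real code
            return "bad_credentials"
        known = self.devices[user]
        if known and device_id not in known:
            return "new_device"   # server would alert the user and wait for confirm_device()
        known.add(device_id)      # first device is enrolled on the first successful login
        return "token_issued"

    def confirm_device(self, user, device_id):
        """Called once the user has approved the new device out of band."""
        self.devices[user].add(device_id)
```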
