I am working on a website for which I hope to have an application as well. Because of this, I am creating PHP APIs which will go into my database and serve specific data based on the method/function called.
I want to protect these APIs from misuse, however, and I plan on implementing Authentication Digest to do so. However, one of the OSes I want to support is Android, and I know that a malicious user would be able to reverse engineer the Android app and figure out my authentication scheme.
I am left wondering:
- Is there a better way to protect these APIs from misuse?
- Is there a way to prevent a malicious user from reverse engineering the app and potentially seeing the source code for it, enabling them to see my authentication scheme?
- If none of these are preventable, then is my only option to have a Username/Password cred specifically for the Android app, and when eventually hacked, change the creds and issue an update for the app?
- Wait, so you're going to have one username/password for all users and not one per user? If so, why? To prevent misuse, right, but if anyone can download the app anyway, what misuse exactly are you trying to prevent? (James, Jun 5, 2012 at 23:42)
- I was (and even still am) lacking a lot of experience in this field of security. My main concern was with someone hacking the Android app and figuring out how to make "authentic" posts to my db. I guess I've come to terms that there isn't really a way to prevent it. Or maybe there is, but I don't have the experience nor resources to implement it. The best that I could come up with was to implement a unique hash of each user's un/pass inside the authenticate request, then authenticate server side with their password. At least this way I can track if any user has made malicious requests. (edc598, May 17, 2013 at 16:34)
1 Answer
In my opinion, talking about authentication, you could take a look at OAuth: http://oauth.net/.
I've recently implemented a RESTful service (using other techs, .NET/NancyFX). In my case the mobile app needs access to publicly available content (the same published in the companion website). In a case like mine the real concern wasn't security but some sort of misuse.
I've protected my service using an API Key: http://yourhost.com/api/{api-key}/xyz. Valid keys are stored in a persistent repository (in my case a MySQL instance) and checked on every request. This worked great for me.
You may also find this useful: https://stackoverflow.com/questions/6004068/restful-api-keys-suggestions.
- Just don't bother with OAuth 2.0: webmonkey.com/2012/07/… (gbjbaanb, Aug 4, 2012 at 18:19)
- OAuth 2.0 perhaps not, but all authentication schemes get convoluted in very-very-very short time (SAML, WS-*, HTTP, they ALL wanted to be simpler than their predecessors, and all of them were marketed this way). OAuth 1 is easy and logical. (Aadaam, Aug 5, 2012 at 0:20)
- Yeah, I looked into OAuth. Like gbjbaanb pointed out with his link, I found implementing it a little beyond my abilities. I like your idea about using an API Key. I'll look into that a little more. I assume this would make it easier to block someone from using my services should I find any evidence of misuse? (edc598, May 17, 2013 at 16:40)
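One way to implement the answer's per-request key check in the asker's PHP, as an added example that is not code from the question or the answer: keys are issued per user (so a key extracted from a decompiled app can be revoked without breaking every other client), stored only as a hash, compared in constant time, and revoked when misuse is seen. The `api_keys` table, its column names, the `{key_id}.{secret}` key format and the in-memory SQLite stand-in for the answer's MySQL instance are all assumptions made for this example.

```php
<?php
// Added example, not code from the question or answer. Assumes a table
// api_keys(key_id, key_hash, user_id, revoked_at); SQLite in-memory is used
// so it runs stand-alone, the INSERT/SELECT/UPDATE also work against MySQL.
declare(strict_types=1);

function issueApiKey(PDO $db, int $userId): string {
    $keyId  = bin2hex(random_bytes(8));    // public handle used for lookup
    $secret = bin2hex(random_bytes(32));   // secret part, never stored in clear
    $db->prepare('INSERT INTO api_keys (key_id, key_hash, user_id) VALUES (?, ?, ?)')
       ->execute([$keyId, hash('sha256', $secret), $userId]);
    return "$keyId.$secret";               // hand out once to the client
}

// Returns the owning user_id, or null if the key is unknown, malformed or revoked.
function authenticateApiKey(PDO $db, string $presented): ?int {
    $parts = explode('.', $presented, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$keyId, $secret] = $parts;
    $stmt = $db->prepare('SELECT key_hash, user_id, revoked_at FROM api_keys WHERE key_id = ?');
    $stmt->execute([$keyId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['revoked_at'] !== null) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the stored hash.
    return hash_equals($row['key_hash'], hash('sha256', $secret)) ? (int) $row['user_id'] : null;
}

// Block a key once misuse is seen; the row is kept so the audit trail survives.
function revokeApiKey(PDO $db, string $keyId): void {
    $db->prepare('UPDATE api_keys SET revoked_at = ? WHERE key_id = ?')
       ->execute([gmdate('Y-m-d H:i:s'), $keyId]);
}

// Stand-alone demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE api_keys (key_id TEXT PRIMARY KEY, key_hash TEXT NOT NULL,
           user_id INTEGER NOT NULL, revoked_at TEXT NULL)');
$key = issueApiKey($db, 42);
// Request path /api/{api-key}/xyz as in the answer: the key is the second segment.
$segments = explode('/', trim("/api/$key/xyz", '/'));
var_dump(authenticateApiKey($db, $segments[1]));          // the issued key
var_dump(authenticateApiKey($db, substr($key, 0, -1)));   // key with a wrong secret
revokeApiKey($db, explode('.', $key)[0]);
var_dump(authenticateApiKey($db, $segments[1]));          // the same key after revocation
```

Because the key travels in the URL path, it will be written to web server, proxy and browser logs; carrying it in a request header instead keeps it out of them.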