How can I secure this API in the APK file

I am currently developing an API to run a website. The API will be used in several places, and one of those places is an Android app.

The goal is to allow users to log in and upload files. I have an API assembly, and it will use HTTPS so that all data is protected in transit.

The problem I am running into is that API calls require an API key. With this key, you will be able to access certain API functions that may cause problems.

What I'm wondering is whether there is a way to secure this API key. I'm not an Android developer at all, but people will be using the API from Android, so I need to develop a solution.

Below is an example of a flow that uses the API:

// Log the user in with their username and password (HTTPS, so not really an issue)
romhut.request('/api/users/login?apikey=KEY', {username : 'scott', password : 'password'}, function(r) {

    console.log(r);

    // Once you have the session token, send it along with the API key to request a download
    romhut.request('/api/files/download?apikey=KEY', {token : r.token, file : file}, function(d) {

        console.log(d);
        // Download the file

    }, 'POST');

}, 'POST');

+3

2 answers


No. You cannot secure an API key once it is embedded in an Android app. The application needs access to the API key, so whoever has access to the application can recover this key from the application and use it for their own purposes. The best you can do is obfuscate your application to make reverse engineering more difficult (the goal is to make modifying your application more work than it's worth). You need to decide how much effort is warranted based on the risk of the API key becoming public, but you can never make the key unrecoverable, only harder to recover. In fact, your best bet is likely to enable Proguard during your build process (so everything gets obfuscated to an acceptable degree in the APK without any extra work on your end) and hope for the best.

+2

You must create a specific API key for each user. There is not a very good way to protect data that is actually in the user's hands (ask the developers about copy protection). Then you can use HMAC to hash the request along with the API key and the requested API endpoint, and make sure the same computation happens on both ends. See http://en.wikipedia.org/wiki/Hash-based_message_authentication_code (PHP has a function for that.)

Actually, it would be more accurate to say that there should be a many-to-one relationship between keys and users, since you can have multiple and/or revoked keys for a user.



For an excellent overview see https://security.stackexchange.com/questions/18572/is-it-okay-for-api-secret-to-be-stored-in-plain-text-or-decrypt-able

+2