Why is it a bad idea to send username and password with every request between mobile app and backend api?

I've been looking at traffic from what should be a secure iPhone app for a work-related task lately, and I've noticed that the app doesn't use any form of session id / token when talking to the backend. Each request contains a username, password and device ID, and all traffic is sent over https. It is a REST API, so there is no state on the backend.

I really feel like this is a bad idea, but I can't think of too many good reasons why.

If you are the victim of a man-in-the-middle attack, an attacker can in most cases capture your password when you log in anyway, as the username and password must be sent to the server to get the id / token in the first place.

A better approach might be to send the username, a timestamp and a hash of the timestamp and password. The server then drops the request if the timestamp is more than x seconds old, and the cleartext password never needs to be sent over the wire.

However, most of the apps I've looked at (except those using OAuth, etc.) just send the username and password to an endpoint (over https) to get the token. This happens every time you start the app (both username and password are stored in the app data).

So, as the title says: why is it a bad idea to send the username and password with every request from the mobile / web app to the backend api if https is used?

+3
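
The timestamp-and-hash scheme sketched in the question, as an added example that is not part of the original post: the client sends the username, a timestamp and an HMAC-SHA256 of the timestamp keyed with the password (HMAC is an assumption; the question only says a hash of timestamp and password), and the server drops anything outside a window of WINDOW_SECONDS (an assumed value for the question's "x seconds"). The user table and clock values are constructed for the demo. The demo also shows two properties of the scheme a reviewer would want to see: a captured request replays successfully for as long as the window is open, and the server has to hold each password in recoverable form in order to recompute the MAC.

```python
import hashlib
import hmac

# Constructed user table for the demo. The server must hold the password itself
# (or a password-equivalent key) because it has to recompute the client's MAC.
USER_PASSWORDS = {"alice": "correct horse battery staple"}
WINDOW_SECONDS = 30  # assumed value for the question's "x seconds"


def client_sign(username: str, password: str, timestamp: int) -> dict:
    """Build the request the question sketches: username, timestamp and a keyed
    hash of the timestamp. HMAC-SHA256 keyed with the password is an assumption;
    the question only says "hash with timestamp and password"."""
    mac = hmac.new(password.encode(), str(timestamp).encode(), hashlib.sha256).hexdigest()
    return {"username": username, "timestamp": timestamp, "mac": mac}


def server_verify(request: dict, now: int, window: int = WINDOW_SECONDS) -> bool:
    """Accept the request only if the timestamp is within the window and the MAC
    matches what the stored password produces for that timestamp."""
    password = USER_PASSWORDS.get(request["username"])
    if password is None:
        return False
    # Drop stale requests (and ones from the future, which a skewed or forged clock would produce).
    if abs(now - request["timestamp"]) > window:
        return False
    expected = hmac.new(password.encode(), str(request["timestamp"]).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["mac"])


def demo() -> dict:
    """Run the scheme against a fixed clock so the outcomes are reproducible."""
    t0 = 1_700_000_000  # constructed login time
    req = client_sign("alice", USER_PASSWORDS["alice"], t0)
    return {
        "fresh": server_verify(req, now=t0 + 5),
        # The same captured bytes, replayed by an attacker 20 s later: still accepted.
        "replayed_inside_window": server_verify(req, now=t0 + 20),
        "replayed_after_window": server_verify(req, now=t0 + 60),
        "wrong_password": server_verify(client_sign("alice", "guess", t0), now=t0),
        # Moving the timestamp to stay inside the window breaks the MAC.
        "tampered_timestamp": server_verify({**req, "timestamp": t0 + 10}, now=t0 + 10),
        "unknown_user": server_verify({**req, "username": "mallory"}, now=t0),
    }
```

Because the MAC's only secret is the password and the timestamp travels in the clear, a single captured request is also an offline guessing target for the password. A per-request nonce remembered by the server would close the replay hole inside the window, but not that one.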

1 answer


Okay, you stated it yourself: you must store the username and password on the device itself. How secure are those credentials? Will a rogue app installed on the device be able to retrieve them? If the rogue app runs under the same account as the real app, it might be possible. Even if you store the credentials encrypted, you still have to keep the key on the device itself.

In addition, mobile devices are much more likely to be lost or stolen, which gives an attacker access to the device itself.

Another reason is that sending the username and password with every request increases the attack surface: it gives the attacker many more messages carrying the same persistent data to try to decrypt.

Finally, password validation should be relatively slow, which makes it less suitable for API authentication.

Protocols like OAuth 2.0 work with access tokens that are valid for a limited time; after that you need to use the refresh token to get a new access token. Refresh tokens can easily be revoked if the device is lost or stolen.

+6
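
A minimal sketch of the token model the answer describes, added here as an example and not code from the original post or from any OAuth 2.0 library: the password is checked once at login with a deliberately slow PBKDF2 (the 200,000 iteration count is an assumed setting), every later API call is authenticated by a cheap lookup of a short-lived access token, and a refresh token (single-use, rotated on each refresh) mints new access tokens until it expires or is revoked for the device. ACCESS_TTL, REFRESH_TTL and the user, password and device id are constructed values for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor; the slow step runs only at login
ACCESS_TTL = 600             # assumed access token lifetime in seconds
REFRESH_TTL = 30 * 86400     # assumed refresh token lifetime in seconds


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class TokenServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}           # username -> (salt, pbkdf2 hash)
        self.access_tokens = {}   # token -> (username, expiry)
        self.refresh_tokens = {}  # token -> (username, device_id, expiry)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username, password, device_id):
        """Slow path: the only place the password itself is checked."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        return self._issue(username, device_id)

    def _issue(self, username, device_id):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (username, now + ACCESS_TTL)
        self.refresh_tokens[refresh] = (username, device_id, now + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh}

    def authenticate(self, access_token):
        """Fast path run on every API call: a dictionary lookup plus an expiry check."""
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() >= expiry:
            del self.access_tokens[access_token]
            return None
        return username

    def refresh(self, refresh_token):
        # Single use: the old refresh token is consumed and a new pair is issued.
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None:
            return None
        username, device_id, expiry = entry
        if self.clock() >= expiry:
            return None
        return self._issue(username, device_id)

    def revoke_device(self, username, device_id):
        """Called when the device is reported lost or stolen."""
        for tok, (u, d, _) in list(self.refresh_tokens.items()):
            if u == username and d == device_id:
                del self.refresh_tokens[tok]


def demo():
    """Walk through login, expiry, refresh, rotation and revocation on a fake clock."""
    clock = {"now": 1_700_000_000.0}  # constructed, controllable time source
    server = TokenServer(clock=lambda: clock["now"])
    server.add_user("alice", "correct horse battery staple")
    results = {"wrong_password": server.login("alice", "guess", "phone-1")}
    tokens = server.login("alice", "correct horse battery staple", "phone-1")
    results["valid_access"] = server.authenticate(tokens["access_token"])
    clock["now"] += ACCESS_TTL + 1  # access token ages out; refresh token is still good
    results["expired_access"] = server.authenticate(tokens["access_token"])
    renewed = server.refresh(tokens["refresh_token"])
    results["refreshed_access"] = server.authenticate(renewed["access_token"])
    results["old_refresh_reused"] = server.refresh(tokens["refresh_token"])
    server.revoke_device("alice", "phone-1")  # device reported lost
    results["access_after_revoke"] = server.authenticate(renewed["access_token"])
    results["refresh_after_revoke"] = server.refresh(renewed["refresh_token"])
    return results
```

Note the last two results: revoking the refresh token does not kill an access token that is already out, which is exactly why the access lifetime is kept short. The stolen device keeps working for at most ACCESS_TTL seconds and then cannot get back in.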
