I want to offer some functions of my webapp to be used in other apps (I'm thinking mainly about smartphones, since they offer more capabilities e.g. GPS, Camera,..).

From what I have encountered myself so far in terms of other APIs e.g. GoogleMaps, is that a 3rd party developer would register himself at my site, he gets an API key (some random UUID) and he has to use it to authenticate his requests against my website. So far so good...

Is there a mechanism to protect the end user of a mobile app from malicious apps? E.g. a 3rd party developer could build an app and capture all username/passwords from the end user, so that he can do bad stuff with the useraccount. (E.g. I could build a twitter app, capture all the usernames/passwords and then delete all their tweets, post new ones,..) Is there a possibility to prevent this? AFAIK you could use oauth on the web so that my website login box would appear on another site and ask them for their username/password, so that it isn't shown to the 3rd party site. Is it possible to implement a secure authentication for smartphone apps? How would you do it?

  • 798
  • 3
  • 8
  • 7
  • Use SSL and challenge based authentication. Every time the user tries to access data through an API, present a credential challenge. – gabaum10 Mar 17 '11 at 15:35
  • 1
    If I see it right, the mobile app still needs a textbox for username/password and this data could also be send by the app to www.someVeryBadServer.com !? – codie4711 Mar 17 '11 at 16:01
  • I don't see a good solution. I mean by opening up your application this way, you are introducing a security hole no matter up. Perhaps if you were a large application like facebook or google and provided the UI components along with the logic to the user, you could control it. Still seems highly doubtful. – gabaum10 Mar 17 '11 at 18:04

2 Answers2


For Android and iPhone you can use OAuth without problems, and so far I think this is the best way to be done.

The flow for these two smartphone types is the same like in web applications, because both OS give you the possibility to start web browser from your application and redirect the user to web provider, so he can authorize your request (token), and then the browser can return your user to the application via proper callback URI. I haven't implemented oauth for mobile phones, but I've heard from a friend that it's possible and that the mobile browser can redirect the user back to your app with some special URI, like scheme://app/parameters.

Here is something for this with android: link

There are two oauth use cases: 2-legged and 3-legged

2-legged is when you want to protect your API, so that it can be called only from authenticated consumer applications. This is a popular scheme that exists from ages AFAIK - the consumer signs every request with a consumer shared key, and the provider (your API), signs the request also to see if the signature match. This way you can tell if API usage is ok for that consumer.

3-legged oauth includes the end-user of the consumer 3rd party app. It is very suitable, if you want to protect your API again like in 2-legged, because requests are still signed, but also your API can be protected by the end-user's permission. The provider of the API issues a token and gives it to the consumer application (3rd party app). Then this app saves the token locally and redirects the user to Provider for authorization of the token. When the user authorizes it, the provider sends back the user to the consumer application and then consumer can make authenticated (signed) and authorized (by the user - 3rd leg) requests to your API.

The protocol is not very complicated once you read how it works, and is very flexible - you can extend it to your needs however you like. I would highly recommend it for protecting APIs, especially if user permission is required for access to the APIs.

This is a very good site to read about oauth: http://hueniverse.com/oauth/

--- ADD ON ---

There is some security implications regarding shared key storage in the consumer application - mobile phone app in your case.

If somebody open your program and disassemble the code and extract the shared key, then he can make application which will authenticate successfully to the provider API. However this is not a very big concern if user authorization is required (3-legged), because the user will still be asked to give permission to this false application - and now it's up to the user to make the proper choice. And besides that - the false app will not be able to steal user's credentials, because with oauth, user credentials are entered only at the provider's site.

  • 1
  • 1
  • 2,150
  • 3
  • 28
  • 36
  • Ok, I've read several pages about oauth, openID,2-3 legged authorization and now I am a bit confused and need some clarification. Let's say e.g. my web site is like twitter and I want to provide an api for (app) developers to use it. So what they will do is go to my site, request an api key and put it somewhere in their code. This way i am using a 2-legged authorization, cause the mobile app (consumer) is just requesting my webapp (service provider) for access to the api, right? The 2-legged auth. is just for the api-access? Is the api key (a random string) i've given out the consumer secret? – codie4711 Mar 22 '11 at 15:47
  • And what benefit do i have when using oauth? Can't i just handle all access with the credentials the user has at my site ? Let's say my site is twitter.com, and I have a method postUpdate(String status), then the app is only allowed to call this method if it is authorized before by calling login(username, password). Where is the benefit of oauth? – codie4711 Mar 22 '11 at 15:52
  • On your first question: there are both consumer key and consumer secret in the terminology of oauth 1.0a; consumer key is like ID, consumer secret is the shared key with which the consumer signs All requests. – luben Mar 23 '11 at 09:55

On your second question:

The benefits of oauth are:

  1. User can be asked for permission when sensitive API is access by 3rd party;

  2. User will never enter his credentials at 3rd party app. Every 3rd party app is untrusted and is potential attack vector.

For example, if you are gmail - provider of API and you provide web service method login(user, pass) to 3rd party app developers, then they can make login screen in their app and log in the users. However in this process their 3rd party app directly receives user credentials before sending them to gmail. I would never use such application. The problem is that most people are not familiar (especially non technical people) with the consequences of such application usage and people making applications are still exploiting this old and insecure way of doing things. However, as more people engage to implement some security protocol like oauth (or similar), the people will become familiar with this flows and will become more suspicious to such intrusive 3rd party applications.

I say intrusive, because imagine for a moment the following scenario:

You can make a payment API in a not so developed country like Bulgaria or Albania. This is a very good opportunity for businesses to use, because Credit Cards are not a common payment method at all at these locations.

And this provider API is protected by exposed web service method login(user, pass). After 3rd party app use this method with user credentials (which it has already taken), it gains access to charge(user, amount) method. It can then call this API method with whatever parameters it wants and charge the user with one hundred thousand million pessos :D

The user will not even know until later. And besides, you cannot separate API method calling by permissions - what the user is agreed to and what not.

Other drawback is that users use one password for many places - this way 3rd party app can gain access to another service that the user may use with the same password.

  • 2,150
  • 3
  • 28
  • 36
  • Ok, i get the point with the delegation of credentials (user/passwort). However i just checked out some twitter apps for android and it doesn't seem that they are redirecting me to the twitter login page. They just offer native textboxes for the login. Difficult guess, but are they emulating all oauth steps in the background? (Getting username&password, sending GET requests, parsing answer, ....) – codie4711 Mar 23 '11 at 15:44
  • It's possible that they do - if they have user's credentials, they can fetch in the background twitter's login page and submit credentials, and all they have to do after that is parse the permissions page and send another request to submit YES instead of the user. But this is not how OAuth is supposed to work, because this way the security is the same like exposing login(user,pass) method directly as we talked above. – luben Mar 23 '11 at 19:15
  • Ok,i get it.I've tested the DroidIn app for android and it actually does use the "oauth-way" of login in(if you haven't got a phone you can see it here: http://droidin.net/wp-content/files/2011/03/login.png. A click on the button would open a webbrowser where you can login yourself).I am quite unsure now. My brain gets the point that this login mechanism is much more secure, but my heart thinks that it is a bad user experience: Open app, browser (another process) opens with login page, login there, than return back to the app..quite confusing if you also see non-techie users as your customers. – codie4711 Mar 24 '11 at 09:05
  • Yes, I totally agree that it seems confusing. One thing is that you can remember user's decision and this login and permission grant can be made only once, when the user starts using the app. However the process still seems complicated, especially when everybody are used to directly entering their user credentials. – luben Mar 24 '11 at 11:29