
If an app interacts with a server API over HTTPS using the POST method (JSON objects), then there is a danger of the API endpoint getting exposed and anyone accessing the API. Is there a way to make sure that the API is called only from the designated app?

I did some research on the web and came to know of:

a. manual credential checking using the POST method

b. using JSON Web Tokens (JWT)

However, my question is: both of these methods, a) and b), would require some kind of username/password passing from the client app to the server (every time in a. and only once in b.). Now this username/password would need to be hardcoded in the APK, and it can be easily obtained by anyone by decompiling it. So then how are these methods secure?

dgarg
  • It shouldn't have to be in the APK. You should create an API to store the credentials and also create a unique token for each user. If you want to add another layer of security, you can use a salt key and check against it. Please, take a look [here](https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication/477578#477578). – Cadu De Castro Alves Feb 13 '20 at 17:59
  • Thanks Cadu. Where do we store the unique token for each user? There is no login/registration for the user. They can just install the app and start using it. – dgarg Feb 13 '20 at 18:14
  • Well, then you need to implement a database to store this information or use an API like Firebase. – Cadu De Castro Alves Feb 13 '20 at 18:23

2 Answers


I think you're misunderstanding how JSON Web Tokens or bearer tokens work. Why would a username and password ever need to be hardcoded? You'd supply the user with an interface that accepts a username and password.

In option a, you'd store these locally after the user supplied their credentials and clear it when they exit the application or log out. This would not be recommended as that's what tokens can be used for. Many frameworks already offer support for JWT out of the box.

If using a token, the user still supplies their username and password to authenticate, and the server will return a valid authorization token. From that point forward the auth token is passed with each request.

user2355051
  • OK. I think you are assuming that we have a unique password for each user. This is not the case. The user does not need to log in to use the app; it just works. I have come to realize now that in this case it can never be 100% secure; we can just make it a little bit difficult for the hacker by hardcoding and supplying credentials from the client app to the server. – dgarg Feb 13 '20 at 18:12
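The flow this answer describes, as an added example that is not part of the original post or anyone's production code: a minimal login endpoint that checks the user's own credentials against a salted hash, issues an HS256 JWT, and a verifier that checks the bearer token on every later request. It uses only the Python standard library. The signing key, the in-memory user store, and the username and password are constructed placeholders. The point for the asker's concern is that the only secret is `SERVER_SECRET`, which stays on the server; the app holds nothing but a short-lived token tied to whoever typed the password, so there is no user-independent credential to compile into the APK. The verifier pins the algorithm server-side rather than trusting the `alg` field in the token, and rejects expired tokens.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Server-side signing key. Placeholder for the example only; in production load
# 32+ random bytes from the environment or a secret store. It never leaves the
# server, so nothing secret has to be shipped inside the APK.
SERVER_SECRET = b"example-only-replace-with-os.urandom(32)"

# Constructed in-memory user store: username -> (salt, PBKDF2-SHA256 hash).
USERS = {}
PBKDF2_ROUNDS = 200_000


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def register_user(username: str, password: str, salt: bytes = None) -> None:
    """Store only a salted PBKDF2 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def check_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def login(username: str, password: str, now: int = None, ttl: int = 3600):
    """POST /login handler: the user's own credentials go in, a signed JWT comes out (or None)."""
    if not check_password(username, password):
        return None
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_bearer(authorization: str, now: int = None):
    """Check an 'Authorization: Bearer <jwt>' header; return the subject or None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side: a token claiming "none" or any other alg is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SERVER_SECRET, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    now = int(time.time()) if now is None else int(now)
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload.get("sub")


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")
    token = login("alice", "correct horse battery staple")
    print("issued:", token)
    print("subject on next request:", verify_bearer("Bearer " + token))
```

A real deployment would put `login` behind HTTPS, rate-limit it, and keep the JWT lifetime short (or add refresh tokens) so that a stolen token is worth little; the structure of the exchange is unchanged.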

I would somehow use TLS security ... with digital certificates ... to cryptographically secure the network access to the portal. The app would contain the necessary public certificate, possibly obfuscated, which the server could check to make sure that the access is legitimate. Now, no one can intercept the communications, and they can't spoof it without somehow first extracting the certificate information from the app, which is probably unlikely. Knowing that the supplicant does possess a copy of the necessary public key should be sufficient authentication.

Although we don't usually employ it when we use TLS to get to your friendly neighborhood https web-site, modules like mod_ssl do provide a complete TLS implementation including the ability to require and to verify a client-side security certificate, without possession of which the connection attempt will be refused. This might be an ideal situation for that.

Mike Robinson
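The mod_ssl client-certificate requirement this answer refers to, as an added example that is not part of the original answer: a hypothetical Apache 2.4 virtual host fragment. The hostname, file paths, and the client certificate CN `mobile-app-client` are placeholders. Note what the server actually checks here: mod_ssl verifies that the client proves possession of the private key matching a certificate chaining to the configured CA, so the app would have to ship the client certificate together with its private key, and that key, like any other secret embedded in an APK, is what the asker is worried about being extracted.

```apache
# Hypothetical vhost fragment (example only, not from the original answer).
<VirtualHost *:443>
    ServerName api.example.com

    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /etc/ssl/certs/api.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/api.example.com.key

    # Private CA that issues the app's client certificate. Public web CAs are
    # deliberately not listed here, so a certificate from any other CA is rejected.
    SSLCACertificateFile  /etc/ssl/certs/app-client-ca.pem

    # Refuse the TLS handshake unless the client presents a certificate that
    # chains directly to app-client-ca.pem and proves possession of its key.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location "/api">
        # Pin the expected subject as well, so another certificate issued by the
        # same CA (e.g. a test build) cannot reach the production endpoint.
        Require expr %{SSL_CLIENT_S_DN_CN} == "mobile-app-client"
    </Location>
</VirtualHost>
```

Because every copy of the app carries the same client key, this configuration authenticates "a copy of the app", not a particular user or device; revoking it means rotating the certificate and reissuing the app.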