My team has a web app (Laravel) and an Android application written in Kotlin. Our website has registration and login forms, but my problem is that anyone can build their own app and call the POST method of the registration form.
How can I secure our web app so that the only POST methods it accepts are the forms from our own Android app and web app?
Short answer: you can't.
For web apps, you could restrict the origin by allowing specific domains in your CORS config. But since mobile apps can change their IP, there is no 100% secure way to restrict a public endpoint (at least I didn't find one when I faced the same issue).
Anyway, you can try to add an extra security layer by including a request header with some encrypted content that must be decrypted and approved by your API.
But this is not completely secure: Android apps can be decompiled by reverse engineering, and they will find out how your encrypted header is built.
If the Android app is not public (can't be downloaded from Google Play services), you can also try to use the generated installation_id, but it will change when the app is reinstalled. This way, you can approve or reject requests per installation id.
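The signed request header this answer suggests, as an added example that is not part of the answer: plain PHP functions a Laravel middleware could call to check an HMAC over the method, path, timestamp, nonce and body. The header names, the secret and the sample registration request are all constructed for the illustration. As the answer itself warns, the secret ships inside the APK, so this only raises the cost of abuse (the key has to be extracted and the signing re-implemented); the timestamp window and nonce store at least stop a captured request from being replayed.

```php
<?php
// Added example (not from the original answer): an HMAC-signed request header
// and the server-side check for it. Names, secret and sample data are constructed.
declare(strict_types=1);

const SHARED_SECRET  = 'constructed-example-secret-change-me'; // embedded in the app build
const MAX_CLOCK_SKEW = 300;                                    // seconds a request stays valid

// The canonical string both sides sign. Binding method, path, time, nonce and a
// body hash means none of them can be changed without invalidating the signature.
function canonicalString(string $method, string $path, int $ts, string $nonce, string $body): string
{
    return implode("\n", [strtoupper($method), $path, (string)$ts, $nonce, hash('sha256', $body)]);
}

// Client side: the value the app would send as X-App-Signature.
function signRequest(string $method, string $path, int $ts, string $nonce, string $body, string $secret): string
{
    return hash_hmac('sha256', canonicalString($method, $path, $ts, $nonce, $body), $secret);
}

// Server side: recompute the signature, compare in constant time, reject stale
// timestamps and reused nonces. $seenNonces stands in for a cache with a TTL.
function verifyRequest(array $headers, string $method, string $path, string $body,
                       string $secret, array &$seenNonces, int $now): bool
{
    foreach (['X-App-Timestamp', 'X-App-Nonce', 'X-App-Signature'] as $h) {
        if (!isset($headers[$h])) {
            return false;                               // unsigned request
        }
    }
    $ts = (int)$headers['X-App-Timestamp'];
    if (abs($now - $ts) > MAX_CLOCK_SKEW) {
        return false;                                   // too old, or clock far off
    }
    $nonce    = $headers['X-App-Nonce'];
    $expected = signRequest($method, $path, $ts, $nonce, $body, $secret);
    if (!hash_equals($expected, $headers['X-App-Signature'])) {
        return false;                                   // tampered, or signed with another key
    }
    if (isset($seenNonces[$nonce])) {
        return false;                                   // replay of an already accepted request
    }
    $seenNonces[$nonce] = $ts;                          // remember until the skew window passes
    return true;
}

// Constructed walk-through of a registration POST.
$now     = time();
$body    = json_encode(['email' => 'alice@example.com', 'password' => 'hunter22']);
$nonce   = bin2hex(random_bytes(16));
$headers = [
    'X-App-Timestamp' => (string)$now,
    'X-App-Nonce'     => $nonce,
    'X-App-Signature' => signRequest('POST', '/register', $now, $nonce, $body, SHARED_SECRET),
];
$seen     = [];
$tampered = verifyRequest($headers, 'POST', '/register', '{"email":"mallory@example.com"}', SHARED_SECRET, $seen, $now);
$accepted = verifyRequest($headers, 'POST', '/register', $body, SHARED_SECRET, $seen, $now);
$replayed = verifyRequest($headers, 'POST', '/register', $body, SHARED_SECRET, $seen, $now);
var_dump($tampered, $accepted, $replayed);
```

The three calls exercise the three failure modes in order: the first carries a body that no longer matches the signature, the second is the genuine request, and the third is the same request sent again. In a Laravel app, `verifyRequest` belongs in a middleware on the registration route, with the nonce store backed by `Cache::add($nonce, true, MAX_CLOCK_SKEW)` so a nonce is only accepted the first time and expires together with its timestamp window.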
You can use JWT tokens to verify the request.
If the request is from a legitimate user, return the JSON data; otherwise return an error. You can read more about JWT tokens here:
https://jwt.io/introduction
This question already has answers here:
how to authenticate RESTful API in Laravel 5?
Closed 6 years ago.
What is the best way to secure API calls from AngularJS (mobile application) / HTML pages to a Laravel PHP backend?
To be clear, I'm NOT talking about user login authentication.
I'm planning an API-based application. I would like to read the JSON data from my API into a page using AngularJS, before any user is asked to sign up or log in.
I need to ensure that only my client front-end can access this data. Is there an existing system to send a token or utilise my secret key, to ensure that only my front-end can access my API? I would also like to be able to revoke access from a specific client or tenant.
What are the security options for this set-up? I'm thinking along the lines of JWT, CORS etc... This is my first attempt at such an application, so please forgive my ignorance!
How to securely access an API from a mobile application
You should use CORS and only allow the web application domain to request the API. Then any other request won't have access to the data.
Using a token won't be safe, since anybody can access it from your application and use it outside.
Take a look at this package to manage CORS inside Laravel
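As an added example, not from the answer above, here is a tightened `config/cors.php` for the CORS middleware that ships with Laravel 7 and later (the same package the answer links to), with the weak wildcard setting shown beside the restricted one. The origin and route names are constructed placeholders. One caveat a practitioner should keep in mind: CORS is enforced by browsers only. It stops JavaScript on other sites from reading your API responses in a user's browser, but a mobile app, curl or a script is not bound by it, so it cannot by itself keep the endpoint private.

```php
<?php
// Added example (not from the answer): config/cors.php for Laravel's bundled CORS
// middleware. Origins and paths are constructed placeholders.
return [
    // Only the API routes need CORS headers at all.
    'paths' => ['api/*'],

    // Weak setting:  'allowed_origins' => ['*']  lets any site's JavaScript read
    // API responses from a visitor's browser. Tightened: list the exact front-end
    // origins, scheme included, and leave the pattern list empty.
    'allowed_origins'          => ['https://app.example.com'],
    'allowed_origins_patterns' => [],

    // Name the methods and headers the front end really uses instead of '*',
    // so the preflight response grants the minimum.
    'allowed_methods' => ['GET', 'POST'],
    'allowed_headers' => ['Content-Type', 'Authorization'],
    'exposed_headers' => [],
    'max_age'         => 3600,

    // Only true when the browser front end authenticates with cookies; browsers
    // refuse credentialed requests against a wildcard origin anyway.
    'supports_credentials' => false,
];
```

Revoking a specific web client under this scheme is just removing its origin from `allowed_origins`; for non-browser clients the answers that rely on per-client credentials or certificates apply instead.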
This is application-to-application authorization. You could use a protocol such as OAuth2; however, there's an interesting way of avoiding such a protocol.
If I were you, I'd go with a client-side SSL certificate. The idea is that your client (mobile app) presents a certificate to the web server. The web server tries to verify the certificate. If it verifies, it sends a parameter to the PHP script saying that it verified you. If not, the parameter is empty or not sent.
Here's a link to a blog post that describes this process.
There are other ways to implement app-to-app authorization, by implementing secret keys, one-time passwords etc., but no approach is as straightforward and easy as a client-side certificate.
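The PHP half of the client-certificate scheme described in this answer, as an added example that is not the answer's own code. The TLS termination does the chain verification (Apache mod_ssl with `SSLVerifyClient require` and `SSLOptions +ExportCertData`, or nginx with `ssl_verify_client` and `fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify; fastcgi_param SSL_CLIENT_CERT $ssl_client_cert;`) and exports the result to PHP, which only has to check the verdict and, optionally, pin the individual certificate so one client's access can be revoked on its own. The script mints a throwaway self-signed certificate in place of a real app CA so it runs stand-alone; the allow-list and names are constructed.

```php
<?php
// Added example (not from the answer): checking the variables mod_ssl/nginx export
// after client-certificate verification. Certificate and allow-list are constructed.
declare(strict_types=1);

// Decide whether the request came from a certificate we issued and still trust.
function clientAuthorized(array $server, array $allowedFingerprints): bool
{
    // 1. The TLS layer must have verified the chain against our client CA.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return false;
    }
    // 2. Pin the individual certificate: removing a fingerprint cuts off one app
    //    build immediately, independent of CRL/OCSP distribution.
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    if ($pem === '') {
        return false;
    }
    $pem  = preg_replace('/^\t/m', '', $pem);   // nginx prefixes continuation lines with a tab
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        return false;
    }
    $fp = openssl_x509_fingerprint($cert, 'sha256');
    return $fp !== false && in_array($fp, $allowedFingerprints, true);
}

// --- constructed demo: a throwaway client certificate standing in for one the app CA issued ---
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'example-mobile-app'], $key);
$x509 = openssl_csr_sign($csr, null, $key, 365);   // self-signed only for the demo
openssl_x509_export($x509, $clientPem);
$fingerprint = openssl_x509_fingerprint($x509, 'sha256');

$allowed = [$fingerprint];                          // in production: fingerprints of issued certs

// What the web server hands to PHP for a verified connection:
$verified = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $clientPem];
// A client that presented no certificate, or whose certificate failed chain validation:
$unverified = ['SSL_CLIENT_VERIFY' => 'NONE'];
// Chain verified, but this certificate has since been removed from the allow-list:
$revokedList = [];

var_dump(
    clientAuthorized($verified, $allowed),
    clientAuthorized($unverified, $allowed),
    clientAuthorized($verified, $revokedList)
);
```

The check in step 1 is the part the answer describes; step 2 is the revocation hook the earlier question asked for. If you terminate TLS on nginx, the `$ssl_client_fingerprint` variable can be exported directly instead of re-deriving it from the PEM in PHP.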
I have a custom Restful API in php that I want to consume via multiple clients:
CMS
Website
iOS app
Android app
I currently authenticate the user using a login form that sends credentials to the server, which returns a JWT token.
What I'm not sure about is how to authenticate the client app that will consume the API. For example, how can I identify that the API calls are coming from the CMS? Do I need to implement some sort of client whitelist so that all of the 4 clients below are authorized to consume the API and block any other ones?
I need help, suggestions or links to understand the best solutions to implement such things.
Thanks,
Steve
You can simply add the device type during authentication. For browsers it's as simple as getting the user-agent; for other devices add another parameter that carries the device type. Add that device or user-agent while encoding the JWT. This assumes that you have multiple tokens issued for each device separately. If that's not the case, look for user-agent headers and add additional middleware in your app for the same in Android or other apps. Hope this helps.
I have a JSON file on my server (on my website). My iPhone and Android apps use this JSON.
I would like to hide or secure the JSON file from other websites or apps.
Is it possible?
The most common way to do this is by using a token that signs every WS call.
You can generate this token in many ways; the most widespread is by username/password encryption.
Users in the app send USER/PASSWORD over an SSL-secured connection to the server.
The server validates USER/PASSWORD and sends back a token that will be used to sign every call made from now on, so the user doesn't have to send the USER/PASSWORD info every time.
You can also check how to secure your web service following this SO link.
Best Practices for securing a REST API / web service
Hope it helps. :)
I'm currently working on a mobile application with an Objective C developer. Because of the nature of mobile devices and how they work, all data is retrieved through an API I have created.
For example, if the user is trying to find something specific to do with the application on a page (a search maybe), the application would make a request:
http://mydomain.com/api/search?param1=hello&param2=world
If these calls are made from the mobile device through the application I know they are legitimate requests (what I class as legit, anyway). If they're coming from somewhere else I really need to stop that. For example, another developer could copy the exact same application and use the API I have built on my server and there is no way I know of that can stop them doing that.
Is there a way I can secure the API somehow to stop the API from being accessed outside the app?
Assuming there are no user accounts for authentication, the only way to secure the app is to hardcode a security token in the mobile app. And even doing so, it won't be 100% secure, because of reverse engineering.
Your API only receives HTTP requests, so the only way to differentiate a legitimate from a non-legitimate request is to send further information that will be considered valid on your server side (such as OAuth tokens), but if there are no user accounts, you will have to send an identical token shared by all apps (or one following a common rule).
I think that the best solution here is to hardcode the security token; it will at least force "hackers" to reverse engineer your app and not just sniff the network.
I am writing an iPhone app that would need to communicate with our servers. On the server side, I am writing an API in PHP that the app would talk to. What is the best way to authenticate the apps and basically restrict access to the apps and shut everyone else out?
I need a way of recognizing that an incoming request to the API is a legitimate request from our app.
What other security concerns should I keep in mind and plan for?
Any design suggestions?
I am currently looking into what OAuth can do for me here!
I think you don't need OAuth, because it will only help you when you need authentication involving three parties. Example: your application authenticating a Facebook user (three parties here: you, the Facebook user and Facebook).
I would make sure you use this:
HTTPS (never send password or sensitive data over plain HTTP)
A login.php script that will authenticate your user, and upon valid authentication will generate an access_token for your mobile user.
Each restricted service you provide with PHP will ask for a valid access_token as a parameter to execute.
Make sure your access_token expires after certain time or conditions you might impose.
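The login-issued, expiring access_token this answer lays out, as an added example that is none of the answers' own code: a minimal HS256 JWT (the token type two earlier answers recommend, and the "token that signs every call" of the JSON-file answer), issued by login.php after the credentials check and verified by every restricted endpoint, with an `exp` claim for the expiry in step 4 and a `device` claim as suggested in the CMS/website/iOS/Android answer. The signing key, user id and claim names are constructed; in a real Laravel app use a maintained library such as firebase/php-jwt rather than hand-rolled encoding.

```php
<?php
// Added example (not from any answer on this page): issue and verify an HS256 JWT
// with expiry and device claims. Key, user and claim names are constructed.
declare(strict_types=1);

const JWT_KEY = 'constructed-example-signing-key';   // stays on the server, never in the app

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return (string)base64_decode(strtr($data, '-_', '+/'), true);   // '' on malformed input
}

// login.php calls this once USER/PASSWORD have been validated over HTTPS.
function issueToken(string $userId, string $device, int $now, int $ttl, string $key): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode([
        'sub'    => $userId,
        'device' => $device,      // 'android', 'ios', 'web', or the user-agent
        'iat'    => $now,
        'exp'    => $now + $ttl,  // enforced below: the token dies on its own
    ]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

// Every restricted service calls this with the token from the Authorization header.
// Returns the claims on success, null on any failure.
function verifyToken(string $jwt, int $now, string $key): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return null;              // pin the algorithm; never honour alg from the token alone
    }
    $expected = b64url(hash_hmac('sha256', "$h.$p", $key, true));
    if (!hash_equals($expected, $s)) {
        return null;              // signature mismatch: tampered or not ours
    }
    $claims = json_decode(b64urlDecode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || (int)$claims['exp'] <= $now) {
        return null;              // malformed or expired
    }
    return $claims;
}

// Constructed walk-through.
$now    = time();
$token  = issueToken('user-42', 'android', $now, 3600, JWT_KEY);
$claims = verifyToken($token, $now, JWT_KEY);
echo 'subject: ' . ($claims['sub'] ?? 'rejected') . ', device: ' . ($claims['device'] ?? '-') . PHP_EOL;
var_dump(
    verifyToken($token, $now + 7200, JWT_KEY) === null,      // past exp
    verifyToken($token . 'x', $now, JWT_KEY) === null,       // signature altered
    verifyToken($token, $now, 'some-other-key') === null     // signed by someone else
);
```

The `device` claim lets a middleware compare the token's claimed client type with the request it arrives on and reject mismatches; the `exp` check covers the "expires after a certain time" point, and any further conditions (a revoked-session list, a per-tenant flag) go into `verifyToken` after the signature check, never before it, so that unsigned input is never consulted against the database.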
Look at the big companies: Google uses an API key for all their public APIs so they can track behavior and block if they suspect abuse.
Since your API is probably not public, you might need more security, but then you'd probably need to encrypt all communication :<