I am looking to build an API that I can deploy on my servers to monitor system load.
It will report to a central manager server that runs a client to display the information.
The issue I am struggling with is best to secure the API.
What I want is for the client to be the only software that can access the server and retrieve this information but I am unsure how to achieve this using PHP.
I also want the possibility of distributing the API and client for others to use on their servers so I don't want people to be able to access other people data if they are using the API also.
The client is also written in PHP using MySql and has a secure login.
This sounds like you're trying to solve the wrong problem.
I also want the possibility of distributing the API and client for others to use on their servers so I don't want people to be able to access other people data if they are using the API also.
The only right answer to this is authentication. You need to protect your API by giving each user access credentials known only to them.
Your API must never reveal any data that the client isn't allowed to see as per their authentication credentials. Trying to work around this danger by trying to somehow protect the client from prying eyes is not safe - somebody who has access to the client and can observe it running will be able to reverse engineer any traffic between it and the server given enough effort.
If the API is properly secured, it won't matter to you which client tool is used to access it. The requirement to limit API access to a certain program will go away.
if you use SSL, along with authentication (i use 3rd party auth google, fb, etc), create data /reports on the fly and have the data saved in a subdirectory OUTSIDE your web folder (instead of /var/www, /var/myStorage/currentSessionId/), then you basically guarantee the security that you want.
your php will only access a subdir that is named for the session it is running under.
Related
I have an API developed in PHP for my Flutter web app. I am using this API to fetch all the data. But, I can see all the requests made to the server.
Is there any way to hide/restrict any unauthorized person to use my API? I am using HTTP library to make calls from my flutter app to API. I just want to hide those calls to web API. I have seen some websites do that. Since the server code and website code in those websites are in the same directory it can be accessed directly without having to make a request to the webserver.
Two problems I see are
You are able to see all the request made to backend server from your web page and you want to hide them.
The answer to this is No you cant. I say this based on my search in google and some posts in SO like this
You may think about disabling the developers tools. The answer is No and maybe with unknown side effects.
Is there any way to hide/restrict any unauthorized person to use my API?
The answer to this question is yes and can be done in many approaches. Like you said token based authorization has its own issue with keys being leaked and thats why there is always validity associated with it and should be considered. There are mechanisms such as refresh tokens to renew tokens etc.
The first and foremost thing I would do is enable CORS mechanism in your sever where the server will only allow request from very specific domains to be processed. More details available here
So I am building a phonegap based application and I'd like that application to get it's information from a source using a http request to this source. This source however, must only be able to deliver data to this specific source and no info to any other source what so ever.
I can surely add parameters to the request, however, these parameters can easily be found by decompiling the application file. Is there a possibility for the server to know that the source indeed is my specific application without having to hardcode any kind of key into the app that easily can be obtained?
This all is to ensure that only this app can use a service and somebody else can't make use of that api.
You can't really secure your app with a login/secret embedded inside your app. But if you craft a token system that delivers an access token back to a user upon identification of that user. Bottom line, you need to start with a register/login screen.
I recommend this lib for php, and the Client Credentials grant seems like it would be what you want, see grant types
I'm currently working on a mobile application with an Objective C developer. Because of the nature of mobile devices and how they work, all data is retrieved through an API I have created.
For example, if the user is trying to find something specific to do with the application on a page (a search maybe), the application would make a request:
http://mydomain.com/api/search?param1=hello¶m2=world
If these calls are made from the mobile device through the application I know they are legitimate requests (what I class as legit, anyway). If they're coming from somewhere else I really need to stop that. For example, another developer could copy the exact same application and use the API I have built on my server and there is no way I know of that can stop them doing that.
Is there a way I can secure the API some how to stop the API from being accessed outside the app?
Assuming there are no user accounts for authentication, the only way to secure the app is to hardcode a security token in the mobile app. And even doing so, it won't be 100% secure, because of reverse engineering.
Your API only receive HTTP requests, so the only way to differenciate a legitimate with a non-legitimate request is to send a further information that will be considered as valid on your server side (as OAuth tokens), but if there are no user accounts, you will have to send an identical token shared by all apps (or following a commnon rule).
I think that the best solution here is to hardcode the security token, it will at least force "hackers" to reverse engineer your app and not just sniffing the network.
My iOS app needs to connect to a mysql server. To accomplish this, I'd like to create a webapp that acts as the middleman between the client side apps and the server side database.
My concern is that someone can simply figure out the URL that my app uses and pass their own URL parameters - and since the webapp has no idea whether legitimate data is being sent from my iOS app vs. someone just typing in the properly crafted URL from any web browser, the system will be vulnerable.
Let's say I have a PHP function for marking a user as "verified" (after I send them an email verification code). This is pretty standard stuff, but what's stopping someone from making the same request from a web browser?
Of course, the user that the app uses to make database queries will have limited privileges, so the rest of the database won't be at risk. However, even having users activating their accounts from outside the app would be catastrophic.
The option that I thought of was using https so that even if the user figures out the URL, they won't know the password and wouldn't be able to sniff it since it's encrypted from start to finish. Unfortunately, https can be expensive for a poor college student, so I'd like an alternative if one exists.
As stated before, there is no 100 % security possible. But there are several solutions that put together give great security.
Https
As you point out, this is an important part , as it prevents sniffing.
Sessions
Use sessions and don't allow any request without a valid session ( except the first, that must authenticate the app ).
Fingerprint
Check the user agent and set extra http headers, to get a fingerprint unique to your app. ( Still someone could sniff, but he needed to use curl or similar. )
Obfuscate requests
Build your query string and apply a hash function. The server needs to implement the reverse function. ?43adbf764Fz instead of ?a=1&b=2
Encrypt
This goes a step further. Use a shared secret to calculate a hash. On the server repeat the same. This is already strong security. In order to break, one needs to reverse engineer your app.
Use unique shared secret
You say it is a app for iOS. Upon installation a unique token is generated by iOS. Have your app register this token with your server. Like this you have a strong shared secret unique to each installation, and there would be no way to hack your web app.
Recently I programmed a little app for my android device. As the datastorage for the app, Iam using a mysql database, which can be accessed via different php scipts. So all the app does, is it sends POST requests to the php scripts to communicate to the database.
But now I consider about the security aspect. These php scripts can be accessed by every webclient. So every webclient has the possibility to compromise my database, which is of course not the ideal case.
So I was wondering if there is a way to just allow authorized clients to use these php-webservices?
Does php provide any kind of authentification that can be used by an android client?
Cheers
You simply need to require an authentification when invoquing the service:
simple and dirty: http basic auth, like Twitter used to do
a better solution is OAuth, like Twitter now does
There are of course other possibilities (WS-Security, but you don't seem to use SOAP).
for security, you should prefer to interact through an API to your mysql...isn't it?
A few points:
Use a different port (i.e: not 80 or 8080) for the web access
Add authentication with a username and password. Inside your application, you can get these from a secure config file.
On the server side, you can also do some checking on user agents, IP addresses and maybe even device ids.
This is just a start