i am writing an iphone app that would need to communicate with our servers. on the server side, im am writing an api in php that the app would talk to. What is the best way to authenticate the apps and basically restrict access to the apps and shut everyone else out?
I need a way of recognizing that an incoming request to the api is a legitimate request from our api.
What other security concerns should i keep in mind and calculate for?
any design suggestions?
i am currently looking into what oauth can do for me here!
I think you don't need oauth because it will only help you when you need authentication involving three parties. Example: your application authenticating a Fecebook user (three parties here: you, Facebook user and Facebook).
I would make sure you use this:
HTTPS (never send password or sensitive data over plain HTTP)
A login.php script that will authenticate your user, and upon valid authentication will generate an access_token for your mobile user.
Each restricted service you provide with PHP will ask for a valid access_token as a parameter to execute.
Make sure your access_token expires after certain time or conditions you might impose.
Look at the big companies? Google uses an API key for all their public APIs so they can track behavior and block if they expect abuse.
Since your API is probably not public you might need more security but then you'd probably need to encrypt all communication :<
Related
I am devoloping online store android standalone app(not in webview). I have PHP engine on the server and implemented REST API. But the problem is security between android app and server.
The secure requests shoud be purchase item, view purchased history, cancel order.
My app will let user to enter login and password to login into the app checking data correctness from the server and than user will have an ability to send secure requests.
So the question is how to secure connection ? And how to implement this on the server and client side.
Please give advices how to implement this, and important, what is the best practise to do this to build robust application.
I would be grateful for any help.
You can use OAuth to secure your response - request cycle.
What exactly is OAuth (Open Authorization)?
Generally with RESTful applications, you should leverage the header Authorization. There are several levels of security you can implement:
Basic authentication. It simply corresponds to set a based64-encoded string containing identifier and password
Token-based authentication. It involves a token resource that provides tokens with expiration and that are used instead of actual identifier / password for authentication.
This link provides more details about the way to use these mechanisms: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.
Hope it helps you,
Thierry
I'm working on a user authentication library in PHP. Right now I have both stateful and stateless CSRF protection, everything's secure. My problem is that the API is for remote applications (mobile app, game, etc) and has a public facing script to let a client app perform requests to authorize/log in a user. I would like to include the functionality for creating and removing a user in this API so that the client can do everything itself, but can't figure out a way to make it so that the creation script couldn't just be hit by anybody to flood the database with fake users. When creating a user with the API, I don't require any credentials other than username or password in the request, which means that anyone could hit that script. Does anyone know of a secure solution to this to prevent an attacker from using the API to create/remove users themself?
you could increase obscurity by requiring a secret key. Distribute the key in the client code. However, anyone accessing the client code can see the key and use it. But random people scanning your service wouldn't have the client code, nor the key.
I'm currently working on a mobile application with an Objective C developer. Because of the nature of mobile devices and how they work, all data is retrieved through an API I have created.
For example, if the user is trying to find something specific to do with the application on a page (a search maybe), the application would make a request:
http://mydomain.com/api/search?param1=hello¶m2=world
If these calls are made from the mobile device through the application I know they are legitimate requests (what I class as legit, anyway). If they're coming from somewhere else I really need to stop that. For example, another developer could copy the exact same application and use the API I have built on my server and there is no way I know of that can stop them doing that.
Is there a way I can secure the API some how to stop the API from being accessed outside the app?
Assuming there are no user accounts for authentication, the only way to secure the app is to hardcode a security token in the mobile app. And even doing so, it won't be 100% secure, because of reverse engineering.
Your API only receive HTTP requests, so the only way to differenciate a legitimate with a non-legitimate request is to send a further information that will be considered as valid on your server side (as OAuth tokens), but if there are no user accounts, you will have to send an identical token shared by all apps (or following a commnon rule).
I think that the best solution here is to hardcode the security token, it will at least force "hackers" to reverse engineer your app and not just sniffing the network.
I'm developing a social networking website. This service will be available across various mediums, for example: the web, iPhone, Facebook application etc.
My idea for this application was to have all of these properties interact with one central point for fetching and saving data: an API. My various applications would then interact with this API, sending a GET request to fetch some data; a POST request to submit some data; DELETE requests and so on.
This API will be web-accessible, so I need a way to authenticate only white-listed applications. This API will never be available for third parties to interact with or build third-party applications with; it's to facilitate my applications only so I can cut out re-coding solutions across various platforms and focus only on the logic (controllers, essentially).
Therefore, would OAuth be suitable to be used as the authentication method for the above scenario?
My knowledge of OAuth isn't great, but if it is deemed a viable solution then I'll obviously read up on it before implementing. But as far as I know it works on tokens. A consumer (for example, my website) would request a token from the application (the API in this instance) and then the application would return a token to use in subsequent requests. Or something.
When a request comes in to my application, am I then able to accept/deny requests based on the requesting application? I.e. can I deny access to applications that aren't my own? How do I differentiate between applications? Do I retain a whitelist of IP address or URLs, and compare upon incoming requests?
Any help on the above would be most appreciated.
OAuth is not designed to authenticate some applications the way you want to.
Juste create your own private way to authenticate, because you're the only one to know about your API. Dont forget to pipe the authentication in SSL and everything will be ok !
I don't think OAuth is the best solution for your problem. OAuth is great when you plan to give your API to the 3rd parties as it allows to authenticate user without giving users's credentials to the 3rd party. If you have all control over the API there is no need for this.
It's still a good idea to read about it thou. :)
I'm working on developing a native android application to retrieve data for a user from my company's website.
Because the data is specific to the user, I need to authenticate with our web server, but I'm unsure of the best way to go about this. I've been reading about REST/SOAP/HTML form auth, but I can't really find any definite 'this is how its done' anywhere. I know mobile apps do this kind of thing all the time - just look at facebook/skype/any email app - you have to login before you can do anything.
My question is - how should I architect the server side code (php) to easily allow me to authenticate a user from my android device?
I'm fairly new to the 'web service' arena - does this fall into that category? Are there any tutorials you guys would recommend looking at?
Thanks!
While I haven't developed for Android, I can suggest that you simply rely on some stateless authentication scheme, such as HTTP Basic or Digest. This means that the credentials will be passed with each and every request, and you avoid having to keep track of state, which means you can keep your API nice and RESTful.
I suspect if I were writing an android app, in most cases, I'd probably first try to get communication working with something at-least-vaguely RESTful, using HTTP Basic auth, and JSON encoding (just because PHP makes (de)serializing JSON so easy).
Of course, depending on your problem domain, that might not be ideal, but it's a good architecture to try first, because it's pretty easy all-around. If it fails you, you can go back and start swapping parts out, until you find the right architecture.
Some mobile apps use OAuth to authenticate with a web server, such as twitter has. This may not be exactly what you're looking for, but none-the-less here's an example: You would log in to web service and authenticate the mobile app (which would have requested access) to be able to utilize your data on web service, like an access key (actually called a token) with which the mobile app then utilizes to communicate with the web service on your behalf; the token could be then passed as part of the url. You'll still likely want to consider SSL or some level of encryption.
This post may also be of help for you