I have an API written in PHP that works by receiving HTTP POST requests, the API will then process the request and output some XML.
I have an Android application that is communicating with this API successfully.
My question is how do I make this secure?
I was looking into using OAuth, but for PHP it uses a library that is not available to me.
Plus as the API is not public and only to be used by external applications created by myself, this seems a bit overkill.
What other suggestions would you recommend? I was looking at sending an API key/signature along with the POST request.
It should be done the same way you make javascript calls secure. You use sessions. You should be able to send and receive headers, why not accept cookie-like data? At least session_id. Securing with SSL for open wifi hotspots would also be very beneficial if you use symmetric authentication.
OAuth has a different purpose - its when your website starts to host third party applications that users want to use without giving this app own password.
Related
I have an API developed in PHP for my Flutter web app. I am using this API to fetch all the data. But, I can see all the requests made to the server.
Is there any way to hide/restrict any unauthorized person to use my API? I am using HTTP library to make calls from my flutter app to API. I just want to hide those calls to web API. I have seen some websites do that. Since the server code and website code in those websites are in the same directory it can be accessed directly without having to make a request to the webserver.
Two problems I see are
You are able to see all the request made to backend server from your web page and you want to hide them.
The answer to this is No you cant. I say this based on my search in google and some posts in SO like this
You may think about disabling the developers tools. The answer is No and maybe with unknown side effects.
Is there any way to hide/restrict any unauthorized person to use my API?
The answer to this question is yes and can be done in many approaches. Like you said token based authorization has its own issue with keys being leaked and thats why there is always validity associated with it and should be considered. There are mechanisms such as refresh tokens to renew tokens etc.
The first and foremost thing I would do is enable CORS mechanism in your sever where the server will only allow request from very specific domains to be processed. More details available here
I have a main website (which contain all data) and multiple client websites which fetch data from the main website. Each client website has access to different set of data on main website. I want to create a PHP based web API for this. This is my first API so I am not sure what is the best and most secure way to do this.
After some googling I found OAuth to be the most common authentication method for APIs. however in my case I want the client website to be configured once and then the communication should be automatic, i.e. communication should take place in background without any user interference. Is OAuth required for this scenario?
Or is there any other method I can implement here?
oauth is way to complicated to implement for your needs.
If you are using rest, i suggest using a basic-auth in the header and using SSL so that your communication is encrypted.
You could make a small SecurityFilter that checks if for any request with a url pattern /api/ that the basic-auth is correct and that it use SSL...
It really depends on how you are exposing your API.
If you are using REST, HTTP Basic Auth over HTTPS is sufficient. I see a lot of people try to implement their own solutions when the provided approach is quite sufficient.
If you are using SOAP, there is a SOAP-based approach you could use: WS-Security (which is just a standard using anything from SAML assertions to OAuth tokens).
If passing Basic Auth credentials over HTTPS is too "open" for you, in that the credentials are saved in config on the client server somewhere, OAuth2 is probably the best solution. Doing OAuth on the server side wouldn't require any user interaction. You just store your tokens in a server config and let the OAuth library take care of the rest. PHP has a library for this PHP OAuth Library. There are plenty of OAuth2 libraries for PHP. Just Google it.
After some more googling and research I found answer to my question:
The scenario I explained is an example of 2-legged oauth (one can find many articles about 2-legged and 3-legged oauth)
Also, OAuth is not difficult to implement, infact for a developer with good knowledge of API and Auth system its very easy.
Here's a link of very good php OAuth library with example code http://code.google.com/p/oauth-php/
I'm starting a new application that will have a server side PHP and client in Android another (at the moment, and then also probably iphone). The application will only be used from mobile customer applications ie not to be used by web. My question is what would be the best way to login to this mode of operation?
thank you very much
It sounds to me as if the server side will be some sort of API that opens up access to a users data. The easiest method would be sending along a stored username and password with each request. This would only work if the connection your using is secure (https) which brings in the hassle of obtaining an ssl certificate.
Another option would be using OAuth, though your use case seems a little bit different than the standard OAuth use-case. OAuth is a protocol that uses a token based system to establish a users permission to access certain data from an application by another application. In your case you would be in control of both the first and the second application (hence my remark on being different than the standard use-case) Read here for more info.
I think it will be more easier if you use a webservice to make this connection between android and php server
this Presentation may help you ..
you are gonna deal with SOAP and xml or JSON to send data from android to php server.
and this a Video that shows how to deal with REST android Apps.
hope that help.
I think building an API on the server-side would be the best approach. For example a simple REST endpoint might be the way to go.
You can also host the API over HTTPS so that the communications channel is secure.
you need to create PHP web service for that. and while accessing you can pass security key like IMEI of phone for log. I think it can be secured mode for login from Android Phone.
Best practice these days is to set up a simple JSON web service, and use the built in Android HTTP & JSON libraries to interact with this service.
Create a login page in android, take the values from the fields send those values to server using httppost there store in your database and send response from the server
i think you first make a login form on Php server and send it the login and password as soon as user types and php returns the JSON object then read it if login is accepted by server login to application.
another way is when user don't have the net access make some Content providers on android and store the user pass there and match from there locally.
Recently I programmed a little app for my android device. As the datastorage for the app, Iam using a mysql database, which can be accessed via different php scipts. So all the app does, is it sends POST requests to the php scripts to communicate to the database.
But now I consider about the security aspect. These php scripts can be accessed by every webclient. So every webclient has the possibility to compromise my database, which is of course not the ideal case.
So I was wondering if there is a way to just allow authorized clients to use these php-webservices?
Does php provide any kind of authentification that can be used by an android client?
Cheers
You simply need to require an authentification when invoquing the service:
simple and dirty: http basic auth, like Twitter used to do
a better solution is OAuth, like Twitter now does
There are of course other possibilities (WS-Security, but you don't seem to use SOAP).
for security, you should prefer to interact through an API to your mysql...isn't it?
A few points:
Use a different port (i.e: not 80 or 8080) for the web access
Add authentication with a username and password. Inside your application, you can get these from a secure config file.
On the server side, you can also do some checking on user agents, IP addresses and maybe even device ids.
This is just a start
I'm working on developing a native android application to retrieve data for a user from my company's website.
Because the data is specific to the user, I need to authenticate with our web server, but I'm unsure of the best way to go about this. I've been reading about REST/SOAP/HTML form auth, but I can't really find any definite 'this is how its done' anywhere. I know mobile apps do this kind of thing all the time - just look at facebook/skype/any email app - you have to login before you can do anything.
My question is - how should I architect the server side code (php) to easily allow me to authenticate a user from my android device?
I'm fairly new to the 'web service' arena - does this fall into that category? Are there any tutorials you guys would recommend looking at?
Thanks!
While I haven't developed for Android, I can suggest that you simply rely on some stateless authentication scheme, such as HTTP Basic or Digest. This means that the credentials will be passed with each and every request, and you avoid having to keep track of state, which means you can keep your API nice and RESTful.
I suspect if I were writing an android app, in most cases, I'd probably first try to get communication working with something at-least-vaguely RESTful, using HTTP Basic auth, and JSON encoding (just because PHP makes (de)serializing JSON so easy).
Of course, depending on your problem domain, that might not be ideal, but it's a good architecture to try first, because it's pretty easy all-around. If it fails you, you can go back and start swapping parts out, until you find the right architecture.
Some mobile apps use OAuth to authenticate with a web server, such as twitter has. This may not be exactly what you're looking for, but none-the-less here's an example: You would log in to web service and authenticate the mobile app (which would have requested access) to be able to utilize your data on web service, like an access key (actually called a token) with which the mobile app then utilizes to communicate with the web service on your behalf; the token could be then passed as part of the url. You'll still likely want to consider SSL or some level of encryption.
This post may also be of help for you