How to implement Android API security?

Question

I am trying to create an API for Android clients similar to Google and Facebook

Both Google and Facebook have this process in their API's of generating some kind of hash from your android keystore. They say that only requests made from your packagename (eg. com.example.myapp) and that keystore's hash will be allowed and identified in their systems as you.

Google's method:

keytool -exportcert -alias androiddebugkey -keystore <path-to-debug-or-production-keystore> -list -v

and

Facebook:

keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore | openssl sha1 -binary | openssl base64

How would I implement my API to guarantee secure identifiable requests from the Android client to my backend.

thanks!

score 1 · Answer 1 · edited May 23 '17 at 12:03

1

You can obtain application signature as it suggested here. That you can use MD5 or SHA1 to encode it.

There are many Java libraries for SHA1 and MD5, here is one I googled.

edited May 23 '17 at 12:03

Community

1
1

answered Dec 10 '13 at 09:47

Ilya Gazman

31,250
24
137
216

Please provide more detail. – John Saunders Dec 12 '13 at 13:53
@MichaelBarany here you go – Ilya Gazman Dec 12 '13 at 14:07
thanks, but I'm just using standard Java. In any case perhaps someone can explain how to use the application signature on requests. – Michael Barany Dec 12 '13 at 14:46
@MichaelBarany oh sorry, changed the link to java sample – Ilya Gazman Dec 12 '13 at 15:27

How to implement Android API security?

1 Answers1