
I have an app and I have created the required API for it in PHP. I could also create it using Firebase.

The app is meant to be used by people who are new to technology. I don't want any login authentication.

As I have created an API, anyone who goes through my code can see the API link and can get the data, which I don't want.

What I want to achieve is for the API to serve data when the request is from my app only.

How can i achieve this without any user login?

Darren
krv
  • It seems like you're looking for [anonymous authentication](https://www.firebase.com/docs/web/guide/login/anonymous.html). You can't in any way securely validate anything came from a specific app. You could achieve poor-man's security (which isn't very secure) by [generating your own token](http://jsfiddle.net/firebase/XDXu5/embedded/result/) and using that for auth of all users. – Kato May 04 '15 at 17:47

1 Answer

Create an access token and store it in your application; then on each AJAX request you will compare the token, so if the token is valid you will deliver the contents, otherwise you will show an error message.

As Raymond Camden said in his comment:

it is not secure. I can use Remote Debugging to sniff the access token and then use it myself. At the end of the day, there is no way to do what you want 100% securely.

Moussawi7
  • Sorry, I am new to this, but if the token is stored in my application then someone can get it also. Is this correct? – krv May 04 '15 at 07:28
  • @krv, yes, if someone opens your code and understands the code, they can get it. But here you may store it in a smart way, and may encrypt the whole code – Moussawi7 May 04 '15 at 07:30
  • @krv, you can check this question: http://stackoverflow.com/questions/2060984/how-can-i-encrypt-javascript-code-so-that-its-not-decryptable – Moussawi7 May 04 '15 at 07:34
  • Yes, I know about minification, but still the token will be visible. Is there a way to get the app's package name (com.domain.myapp) so I can authenticate that it's my app and send the data? – krv May 04 '15 at 07:38
  • @krv, you can get the package name, but you have to send it as a parameter, and this parameter can be modified by someone. Unfortunately the server side cannot detect it. – Moussawi7 May 04 '15 at 07:42
  • Will give tokens a try, but is there any other foolproof way? – krv May 04 '15 at 07:47
  • @krv, in fact I did a full search about a similar operation (I charge users money to get coins), and yet no one has succeeded in hacking me. – Moussawi7 May 04 '15 at 07:52
  • I voted down this answer because it is not secure. I can use Remote Debugging to sniff the access token and then use it myself. At the end of the day, there is no way to do what you want 100% securely. – Raymond Camden May 04 '15 at 13:30
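As an added example (not code from the question or the answer), here is how the server side of the token idea could look in PHP, going one step beyond a plain token comparison by signing each request with the shared secret so that a copied URL or a captured signature cannot simply be replayed. The constants and the X-App-Timestamp / X-App-Signature header names are assumptions, and, as Raymond Camden's comment says, the secret itself can still be pulled out of the app.

```php
<?php
// Added example, not code from the question or the answer. Assumed names:
// APP_SECRET, MAX_CLOCK_SKEW, and the X-App-Timestamp / X-App-Signature headers.
// The secret still ships inside the app and can be extracted, as the thread
// says; signing only stops reuse of a copied URL or a captured signature.
declare(strict_types=1);

const APP_SECRET = 'replace-with-a-long-random-secret'; // placeholder value
const MAX_CLOCK_SKEW = 300; // seconds a signed request stays acceptable

// Signature the app must send: HMAC-SHA256 over method, path, timestamp and
// body, so a captured signature is bound to one request and one time window.
function expected_signature(string $method, string $path, string $timestamp, string $body, string $secret): string
{
    $message = $method . "\n" . $path . "\n" . $timestamp . "\n" . $body;
    return hash_hmac('sha256', $message, $secret);
}

// True only when the timestamp is fresh and the signature matches.
function request_is_signed(array $headers, string $method, string $path, string $body, string $secret, int $now): bool
{
    $timestamp = $headers['X-App-Timestamp'] ?? '';
    $signature = $headers['X-App-Signature'] ?? '';
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > MAX_CLOCK_SKEW) {
        return false; // stale or malformed timestamp: reject before any crypto
    }
    $expected = expected_signature($method, $path, $timestamp, $body, $secret);
    return hash_equals($expected, $signature); // constant-time comparison
}

// Endpoint wiring: verify first, serve data only on success.
if (PHP_SAPI !== 'cli') {
    $headers = [
        'X-App-Timestamp' => $_SERVER['HTTP_X_APP_TIMESTAMP'] ?? '',
        'X-App-Signature' => $_SERVER['HTTP_X_APP_SIGNATURE'] ?? '',
    ];
    $body = file_get_contents('php://input') ?: '';
    $ok = request_is_signed($headers, $_SERVER['REQUEST_METHOD'], $_SERVER['REQUEST_URI'], $body, APP_SECRET, time());
    header('Content-Type: application/json');
    if (!$ok) {
        http_response_code(403);
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
    echo json_encode(['data' => 'served only to correctly signed requests']);
}
```

The app must build the same message string and HMAC it with the same secret before each request; anyone who extracts that secret from the app can do the same, which is why this is a speed bump rather than a replacement for per-user authentication such as the anonymous auth mentioned in the comments.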