I recently developed a RESTful service that my Windows desktop application is using for retrieving information from a MySQL DB sitting on a Linode server. The desktop application is written in .NET and obfuscated so that all URLs are encoded. I developed the RESTful service in Spring but had a lot of issues with Spring Security, and I was thinking that maybe authentication is not necessary as I am the only user. If the code is obfuscated then it will be hard for anyone to get the endpoints and start using my web service. So the question is: is my logic valid, or should I secure my API even if I have to struggle with OAuth and Spring?
2 Answers
2
In my opinion it depends on several factors, such as:
- Do you have any private and valuable data stored inside your database?
- Is it possible to modify your data from your API?
- Do any other people rely on this service or the results of its work?
If any of these is true, you should provide basic OAuth. But it is usually a good practice (or even "a must") to do that.

sobolevn
- I will store customer names and emails, so yes, private and valuable data. There is a way to modify the data and people will rely on this service via the desktop application. So I guess basic OAuth would be necessary in your view even if it will be a struggle to get it right. – Dimitris May 05 '15 at 22:28
- In this case you must use authentication. – sobolevn May 05 '15 at 22:30
- OK, so if I start using OAuth authentication, don't I have to store the token or username/password in my app anyway and have the same problem? – Dimitris May 05 '15 at 22:43
- Have a look at `http://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service` – sobolevn May 05 '15 at 22:53
1
Yes. Even with obfuscated code it is trivial to fire up Fiddler and watch all the network calls your app is making. If you are not authenticating the calls on the API side, a malicious user could read or make changes to data that they should not have access to.

scott
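
The point both answers make, that the API has to check a credential on every request because the endpoint URL cannot be kept secret, as an added example that is not part of the thread. It is framework-neutral Java meant to be called from a servlet or Spring filter; the class `ApiTokenGate`, its methods and the client id are hypothetical, and it assumes per-client random bearer tokens sent over TLS rather than the OAuth flow the thread mentions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class): the server decides per request from a presented
// credential, so a caller who only knows the endpoint URL gets 401.
public class ApiTokenGate {
    private static final String PREFIX = "Bearer ";
    // Only SHA-256 digests of issued tokens are kept, mapped to the owning client id.
    private final Map<String, String> clientByDigest = new ConcurrentHashMap<>();

    private static String digest(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JVM
        }
    }
    // Issues a random 256-bit token for one client and stores only its digest.
    public String issue(String clientId) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        clientByDigest.put(digest(token), clientId);
        return token;
    }
    // Revokes every token of a client, e.g. once a token is known to have leaked.
    public void revoke(String clientId) {
        clientByDigest.values().removeIf(clientId::equals);
    }
    // Returns the HTTP status to send for the request's Authorization header value.
    public int statusFor(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith(PREFIX)) {
            return 401; // no credential presented
        }
        String token = authorizationHeader.substring(PREFIX.length());
        return clientByDigest.containsKey(digest(token)) ? 200 : 401;
    }
    public static void main(String[] args) {
        ApiTokenGate gate = new ApiTokenGate();
        String token = gate.issue("desktop-app"); // constructed client id
        System.out.println(gate.statusFor(null));              // request without a header
        System.out.println(gate.statusFor("Bearer " + token)); // request with the issued token
        gate.revoke("desktop-app");
        System.out.println(gate.statusFor("Bearer " + token)); // same token after revocation
    }
}
```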