
I have bought an API that can be used in a mobile application. The API includes the key and username as expected. Within the app, this API needs to be called on payment confirmation.

I found that using tools like Fiddler, one can see the request made by the application. If that is the case, it is just a matter of seconds to fully get access to the API signature.

It would be of great help if someone can help out/add to this issue.

My thoughts:

  1. Use a server to make this API call instead of calling it directly from the application.
  2. If a server is used, the issue would still exist, as the API call made to the server (which eventually calls the bought API) can also be interrupted/accessed.
  3. How to secure the call made to the server from the application?

Technologies: Angular JS, Node JS, Ionic framework

Sanjay
  • possible duplicate of [Best Practices for securing a REST API / web service](http://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service) – Parth Sane Aug 23 '15 at 05:40
  • This is a fairly broad question, but your thought #1 is right on track: if you are making requests from an **untrusted** client (frontend frameworks like Angular fall into this category), you cannot make API requests that would compromise your credentials. One solution is to use a scheme like OAuth on your server to grant an access token to the client, and of course make all your private API requests from your server only. – Nate Barbettini Aug 23 '15 at 05:45
  • @NateBarbettini Thanks for your quick reply. I will check on OAuth. I have one little question though: will OAuth be useful even if there's no user concept involved? I mean, the app is designed to be used with no login feature. The only thing that needs to be checked is if the API call is indeed made from the installed app. – Sanjay Aug 23 '15 at 06:13
  • @user5256499: in this case, the app is the user. – Sergio Tulentsev Aug 23 '15 at 06:25

1 Answer


Look at my answer to this question. Instead of using the user name and password, your backend could provide an additional resource that allows the user to create a token with a special scope. In your AngularJS application you can use the $http or $resource services (if the ngResource module is included) and obtain such a token that allows you to access only the parts of your backend your client really needs.

This token must be cached at the client side and included in the header of each request.

In AngularJS, storing the token in the header of each request can be done at a central place if you are using the config function of the module you created.

    app.config(function($httpProvider) {
      // name of the cookie whose value $http copies into the X-XSRF-TOKEN header
      $httpProvider.defaults.xsrfCookieName = "TOKEN";
    });

AngularJS also provides some additional security features. For example, you could use the JSON vulnerability protection mechanism. If you are using this, your backend has to add the characters )]}', (you could also override the default characters) to each JSON response body. For other clients the JSON response will be invalid JavaScript code, but in your AngularJS application the characters will be automatically removed.

UPDATE

The best way to implement security for your application would be to read and understand the OAuth2 specification.

In this video, from minute 11:36 to 17:26, the JavaScript flow is described.

This site provides some implementation of the standard for different programming languages.

Some of the aspects in this standard are that all clients and redirect URLs must be registered in an additional authentication server. Clients are identified by a unique client id.

To prevent another application from intercepting your requests and extracting the token, the original token should only be active for a short amount of time, and each API request must be SSL encrypted.

Refresh tokens can also be used to provide single sign-on.

Patrick Leitermann
  • Thanks for the info. I think, even with the approach you've suggested, there would be issues. 1. If this approach were used for a website, it would make sense to use a token and add it to every request made for authentication. 2. But in the case of an app, if this approach is used, how can we make sure that the token itself isn't intercepted/accessed using Fiddler tools and the same token is used for calling the APIs on the server? – Sanjay Aug 23 '15 at 06:48