
I have a PhoneGap app and I want only my app users to access the API from where I am getting the data.

I am using PHP as my back end.

What I did was I created a key and was authenticating the key on the server. But the key is hard-coded in the app, meaning someone can look at the code and figure out the key and pass it as a parameter and gain access to my API, which I don't want.

Furthermore, the key can also be seen by using a proxy.

Is there a way to dynamically generate the key on both the app and the server so it gets authenticated? Or some other way?

I don't want the user to give any kind of username/password.

I don't want the user to register or login. The user has no role in the authentication. I am authenticating the app.

krv

2 Answers

1

Yes sure, this can be done,

But several things before you should start.

  • Create a new table to store all the API keys which we are going to generate per user when they are registering through the app.

PHP Side:

  • Grab the user's password or any unique thing, e.g. the UDID on Android; on iOS they have restricted access to the UDID and you might have to store some unique generated id in the keychain.
  • Then when we have the password and UDID you can put them together (or any way you want) and encrypt with SHA-1 (or any encryption algorithm) and save it to the API key table.
  • Every time a request hits the API you can grab the API key from the header and validate it against the database and see.

App Side:

  • When the user logs in through the app, if it is successful, pass the API key to the user and save it inside the app for further use.
  • Also when you're going to request the data from the API you can retrieve the API key stored inside the app, then put it as a header in the request and send.

Few Extra things:

  • Also you can create a private key on both sides (server and app), then store it in the API key table and encrypt the request using the private keys stored on both sides, which only the server and app know.
  • Also you can go for advanced authentications like OAuth.
jlocker
  • I don't want the user to register or login. The user has no role in the authentication. Will this still work then? – krv Oct 03 '15 at 05:45
  • @krv Why don't you want to register and login? I don't **recommend** this, and my answer will not work for you. Also your **API** will be vulnerable. You can't restrict access **without authentication**. You have to use a hard-coded key which anyone will be able to see. – jlocker Oct 03 '15 at 06:17
  • @krv Then also it won't be an **API**. – jlocker Oct 03 '15 at 06:19
  • The app can be for kids or people from rural areas so I don't want that. In a way I am not authenticating the user but I am authenticating the app, so the server logic is "is the request from my app?" If yes send the data, if no then don't. – krv Oct 03 '15 at 06:20
  • @krv I have an idea. You can use end to end VPN to do that :) – jlocker Oct 03 '15 at 06:41
0

Use RSA, the popular algorithm in SSL/TLS. The point is a private key and public key pair.

Here's the library and example for PHP:

Encrypt and Decrypt text with RSA in PHP

And here's the library for JavaScript:

RSA Encryption JavaScript

And my personal suggestion: negotiate a random key, stored in RAM for later usage, rather than use the key pair for all message exchange, because it's a high workload for the server (15 times more than the client). And you can define an object to store the session key in a private member.

function KeyStoreObject() {
    this.publicKey = '';      // this is public
    var sessionKey = '';      // this is private: a closure variable, not reachable from outside
    this.negotiate = function () {
        sessionKey = 123456;  // you can access the private sessionKey here
    };
    this.decrypt = function (str) {
        // and write your code here; sessionKey is available in this closure
        return str;
    };
}

and so create an instance:

var keyStore = new KeyStoreObject();
// so now you can
keyStore.negotiate();

About private member, read more here: http://javascript.crockford.com/private.html

Also, you need to implement a session key store on the server side, including an expiry time. For a small instance, serialize() or SQLite can be used.

Actually, the sessionKey is not fully secure (in theory). A desktop browser can make a DDoS attack. Human validation like a captcha code can help you.

Wilson Luniz