0

At this point I have written a program for use on the android platform in which users will see information about outstanding bills (private personal information).

At this point I demanded some kind of formal registration takes place at an office.

I want to improve on the registration part and was wondering if I could implement the use of api keys. In this case people wouldn't need to register at some office formally, but could download the app from playstore.

Currently the app sends requests to a server (at this point I use username and password).

I read and searched information about api key's and how to implement them. But it is still confusing.

The code of the program at this point is irrelevant as I'm not sure about the use of api keys yet and is working correctly at this point. I just can't seem to find a fit answer for the following.

Should every mobile device get it's own private api key when installing/downloading or a public one?

Ooh and for the sake of it, I am using laravel 5.1 with mariadb (not that it will matter in the answers).

Community
  • 1
  • 1
davejal
  • 6,009
  • 10
  • 39
  • 82

1 Answers1

1

  1. Every mobile should get it's own api key because if a hacker were to get a hold of a public key used by everyone, then all your customers would be at risk until you changed the key and updated the app.

  2. The private key should be sent to the device after installation because hackers can download an apps apk file from the phone, unzip it, and look inside to find the key or the code used to create the key.

  3. Two type authentication gives you another layer of security so you should use it.

Also be careful when sending api keys over the internet. Hackers can use proxies to read the data travelling between their device and a server. So I would use HTTPS and use it correctly.

http://www.androidauthority.com/how-to-hide-your-api-key-in-android-600583/

Raymond Mutyaba
  • 950
  • 1
  • 9
  • 14