
Let's say I have an Android app with Reddit OAuth2 authentication. I initiate the authorize request with my client ID and the user accepts the consent. Now I get the authorization code, which will be exchanged for a token on my server via an HTTP request. This process is meant to protect my client secret, since it is on my server, but it actually doesn't. Anyone can take the client ID from the app by decompiling it, initiate an authorize request to Reddit and exchange the code for a token through my server. They don't even need to know the secret to get the token.

How can one protect the API against this kind of misuse (or attack?)?

Is there any way I can allow my API to accept requests only from my app and reject other requests (using SHA256, etc.)?

I have looked up and studied PKCE. But this is not useful in this case, as it only protects against code sniffing/intercepting and accepts only the original authorize request initiator.

Mohan

1 Answer


You will probably want to store a secret. When first opening the app (and after certain intervals of time to keep it secure) you will need to generate a keypair. Store the private key in the device's Keystore and send the public key to your backend. When authenticating to your API, sign the client's secret with the private key and verify it using the public key on the backend.

Note that this will induce substantial overhead to your login process, because mobile devices are not necessarily well equipped to perform cryptography, though this is less and less true.

EDIT: Your keypair will need to be issued from a CA you trust, otherwise this is all useless.

BinarSkugga
  • Thanks, I will do some research on your method and try to grasp what's happening here. – Mohan Jul 20 '21 at 15:08
  • Can you please provide me some kind of resource (like blogs, articles, or docs) on this topic? Honestly, I don't even know where to start. – Mohan Jul 20 '21 at 15:48
  • Cyber-security is a vast topic that cannot be simplified in a comment or a post. What you need to do is essentially to sign a secret. Here's a couple of good resources: https://stackoverflow.com/questions/7224626/how-to-sign-string-with-private-key https://ssd.eff.org/en/module/deep-dive-end-end-encryption-how-do-public-key-encryption-systems-work https://stackoverflow.com/questions/37722090/java-jwt-with-public-private-keys You should never attempt to implement anything related to encryption or signing yourself. Use proven and mature libraries. – BinarSkugga Jul 20 '21 at 15:51
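The sign-and-verify flow the answer describes, written out as an added Go example (not code from the question, the answer or Reddit): the device registers an Ed25519 public key, the backend hands out a single-use nonce, the client signs the nonce together with the authorization code using its Keystore-held private key, and the backend checks the signature before exchanging the code. The names `Backend`, `installID` and the `nonce|code` message layout are assumptions; the Android Keystore calls, the HTTP transport and the CA issuance the answer's edit calls for are outside the snippet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Added example; type names and the message layout are assumptions, not the answer's code.
// Backend: public key registered per app install, plus outstanding single-use nonces.
type Backend struct {
	keys   map[string]ed25519.PublicKey // installID -> key; the private half stays in the Keystore
	nonces map[string]bool
}

func NewBackend() *Backend {
	return &Backend{keys: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Register is the "send over the public key" step done at first launch.
func (b *Backend) Register(installID string, pub ed25519.PublicKey) { b.keys[installID] = pub }

// Challenge issues a fresh nonce; a signature over a server nonce cannot be replayed.
func (b *Backend) Challenge() string {
	buf := make([]byte, 16)
	rand.Read(buf)
	n := hex.EncodeToString(buf)
	b.nonces[n] = true
	return n
}

// message binds the nonce to the OAuth code so a signature for one code cannot be
// reused to exchange another. Ed25519 hashes the message internally.
func message(nonce, code string) []byte { return []byte(nonce + "|" + code) }

// SignExchange is the client side: sign with the Keystore-held private key.
func SignExchange(priv ed25519.PrivateKey, nonce, code string) []byte {
	return ed25519.Sign(priv, message(nonce, code))
}

// VerifyExchange runs on the backend before the code is traded for a token.
func (b *Backend) VerifyExchange(installID, nonce, code string, sig []byte) bool {
	pub, ok := b.keys[installID]
	if !ok || !b.nonces[nonce] {
		return false // unknown install, or nonce unknown / already used
	}
	delete(b.nonces, nonce) // single use: burn it even if the signature is bad
	return ed25519.Verify(pub, message(nonce, code), sig)
}
```

The nonce makes a captured request worthless after one use, and binding the code into the signed message stops a valid signature from being re-pointed at a different authorization code.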