
I want to develop an Android app for my website. One way of doing it is to have an API for the site and let the app use that API. However, I want this API to be used ONLY by my Android app; I don't want any other client to be using this API.

Is there a way to ensure this?

I can think of one way of doing it: put a secret in the app and have the app always pass this secret to the API. But I am not sure how secure this approach would be, because any packet sniffer can easily sniff the parameters and hence the secret. Any other suggestions?

Laurent'
Bajji

6 Answers

I think this is something similar to a question I answered a few days ago. Securing a REST API from Android

Namely, find a way to authenticate all of your requests using a shared secret.

If you sign both the path and params with a secret, then there should be no way for someone to forge requests.

Matthew Rudy
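As an added example (not code from the original post or from any linked answer) of what "sign both the path and params with a secret" looks like in practice, the following Python sketch builds a canonical string from method, path, sorted query parameters, a timestamp and a nonce, signs it with HMAC-SHA256 over an assumed shared secret, and verifies it on the server with a constant-time comparison, a clock-skew window and a nonce cache so that a captured request cannot simply be replayed. The secret value, header names and skew window are all assumptions chosen for the illustration. As the other answers on this page point out, a secret embedded in a shipped app can be recovered by decompiling it, so this scheme stops forgery by anyone who does not hold the key, not by someone who has extracted it.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed shared secret for the example; a real deployment would use a
# randomly generated value that is not hard-coded in a public client.
SECRET = b"example-shared-secret-do-not-ship"


def canonical_string(method, path, params, timestamp, nonce):
    """Build the exact byte string both sides sign.

    Parameters are sorted by name so client and server always serialize
    them identically regardless of the order they were supplied in.
    """
    items = sorted((k, str(v)) for k, v in params.items())
    return "\n".join([method.upper(), path, urlencode(items), str(timestamp), nonce])


def sign_request(secret, method, path, params, timestamp=None, nonce=None):
    """Client side: return the auth headers to attach to an outgoing request."""
    ts = int(time.time()) if timestamp is None else timestamp
    n = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, params, ts, n)
    sig = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": n, "X-Signature": sig}


class Verifier:
    """Server side: recompute the signature and reject tampering or replay."""

    def __init__(self, secret, max_skew=300):
        self.secret = secret
        self.max_skew = max_skew      # seconds of clock drift tolerated
        self.seen_nonces = set()      # in-memory replay cache for the example

    def verify(self, method, path, params, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        # A stale timestamp bounds how long a captured request stays useful.
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        # A nonce seen before means the same request is being replayed.
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(
            self.secret,
            canonical_string(method, path, params, ts, nonce).encode(),
            hashlib.sha256,
        ).hexdigest()
        # compare_digest avoids leaking where the signatures first differ.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    verifier = Verifier(SECRET)
    params = {"page": "2", "q": "shoes"}
    headers = sign_request(SECRET, "GET", "/api/items", params)
    print("genuine request:", verifier.verify("GET", "/api/items", params, headers))
    tampered = dict(params, page="3")
    print("tampered params:", verifier.verify("GET", "/api/items", tampered, headers))
    print("replayed request:", verifier.verify("GET", "/api/items", params, headers))
```

The server rebuilds the canonical string from what it actually received rather than trusting anything the client says about it, which is why changing a single parameter value invalidates the signature; the nonce cache would need to be shared storage (with expiry matching the skew window) once more than one server process handles requests.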

Finally got hold of the answer from the Android developer's blog article.

Bajji

The short answer is no, sorry. If someone really wants to exploit your site/api/device/program/insert anything here and they have the time and resources then they will.

To directly answer your question, putting a key in your app isn't secure, as anyone can decompile the app and try to reconstruct the key from the source files; they don't need to sniff traffic.

slayton
  • I'm interested in this. I don't know enough about Java, but can you really decompile and extract this, after it's been obfuscated and compiled? I'd love to see some blog posts with examples. – Matthew Rudy Oct 07 '11 at 19:55
  • @MatthewRudy It's really easy to decompile Java class files. Obfuscation tools like ProGuard simply rename classes and variables, making the code hard to interpret but not impossible. Also, string literals end up being human readable, so it's usually pretty easy to go through the code looking for what might appear to be an API key. – slayton Oct 07 '11 at 20:14
  • Interesting. I found [this article](http://www.excelsior-usa.com/articles/java-obfuscators.html#examples) with an example. Doesn't look so great. – Matthew Rudy Oct 07 '11 at 20:35
  • I see all we are trying to do is add more and more friction to reverse engineering the app. Probably the best way is the cumbersome way: compile to native code (as described in the link given by @MatthewRudy). – Bajji Oct 08 '11 at 13:37

Correct me if I'm wrong! Packet sniffers can only be used on unencrypted WiFi and in (now) rare network configurations (a router or a switch prevents them).

For serious matters, you should consider secured connections (https).

That said, for standard content, I feel that a passphrase is secure enough. Many popular web apps don't use more than a cookie over http to let you log in, which is exactly what you're proposing.

Laurent'
  • Packet sniffers can intercept any packet on a network, encrypted or not, WiFi or not. Encryption only changes how the data in the packet is stored. You are actually referencing two different types of encryption here. Encrypted WiFi means that the packets between you and the router are encrypted. HTTPS means that the data between you and the website is encrypted. Both are semi-secure and both have been demonstrated as breakable. In the end there is no such thing as a perfect encryption algorithm. – slayton Oct 08 '11 at 16:21

If you could get some kind of signature back from package manager of your own app, you could use obfuscation to hopefully make it much more difficult, and have the signature/hash of signature from package manager be the key for your HMAC-SHA1.

Might have to try this (How to get APK signing signature?).

If you did that, it would make it more difficult to use. Obviously, it could still be decompiled, but if they re-compiled it with debugging etc., it would have the wrong key. They would then have to actually make their own package manager on a rooted device to get the signature.

Chrispix
  • The only issue looks like anyone can get the hash of your signature. So that could be easily broken unless you passed that into some code to further obfuscate it. – Chrispix Apr 22 '12 at 19:46

I struggled with this issue and I actually ended up implementing a version of OAuth for securing my API. It can be difficult if you don't want to launch a browser to do the "login" part of OAuth. I baked the login right into my app and actually implemented the token exchanges under the covers. Too much involved to post the code here, but it works great. Obviously HTTPS is desired for an additional level of security.

Mike Marshall