3

I designed APIs in PHP using the Slim framework. I can access these APIs like this:

http://192.168.1.210/getSchool  

This API is used to get information about schools. I am using these APIs in my Android application. Now I want to secure these APIs, so that no one can access them without authentication, meaning no one can get the list of schools by just entering the above URL in the address bar.

I want the user to first log in using my Android application; then he or she can use my API. No one should be able to access my APIs directly.

Please give me your valuable suggestion.

Thank you in advance.

Jason
Pushpendra Kuntal

2 Answers

1

Once a user is registered with your application, you can generate & assign them an API key in the database (perhaps a hash) which you can return to the phone. Each time the phone sends a request to the API it also sends across their API key which you can validate against their database entry.

This should also all be done over SSL to avoid MITM attacks/viewing of API keys.

There are also other methods available: Looking for suggestions for building a secure REST API within Ruby on Rails (language agnostic).

Prisoner
  • I think you are right, Prisoner, but please can you send me any example or web link so I can implement whatever you suggest in an efficient way. – Pushpendra Kuntal Nov 29 '11 at 11:04
  • Please see my edit on other methods available, and also this link: http://stackoverflow.com/questions/7551/best-practices-for-securing-a-rest-api-web-service which may also provide further assistance. In terms of an actual document which will tell you how to do this - I'm unsure one exists. – Prisoner Nov 29 '11 at 11:08
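The API-key scheme from this answer, written out as an added example (not code from the answer or from the asker's Slim project): the key is issued once after login and only its hash is stored, and every later request is checked against that hash. The `$users` array stands in for the real users table and the `X-Api-Key` header name is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer: issuing an API key after
// login and validating it on each request. $users stands in for the real
// users table; the X-Api-Key header name is an assumption.

// Issue a fresh random key. The raw key goes back to the phone once; the
// server keeps only its SHA-256 hash, so a copied database yields no usable keys.
function issueApiKey(array &$users, string $username): string
{
    $rawKey = bin2hex(random_bytes(32));                // 256 bits of entropy, 64 hex chars
    $users[$username]['api_key_hash'] = hash('sha256', $rawKey);
    return $rawKey;
}

// Map a presented key back to a user, or null if it matches nobody.
// hash_equals() compares in constant time, so response timing does not leak
// how many leading characters of a guess were right.
function authenticateApiKey(array $users, ?string $presentedKey): ?string
{
    if ($presentedKey === null || !preg_match('/^[0-9a-f]{64}$/', $presentedKey)) {
        return null;                                    // missing or malformed: reject before any DB work
    }
    $presentedHash = hash('sha256', $presentedKey);
    foreach ($users as $username => $row) {
        if (isset($row['api_key_hash']) && hash_equals($row['api_key_hash'], $presentedHash)) {
            return $username;
        }
    }
    return null;
}

// Thin gate a route handler (e.g. the one behind /getSchool) calls before doing any work.
function requireApiKey(array $users, array $headers): string
{
    $user = authenticateApiKey($users, $headers['X-Api-Key'] ?? null);
    if ($user === null) {
        http_response_code(401);
        exit('authentication required');
    }
    return $user;
}

// Walk-through with constructed data.
$users = ['alice' => []];
$keyForPhone = issueApiKey($users, 'alice');           // sent to the app right after login, over TLS

// The app later calls /getSchool with the key in a header.
$who = requireApiKey($users, ['X-Api-Key' => $keyForPhone]);
echo "getSchool served for $who\n";

// Typing the bare URL in a browser sends no key, and a guessed key hashes to nothing on file.
if (authenticateApiKey($users, null) === null && authenticateApiKey($users, str_repeat('0', 64)) === null) {
    echo "requests without a valid key are refused\n";
}
```

In a real Slim route the header would come from the request object rather than a hand-built array, and the users table would be queried by `api_key_hash` instead of scanned. Because the key travels in clear text inside each request, the answer's point about SSL is what stops it being read off the wire; the hashed storage only protects against the database itself leaking.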
0

You should create a UID and a secret key for each user when they sign up and store them on the server, and pass these to the user using HTTPS initially. The user will store these two values (make sure the secret key is kept safely).

When the user wants to send an API request, he creates the request URL, then hashes it using the secret key + timestamp, adds the UID, hash and timestamp to the request and sends it to the server.

The server extracts the UID, then gets the secret from the DB and generates the hash of the request (without UID, hash and timestamp) using the secret key + timestamp param.

If the generated hash and the hash param from the URL match, proceed with the request; otherwise ignore it.

Or

Implement OAuth

Josnidhin
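The signing scheme in this answer, carried through on both sides as an added example (not code from the answer or from the asker's project): the client builds a canonical string from the method, path, sorted query and timestamp and signs it with HMAC-SHA256 under the secret; the server looks up the secret by UID, rejects stale timestamps, recomputes the HMAC and compares in constant time. The parameter names `uid`, `ts` and `sig`, the five-minute skew window and the in-memory `$secrets` table are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer: HMAC request signing for a
// PHP API. Parameter names (uid, ts, sig), the 5-minute window and the
// in-memory secrets table are assumptions for illustration.

const AUTH_PARAMS = ['uid', 'ts', 'sig'];
const MAX_CLOCK_SKEW = 300; // seconds either side of server time

// Canonical string: method, path and the sorted query (auth params excluded),
// joined with the timestamp, so the same secret never signs two different
// requests the same way and parameter order cannot change the result.
function canonicalString(string $method, string $path, array $query, int $ts): string
{
    $params = array_diff_key($query, array_flip(AUTH_PARAMS));
    ksort($params, SORT_STRING);
    return strtoupper($method) . "\n" . $path . "\n" . http_build_query($params) . "\n" . $ts;
}

// Client side: the URL the phone would send for a signed call.
function signRequest(string $uid, string $secret, string $method, string $path, array $query): string
{
    $ts  = time();
    $sig = hash_hmac('sha256', canonicalString($method, $path, $query, $ts), $secret);
    $query = array_merge($query, ['uid' => $uid, 'ts' => (string) $ts, 'sig' => $sig]);
    return $path . '?' . http_build_query($query);
}

// Server side: returns the authenticated uid, or null to drop the request.
// $secrets stands in for "SELECT secret FROM users WHERE uid = ?".
function verifyRequest(array $secrets, string $method, string $url, int $now): ?string
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    foreach (AUTH_PARAMS as $p) {
        if (!isset($query[$p]) || !is_string($query[$p])) {
            return null;                                // missing or array-valued auth param
        }
    }
    if (!ctype_digit($query['ts']) || abs($now - (int) $query['ts']) > MAX_CLOCK_SKEW) {
        return null;                                    // stale or future-dated: bounds replay of a captured URL
    }
    $secret = $secrets[$query['uid']] ?? null;
    if ($secret === null) {
        return null;                                    // unknown uid
    }
    $expected = hash_hmac('sha256', canonicalString($method, $parts['path'] ?? '/', $query, (int) $query['ts']), $secret);
    return hash_equals($expected, $query['sig']) ? $query['uid'] : null;
}

// Walk-through with constructed data. The secret is what sign-up handed to the
// app once over HTTPS; the server keeps its own copy.
$secrets = ['u-42' => bin2hex(random_bytes(32))];

$url = signRequest('u-42', $secrets['u-42'], 'GET', '/getSchool', ['city' => 'Indore']);
$now = time();
var_dump(verifyRequest($secrets, 'GET', $url, $now));                   // string(4) "u-42": genuine request
var_dump(verifyRequest($secrets, 'GET', $url . '&city=Bhopal', $now));  // NULL: query altered after signing
var_dump(verifyRequest($secrets, 'GET', $url, $now + 3600));            // NULL: same URL replayed an hour later
var_dump(verifyRequest($secrets, 'GET', '/getSchool', $now));           // NULL: bare URL typed into a browser
```

Two caveats a deployment should plan for. The timestamp window only bounds replay; a captured URL still works for up to five minutes unless the server also remembers recently seen `(uid, ts, sig)` tuples for that window, and the query string is readable in transit unless the API is served over HTTPS as the answer says. Also, this authenticates a user account, not the app: a secret embedded in the APK can be recovered from the device, so per-user secrets issued at sign-up (as the answer describes) are the right unit, and a secret should be revocable server-side.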