My app is having a few post API's. Unfortunately, there is no authorization required for that API.
How can I prevent API from being hacked by methods like HTTPCanary and decompiling of the app.
I have tried these things but still, people are able to get the API.
Base URL is encrypted and stored in gradle.properties file
User won't be able to use the app if HTTPCanary is installed (validation added in onResume of all activities) but not sure if the user uses any other apps like HTTPCanary.
Please help me with a failproof solution for this.
use https for your server and being sure that you using "ssl pinning"
you can find more about it in this blog post
Related
Suppose I'm going to create a sdk of my own service. On my experience, most sdks have two things to auth the app which are api_key & api_secret. As I known, the api_key used for identify the app, and the api_secret used for access control and verify something what you said is true. Without those two things, you can't use anything of the sdk.
For example if I need to integrate a sdk into my android app, first I should go to the sdk's console website to register my app, and it will give me the key and secret. While I'm using the sdk, generally I need to call a init method on Appliation.onCreate() passing the api_key and api_secret.
My question is how does such a sdk leverage those two things? I guess it works as username & password pair for token exchanging with server by using some protocals like OAuth, and then the other quests just passing the token is enough.
So what should I do if I'm going to create my own sdk, I can't find any articles of that on the internet. Do we already have such things open source? The explanination is also important because I still don't kown how they working. I'm very interested in the theory behind that.
Please notice I don't need any solution, I just want to known how's it working.
I also find this and this in stackoverflow but they are totally not the same things what I talked.
How safe is it to use OkHttp3 for your REST API?
For example, if my website has some login/signup process, and my app sends requests with OkHttp3 client. How much can I trust that someone can't take his phone, plug it into Android Studio and look into the logs and find the links for all the requests I'm calling?
There's also the matter of decompiling the app, and easily accessing the base Uri I'm using in my app.
I'm not sure how OkHttp works, so can someone tell me about the security used in the client and how much I can trust it?
If a link is on the internet, then it's public. There is no point trying to hide that fact.
You need to focus on the securing the endpoint(s) the app is talking to for confidentiality, integrity and availability
You need to read up on Web security. Take a look at the OWASP Top 10 and related guides.
Why are you worried about your URL address? Whenever you expose an API on the internet anyone can find your API URL address. There are easier ways than reading logs of your app.
What is your exact worry? What do you need to keep secure? What is important for you?
I have a full application API written in node.js with Express.. Now, the API should be only accessed from my Android application, how can I protect the node app from outside requests?
If I use some kind of a password protection, I'll have to write that password in my android app and since the application is available to everyone, the password can be easily found.. What is the solution to this kind of situations?
Web based security can be a bit tricky sometimes, but if you have an app you could use a token-base approach.
When your application starts, it can request a token from your API, which then must be present in all other requests to your API.
Did a quick search for this kind of thing and came upon this page, which might be worth a look: http://thejackalofjavascript.com/architecting-a-restful-node-js-app/
I want to develop an android app for my website. One way of doing it is to have an API for the site, and let the app use that API. However i want this API to be used ONLY by my android app, I don't want any other client to be using this API.
Is there a way to ensure this?
I can think of one way of doing it: put a secret in the app and let the app pass this secret always to the API. But i am not sure how secure this approach would be because any packet sniffer can easily sniff the parameters and hence the secret. Any other suggestions?
I think this is something similar to a question I answered a few days ago.
Securing a REST API from Android
Namely, find a way to authenticate all of your requests using a shared secret.
If you sign both the path and params with a secret, then there should be no way for someone to forge requests.
Finally got hold of the answer from the android developer's blog article.
The short answer is no, sorry. If someone really wants to exploit your site/api/device/program/insert anything here and they have the time and resources then they will.
To directly answer your question, putting a key in your app isn't secure as anyone can decompile the app and try to reconstruct the key from the source files, they don't need to sniff traffic.
Correct me if I'm wrong! Packet sniffers can only be used with unencrypted WiFi and in (now) rare network configurations (a router or a switch prevent them).
For serious matters, you should consider secured connections (https).
That said, for standard content, I feel that a passphrase is secure enough. Many popular web apps don't use more than a cookie over http to let you log in, which is exactly what you're proposing.
I struggled with this issue and I actually ended up implementing a version of OAuth for securing my API. It can be difficult if you don't to launch a browser to do the "login" part of OAuth. I baked the login right into my my app and actually implemented the token exchanges under the covers. Too much involved to post the code here, but it works great. Obviously HTTPS is desired for an additional level of security.
If you could get some kind of signature back from package manager of your own app, you could use obfuscation to hopefully make it much more difficult, and have the signature/hash of signature from package manager be the key for your HMAC-SHA1.
Might have to try this ( How to get APK signing signature? )
If you did that, it would make it more difficult to use. Obviously, it could still be decompiled, but if they re-compiled it w/ debugging etc, it would have the wrong key. They would then have to actually make their own package manager on a rooted device to get the signature.
I have an application that needs to create a remote account if the user pays for an application using the Android Market.
How might I do this from the application itself in a secure way, ie. I don't want anyone to be able to submit data to a url and create an account, I want this to happen in a verified way. I thought of including an authentication key in the application itself, but that does not stop someone from decompiling the application and taking out the authorisation key.
Is there a way to query the Android Market payments using PHP?
http://code.google.com/p/android-market-api-php/
Don know if this might be of any help.
I found out how to do it. You need to write a custom java class based off the original Licensing System, in particular the the verify() method. You can then run the command using backquotes in php and grab stdout.
If you would like to use PHP rather than execute a Java process you may find this library on Google Code verifying Android Market licensing responses useful.
It just takes a few lines of PHP to verify a license and the formatting of keys and OpenSSL stuff is taken care of for you.