I had created an Android app that requests resources from the server using Rest APIs. Now how can I check on the server side that the request is from the app and its not from the Postman.
For example,
I am using the following endpoint to get data from the server.
https://api.example.com/get-data/{id}
Now, this endpoint is also accessible from a browser. Therefore I want a solution to make the API in-accessible by all other means. ie. It should be only accessible from my android app instead of any browser, Postman or an android app that is not built by me.
In other words, I want my android app to send a special piece of information that helps the server to authenticate the app.
Besides this, I am also concerned about someone to decompile my APK and take out that information to make API requests.
Note By special information I mean a security key or a mechanism to generate that key.
I am looking for something like the "origin" header that is set by the browser by default and no one else can change this header even the developer of the website. Does anything like this exists in android?
You need to implement an API token, that behaves like a password for your API.
A simple way of doing this is using the Bearer Header with the token value to come from the API and every request you send via your app should include this token as a header.
An example is the Slim 3 Token Authentication which does this for Slim 3 Framework APIs. IF you are using laravel API, try https://laravel.com/docs/5.6/passport
Related
I want to implement Rest api with authorization in my Wordpress website. the version of Wordpress is 4.9.5 and REST api version 2.0-beta15. For securing my apis i need to implement OAuth on my site and at first, I implement WordPress REST API – OAuth 1.0a Server from this link and this useful link. But had these issues with plugin:
Rest-calls still works without authorization and every un-authorized user can call my rest-apis.
I want to implement this inside my Android app so I had to handle all steps in the background, but with this plugin, I should show many webView to user and user should fill them and the final token is also shown to the user in webview and this does not sound good for me.
So I looking for another plugin and find JWT Authentication for WP-API. This plugin is easier and handy. I followed the instructions and can get token and add to request header to make a request and if it is the valid response is 200 and if not need to validate. Every thing seems to work fine!
But the same problem:
every single REST API is even working without authorization header and if I do not put header the result is 200 And all request works as before without any Authorization
This is despite documents that say:
Once you get the token, you must store it somewhere in your
application, ex. in a cookie or using localstorage.
From this point, you should pass this token to every API call
So now I see that I cloud not restrict API call to have Authorization header in both plugins, how I can achieve that and what is the best solution?
I finally solve this problem with this plugin:
Disable REST API and Require JWT / OAuth Authentication
As its name says it will do exactly what i want. It works on both plugin i used
JWT Authentication for WP REST API
WP OAuth Server
And restricts all api calls that not authorized and works fine.
So i my best practice is JWT for Oauth + Disable REST API and Require JWT / OAuth Authentication and they are very good combination to implement OAuth in android application for word-press.
I am using Django and we are planning on opening some of our API for 3rd party usage.
Till now we have been using DRF along with session authentication for our Django Web App and DRF with JWT for our Android application.
What I would like to know is whether the call is from our own app (webapp/android app) or from 3rd party apps (they can call from their own applications, which can be other webapps/phone apps). Is there any way this can be distinguished? We want to count the no.of 3rd party API call to our server.
Your android app can add header User-Agent with app version. So you may distinguish requests. However it is not very reliable - as any web client can send such headers. Here you can sign your requests. Take URL add some secret value calculate md5/sha2 from this values and add to request.
Protection is based on idea only you know secret value. It is ok for non-critical tasks but may be risky for financial apps.
I'm developing a small REST API that will be used by browsers and Android / iOS / Windows Phone applications. I'm using JWT for authentication. Since in the API every url must receive the token, I'm stuck thinking about how to send the token to the API so that it's compatible also with mobile apps.
I can only think of two options:
First: Cookies, but I do not know if android / iOS / Windows Phone applications can use cookies just like browsers do. Can they?
Second: Using POST to send the token on every request. I know it would work, but I find it unprofessional and I'm sure there is some other way to make it easier.
Would cookies work? Does anyone have any idea how to do it right?
Thank you
Android and iOs applications do not use cookies. You need to store the JWT in local storage and include it in each POST request. The recommended way is using the Authorization header, but it is not mandatory
To store the token locally you can use perfectly cookies for the web application and Preferences for Android and iOS
jwt it your best choice
the main idea is to generate token using your credential that have 3 part the first and second part contains user info and the third part is generated by the first 2 part and the server key
you can see this example building by laravel and angularjs with full description
example here
update:
the best is to send it in request header Authorization : Bearer cn389ncoiwuencr[jwt token] it will work in both web and mobil
I have a server developed in laravel. I have an android application that can send POST and GET request to my server. I found that i can send POST and GET request from any other systems if have the link to my api. I want to authenticate my API and only allow my android application to POST and GET from my API. Please note that i dont have user login in my android part. I simply want to authenticate my android app to access those APIs.
If you want only your mobile application to make API calls, you can't. Your API doesn't know who is sending the information, he can only check if the information is correct and proceed with your endpoint. Like others have said use JWT/Authentication to limit who can use your API by creating an account or requesting a token, but there's nothing to prevent the user from taking his token and use it on his browser or tool of his choice like Postman.
I'm working with mobile apps and RESTful APIs and I have some doubts about security when registering a new user. I'm developing an android client that will communicate with a backend through REST requests.
It is very clear to me about the usage and implementation of the OAuth Authorization Server and how the communication is made between the android client (frontend) and the resource server or the authorization server (backend).
Most of the documentations mention that the client_id and client_secret must be stored in the server instead of the mobile app to avoid that such data to be figured out in an eventual decompilation proccess.
If I wish to perform an activity to create a new user, directly in the app (as it is the case in apps like snapchat, pinterest and so on), how could I perform the communication of the client with the REST API without the client_id and client_secret (or any kind of credentials) in the app?
The first and easiest solution would be to redirect the user to a signup webpage, but how could it be made in the APP?
https://stackoverflow.com/a/14572051/5055317
Simple answer: no data on the .apk is safe.
There are many ways to hide your API keys inside the apk. For example, using obfuscators like ProGuard/DexGuard, using Base64 encoding or hiding these Strings with JNI. But at the end they just create some delay to obtain the keys.
The only way to keep this information safe is if it is stored in a server, and your app gets it when needed.
Here is an article by Michael Ramirez review about hide techniques: https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/
And here a discussion about this topic with some google employees: https://groups.google.com/forum/#!topic/google-places-api/SmujrL-pDpU