How to store APP Keys in Mobile APP

Hi,

I have an Mobile app which need to integration with one of the system (REST based) . We are bringing Apigee as Gateway with the external system and Mobile APP, the Mobile APP team needs the API keys to be static all the time since they are hard-coding the keys in the APP and if there is a change they would need to upgrade the APP and in turn all the users should update it to use it.

What would be the effective way to handle this scenario ?

Thanks.

1 3 194
3 REPLIES 3

There's no problem. In fact, you might consider provisioning a new key (credential) into each new version of the app that you publish.

Apigee Edge allows you to provision multiple keys (Credentials) for each App. Let's say your app is "FantasticApp" and the first version is v1.0. You can provision a key for that in Apigee Edge, and embed the key into the app. Distribute the app (via the app store, etc). When users employ the app, the REST calls carry the keys (Credentials) into the Apigee Edge gateway. Apigee Edge verifies those credentials before allowing the calls. Apigee Edge rejects calls if the key is not valid, or is expired, etc.

Apigee Edge also collects statistics on the traffic, including the volume of calls from each particular key or credential.

Now suppose you update to version 1.1. You can provision a new key on the same app in Apigee Edge, and embed that new key into the new version of the app. Now your Apigee Edge statistics will reflect which versions of the app are in widespread use, which are trending upward or downward. You can also correlate error rates to versions of apps.

If a key happens to get compromised, you can de-activate one key. The rest of the keys for the app in Apigee Edge will continue to function.

The credentials I have been discussing identify the app to Apigee Edge. But re-reading your question, maybe you are talking about storing credentials for the external system.

If you have some other system, some external system with a REST API and you would like to use a single set of credentials for that backend API, you can use Apigee as the smart proxy to handle that scenario.

Store the credentials for the backend app into the Apigee Edge encrypted KVM (Key Value Map) . When a call arrives from the mobile app, Apigee Edge verifies the credentials for the mobile app. If that passes, Apigee Edge can extract the keys from the KVM, then assemble the message to send to the external system with the appropriate credentials for that system.

Thanks @Dino-at-Google for response.

Completely understood of the explanation. But my query was to "Maintain the same keys for this APP " till it dies. I know it might sound crazy .

But requirement is if the environment crashes or any disaster the Keys shouldn't be altered.

If it goes with APP upgrade this might be ideal one as there will be changes from the APP .

Thanks!.

I don't know what you mean by "if the environment crashes". Apigee Edge has been running as a service for 6 years and has never "crashed".

If you do want to migrate keys from an external system into Edge, you can import credentials into Apigee Edge. There's an administrative API for that. In the normal circumstance, you wouldn't need to do that.

Typically those APIs are used for migrating existing apps that already have keys embedded in them, to Apigee Edge, from some other system. The app is sending REST requests to myapi.example.com. To switch over to Apigee Edge, first import the existing credentials that were issued a long time ago by a different system, into Edge. Then switch over the DNS so that myapi.example.com now points to the Apigee Edge service. With inbound requests, Apigee Edge will now trust the existing credentials; there's no need to re-build or re-distribute new versions of the App.