If I'm offering an API service call out to developers and wish to offer for example 500 calls a month for £10, is there a safe way a developer can register and then use their calls from a mobile app they have developed? I'm assuming not because:
Not sure if I'm missing something here but I presume the only safe way is for the developer of the app to have their own secure application server which their app talks to, and to make the calls to my API from that. How they secured the connection from their mobile app to their app server would be down to them.
You are correct: the main challenge is one of securing the authentication process and managing trust relationships, either directly between the mobile app and your API or via a two-step indirect route.
Implementing a secure connection typically requires a combination of:
By taking measures to secure the authentication process, making sure some parts of the authentication process are not stored on the mobile device, and wrapping it all with encryption, you protect the credential data used to generate the token as well as the generated token, and you minimise or remove the risk of a malicious third party intercepting and helping themselves to the calls.
Take a look at the following references for deeper reading:
eBook: Is Your API Naked?
eBook: Securing the Digital Enterprise
eBook: OAuth - The BIG Picture
Apigee Docs on OAuth
Apigee Docs on API Key Validation
Thanks for the response and the helpful links to the books. I couldn't really find anything specific relating to protecting an API key used for monetisation but I guess the bottom line is (as you've indicated), don't store any API user credentials on the phone.
Dave,
The question you ask is relevant to many use cases - monetization being a very clear example.
As stated, it is critically important to protect API keys, use multi-factor authentication (user and secret), short-lived tokens AND have a robust means of monitoring access and resetting keys/secrets when needed.
Ensuring TLS for all transport, not storing secrets on the client, and using reasonably short token TTL values all reduce your exposure.
Hope this helps,
David
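The two-step "indirect route" from the accepted answer and the short-TTL / reset-when-needed advice from David's reply, put together as an added, runnable illustration (this is not code from the original thread, from Apigee, or from the posters). The mobile app never receives the monetised API key: it logs in to the developer's own backend, gets a short-lived HMAC-signed token, and the backend adds the key and forwards the call. The class and function names (`DeveloperBackend`, `FakeUpstream`, `demo`), the user store, the secret values and the in-process "upstream" that counts calls against a 500-call quota are all constructed for the example so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed value; in practice this lives only in the developer's server config.
UPSTREAM_API_KEY = "constructed-api-key-not-a-real-credential"


class FakeUpstream:
    """Stand-in for the metered API: validates the key and counts calls against the quota."""

    def __init__(self, monthly_quota=500):
        self.monthly_quota = monthly_quota
        self.calls_made = 0

    def handle(self, headers):
        if not hmac.compare_digest(headers.get("x-api-key", ""), UPSTREAM_API_KEY):
            return 401, {"error": "invalid api key"}
        if self.calls_made >= self.monthly_quota:
            return 429, {"error": "monthly quota exhausted"}
        self.calls_made += 1
        return 200, {"result": "ok", "calls_used": self.calls_made}


class DeveloperBackend:
    """The app developer's own server: holds the API key and a token-signing secret."""

    def __init__(self, upstream, token_ttl_seconds=300):
        self.upstream = upstream
        self.token_ttl = token_ttl_seconds
        self.signing_secret = secrets.token_bytes(32)
        # Constructed user store. sha256 keeps the example dependency-free;
        # a real backend would use argon2/bcrypt/scrypt for password hashing.
        self._users = {"dave": self._hash_pw("correct horse battery staple")}

    @staticmethod
    def _hash_pw(pw):
        return hashlib.sha256(b"constructed-salt" + pw.encode()).hexdigest()

    def _sign(self, payload_b64):
        return hmac.new(self.signing_secret, payload_b64, hashlib.sha256).digest()

    def login(self, username, password, now=None):
        """Step 1: authenticate the user and issue a short-lived token (no API key inside)."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, self._hash_pw(password)):
            return None
        now = time.time() if now is None else now
        payload = {"sub": username, "exp": int(now) + self.token_ttl, "jti": secrets.token_hex(8)}
        payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode())
        sig_b64 = base64.urlsafe_b64encode(self._sign(payload_b64))
        return (payload_b64 + b"." + sig_b64).decode()

    def verify_token(self, token, now=None):
        """Return the subject if the token is authentic and unexpired, otherwise None."""
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.encode().split(b".", 1)
            if not hmac.compare_digest(base64.urlsafe_b64decode(sig_b64), self._sign(payload_b64)):
                return None  # signature mismatch: tampered payload or rotated secret
            payload = json.loads(base64.urlsafe_b64decode(payload_b64))
        except (ValueError, UnicodeDecodeError):
            return None
        if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
            return None  # expired (short TTL limits the window for a stolen token)
        return payload.get("sub")

    def call_api(self, token, now=None):
        """Step 2: check the app's token, then forward upstream with the server-held key."""
        if self.verify_token(token, now) is None:
            return 401, {"error": "invalid or expired token"}
        return self.upstream.handle({"x-api-key": UPSTREAM_API_KEY})

    def rotate_signing_secret(self):
        """Reset path: every outstanding token stops working immediately."""
        self.signing_secret = secrets.token_bytes(32)


def demo():
    """Exercise the happy path and the failure modes; returns status codes for inspection."""
    upstream = FakeUpstream(monthly_quota=500)
    backend = DeveloperBackend(upstream, token_ttl_seconds=300)
    t0 = 1_700_000_000  # fixed clock so expiry is deterministic
    token = backend.login("dave", "correct horse battery staple", now=t0)
    results = {"fresh": backend.call_api(token, now=t0 + 10)[0],
               "expired": backend.call_api(token, now=t0 + 301)[0],
               "bad_login": backend.login("dave", "wrong password", now=t0)}
    # Attacker keeps the real signature but swaps in a payload with a far-off expiry.
    forged_payload = base64.urlsafe_b64encode(
        json.dumps({"sub": "dave", "exp": t0 + 10**6, "jti": "x"}).encode()).decode()
    results["forged"] = backend.call_api(forged_payload + "." + token.split(".")[1], now=t0 + 10)[0]
    backend.rotate_signing_secret()
    results["after_rotation"] = backend.call_api(token, now=t0 + 10)[0]
    results["calls_used"] = upstream.calls_made  # only the one genuine call was metered
    return results


if __name__ == "__main__":
    print(demo())
```

Only the `fresh` call reaches the upstream and consumes quota; the expired, forged and post-rotation attempts are rejected by the backend before the API key is ever used, which is the point of keeping the key and the signing secret off the handset.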