The iPhone app that I am working on requires GET calls to a 3rd party site's API. The 3rd party site does not offer SSL and requires the API key be in the GET request's querystring. What is the best way to secure this? I know I can have the iPhone app talk to my server and then have my server send the request, but I would like to avoid that if possible. The other question is whether this is even a big deal. What can they do with the API key anyway if it is only pulling data?
I asked a similar question the other day with regards to the Google Maps API key.
My thought was whether it was worth worrying about someone using my call allowance.
The consensus was that the API is designed to be used in this way, and there's not a lot you can do about it.
If your API requires your domain name as the referrer header with the API key (Google Maps does), that offers some degree of deterrent I guess.
The 3rd party site does not offer SSL and requires the API key be in the GET request's querystring.
There is no way to secure that. The GET request must go out over the Internet, where it can be seen and - since you are not using SSL - the API key extracted.
You need to work out what the API key is for. If the API key is intended to identify your application, then this behaviour is fine and you need not be concerned. If it is intended to identify you or your computer, then this is not a sane state of affairs; you need to contact the third party site and work out an arrangement whereby you can either generate keys for your users or avoid the requirement.
Indeed, it's not possible to secure it, simply because someone can install a packet listener in-between the device and your web service endpoint, and just look at the bytes flowing. If your communication channel is not encrypted, you're toast.
A way around that is to create your OWN proxy server; that server will communicate with the end-point service using your API key. The device will then talk to your server (you can even secure the channel between the device and your own box if you want to - it's your server, everything is up to you).
One suggestion would be to create a proxy service that sits in the middle. So in effect your app is calling your server, which in turn calls the API and returns a result that is relayed back from your server to the client. This provides you with protection of your API key in addition to a way to account for usage and/or change providers transparently in the future.
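The proxy suggested in the last two answers, written out as an added example (it is not code from the question or from any answerer). It assumes a hypothetical upstream endpoint `http://api.example.invalid/v1/data` that takes an `api_key` query parameter, and a key read from the environment variable `THIRD_PARTY_API_KEY`; both are placeholders, since the page never names the third-party API. The key never reaches the device: the app calls this server's `/data` route (over HTTPS, terminated by whatever you put in front of it), and only the parameters on an allowlist are forwarded, so the client cannot push its own `api_key` or arbitrary arguments through to the upstream service. The proxy-to-upstream leg is still plain HTTP because the third party offers no SSL, which is exactly the limitation the earlier answers describe; what the proxy changes is that the key is no longer shipped inside the app binary or exposed on the user's network, and usage can be logged and capped in one place.

```python
import os
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical upstream endpoint; the real third-party URL is not given on the page.
UPSTREAM_BASE = "http://api.example.invalid/v1/data"
# The key exists only on the proxy host. The default is an obvious placeholder.
API_KEY = os.environ.get("THIRD_PARTY_API_KEY", "placeholder-key-not-real")
# Only parameters the app legitimately needs are forwarded upstream.
ALLOWED_PARAMS = {"q", "limit"}
MAX_LIMIT = 50


def build_upstream_url(client_query: str) -> str:
    """Turn the query string sent by the app into the URL the proxy will call.

    Parameters outside the allowlist are dropped (so a client-supplied 'api_key'
    or anything else never reaches the third party), 'limit' is clamped, and the
    server-held key is appended last.
    """
    params = urllib.parse.parse_qs(client_query, keep_blank_values=False)
    forwarded = {}
    for name in sorted(ALLOWED_PARAMS):  # sorted for a deterministic URL
        if name in params:
            forwarded[name] = params[name][0]
    if "limit" in forwarded:
        try:
            forwarded["limit"] = str(min(int(forwarded["limit"]), MAX_LIMIT))
        except ValueError:
            del forwarded["limit"]  # non-numeric limit: let upstream use its default
    forwarded["api_key"] = API_KEY
    return UPSTREAM_BASE + "?" + urllib.parse.urlencode(forwarded)


def redact(url: str) -> str:
    """Copy of an upstream URL that is safe to write to the proxy's log."""
    parts = urllib.parse.urlsplit(url)
    query = [(k, "REDACTED" if k == "api_key" else v)
             for k, v in urllib.parse.parse_qsl(parts.query)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


class ProxyHandler(BaseHTTPRequestHandler):
    """Relays GET /data?... from the app to the upstream API and returns the body."""

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path != "/data":
            self.send_error(404)
            return
        upstream = build_upstream_url(parsed.query)
        self.log_message("forwarding %s", redact(upstream))  # key never hits the log
        try:
            with urllib.request.urlopen(upstream, timeout=10) as resp:
                body = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type",
                                 resp.headers.get("Content-Type", "application/octet-stream"))
                self.end_headers()
                self.wfile.write(body)
        except urllib.error.URLError as exc:
            # Upstream down or unreachable: report it without leaking the URL.
            self.send_error(502, "upstream request failed: %s" % exc.reason)


if __name__ == "__main__":
    # Bind to loopback; put a TLS-terminating reverse proxy in front for the app.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

Run it with `THIRD_PARTY_API_KEY` set and point the app at `https://your-host/data?q=...`. The allowlist is the part worth keeping even if you swap the HTTP server for a framework: a proxy that forwards whatever query string it receives is just a key-holding open relay, and the usage-accounting and provider-swap benefits the last answer mentions come from the proxy owning the request shape.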