tags:

views:

29

answers:

1
+2  Q: 

Preventing mobile API client identity theft

We're developing a REST API to be consumed by a couple of mobile applications. It's important that we're able to trust the identities of these mobile applications. In our current design, each API call is authenticated with an "API Key" parameter and secured with HTTPS.

My concern is that the API Key is embedded within each copy of the mobile app, which means there's no way we can keep it secret. It will be on thousands of phones, and theoretically any hacker with a binary editor or HTTP Traffic analyzer could extract the API key and then 'pose as' one of the applications, sending us requests that we'd have no choice but to trust. Client certificates would appear to have the same risk.

Is there an architecture that solves this problem?

+2  A: 

It is being discussed from time to time in different places including StackOverflow. In brief - whatever you put to user's possession is not yours anymore. You can obfuscate the private key, of course, yet I see at least three ways to bypass your security measures.

The only way to solve a problem could be to employ cryptographic device (smartcard or USB cryptotoken) which keeps private and secret keys and doesn't let them out, however with handhelds use of such devices is quite complicated (if not impossible) from both technical and usability points of view.

Also you might want to reconsider your approach and let any client software use the service given that they pay for it. And your server will authenticate users and not software. Then the topic of keeping login data secret will be users' task.

Eugene Mayevski 'EldoS Corp  2010-10-14 19:33:37
note too that you can add the IMEI (android) or UUID (iphone) to help in identification. make sure this matches with the customer (send a confirmation email?)
KevinDTimm  2010-10-14 19:51:53
Good points. Charging per API call would certainly help incentivize better private key security, but our business relies on the API being free and the apps easy to use. Its a given that our server will authenticate users - what we don't want is a fraudaulent app out there trying to steal users' passwords or brute-force credit card details through our API.
realworldcoder  2010-10-14 20:16:28
@RealWorldCoder trying to authorize your apps is probably not the best way to prevent misuse of the API, especially if such misuse can constitute theft of credit card details. I'd better make the API more robust to prevent such possibilities.
Eugene Mayevski 'EldoS Corp  2010-10-14 20:33:34
@Eugene - there is already rate-limiting by IP for CC authorizations. Perhaps ways of improving the API require a separate question.
realworldcoder  2010-10-14 20:47:32

related questions

What is the best architecture to bridge to XMPP?
How to expose a collection property?
How do you build a ratings implementation?
Alternative "architectural" approaches to javaScript client code?
Split data access class into reader and writer or combine them?
Guide to choosing between REST vs SOAP services?
Best architecture for handling file system changes?
Globalization architecture
How Did You Decide Between WISA and LAMP?
Best Blogs for Software Architecture
Experience documentation about Shared Nothing Architecture
Agile architectures
VS.NET Application Diagrams
Documenting program architecture
Books for software architect
How do you do system integration?
Design debate: what are good ways to store and manipulate versioned objects?
Passing more parameters in C function pointers
Send messages to program through command line
Interfaces on different logic layers
How to structure a java application, in other words: where do I put my classes?
Are there any negative reasons to use an N-Tier solution?
Linux - files and scripts that execute on boot
Good STL-like library for C.
Best way to allow plugins for a PHP application