Secure Rest Api for Mobile App Without User Login Updated FREE
Secure Rest Api for Mobile App Without User Login
Information technology's pretty common for mobile apps to admission backend API services to fetch information. It'due south also pretty common for APIs to require secret keys in order to access them. So how do yous securely include API keys in a mobile app? Well, the curt answer is y'all don't. The long answer is the residual of this web log post.
Let'due south accept a look at two ways it's possible to hack secret API keys out of mobile apps.
Keys can be extracted from native and mobile apps
It'south fairly straightforward to excerpt API keys from a JavaScript app. As soon as you lot load the web page hosting the JavaScript app, your browser downloads the entire source code so information technology can run it. All yous have to do is click "view source" and beginning poking around, and the whole source code, including any API keys inside, will be visible. JavaScript code is often compressed or minified, so it may not be easy to really sympathise the source code, merely ultimately any strings defined in the app will be visible to anyone looking.
Information technology's less obvious that the same matter is truthful for native and mobile apps. These apps are too downloaded entirely to the device before they are run, merely in this case you're downloading a binary file instead of uncompiled source lawmaking.
Simply for fun, let's demonstrate this speedily. If you're on a Mac, and you take 1Password installed, run this control. (You lot can run this on any binary file on your Mac, but the 1Password app happens to have some very readable data within it.)
strings /Applications/1Password\ 7.app/Contents/MacOS/1Password\ vii | grep 1Password The strings command volition display whatsoever embedded strings in the binary file, and then nosotros use grep to find whatever strings matching 1Password, and the result is a bunch of text that is displayed in the application!
... Restarting 1Password... 1Password failed to connect to 1Password Please quit 1Password and start information technology once more. Add Account to 1Password An update to Safari is required in club to utilise the 1Password extension. Welcome to 1Password! ... If there were any API keys embedded in the awarding, they would also accept been displayed by the strings command.
Let's demonstrate this by writing a simple program from scratch. Nosotros'll write a C program that outputs "hello world". Outset, create a file called how-do-you-do.c with the following contents:
#include <stdio.h> char how-do-you-do [] = "hello" ; char earth [] = "globe" ; int primary () { printf ( "%southward %s" , howdy , earth ); return 0 ; } In this lawmaking, we're declaring a string named example with the value "hello earth", and and then printing it when the program is run. You tin compile this with any C compiler such as gcc:
The outcome volition be a binary file called a.out which you can then run:
Let'southward see what strings thinks of the file:
$ strings a.out %due south %s hello globe Wait at that! Information technology plant our text no trouble.
Now you might be thinking, "what if I obfuscate the API primal by splitting it into a few parts and combining it in lawmaking?" That might buy you a bit of time, merely someone who'due south actually adamant volition probably nonetheless figure it out.
Even Twitter couldn't stop this from happening! In 2013, the API keys for the official Twitter apps were leaked this way, allowing attackers to impersonate the legitimate Twitter apps.
The point is, once you've shipped something downward to a user that contains a string that needs to be used past the app, it's always possible for someone to extract it. The only real style around this is to use a "hardware security module" where the surreptitious is stored in a microprocessor that has no ability for annihilation to programmatically extract information technology, where that microprocessor can cryptographically sign data instead of sending the secret itself.
At the terminate of the mean solar day, if you've shipped code to the user, in either uncompiled or binary form, it volition exist possible for them to run across what's inside.
HTTPS requests tin be intercepted from mobile apps
Even if yous think you've got the almost clever obfuscation technique and are sure that nobody could ever excerpt the secret from your app's binary file, in that location'southward another way someone can observe out the cloak-and-dagger.
Unlike an awarding running on a server in a datacenter, mobile apps run in the device in the user'south mitt, on a wide diverseness of networks. The user might install the app while on their home network, then open it over again from a coffee store, and then they may open up it from a hotel before they've authenticated to the captive portal. None of these networks can be trusted, and there are a lot of opportunities for things to become wrong, or for attackers to try to intercept data!
You're probably thinking "but HTTPS will protect the data in transit!" And that's totally correct, under normal circumstances. As long as the app is properly validating the HTTPS document when it makes the request, it's virtually impossible for an aggressor between the phone and the server to run into the traffic.
Simply, that's non the threat we're worried well-nigh hither. If someone wanted to, they tin can intentionally intercept their own HTTPS connexion right as information technology leaves their telephone, by providing their own HTTPS document for the URL of your API. In that location are plenty of tutorials online for how to do exactly this! It'south actually a neat technique you tin can use to test your own applications as you're developing them, and is a common way people take contrary engineered otherwise individual APIs like Instagram.
If y'all're interested in trying this out, bank check out tools like Charles Proxy or the free mitmproxy. Information technology takes a few steps to set these up, and then we'll get out that as an exercise for the reader.
One time you've got your own certificate potency installed on your phone, your new faux certificate authority can issue an HTTPS document for any domain, and as far equally your phone is concerned, everything looks normal. It'southward just that your telephone is actually making an HTTPS asking to software running on your laptop, and your laptop starts a new HTTPS request to the existent API. This manner your laptop tin can see everything that the phone is sending to the API.
Of course this is not something that an aggressor is going to realistically practise to intercept a random user'due south data in transit, but if someone wanted to find out the secret used by an app, they could do this to their ain phone and hands see all the information the app sends over the wire. This means that despite your all-time efforts of hiding your app secret in the source lawmaking, it's even so going to exist sent over the wire where it can be intercepted.
How does this relate to OAuth?
Alright, so nosotros've seen two means that API keys and secrets can be extracted from a mobile app. But how does this relate to OAuth?
Well, traditionally, OAuth two.0 apps are issued a client_id and client_secret when the programmer registers an app. This works fine when the app is running on a web server equally the users of the app never accept access to the source code and therefore don't take the opportunity to see the secret. However, this obviously causes problems when we try to apply OAuth 2.0 from a JavaScript or native app, since equally we've seen, they don't have the ability to keep secrets.
In OAuth 1, a surreptitious was required in lodge to brand every API request, which is one of its major shortcomings, and largely why information technology was replaced with OAuth 2.0. OAuth i was developed earlier mobile apps were every bit prevalent as they are today, so it wasn't developed with these constraints in mind.
That changed with OAuth ii.0, especially once the PKCE (proof central code substitution) extension was introduced. I like to think of PKCE as an "on the fly" customer secret. Instead of shipping a client_secret in a mobile app, the way PKCE works is the app creates a new random secret every time it starts the OAuth catamenia. This way there are no secrets shipped ahead of time, and there is nothing useful for an attacker to steal. You can read more details nearly how PKCE works in our blog mail "OAuth 2.0 for Native and Mobile Apps" or on oauth.com.
OAuth still sends admission tokens over the wire where they may exist visible to y'all if you lot're using something similar mitmproxy, but the difference is that this token is issued on the fly and is specific to the user who is using it! This way, there are no secrets shipped in the source code, and if someone wants to intercept the traffic from their own device, all they volition see is an access token that was issued just to them! They won't get admission to anything their app tin can't already access.
How to protect secrets in mobile apps
Hopefully you now have an understanding of why it's not safe to ship API keys or other secrets in mobile apps. Then what practise y'all do instead?
OAuth solves this problem by not shipping whatsoever secrets in mobile apps, and instead involving the user in the procedure of getting an access token into the app. These access tokens are unique per user and every time they log in. The PKCE extension provides a solution for securely doing the OAuth menstruum on a mobile app even when there is no pre-provisioned undercover.
If you need to access an API from a mobile app, hopefully it supports OAuth and PKCE! Thankfully most of the hard work of PKCE is handled by SDKs like AppAuth then you lot don't have to write all that lawmaking yourself. If you're working with an API like Okta, so Okta's own SDKs practice PKCE automatically so you don't have to worry about it at all.
Acquire more about OAuth and API security
If you'd like to dig deeper into these topics, hither are a few resource:
- PKCE on oauth.com
- OAuth 2.0 for Native and Mobile Apps
- What is the OAuth 2.0 Authority Code Grant Type?
If you liked this post, you should follow us on Twitter! Nosotros besides take a YouTube channel where we publish screencasts and other videos.
PS: Nosotros've also recently built a new security site where nosotros're publishing all sorts of in-depth security articles. If that sounds interesting to you, please check it out!
Aaron Parecki is a Senior Security Architect at Okta. He is the writer of OAuth ii.0 Simplified, and maintains oauth.cyberspace. He regularly writes and gives talks about OAuth and online security. He is an editor of several internet specs, and is the co-founder of IndieWebCamp, a briefing focusing on data buying and online identity. Aaron has spoken at conferences around the world virtually OAuth, data ownership, quantified self, and home automation, and his work has been featured in Wired, Fast Company and more than.
Secure Rest Api for Mobile App Without User Login
DOWNLOAD HERE
Source: https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps
Posted by: priestleytwold1995.blogspot.com
0 Response to "Secure Rest Api for Mobile App Without User Login Updated FREE"
Post a Comment