Suppose you have an app that uses a proprietary authentication system based on HTTP headers and further suppose that the authentication info is hard-coded into the app (I don't know how you would do it otherwise). It hits a web service via SSL.

I do not think that it would be possible to sniff out the headers (correct me if I am wrong) but would it be practically possible for a motivated user to decompile the app and get the API key somehow? How does this vary between iOS (Obj-C) and Android/Blackberry (Java)?

tacos_tacos_tacos
  • Unless you're verifying the cert in your code, sniffing the traffic on their own session is as easy as having control over any web server with a legitimate SSL certificate and some simple redirection. [Hopper](http://hopperapp.com/) for iOS, quite a few Android decompilers. If the data isn't tied to an individual account, why do you care if the API becomes public? If it is tied to an individual account, then you should be using account based authentication. Maybe if you explained your specs, we could discuss alternatives. – Marcus Adams Oct 11 '13 at 16:06
  • @MarcusAdams I've had this sort of philosophical discussion with others and I can see both arguments. I guess the idea is that they want to control what sort of client can access the service. They don't want the service to be easily consumable by a leech, etc. But it sounds like what I want really is not possible – tacos_tacos_tacos Oct 11 '13 at 19:37
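
The "verifying the cert in your code" check the first comment refers to, written out as an added example (not code from the original post): the client pins the SHA-256 fingerprint of the API server's certificate and refuses the session when the presented certificate does not match, so a redirect to another host with a valid-but-different certificate fails. The host name and the pin set are constructed placeholders.

```python
"""Certificate pinning for a client that only ever talks to one API host."""
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder pin set: hex SHA-256 of the DER-encoded leaf
# certificate(s) the app expects. Pinning both the current and the next
# certificate lets the server rotate without locking clients out.
PINNED_FINGERPRINTS = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # current (placeholder)
    "1111111111111111111111111111111111111111111111111111111111111111",  # next (placeholder)
}


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the raw DER certificate bytes from the handshake."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the presented certificate matches any pinned fingerprint.

    Uses a constant-time comparison per pin; an empty pin set never matches.
    """
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes normal CA validation *and* the pin.

    Pinning is a second check on top of chain and hostname validation, not a
    replacement for it. On a pin mismatch the socket is closed and an error is
    raised before any request (and any hard-coded header) is sent.
    """
    ctx = ssl.create_default_context()  # CA chain + hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


if __name__ == "__main__":
    # Offline demonstration on constructed certificate bytes.
    fake_der = b"constructed-DER-bytes-standing-in-for-a-certificate"
    good_pins = {cert_fingerprint(fake_der)}
    print("matching pin accepted:", pin_matches(fake_der, good_pins))
    print("foreign cert rejected:", pin_matches(b"some-other-cert", good_pins))
```

Ship the pin set inside the app and update it with the app when the server certificate is reissued; the pin limits which server the app will talk to, it does not make a key embedded in the same binary secret.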
