1

I have a REST API created with an ASP.NET web service, and I have Android and iOS applications which call the API and show some data to the user.

What I need is to secure my API in a way that only my application can access the data through the API and other requests are rejected.

I should mention that my application is not user-based, so there is no login and authentication, and I don't want to force users to log in!!!

According to my search, I need query authentication (query parameters) to achieve this.

What I need is how to create this kind of query parameter and how to validate it? (Performance is very important for me.)

Thanks in advance

Mohamad MohamadPoor

2 Answers

0

You can use basic authentication or any token-based authentication mechanism. So on every request to your API, get the authentication headers (authentication tokens in the HTTP request header) and verify whether the client is allowed to invoke it. If it fails, then respond with the necessary HTTP status code. You just need to ensure that the applications that you want to allow to call your API are using those security tokens in their request headers. And you can keep those credentials or security tokens in memory, a file or a DB as you like.

Manmay
  • And how do you protect the credentials if they're sitting on the client? – Eric Stein Jul 27 '15 at 13:16
  • I guess the consumers of your API are mobile applications. So in your Android app or iOS app the credentials need to be used to make calls to your service API. So the credentials are not exposed to the user of the app, but rather configured inside the app. – Manmay Jul 28 '15 at 07:27
  • Any credentials inside the app on the client are vulnerable to an attacker. A user may not be able to see them, but a dedicated attacker will. – Eric Stein Jul 28 '15 at 12:27
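An added example, not Manmay's own code, of what that per-request check can look like in ASP.NET Web API 2: an authorization filter that reads a shared application token from a request header and compares it against the server's copy in constant time, keeping the hot path to an in-memory comparison. The attribute name, the header name and the environment variable are assumptions. As the comments above note, a token compiled into the app can be extracted by a determined attacker, so this only stops casual or accidental callers.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter: [AppTokenAuthorize] on a controller or action rejects any
// request that does not carry the shared application token in a request header.
public sealed class AppTokenAuthorizeAttribute : AuthorizationFilterAttribute
{
    // Assumed header name; the mobile app sends it on every call.
    private const string HeaderName = "X-App-Token";

    // Assumed: the token is read once from an environment variable at startup,
    // so the per-request check is a memory comparison with no file or DB access.
    private static readonly byte[] ExpectedToken =
        Encoding.UTF8.GetBytes(Environment.GetEnvironmentVariable("APP_API_TOKEN") ?? "");

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string presented = null;
        if (actionContext.Request.Headers.TryGetValues(HeaderName, out var values))
            presented = values.FirstOrDefault();

        // Fail closed: no configured token, no header, or a mismatch all reject.
        if (ExpectedToken.Length == 0 || presented == null
            || !FixedTimeEquals(Encoding.UTF8.GetBytes(presented), ExpectedToken))
        {
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Unauthorized, "missing or invalid application token");
        }
    }

    // Compares every byte regardless of where the first difference is, so the
    // response time does not reveal how much of the token matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Set the environment variable on the server and decorate the controllers that serve app data with `[AppTokenAuthorize]`; requests without the header get a 401 before the action runs.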
0

I am not a security expert, but as far as I know what you want is not possible. Anything you embed on the client to authenticate your application is accessible to an attacker, who can then use that information to access your API.

Eric Stein
  • I am not either. I'd like to ask if client apps can generate something like an OTP in the background to communicate with the server app? Can we use some more security hardware such as an HSM in this case? – BNK Jul 27 '15 at 13:34
  • @ChungPham If you're creating a one-time pad on the client, then the algorithm for its creation is on the client and it's sitting in the client's memory - both are accessible to a skilled attacker. I suppose you could distribute an HSM to clients, but in this case that means mailing out hardware to Android users. If the OP doesn't want to give end users passwords, I doubt he wants to give them an HSM. :-) – Eric Stein Jul 27 '15 at 14:05