
I have created an Android app that requests resources from the server using REST APIs. Now, how can I check on the server side that the request is from the app and not from Postman?

For example, I am using the following endpoint to get data from the server. https://api.example.com/get-data/{id}

Now, this endpoint is also accessible from a browser. Therefore I want a solution to make the API inaccessible by all other means, i.e. it should only be accessible from my Android app, not from any browser, Postman, or an Android app that is not built by me.

In other words, I want my Android app to send a special piece of information that helps the server authenticate the app. Besides this, I am also concerned about someone decompiling my APK and taking out that information to make API requests.

Note: by special information I mean a security key or a mechanism to generate that key.

I am looking for something like the "Origin" header that is set by the browser by default and that no one else can change, not even the developer of the website. Does anything like this exist in Android?

Amarjit Singh

1 Answer

You need to implement an API token that behaves like a password for your API.

A simple way of doing this is using the Bearer header, with the token value coming from the API; every request you send via your app should include this token as a header.

An example is the Slim 3 Token Authentication, which does this for Slim 3 Framework APIs. If you are using a Laravel API, try https://laravel.com/docs/5.6/passport

zavora
  • I've considered using tokens. But the problem is that I cannot rely on a mechanism that requests a token from the server, because anyone can request a token and then use that token – Amarjit Singh Aug 01 '18 at 10:32
  • You are requesting a token using a username and password, so anyone can request the token if they know the URL to request it, but only users with a username and password can get a token. Laravel Passport and Laravel JWT are proven methods to protect the API – UnderDog Aug 03 '18 at 06:05
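The token flow the answer and the comments describe (credentials exchanged for a token, the token sent in a Bearer header, the server checking it on every request), as an added Python example that is not part of the answer and not the code of Laravel Passport or Slim. The HMAC-signed token format, the PBKDF2 user store and the server-held `SERVER_KEY` are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed example: a server-side key that signs tokens; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
# Constructed user store: username -> (salt, PBKDF2 hash); no plaintext passwords are kept.
USERS = {}

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_pw(password, salt))

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload):
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())

def issue_token(username, password, ttl=3600, now=None):
    """Exchange credentials for a token; returns None unless the password checks out."""
    rec = USERS.get(username)
    if rec is None:
        return None
    salt, stored = rec
    if not hmac.compare_digest(stored, _hash_pw(password, salt)):
        return None
    issued = int(time.time() if now is None else now)
    payload = _b64(json.dumps({"sub": username, "exp": issued + ttl}).encode())
    return f"{payload}.{_sign(payload)}"

def verify_request(headers, now=None):
    """Return the username for a request, or None if the token is missing, forged or expired."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        payload, sig = auth[len("Bearer "):].split(".", 1)
        if not hmac.compare_digest(_sign(payload), sig):   # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= int(time.time() if now is None else now):
        return None
    return claims.get("sub")
```

This proves that the caller holds valid credentials, which is what the comments above settle on; it does not, and no server-side check can, prove that the request came from the APK rather than from Postman.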