-1

A friend and I are trying to create a mobile app. The app receives the data per API from our server. So if someone uses Wireshark, they can see the API URL and all our data can be easily stolen.

We thought that we would use an HTTPS server, so Wireshark couldn't read it... But there are some ways to decrypt HTTPS in Wireshark as well.

So the question is: what is the best way to hide or encrypt the API URL or our data?

Milad
  • 1
    probably this could help (jwt) https://stackoverflow.com/a/34160202/1135424 – nbari May 26 '20 at 08:24
  • 1
    If the client is sending/reading traffic, then anybody using the client can too. You can't encrypt the URL you want the client to access because otherwise the client doesn't know what it is. If you want to encrypt data between your client and server *inside of an encrypted HTTPS connection*, use some form of public key cryptography. – Ross Jacobs May 26 '20 at 11:28
  • Who do you think is going to attack your API and how? – Ross Jacobs May 26 '20 at 11:30

1 Answer

1

Even on top modern websites you can still see the API URL. Rather than trying to hide the URL, use API access keys to limit single-user access to what is normal, hash out the key, and make your API restrictive enough to not break from someone finding the URL.

Voltex
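A server-side sketch of what the answer describes, added here as an example and not code from the answer's author: each user gets a random API key, the server stores only its SHA-256 digest (one reading of "hash out the key"), and each key has a request budget per time window. The class name `ApiKeyGate`, the limits and the user ID are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque


class ApiKeyGate:
    """Keeps only digests of issued API keys and enforces a per-key request budget."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._owners = {}                # key digest -> user id
        self._hits = defaultdict(deque)  # key digest -> timestamps of recent requests

    @staticmethod
    def _digest(key: str) -> str:
        # Plain SHA-256 is adequate here only because keys are long random
        # tokens, not human-chosen passwords.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a key, remember its digest, return the plaintext exactly once."""
        key = secrets.token_urlsafe(32)
        self._owners[self._digest(key)] = user_id
        return key

    def revoke(self, key: str) -> None:
        self._owners.pop(self._digest(key), None)

    def check(self, presented: str):
        """Return (status, user_id): 401 unknown key, 429 over budget, 200 allowed."""
        digest = self._digest(presented)
        user = self._owners.get(digest)
        if user is None:
            return 401, None
        now = self.clock()
        hits = self._hits[digest]
        while hits and now - hits[0] >= self.window:
            hits.popleft()               # forget requests outside the window
        if len(hits) >= self.limit:
            return 429, user             # abnormal volume for a single user
        hits.append(now)
        return 200, user
```

A key extracted from the app by inspecting traffic is then limited to one user's normal request volume and can be revoked without affecting other users.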