
I'm currently working on a mobile application with an Objective-C developer. Because of the nature of mobile devices and how they work, all data is retrieved through an API I have created.

For example, if the user is trying to find something specific to do with the application on a page (a search maybe), the application would make a request:

http://mydomain.example.com/api/search?param1=hello&param2=world

If these calls are made from the mobile device through the application I know they are legitimate requests (what I class as legit, anyway). If they're coming from somewhere else I really need to stop that. For example, another developer could copy the exact same application and use the API I have built on my server and there is no way I know of that can stop them doing that.

Is there a way I can secure the API somehow to stop the API from being accessed outside the app?

  • Assuming there are no user accounts for authentication? Commented Dec 22, 2013 at 10:46
  • @Scuzzy That is correct. Users don't have to register to use the application. Commented Dec 22, 2013 at 10:47
  • @sskoko Tell me more? As far as I know I cannot disclose anything secret inside of the application in the case it's decompiled and can be viewed. Commented Dec 22, 2013 at 10:48
  • I assume the app is free? If it is a paid app, I would think there is some kind of identifier you could use from whatever app store it was purchased from. Commented Dec 22, 2013 at 10:53
  • @Indigenuity It is a free app, yes. Do you think it would be a good idea to just pass a secret as a param inside the app? It would at least keep most out, right? At least they then have to put effort in to use the API Commented Dec 22, 2013 at 11:03

1 Answer

Assuming there are no user accounts for authentication, the only way to secure the app is to hardcode a security token in the mobile app. And even doing so, it won't be 100% secure, because of reverse engineering.

Your API only receives HTTP requests, so the only way to differentiate a legitimate from a non-legitimate request is to send further information that will be considered valid on your server side (such as OAuth tokens), but if there are no user accounts, you will have to send an identical token shared by all apps (or one following a common rule).

I think that the best solution here is to hardcode the security token; it will at least force "hackers" to reverse engineer your app rather than just sniff the network.


1 Comment

Can I just ask... what would be the best way of going about this token generation?
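The shared-secret scheme described in the answer, and the token-generation question in the comment above, as an added example that is not code from the answer or from the original poster's API. Rather than sending a static token as a parameter, the app uses the embedded secret to compute an HMAC over the request path, the sorted query parameters and a timestamp, and the server recomputes and checks it; the secret, `/api/search` handler shape and the 300-second skew window are assumptions, and a secret recovered by decompiling the app still lets anyone forge valid requests, exactly as the answer warns.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Hypothetical secret compiled into the app. Anyone who extracts it from the
# binary can sign requests, so this only raises the bar above network sniffing.
SHARED_SECRET = b"replace-me-at-build-time"
MAX_SKEW_SECONDS = 300  # reject replayed or stale requests outside this window


def canonical_string(path, params, ts):
    """Serialise the request identically on client and server (sorted params)."""
    return f"{path}?{urlencode(sorted(params.items()))}&ts={int(ts)}"


def sign_request(path, params, ts, secret=SHARED_SECRET):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    msg = canonical_string(path, params, ts).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(path, params, ts, signature, now=None, secret=SHARED_SECRET):
    """Server side: check freshness, then compare signatures in constant time."""
    now = time.time() if now is None else now
    try:
        ts_int = int(ts)
    except (TypeError, ValueError):
        return False  # malformed timestamp
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return False  # too old or too far in the future; likely a replay
    expected = sign_request(path, params, ts_int, secret)
    return hmac.compare_digest(expected, str(signature))


if __name__ == "__main__":
    # Constructed request matching the search call from the question.
    params = {"param1": "hello", "param2": "world"}
    ts = int(time.time())
    sig = sign_request("/api/search", params, ts)
    print("valid:", verify_request("/api/search", params, ts, sig))
    tampered = dict(params, param2="changed")
    print("tampered:", verify_request("/api/search", tampered, ts, sig))
```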
