While creating an Android App that uses an API, the most difficult problem to solve is API security.
Creating a token and securing it in KeyStores is one thing. But what about a guest user?
A guest user requires a Token, and acquiring that Token from the API is not secure, as this API should not require any signing credentials. And creating a temporary Token for the guest user in the Application side is not secure as anything on the Application or Device is accessible one way or another.
I have searched about the thing, and these are the solutions I’ve found.
I understand that there are tactics such as ProGuard and DexGuard, but these only make it harder for someone to break into your app, and in DexGuard’s case, it’s paid.
I thought about using the API to identify that only the client is the app using the package name, but that’s not possible since the HTTP/S Client requesting the API is not the app, it’s the system’s, or in some cases the library’s, own HTTP/S Client implementation, which does not contain any information about the app, only the system/client.
From my understanding of application security, these are the main security flaws to be noticed :
Searching around in Information Security questions most focus about the Android system’s security, not the security between an App and it’s API. And the few that do, discuss the security from the server’s side, or simply give an example about using a certain technology (Certificate Pinning or Certificate Transparency) in plain code, which is still not secure.
What are the tactics used to protect an Application from an attacker?
What methods should I be researching to make 95-99% sure my application won’t be attacked (there is no 100%, I know, but that 1-5% are dedicated attackers, which wouldn’t waste time on such applications from a less known provider)
Possible Attack :
The App has a guest user, meaning they need a temporary Token to use the app. This token cannot be generated from the API, as it does not require any authorization. And cannot be generated from the App since breaking the application code is simple and the attacker can discover the method of generating a temporary Token.
This leads the the API and Application being exposed to the attacker, giving them access to the API’s data.
I wanted to comment on your question, but I don't have enough reputation for that. You're discussing various things surrounding API and application security. Maybe this article: https://dev.to/bearer/api-security-best-practices-3gjl could gives you some insights. If you apply these practices you should be pretty good.
Like you said, you can't be 100% safe and you have to weigh the risks. Most companies accept certain risks.
Answered by Puremonk on January 13, 2021
2 Asked on October 28, 2021 by stone-true
8 Asked on October 28, 2021
2 Asked on October 28, 2021 by kepotx
2 Asked on October 28, 2021 by nemanja-martinovic
2 Asked on October 28, 2021 by tomi-begher
1 Asked on October 28, 2021 by ian-warburton
2 Asked on October 28, 2021 by alehandro
0 Asked on October 28, 2021
1 Asked on October 28, 2021 by user238715
4 Asked on October 28, 2021 by m-vencel
2 Asked on October 28, 2021 by sellarafaeli
3 Asked on October 28, 2021 by nkl
1 Asked on March 9, 2021 by reedghost
1 Asked on March 3, 2021
Get help from others!