Securing Android Application API access

Information Security Asked by A-Android UCG on January 13, 2021

While creating an Android App that uses an API, the most difficult problem to solve is API security.

Creating a token and securing it in KeyStores is one thing. But what about a guest user?

A guest user requires a Token, and acquiring that Token from the API is not secure, as this API should not require any signing credentials. And creating a temporary Token for the guest user in the Application side is not secure as anything on the Application or Device is accessible one way or another.

I have searched about the thing, and these are the solutions I’ve found.

  1. Creating a 2-part key: This is not secure, as there is still something on the Application side.
  2. Google’s Application authorization: I’ve found that there is a way to use Google’s services to determine whether this client (Application or whoever sent the request) is a valid (legitimate) user, i.e., the request was sent from the Application for which the API was designed. However, I’ve seen that this method requires waiting, as the validation is not immediate.
  3. SSL Pinning: I’m not very familiar with the concept, but from what I understand, it’s basically creating a Certificate that only your app and the server trust. But that seems to also put code (or in this case, a .crt file) in the app package, which can be compromised and used.

I understand that there are tactics such as ProGuard and DexGuard, but these only make it harder for someone to break into your app, and in DexGuard’s case, it’s paid.

I thought about using the API to identify that only the client is the app using the package name, but that’s not possible since the HTTP/S Client requesting the API is not the app, it’s the system’s, or in some cases the library’s, own HTTP/S Client implementation, which does not contain any information about the app, only the system/client.

From my understanding of application security, these are the main security flaws to be noticed:

  1. Anything inside the application code, files, or resources can be accessed using the APK or the application’s own folders on the system.
  2. Even HTTPS SSL certified requests can be sniffed and the attacker can obtain all information about the API (URL, Parameters, etc).
  3. Even if something was protected by the system (such as files), rooted/hacked devices can get access to these resources (there are also legitimate reasons to root your Android device, which means you cannot just block rooted devices).

Searching around in Information Security questions, most focus on the Android system’s security, not the security between an App and its API. And the few that do discuss the security from the server’s side, or simply give an example about using a certain technology (Certificate Pinning or Certificate Transparency) in plain code, which is still not secure.

Question:

What are the tactics used to protect an Application from an attacker?

What methods should I be researching to make 95-99% sure my application won’t be attacked? (There is no 100%, I know, but that 1-5% are dedicated attackers, who wouldn’t waste time on such applications from a less known provider.)

Possible Attack:

The App has a guest user, meaning they need a temporary Token to use the app. This token cannot be generated from the API, as it does not require any authorization. And it cannot be generated from the App, since breaking the application code is simple and the attacker can discover the method of generating a temporary Token.

This leads to the API and Application being exposed to the attacker, giving them access to the API’s data.
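The following is an added example, not code from the question or the answer, illustrating the server-side pattern that addresses the guest-token concern above: the *method* of generating a token can be public, because the only secret (the HMAC signing key) never leaves the server. The guest endpoint is unauthenticated by design, so it compensates by issuing short-lived tokens with a minimal scope and by rate-limiting issuance per client address. All names (`SERVER_KEY`, `issue_guest_token`, `IssueRateLimiter`, the `catalog:read` scope) and the key value are assumptions constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed example secret. A real deployment loads this from a KMS,
# secret manager or environment variable; it must never ship inside the APK.
SERVER_KEY = b"example-server-side-key-do-not-ship-in-app"

GUEST_TTL_SECONDS = 15 * 60          # short lifetime limits the value of a leaked token
GUEST_SCOPE = ["catalog:read"]       # guests get read-only access to public data


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_guest_token(now=None, key=SERVER_KEY) -> str:
    """Server side: mint a signed, short-lived, read-only guest token."""
    now = int(time.time() if now is None else now)
    payload = {
        "sub": "guest:" + secrets.token_hex(8),   # random per-session identity
        "scope": GUEST_SCOPE,
        "iat": now,
        "exp": now + GUEST_TTL_SECONDS,
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token: str, now=None, key=SERVER_KEY):
    """Server side: return the payload if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a forged or tampered token fails here
        # regardless of how well the attacker understands the token format.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, binascii.Error):
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


class IssueRateLimiter:
    """Fixed-window limiter for the unauthenticated guest endpoint, keyed by client address."""

    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self.buckets = {}  # client -> (window_start, count)

    def allow(self, client: str, now: float) -> bool:
        start, count = self.buckets.get(client, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        if count >= self.limit:
            self.buckets[client] = (start, count)
            return False
        self.buckets[client] = (start, count + 1)
        return True


def handle_guest_login(limiter: IssueRateLimiter, client: str, now: float):
    """POST /guest-session: returns (status, token). No client secret is required."""
    if not limiter.allow(client, now):
        return 429, None
    return 200, issue_guest_token(now)


def handle_api_request(token: str, required_scope: str, now: float) -> int:
    """Any protected endpoint: 401 for bad/expired tokens, 403 for out-of-scope calls."""
    payload = verify_token(token, now)
    if payload is None:
        return 401
    if required_scope not in payload["scope"]:
        return 403
    return 200


if __name__ == "__main__":
    limiter = IssueRateLimiter()
    status, token = handle_guest_login(limiter, "203.0.113.7", time.time())
    print(status, handle_api_request(token, "catalog:read", time.time()))
```

The design choice worth noting: nothing the app holds is worth extracting, so reverse engineering the APK yields only the token format. What an attacker can still do is call the guest endpoint like any other anonymous client, which is why the mitigation shifts to bounding what a guest token is allowed to do (scope), for how long (`exp`) and how many can be minted (rate limit), plus server-side logging of anomalous issuance rates.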

One Answer

I wanted to comment on your question, but I don't have enough reputation for that. You're discussing various things surrounding API and application security. Maybe this article: could give you some insights. If you apply these practices you should be pretty good.

Like you said, you can't be 100% safe and you have to weigh the risks. Most companies accept certain risks.

Answered by Puremonk on January 13, 2021
