I have written an application which I would like to offer via REST API to customers.

In the task which is executed on the server there is some sensitive user data involved, e.g. the user's login to a third party service. There is no way to execute the transaction client side as the code which handles this data must stay proprietary.

Now a user of my API would have to trust me that the service does not steal his data. But is there any way to process such data in a trustless way? I would really like to guarantee my customers that data theft is impossible.

  • You are looking for homomorphic encryption. – Tobi Nary Nov 14 '17 at 05:19
  • Does the third party service implement some form of delegated authority approach (i.e. OAuth) where they could log in and grant your application an access token instead of giving you their username / password? – Adam Luchjenbroers Nov 14 '17 at 06:02

1 Answer

If I understood correctly, no. You're logging in and retrieving data on behalf of your customer.

The best you can do is use delegation, as Adam Luchjenbroers commented, but even then you would still have access to the user's data (albeit not their login). If this is acceptable then Adam supplied the answer. If not, users will have to take you at your word.

If the third party service supports encryption and you do not need to actually interpret the third party data, you might implement that decryption client side and reassure customers that while you could steal their data, they are theoretically capable of verifying whether you do (by reverse engineering the client code in their possession and ensuring its current version is not transmitting the deciphered data, or your decryption key, anywhere).

LSerni