
I have a REST API on a server and an application for Android phones that mostly makes calls to that API and presents the info to the user.

Because the application needs to be a quick way to look up public info, it was required that there not be any kind of authentication by the final user.

Now this opens the server where the API lives to attacks. We're not concerned with the information being stolen by impersonating an app user or anything, because all the info is publicly accessible either way, but an attacker could, for example, make a script to continuously make calls to our API and overload the server.

Quotas and such can't be used without authentication and an extra user-info load on the database, the user agent can be faked... In the end the closest thing to what I need I could find was in this answer to a similar question, where it's suggested I store an access key in my app and use that to make calls to my API.

Now here are my questions regarding the whole situation and security:

  1. It's implied that if I use HTTPS I'm all set if I just include the key in the headers. Is there really no way to see this key in the request? (I'm using Angular's HttpClient.) The test server's URL is HTTPS, but since I'm in debug mode I can clearly see all of the request's info at the application level. Is the application running on my phone safe from attackers somehow looking at the app's memory space or such?
  2. Following on from the last question, what's the best way to store this app key within the APK? A JSON file, a string within the Angular code...?
  3. The test server is HTTPS, but there's some discussion about dropping the API service onto a secondary server that's still HTTP. The linked answer implies I should then hash the key myself somehow, but isn't it then available to be fished out of the request? Surely it would imply the extra effort of keeping the hashed key changing in a way that the server can keep checking it's a hash of the original key, but doesn't it then become a matter of finding the hashing algorithm in the code? (Is this a good place to ask for secure hashing that could be implemented/used in an Angular application?)
  4. Is there any other way to secure the API in this setting that I'm not aware of? Again, it's basically a public API, but we need it to be accessible only from an application with no user authentication.
  • The only way to prevent attackers from touching your services is to shut them down. The rest won't solve the task. And any solution you mentioned is vulnerable in one or another way. – Crypt32 May 21 '18 at 21:10
