
I have some API that should be accessible from a very long list of devices (some of them can reach my OAuth2 server and get some token, some of them cannot).

These devices are mobile phones (iOS, Android) and in the future could be any device that has an HTTP client.

But I need to secure my API from everyone.

I'm thinking about some header that is calculated by some algorithm, for example one that includes hashing some parts of the request.

But I also think that I'm reinventing the wheel and such a solution already exists.

Some sort of CAPTCHA maybe?

P.S.: Requests to this API will be made not by users, but by an application running in the background.
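The "header calculated from a hash of parts of the request" idea above is usually implemented as HMAC request signing. The following is an added example and not code from the asker; it assumes hypothetical header names (`X-Timestamp`, `X-Nonce`, `X-Signature`), a hypothetical shared secret `APP_SECRET` and a five-minute replay window. The client side builds a canonical string from the method, path, sorted query, SHA-256 of the body, a timestamp and a random nonce, and HMACs it; the server rebuilds the same string and verifies it with a constant-time comparison, rejecting stale timestamps and reused nonces. The limitation raised in the comments applies: the secret ships inside the app, so a determined attacker can extract it and sign their own requests; this scheme raises the bar for casual abuse and prevents replay, it does not prove the request came from the genuine app.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Hypothetical shared secret (assumption, not from the original post).
# CAVEAT: anything embedded in a mobile app can be recovered by reverse
# engineering, so this only deters casual callers; it is not app attestation.
APP_SECRET = b"example-shared-secret-do-not-ship-like-this"

REPLAY_WINDOW_SECONDS = 300  # how far a request timestamp may drift from server time


def canonical_string(method, path, query, body, timestamp, nonce):
    """Byte string both sides sign. Query parameters are sorted so that
    {"b": "2", "a": "1"} and {"a": "1", "b": "2"} canonicalise identically;
    the body is bound through its SHA-256 hash."""
    sorted_query = urlencode(sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [method.upper(), path, sorted_query, body_hash, str(timestamp), nonce]
    return "\n".join(parts).encode("utf-8")


def sign_request(secret, method, path, query, body, timestamp=None, nonce=None):
    """Client side: returns the headers to attach to the outgoing request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, query, body, timestamp, nonce)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side. `now` is injectable so the window check is testable."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now
        # nonce -> timestamp. In production this lives in a shared store
        # (e.g. a cache with TTL) so every API node sees the same nonces.
        self.seen_nonces = {}

    def _expire(self):
        cutoff = self.now() - REPLAY_WINDOW_SECONDS
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}

    def verify(self, method, path, query, body, headers):
        """Returns (ok, reason). Checks are ordered cheapest first so that
        stale or replayed requests never reach the HMAC computation."""
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signing headers"
        if abs(self.now() - ts) > REPLAY_WINDOW_SECONDS:
            return False, "timestamp outside window"
        self._expire()
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(
            self.secret, canonical_string(method, path, query, body, ts, nonce), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample request, signed by the "app" and checked by the "server".
    body = b'{"event":"sync"}'
    hdrs = sign_request(APP_SECRET, "POST", "/v1/events", {"b": "2", "a": "1"}, body)
    v = Verifier(APP_SECRET)
    print(v.verify("POST", "/v1/events", {"a": "1", "b": "2"}, body, hdrs))   # first use: accepted
    print(v.verify("POST", "/v1/events", {"a": "1", "b": "2"}, body, hdrs))   # same nonce: rejected
    print(v.verify("POST", "/v1/events", {"a": "1"}, body + b" ", hdrs))     # tampered: rejected
```

The timestamp plus nonce combination is what stops a captured request from being re-sent; the sorted query and body hash are what stop a captured signature from being moved to a different request. If you later issue per-device secrets (for example after an OAuth2 registration step), the same code works unchanged with the per-device key looked up by a device identifier header, which limits the damage of one extracted secret to that one device.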

  • Your question is too broad and unspecific in my opinion. It is not clear what you mean with "secure my API from everyone" in the first place. If you mean that you want to restrict who can access it, then you need to specify what the difference is between the clients who should be able to access it and the ones who shouldn't. Right now you just have "very long list of devices" on the one side and "everyone" on the other, which is not a useful distinction. – Steffen Ullrich Sep 06 '19 at 09:30
  • @SteffenUllrich A difference between legit and malicious clients is that a legit client must send its request from the mobile app, and a malicious client sends his request not from such an app. – Alexey Vinogradov Sep 06 '19 at 09:34
  • Is this mobile app strictly in your own control? Do you care if an attacker reverse engineers the communication to extract any tokens in order to reuse these outside the app? Do you care if an attacker reverse engineers the app itself to extract any secrets (like client certificates) in order to use these outside the app? – Steffen Ullrich Sep 06 '19 at 10:40
  • Well, you usually have authentication, which I would suggest using OpenID Connect to verify valid clients. There's no point in restricting the API authentication part just from the App users, an attacker can reverse engineer the app and use the certificate or single constant API key to access the internal parts. – Raimonds Liepiņš Sep 06 '19 at 11:09
  • Possible duplicate of [Securing an API for mobile access](https://security.stackexchange.com/questions/16126/securing-an-api-for-mobile-access), [How can a web API for a mobile app be protected from unauthorised access?](https://security.stackexchange.com/questions/141104/how-can-a-web-api-for-a-mobile-app-be-protected-from-unauthorised-access), [How to protect API endpoint from abuse in mobile App?](https://security.stackexchange.com/questions/198921/how-to-protect-api-endpoint-from-abuse-in-mobile-app). – Steffen Ullrich Sep 06 '19 at 12:34

0 Answers