
I am using an API, made using an AWS service named API Gateway [which may not be of great importance]. I have gone through various articles mentioning that rather than storing secret keys directly in an app, you should be retrieving them through an API. I made an API endpoint that triggers a Lambda function on call, either GET or POST.
But of course anyone with a basic knowledge of programming could find my API through the network tab, plus the POST request I made to that API, and replicate it to get those secret keys. I have heard of AUTH KEYS for an API, but isn't that very easy to discover, because they are sent through a POST request and are visible in the network inspector?

Here I am totally blank on how to secure an API so that no other person could actually call it. I cannot use the CORS rules because I am using a React Native application as well as a website for calling that API. CORS may help us with a website, but what about the application? I cannot store keys in the app itself because I am wary of decompilers being able to peek into my secret keys. Or can I specify CORS to secure a certain Android application?

  • An app/site shouldn't use anything the user shouldn't be able to see, or else the design is flawed and vulnerable. If you want to, e.g., use a premium API to fetch info for your visitors, you need to have your visitors talk to an API you make, which in turn calls the premium API with secrets, then returns to the visitors just the data needed without any secrets; an API proxy. For example, your customer asks for `my.com/api/day=243`, your API on my.com asks `data.com/api/?day=243&secret=123`, and returns the relevant bits to your customer. – dandavis Jul 19 '21 at 20:27
  • Assume a user A calls the `my.com/api/user=1` API and this API in turn calls another API with a secret key. The user gets his data, but what about when another user B suspiciously calls the same API? He too gets the same response that was meant for user A, which we don't want. Despite using another premium API, even though the user can't see the secret keys, he is already able to get other users' data!! How to solve this? – Jidnyesh AJ Aug 17 '21 at 03:48
  • Don't use number values, use a hash or partial hash that your server turns back into a number. Perhaps something like `HASH( salt | id )` in crypto-speak so that `1` and `2` are radically different and un-guessable. You need a DB table with fields for ID, SALT, HASH and you can cheaply look up that `?user=a65b2f6ffd4` really means `?user=2`. Do the same for transaction numbers and other sequential identifiers. – dandavis Aug 17 '21 at 06:59
  • Ok I got it, thank you so much for your efforts to answer my doubt. – Jidnyesh AJ Aug 17 '21 at 15:57
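The server-side proxy from dandavis's first comment combined with the `HASH( salt | id )` handle table from his third, as an added example (not code from the question or the comments). The upstream service, its secret and the in-memory table are constructed stand-ins for the Lambda, the premium API and the DB table the comments describe.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional

# Constructed in-memory stand-in for the DB table dandavis describes:
# one row per user with fields ID, SALT, HASH, keyed here by the public handle.
_HANDLE_TABLE: Dict[str, dict] = {}
HANDLE_HEX_LEN = 32  # 128 bits of the SHA-256 hex digest: not guessable by enumeration

# Hypothetical upstream secret. It lives only on the server (e.g. a Lambda
# environment variable or a secrets manager entry), never in the app or website.
UPSTREAM_SECRET = "example-secret-123"


def issue_handle(user_id: int) -> str:
    """Create and store an opaque handle for a numeric id: HASH(salt | id)."""
    salt = secrets.token_bytes(16)  # fresh random salt per row, so 1 and 2 look unrelated
    digest = hashlib.sha256(salt + str(user_id).encode()).hexdigest()
    handle = digest[:HANDLE_HEX_LEN]  # "partial hash" exposed to clients
    _HANDLE_TABLE[handle] = {"id": user_id, "salt": salt.hex(), "hash": digest}
    return handle


def resolve_handle(handle: str) -> Optional[int]:
    """Map a handle back to the internal id; None if it was never issued."""
    row = _HANDLE_TABLE.get(handle)
    return None if row is None else row["id"]


def fake_upstream(user_id: int, secret: str) -> dict:
    """Constructed stand-in for data.com: returns fields we must not pass through."""
    if secret != UPSTREAM_SECRET:
        raise PermissionError("upstream rejected the secret")
    return {"user": user_id, "balance": 42, "internal_note": "do not expose",
            "secret_echo": secret}


def proxy_user_data(handle: str,
                    upstream: Callable[[int, str], dict] = fake_upstream) -> Optional[dict]:
    """The my.com proxy endpoint: resolve the handle, call upstream with the
    server-held secret, and return only an allow-listed subset of the response."""
    user_id = resolve_handle(handle)
    if user_id is None:
        return None  # unknown or forged handle: treated like a missing user
    data = upstream(user_id, UPSTREAM_SECRET)
    # Copy named fields only, so neither the secret nor internal fields leak.
    return {"user": handle, "balance": data["balance"]}
```

Note that unguessable handles stop enumeration (`?user=1`, `?user=2`, ...) but are not a substitute for authenticating the caller and checking that the handle belongs to them.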
