Security of Mobile Backend API key
Suppose I am developing a mobile application that makes calls to an API server. The API server is secured by an API Key.
I cannot hard-code the API Key inside the mobile application because it can be stolen.
How can I protect the API key?
How is that problem usually solved?
(It sounds like the API-key you are trying to protect is for an API service that you don't own.)
One approach is by using an authentication server. The private API-key is kept on the authentication server and only shared after a valid login.
So how does this work?
- User on the mobile client enters a login & password
- These credentials get sent to an authentication server where they are verified
- If the login is valid, the API-key is sent to the mobile client
Architecturally, you would need a separate authentication server which would leave you with 2 different servers:
Some API-key server that you need a private API-key to use
Authentication server (used to verify user login and exchange private API-keys)
A second approach is to use a pass through server. The private API-key is never shared in this approach. It is possible to add authentication onto the pass-thru server, but not required.
So how does this work?
- Mobile user contacts the pass-thru server for data from the API
- Pass-thru server makes the api call (with the stored private API-key)
- The API server responds with data to the pass-thru server
- Pass-thru server forwards the API response to the mobile app
In this case, you own the pass-thru server so you never need to share your API keys and user authentication is optional.
- How to disable security in Quarkus
- SNC name of ABAP System
- Is MD5 a good way to generate account verification code
- Is there any relationship between Secure Boot and Kernel Lockdown?
- CryptographicException: Access denied - How to give access on User store?
- How to use an API from my mobile app without someone stealing the token
- Symfony security component - Unable to find key \"username\" in the token payload
- Is it a good praxis to secure an webservice endpoint with a simple token string?
- Can using access token alone prevent CSRF attack, since browser prevents accessing cookies of another site?
- Are there CSRF attacks that don't use cookies?
- How does Double Submit Cookie Pattern Prevent against CSRF attacks?
- vulnerable Tomcat 10.1.31 embedded in Artifactory 7.98.13
- Why CSRF token should be in meta tag and in cookie?
- How can I prevent SQL injection in PHP?
- How/why is login page redirect required?
- Do Electron apps enforce CORS restrictions in the renderer process?
- How can i use a reverse shell over global Internet?
- Should I Manually Patch the Pandas DataFrame.query() Vulnerability or Wait for an Official Update?
- C# - Securely storing a password locally
- how to secure keys for API calls from android device to amazon services
- Should I add application.properties to .gitignore if the Git repository is private and both the server and DB are on an internal network?
- Understanding the port numbers of a network connection strings in systemd output of an ubuntu device
- Disable firefox same origin policy
- SecurityError: Blocked a frame with origin from accessing a cross-origin frame
- Securely decoding a Base64 character array in Java
- Is There a Security Risk Using ADB Over TCP/IP for Wireless App Development in Expo?
- Is it a good idea to distribute docker image containing my selfsigned certificate?
- Is it possible to externalize nested components
- How can I make a file trully immutable (non-deletable and read-only)?
- Buzz words in architecture document