
I am working on an API-centric web application with a custom authorization method that consists of building a string based on the request method, URL, params and public API key, encoded with a private API key. This works fine on the server side, but on the client side the private API key (and authorization method) will be vulnerable. I've spent the last hour or so looking for a good way to secure this API key, and the best method I could find is proxying through my server, but I am still not 100% sure about this.

First of all, should I be worried? I want to make security a priority in my web application, but anything that will deal with modifying a user's account will need a temporary, encrypted token to authorize the request (in addition to the HMAC hash).

My understanding of proxying was that you would make a request to your server, which would then encrypt with the private key and return the information. But how would the server validate that the request came from a source with a valid API key?

Can anyone provide any insight as to what I should do? I feel like this could potentially be a vulnerability for any client-side code including JavaScript, iOS, and Android.

  • Please don't use signatures or taglines in your posts. Commented Jun 12, 2013 at 2:42
  • In what way would the private key be vulnerable? You have to give the key to the client or it won't work... Commented Jun 12, 2013 at 4:55
  • Currently the clients would only be my official apps (web and mobile). But the private key and authorization method would be visible in the JavaScript source for any AJAX calls to be possible on the site. Commented Jun 12, 2013 at 5:14
  • Why do you want to make a custom authorization method? You're usually better off using a standard method that's been thought through, stood the test of time, etc. What is the threat model that you're most concerned about? 3rd-party apps using your API? Commented Jun 12, 2013 at 6:19
  • Thanks. I guess I'll just do a handful of obfuscation methods to make it more difficult to utilize (and I can always break an API key if it is being misused). The good news is there is no security risk because there is a whole secret (server side) tokening system for user accounts, and the only thing that is at risk with an API key is just stealing our search results in JSON format (rather than HTML scraping). Commented Jun 13, 2013 at 18:52

1 Answer

You can never trust the client. Even if you obfuscate, someone could still figure it out. For example, an adversary could reverse-engineer the obfuscation algorithm, look at the device memory, or even capture what's sent over the wire.

However, you can still make a secure app by enforcing security on the server side. For example, users should need to be authenticated in order to successfully make privileged API requests.

Also, you can enforce API usage on the server side, whether by input validation, rate limiting, or IP address tracking.
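A server-side verifier for the signing scheme the question describes, written as an added example (not code from the question or the answer): the private key and the user's session are looked up on the server, so nothing the client ships can forge a privileged call. The key store, session store and canonical-string layout are assumptions made for the example.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Constructed sample credentials: the client only ever holds the public key id;
# the private key stays in this server-side store (a database or KMS in practice).
API_KEYS = {"pk_demo": b"sk_demo_private_key_never_shipped_to_client"}

# Constructed sample of server-issued user sessions (assumption: created only
# after a login the server itself verified, as the answer recommends).
SESSIONS = {"sess_abc": {"user": "alice"}}


def canonical_string(method, path, params, public_key):
    """Signing string as described in the question: method, URL path, query
    params and public key. Params are sorted and fields are newline-joined so
    two different requests cannot produce the same string."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, public_key])


def sign(method, path, params, public_key, private_key):
    """HMAC-SHA256 of the canonical string under the private key."""
    msg = canonical_string(method, path, params, public_key).encode()
    return hmac.new(private_key, msg, hashlib.sha256).hexdigest()


def verify_request(method, path, params, public_key, signature,
                   session_id=None, privileged=False):
    """Server-side check. Returns (ok, reason)."""
    private_key = API_KEYS.get(public_key)
    if private_key is None:
        return False, "unknown api key"
    expected = sign(method, path, params, public_key, private_key)
    # Constant-time comparison so response timing does not leak the digest.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if privileged:
        # A valid signature alone proves nothing about *who* is calling;
        # account-modifying requests also need an authenticated session.
        session = SESSIONS.get(session_id)
        if session is None:
            return False, "authentication required"
        return True, "ok for user " + session["user"]
    return True, "ok"
```

A tampered parameter or an unknown key id fails before any work is done, and a privileged route is refused even with a correct signature unless the server recognises the session.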


2 Comments

  • Every time I come back to this because someone upvoted the question, I see "you can never trust the client." I have become a big fan of this mentality and it has even helped streamline some API creation (i.e. there's no need to take a password confirmation in registration, since the client could just fake this anyways).
  • @sam The confirmation is for the user to ensure they typed what they think they typed. It's less likely to mistype a password the same wrong way twice.
