
I'm sketching out a solution where an Android app connects to a REST API on the web. Users should be able to create a profile, and then perform certain requests on that profile (change name, email etc.). Searching around for similar questions yielded a recommendation for a private/public key solution from a good portion of the answers.

This guy explains the procedure very well: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

This procedure depends entirely on the prerequisite that the private key is indeed private. And I didn't find any answers that address this. But if the server and client have to have the same private key, then it would have to have been transferred between both parties at some point, which would inevitably expose it to somebody watching the traffic. So is there a secure way to establish the same private key between both parties?

Another question, when the client obtains the private key (securely), how should it be stored? Is something like Shared Preferences secure enough? My concerns are that somebody with rooted access could access this easily.

Comment: Use SSL + basic/digest authentication. (Feb 20, 2012 at 14:44)
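The scheme in the linked article is a shared-secret HMAC scheme rather than a public/private key pair: the server issues each client a secret once (over TLS, at sign-up), and every later request carries only a MAC computed over the request, so the secret itself never crosses the wire again. The following is an added example, not code from the question or the linked article, showing both halves of that scheme in Python: credential issuance, client-side signing, and server-side verification with a replay window and a constant-time comparison. The header names, the in-memory credential store and the five-minute window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side credential store: key id -> shared secret.
# A real deployment keeps this in a database; an in-memory dict is used here.
_CREDENTIALS = {}

REPLAY_WINDOW_SECONDS = 300  # reject requests whose timestamp is off by more than 5 minutes


def issue_credentials():
    """Server side: create a key id and a random shared secret at sign-up.

    The secret is returned to the client exactly once, inside the TLS-protected
    sign-up response, and is never sent on the wire again; later requests carry
    only an HMAC computed with it. The client keeps it in platform-protected
    storage (e.g. a hardware-backed keystore), not in plain shared preferences.
    """
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    _CREDENTIALS[key_id] = secret
    return key_id, secret


def canonical_string(method, path, body, timestamp, key_id):
    """Build the exact byte string both sides sign, so that every field that
    defines the request (verb, path, body, time, key) is covered by the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), key_id]).encode()


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: produce the headers that accompany a request."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, body, timestamp, key_id)
    sig = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": sig}


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the MAC and compare it in constant time.

    Returns True only if the key id is known, the timestamp lies within the
    replay window, and the signature matches the request as received.
    """
    if now is None:
        now = int(time.time())
    key_id = headers.get("X-Key-Id", "")
    secret = _CREDENTIALS.get(key_id)
    if secret is None:
        return False
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False
    msg = canonical_string(method, path, body, timestamp, key_id)
    expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    # compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    kid, sec = issue_credentials()
    body = b'{"name":"alice"}'  # constructed sample request body
    hdrs = sign_request(kid, sec, "PUT", "/profile/42", body)
    print(verify_request(hdrs, "PUT", "/profile/42", body))               # True
    print(verify_request(hdrs, "PUT", "/profile/42", b'{"name":"mallory"}'))  # False: body altered
```

The MAC ties the verb, path, body hash, timestamp and key id together, so altering any of them, reusing the headers on a different request, or replaying them after the window invalidates the signature; what the scheme cannot do is protect the secret during its one-time delivery, which is exactly the job TLS does in the accepted answer.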

1 Answer


Just use TLS to establish a secure connection.


2 Comments

And then all my troubles will be gone? I'd appreciate a bit longer answer.
You could share some details, so far it's simply not helpful.
