Client-side api auth


I've been contemplating a problem recently that concerns client-side usage of an api. We have an api endpoint that is under "attack" by someone malicious. This endpoint is the one we use to "log in" a user: it takes a username/password, along with a basic-auth header containing credentials that authenticate and authorize the caller as a valid consumer of that api endpoint.

It seems like our Android app has been decompiled, and someone has extracted the obfuscated api creds from it. Now what they're doing is using those creds, together with any combination of username/password, to "crack" accounts. Our current conundrum is how to prevent these "attacks".

In my searching online, I've found several approaches discussed. There's Max Katz's website, which tends to show up in the top Google results, talking about appery.io.

Neil here talks about obfuscation, session tokens, bearer auth, and how there's no silver-bullet solution to this problem: truly secure communication is really only possible in server-to-server communication.

There's also a post by noob Mama about this same issue, discussing SSL/TLS and OAuth.

Then I also thought about how someone like Google handles api authentication and client-side api usage. They obviously have several products that are consumed this way, e.g. Google Maps, Google Analytics, etc. It seems like smart decisions about api security include things like:

Time-sensitive credentials
This means that the credentials should be valid only for a specific period of time and should regularly expire, and be renewed. This prevents a potential malicious user from abusing the same token/api key for a long period of time e.g. a week.
User-specific credentials
This ties an api-key/token to a specific user. You can do this by binding it to their IP address, username, sessionId, or some other unique identifier. This way, if they're abusing your api, you can rescind just their credentials and add them to the naughty-list.
Trusted Users
If you have partners using your api who aren't end-users/consumers, consider whitelisting them and settling on a standard operating procedure for how they consume your api.
Datacenter Support
Wherever you host your application, you should have a good relationship with the people who manage and operate your physical infrastructure. This will come in handy for load-balancing, identifying DoS/DDoS attacks, and blocking malicious users when you come under attack.
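To make the first two ideas concrete (time-sensitive credentials and user-specific credentials that can be rescinded), here is an added example written for this post; it is not code from the original, from our app, or from any of the linked sites. The server secret, the 15-minute TTL, and the claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret for this example. In production, load it from a
# secrets store on the server; it must never be shipped inside the client app.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 15 * 60   # time-sensitive: a token is only good for 15 minutes
REVOKED_SESSIONS = set()      # the "naughty-list": session ids the operator has rescinded

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(username: str, session_id: str, now=None) -> str:
    """Mint a token bound to one user/session that expires after TOKEN_TTL_SECONDS."""
    now = time.time() if now is None else now
    claims = {"sub": username, "sid": session_id, "exp": int(now + TOKEN_TTL_SECONDS)}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"

def verify_token(token: str, now=None):
    """Return the claims if the token is authentic, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None                       # malformed token
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None                       # forged or tampered (constant-time comparison)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        return None                       # time-sensitive: expired, client must renew
    if claims["sid"] in REVOKED_SESSIONS:
        return None                       # user-specific: this session was rescinded
    return claims

def revoke_session(session_id: str) -> None:
    """Rescind just one user's session without touching anyone else's credentials."""
    REVOKED_SESSIONS.add(session_id)
```

A leaked token from the app is therefore useless after its TTL, and one abusive session can be cut off by itself.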