Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Archakov Dennis2016-01-18 23:24:36
API
Archakov Dennis, 2016-01-18 23:24:36

How will a self-written API be protected?

Good day!
I am engaged in the implementation of the API for my applications on Android / iOS. The API has the ability to purchase goods, and I'm sure that there are "smarts" who will catch requests transmitted. And then there can be bad consequences.
There were several security options:
1. client_id & client_secret of type oAuth 2.0 . But this principle is the most banal. I just give open access to an attacker and he can easily use the API using client_id and client_secret.
2. There was an implementation idea where, when a user was authorized in the application, a request was sent to the server. Next, a key was issued that I generate and store in the database. And for important requests (purchase, profile editing) using this key, the application encrypted JSON parameters in AES256 using this key. And sent the data to the server. But after all, you can initially poison the key to find out what is stored in the request being sent.
In general, there are a lot of options. But very weak! Suggest something worthwhile. Thanks in advance.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
S
Sergey, 2016-01-18
Protko @Fesor

SSL + SSL Pinning.
about payment - the server, as it were, should validate transactions separately, and not just trust everyone.

Report
E
Evgeny Elchev, 2016-01-18
@rsi

And how do you think authorization in web applications works? It can be caught in the same way and compromise the client.
1) Use https
2) Add a unique signature to each request
You can mix unique data into the signature, device id, some parameters from api, current time, and encrypt it in some popular way.

Report
A
Andrey Kulikovsky, 2016-01-18
@by25

Look in the direction of JWT (@Fesor somehow advised before;)
https://jwt.io/ A lot of both for mobile platforms and for PHP
If you briefly understand the essence, you can quickly look at this - habrahabr.ru/post/243427

Report
A
Andrey, 2016-01-19
@VladimirAndreev

https.
and payment - for sure, the market and the store offer good ways

Similar questions
B
bychok3002017-06-07 15:32:49
I don't receive my name and address, why? 3Reply
O
Orbb2017-06-20 18:34:45
Operation of the news complex component from the root, is it possible? 2Reply
I
Igor Bezlepkin2017-09-25 15:41:01
Is there a widget for the site + application for admins? 2Reply
V
Valery Efremov2017-02-06 14:05:35
Delivery modules for different CMS? 1Reply
S
stepan-neretin72019-07-04 20:34:46
VK api keyboard? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question