How to prevent third party misuse of what is intended to be a private api (avoiding what happened to Snapchat)

Tags: api, authentication, Security

I have never used Snapchat and do not intend to, but I have been reading up about what happened to them with respect to the recent media coverage about pictures being leaked, especially because I am also writing an API for my app right now and I want to avoid this from ever happening to me.

Having looked into what happened, it seems Snapchat has not actually done anything wrong. It appears a third party web app sniffed out their API calls – not something to be surprised about; anyone can do it, and that's why APIs should require authentication. How this is done can vary, but it is probably through some kind of token.

In any case, the Snapchat API did require authentication, so I thought they would have been safe, but it turns out that the third party apps got users to voluntarily enter their usernames and passwords into the app, thereby allowing login and authentication.

Remember this was a third party app, not the official Snapchat app. I would never have expected users to do something like this; it's like giving away the keys to your car to anyone who passes by instead of the hotel valet.

Now to the point: are there any techniques to avoid this from happening that I can apply to my API? I am not sure how I can prevent myself from ending up in the same situation.

Best Answer

It is impossible to prevent this issue from happening completely. There are two things you can do that will help but not completely mitigate the problem:

  • Use SSL only: If you control both the client and the server, then there is no reason you can't encrypt the traffic. This prevents people from sniffing out your API calls by studying your traffic; it also protects user secrets and helps prevent man-in-the-middle attacks.

  • Use an API key. This should be a hidden key that can be attached to transactions and validates that the API call came from an approved application. Note that this is only useful if the traffic is encrypted, since the key is useless if it's visible in plain text.

Again, it is not possible to protect oneself completely, as the nature of the web is pretty insecure. It wasn't built with security in mind initially, so you should assume that anything exposed publicly can and will be used by another party at some point.
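The "key attached to transactions" idea from the answer, as an added example that is not part of the original post: rather than sending a static key, the client signs each request with HMAC-SHA256 over the method, path, timestamp and body, and the server recomputes the tag, checks the timestamp window and compares in constant time. The secret value, header names and 300-second skew are assumptions; as the answer notes, this only helps over TLS, and a secret shipped inside a client can still be extracted, so it identifies an app build rather than proving a trustworthy client.

```python
import hashlib
import hmac

# Constructed secret for illustration only. In practice it would be generated per
# application build and rotated; anything embedded in a distributed client can be
# recovered by a determined third party, so treat it as a weak app identifier.
APP_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300  # assumed tolerance for clock drift / replay window


def canonical(method: str, path: str, body: str, timestamp: int) -> bytes:
    """Bind the signature to every request field a tamperer could change."""
    return f"{method.upper()}\n{path}\n{timestamp}\n{body}".encode()


def sign_request(method: str, path: str, body: str, timestamp: int,
                 secret: bytes = APP_SECRET) -> dict:
    """Client side: produce headers carrying a timestamp and an HMAC-SHA256 tag."""
    tag = hmac.new(secret, canonical(method, path, body, timestamp),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": tag}


def verify_request(method: str, path: str, body: str, headers: dict, now: int,
                   secret: bytes = APP_SECRET) -> bool:
    """Server side: reject requests with missing, stale or mismatched signatures."""
    try:
        ts = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # a captured request cannot be replayed indefinitely
    expected = hmac.new(secret, canonical(method, path, body, ts),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)  # constant-time comparison


if __name__ == "__main__":
    hdrs = sign_request("POST", "/v1/login", '{"user":"alice"}', 1_700_000_000)
    print("valid:", verify_request("POST", "/v1/login", '{"user":"alice"}', hdrs, 1_700_000_010))
    print("tampered body:", verify_request("POST", "/v1/login", '{"user":"mallory"}', hdrs, 1_700_000_010))
```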
