I am working on a website for which I hope to have an application for as well. Because of this, I am creating PHP API's which will go into my Database and serve specific data based on the method/function called.
I want to protect these API's from misuse however, and I plan on implementing Authentication Digest to do so. However one of the OS's I want to support is Android. And I know that a malicious user would be able to reverse engineer the Android app and figure out my authentication scheme.
I am left wondering:
- Is there a better way to protect these API's from misuse?
- Is there a way to prevent a malicious user from reverse engineering the app and potentially seeing the source code for it, enabling them to see my authentication scheme?
- If none of these are preventable, then is my only option to have a Username/Password cred specifically for the Android app, and when eventually hacked, change the creds and issue an update for the app?
Best Answer
In my opinion, talking about authentication, you could give a look to OAuth | http://oauth.net/.
I've recently implemented a RESTful service (using other techs, .NET/NancyFX). In my case the mobile app needs access to public available content (the same published in companion website). In a case like mine the real concern wasn't security but some sort of misuse.
I've protected my service using an API Key:
http://yourhost.com/api/{api-key}/xyz. Valid keys are stored in a persistent repository (in my case a mysql instance) and checked on every request. This worked great for me.You may also find this useful too | https://stackoverflow.com/questions/6004068/restful-api-keys-suggestions.