REST API authentication for mobile application iOS and Android

1
votes

I want to securely access the REST API(.net) through a mobile application(react-native). I had the following solutions but each one has its drawback. Can someone suggest me the solution to the problem?

1.

REST API: secure rest API with username & password.

Mobile App: send username and password with every rest API call.

Drawback: On reverse engineering username and password is obtained which is stored in the mobile application. The code was obfuscated and password was stored at places but hackers were successful to obtain password after doing certain efforts.

2.

REST API: auth 2 implemented

Mobile App: call Rest API to obtain Token for future use but the first time required to pass auth credentials to obtain token. Same problem username & password can be obtained by reverse engineering.

How we can move app secrets out of the app and can access REST API securely from the mobile application?

2
restreact-nativesecurityasp.net-web-apioauth-2.0
I prefer using Oauth 2. I used it on my react-native project. Lost your token is not like you lost your username and password. By using Oath2, if you lost your token, hacker can not do too much things with it. In addition, we can revoke token as need - Vu Luu
But how you obtained token for first use? did you pass username and password to the API? If yes where did you stored username &password? @VuLuu - devedv
I don't storage password. When user login, we create a POST request, . If hackers stole that request, they can not read username and password, because the credential was encoded. When user login success, you should storage Token only - Vu Luu
My app does not have a login but it creates a user on background with a unique ID on every install. - devedv

2 Answers

1
votes

You should look to implement the Authorisation Code Grant with PKCE.

Here is an example project doing something similar.

0
votes

Three things for you:

1) I would definitely recommend OAuth2 over repeatedly sending username-password. It's well understood and there are both open source and free commercial implementations available. On mobile, PKCE is very important to prevent Auth Code interception attacks.

2) Using HTTPS for your REST API calls is a given, but I would encourage you to pin those connections as well. An attacker can easily compromise a mobile device and man-in-the-middle your API calls otherwise. Pinning is tricky for React Native; take a look at the react-native-cert-pinner npm package and/or read Strengthen TLS in React Native through Certificate Pinning (Android) or iOS.

3) OAuth2 with PKCE won't stop an impersonation attack, and especially if you are creating users with trust-on-first-use, you will be even more vulnerable to bot attacks. You should do more than just simple API keys. I would recommend some well-obfuscated signing of API calls or, even better, some form of app attestation. For React Native, see First experiences with React Native: bridging an Android native module for app authentication or similarly for iOS.