2
votes

I want to securely access the REST API(.net) through a mobile application(react-native) which has no login but a user is created on the background with a unique ID when the app is opened for the first time.

client app - which can be identified with some UID.

backend service - which the client app needs to call to retrieve some listings.

What would be the best practice to secure this backend service? I don't want to protect by login/password (because the client should not be required to "login" to retrieve the listings), however, I'd not want anybody easily to call this backend API and retrieve those listings for their own purposes.

Specification: the app has no login, so how can I obtain a token for first-time use and make the API secure?

REST API: secure rest API with username & password.

Mobile App: send username and password with every rest API call.

Drawback: on reverse engineering, the username and password stored in the mobile application are obtained. The code was obfuscated and the password was stored in various places, but hackers were successful in obtaining the password after some effort.

How can I send a secure call to REST-API since the app does not have a login and cannot send credentials over HTTP to obtain token?


2 Answers

1
votes

You cannot avoid that people reverse engineer and obtain your API key (or hard coded user/password combo). You can make it harder, for instance by enforcing HTTPS with Certificate Pinning during the communication with your server or applying IP based API rate limiting, such that people cannot easily spy on the communication or dump whatever your API returns en masse, but you cannot make it impossible. Expect people to always have the same privileges that your App (on their device) has. In your case, that means that an attacker could also generate unlimited UIDs, since they are generated by a client request. That makes using the UID for any kind of serious authentication pretty useless.

I mean, after all, an attacker could also write code to automatically use your app to extract the information you are trying to protect, even if he were not able to disassemble your application. What you are requesting is not possible.

0
votes

This looks very similar to your question REST API authentication for mobile application iOS and Android of a few days ago.

1) It sounds like user authorization is not the main issue here, but I would definitely recommend OAuth2 over repeatedly sending username-password. It's well understood and there are both open source and free commercial implementations available. On mobile, PKCE is very important to prevent Auth Code interception attacks.

2) Using HTTPS for your REST API calls is a given, but I would encourage you to pin those connections as well. An attacker can easily compromise a mobile device and man-in-the-middle your API calls otherwise. Pinning is tricky for React Native; take a look at the react-native-cert-pinner npm package and/or read Strengthen TLS in React Native through Certificate Pinning (Android) or iOS.

3) Using static API keys will be almost impossible to defend. If using OAuth2 as well, PKCE won't stop an impersonation attack, and especially if you are identifying users with trust-on-first-use, you will be very vulnerable to bot attacks. One step better than API keys would be to sign your API calls using your API key. That way, at least your API key is not visible in the API call itself. You need to add some entropy to prevent replay attacks, and obfuscating your API key in the app is critical. Better than that, use some form of app attestation that removes the API key from the app entirely. For React Native, see First experiences with React Native: bridging an Android native module for app authentication or similarly for iOS to get an idea of this approach.