Java – How do I secure this API in the APK file

I’m currently developing an API for the website I’m running. The API will be used in many places, one of which is Android applications.

Its purpose is to allow users to log in and download files. I have the API built and it will use HTTPS, so all data is fine when it comes to transmission.

The problem I’m having is that API calls require API keys. Using this key, you will be able to access some features of the API that may be causing problems.

What I’m wondering is, is there a way to secure this API key? I’m not an Android developer at all, but people use APIs on Android, so I need to come up with a solution.

The following is an example of the flow used by the API:

// Log the user in with their username and password (HTTPS, so not really an issue)
romhut.request('/api/users/login?apikey=KEY', {username : 'scott', password : 'password'}, function(r) {

    console.log(r);

    // Once you have the token, request the API key that allows actions such as downloading
    romhut.request('/api/files/download?apikey=KEY', {token : r.token, file : file}, function(d) {

        console.log(d);
        // Download the file

    }, 'POST');

}, 'POST');

Solution

No. Once you embed an API key into an Android application, you cannot secure it. The app needs access to the API key, so someone with access to the app will be able to recover that key from the app and use it for their own purposes. The best thing you can do is obfuscate your application and make reverse engineering harder (the goal is to make reversing your application harder for an attacker than is worth his time). You need to decide how much effort you need to put into this based on the risk of the exposed API key, but you can never make it unrecoverable; it will only become more difficult. In fact, your best bet is most likely to turn on ProGuard during your build process (so the content in the APK gets obfuscated to a considerable extent without you needing to do any work) and hope for the best.
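A release check that follows from the answer, as an added example that is not part of the original post: it looks for a known API key inside a built APK, entry by entry. ProGuard renames classes and members but leaves string constants as written, so a key compiled in as a literal still shows up after obfuscation. `SAMPLE_KEY`, the helper names and the archive contents are constructed for the demonstration.

```python
import io
import zipfile

# Constructed placeholder; pass the real key from your build secrets instead.
SAMPLE_KEY = "EXAMPLE-KEY-0000-not-a-real-key"


def find_embedded_secret(apk, secret):
    """Return the sorted names of APK entries whose contents contain `secret`.

    `apk` is a path or a binary file object. Entries are decompressed before
    matching, because searching the raw .apk bytes misses deflated files.
    """
    # An ASCII key appears byte-for-byte in the dex string pool; compiled
    # resources (resources.arsc) may store strings as UTF-16 instead.
    needles = {secret.encode("utf-8"), secret.encode("utf-16-le")}
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if any(needle in data for needle in needles):
                hits.append(info.filename)
    return sorted(hits)


def build_sample_apk(files):
    """Build an in-memory zip standing in for an APK (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    apk = build_sample_apk({
        # Class names renamed as an obfuscator would, literal left intact.
        "classes.dex": b"dex\n035\x00La/a;\x00" + SAMPLE_KEY.encode() + b"\x00",
        "resources.arsc": b"\x02\x00" + SAMPLE_KEY.encode("utf-16-le"),
        "assets/readme.txt": b"no secrets here",
    })
    found = find_embedded_secret(apk, SAMPLE_KEY)
    # A non-empty result means the shipped artifact carries the key verbatim.
    print("key found in:", found)
```

An empty result only means the key is not stored verbatim: a key that is split or encoded in the app will not match here, yet remains recoverable as the answer explains.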
