Secure REST API without User Authentication

I know this is very similar to an older ionic-1 post, but I thought maybe it needs a refresher. So I have an app which a few commentators/reviewers felt would benefit from just having it as a paid app and not require any type of user registration/login.

My issue with this is the RESTful API calls to the backend server. How can we make sure it’s just our app calling the API method? I honestly don’t see how it could be done other than embedding a Secret Key or something inside of the app…but that could easily be sniffed out.

Ideally, it would be great if there was a self generating token inside of the app itself which could then be somehow authenticated by the API backend much like we do when using Firebase tokens.

I’m open to any suggestions, but I really don’t see how this really could be done securely and allow us ways to “change” the SecretKey to make sure they are an authorized user of the app. Personally I think registration for any platform these days is pretty much expected and I think the posters are a bit unrealistic, but again…open to any thoughts on this subject.

You could connect a license key or other transaction ID with a device ID. Then you would be able to detect abuse if someone were spoofing the device ID – using the database from two points simultaneously, or making a query from London an hour after making a query from Singapore.
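The abuse checks the reply above describes (one license key showing up from two device IDs, or from two places too far apart for the elapsed time), as an added server-side example that is not from this thread; the log records and the 1000 km/h "impossible travel" threshold are constructed assumptions.

```python
# Added example: flag suspicious use of a license key bound to a device ID.
# Assumptions: constructed log records; MAX_KMH is a hypothetical threshold.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0  # assumption: faster than any airliner counts as impossible travel

# Constructed sample log: (UTC timestamp, license key, device id, lat, lon)
LOG = [
    ("2024-01-01T10:00:00", "LIC-123", "dev-a", 51.5074, -0.1278),    # London
    ("2024-01-01T11:00:00", "LIC-123", "dev-a", 1.3521, 103.8198),    # Singapore, 1 h later
    ("2024-01-01T12:00:00", "LIC-456", "dev-b", 40.7128, -74.0060),   # New York
    ("2024-01-01T12:00:30", "LIC-456", "dev-c", 40.7128, -74.0060),   # same key, other device
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def find_abuse(log, max_kmh=MAX_KMH):
    """Return (license, reason) for each consecutive request pair that looks spoofed."""
    flags = []
    last = {}  # license key -> (datetime, device id, lat, lon) of its previous request
    for ts, lic, dev, lat, lon in sorted(log):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        if lic in last:
            prev_t, prev_dev, plat, plon = last[lic]
            if dev != prev_dev:
                flags.append((lic, "license used from two device IDs"))
            hours = (now - prev_t).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_kmh:
                flags.append((lic, f"impossible travel: {km:.0f} km in {hours:.2f} h"))
        last[lic] = (now, dev, lat, lon)
    return flags

if __name__ == "__main__":
    for lic, reason in find_abuse(LOG):
        print(lic, reason)
```

In practice the location would come from the request's source IP via a geolocation lookup, and a flag would trigger review or throttling rather than an immediate ban.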

That’s an intriguing proposal. You’re making the correct assumption that what we’d be serving back is really not something so private it would be devastating if a few thousand spoofed items gained access to the calls.

I might try that out tonight and see how that looks. Thanks for the quick reply.