I am currently developing an api for a website i run. The api will be used in a number of places, and one of those places is an Android app.
It’s purpose is to allow users to login, and and download files. I have the api build, and it will be using HTTPS so all of the data is fine when being transferred.
The issue i am having is that the API calls require an API key. With this key you will be able to have access to certain functions of the API that may cause issues.
What i was wondering, is there a way to secure this API key? I am not an Android developer at all, but people will be using the API that are on Android so i need to work out a solution.
Below is an example of the flow that the API uses:
// Log the user in with their username and password (HTTPS, so not really an issue)
romhut.request('/api/users/login?apikey=KEY', {username : 'scott', password : 'password'}, function(r) {
console.log(r);
// Once you have the token, request the API key that allows actions such as downloading
romhut.request('/api/files/download?apikey=KEY', {token : r.token, file : file}, function(d){
console.log(d);
// Download the file
}, 'POST');
}, 'POST');
No. You cannot protect the API Key once you embed it into an Android application. The app needs access to the API Key, so someone with access to the app will be able to recover that key from within the app and use it for their own purposes. The best you can do is to obfuscate your app so that reverse engineering it is more difficult (the goal is to make it more difficult for the attacker to reverse your app than is worth his time). You need to decide how much effort in this regard is called for, based on the risk of an exposed API Key, but you can never make it impossible to recover, just more difficult. In reality, your best bet is most likely to turn on Proguard during your build process (so things are obfuscated to a decent degree in the APK with no work on your end) and hope for the best.