
How to secure Web API for android/ios apps with basic authentication

I am trying to secure a Web API which will be used by a mobile app running on Android and iOS. The way it works now is with Basic Authentication with SSL: it sends the username and password with each request to the Web API. I validate the credentials in the Web API in a filter before the action is called. This works great. The problem is, after users log in I have to store the password on the device (Android/iOS) to save the session, or they will have to log in all the time. This isn't secure because if the device is hacked the credentials can be accessed. I'm looking for a way to use basic authentication without storing passwords on the device.

I think the solution in this article can work, but I am unclear how to make it work. In the accepted answer it says:

Generate a key for each of your apps and have them pass the key in each request as a token. Your server can then verify the key and authenticate the request.

Take a look at the Basic Authentication module from the ASP.NET site. The sample uses 'basic' as the authorization scheme but you can change it to use 'token' instead.

I am not clear exactly on the process here. In this example there doesn't seem to be any username/password involved, even during initial login. How would the user obtain the key without logging in? Then, what exactly is the "key" referred to in the quote? That could be anything, such as a Guid? I am also not understanding how this is any more secure than storing a username and password on the device if it is hacked. The hacker could use the "key" just as the username and password, correct?

That's the basics of authentication. I'll explain the process in a simplified way. Hope you understand.

  • User types name and password and taps login.
  • Device sends name and password to server.
  • Server authenticates and responds with a long random unique sequence of characters (aka the key).
  • Both device and server store the key.
  • All other requests use the key to authenticate.
  • For every call, the server checks if the key matches the one it has stored.
  • Device never stores the username or password.
  • Server can disable/delete that key if it suspects a breach, in which case the user will have to log in again.

Do all of this using encryption. Everything!
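The steps listed above as a minimal server-side sketch in Python. This is an added example, not code from the question or the answer, and it is deliberately language-neutral rather than the ASP.NET filter the question uses. The user table, salt and usernames are constructed sample data; the example assumes every call travels over TLS, as the answer's last line requires. The password is checked once, a random key is issued and only its hash is kept server-side, every later request is validated against that table, and a suspect key can be revoked.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample user store (hypothetical data, not from the post):
# passwords are kept as salted PBKDF2 hashes, never in plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"constructed-static-salt-for-demo"   # use a per-user salt in real code
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}

# Server-side key table: SHA-256 of the issued key -> (username, expiry).
# Only the hash is stored, so a leaked table does not yield usable keys.
SESSIONS: Dict[str, Tuple[str, float]] = {}
KEY_TTL_SECONDS = 24 * 3600

def _fingerprint(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

def login(username: str, password: str) -> Optional[str]:
    """Steps 1-3: check the credentials once and hand back a fresh random key."""
    stored = USERS.get(username)
    if stored is None:
        return None
    if not hmac.compare_digest(stored, _hash_password(password, _SALT)):
        return None
    key = secrets.token_urlsafe(32)          # long, random, unique
    SESSIONS[_fingerprint(key)] = (username, time.time() + KEY_TTL_SECONDS)
    return key                               # the device stores this, not the password

def authenticate(key: str) -> Optional[str]:
    """Steps 5-6: every later request carries the key; return its user or None."""
    entry = SESSIONS.get(_fingerprint(key))
    if entry is None:
        return None
    username, expires_at = entry
    if time.time() > expires_at:
        SESSIONS.pop(_fingerprint(key), None)  # expired keys are dropped
        return None
    return username

def revoke(key: str) -> bool:
    """Step 8: delete a key the server suspects has leaked; the user must log in again."""
    return SESSIONS.pop(_fingerprint(key), None) is not None
```

A device that only holds the key can be cut off with `revoke` without the user's password ever leaving the login call, which is the property the question is after.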
