It is a big coincidence: last year I wrote a post about securing a RESTful API, and this year I faced the same challenge again, but this time, in Socivy, we actually implemented the things I mentioned in that post.
This semester, because of the price increases in our shuttle service, the old OzU-EMS, we as the Socivy team decided to do something about it. I attended the Student Union's meetings, where they came up with a solution: a call centre that finds drivers and passengers and matches them.
We thought that this was very inefficient and frustrating work. At that time it was necessary to do it manually, because there were no available solutions. At 00:30 AM we decided, why not, let's write something: a simple car-sharing app that has the popular stops in it and can send notifications to the passenger and the driver. I started the initial designs of the iOS app for it. Well, the whole development process is a long story, in which we did everything that could possibly go wrong and learned by doing. I am planning to write up the whole development process in detail some time.
After finishing our web site and hitting almost 6,000 page views, it was time to write an API for our system. Since privacy-related data (phone numbers, passwords, plate numbers etc.) is transferred throughout our system, we thought it was necessary to take some precautions. We put an SSL layer on both our web page and our API. However, we were uncertain about deciding:
- Saving email and password in the app or not.
- Sending the data over HTTP parameters or in headers
- Obfuscate or not (we were worried about decompilation of the Android APK packages)
- Storing our API keys inside the code or in a file or in an encrypted file
- Should we care about replay attacks that could exploit our API
Well, the first thing about security: your protocols should be hidden. It's very obvious that nobody knows how to do it best. By saying best, I know that it's impossible, but we don't want to leave our front door open to bad people. For this reason, sorry, I wish I could tell you all the technical details. 🙂
Even though it is not a commercial application, we wanted to build it to a level where it can compete with commercial ones in terms of security.
- SSL is necessary, for lots of reasons.
- You should send your parameters in POST data or HTTP headers, not in URL query parameters.
- Obfuscate it if you can. If you don't want your precious algorithm to be stolen, keep it on your remote server.
- Well, it depends. You should be aware that if someone installs your app and jailbreaks his/her iPhone, they can get access to any file that you ship with it. It's better to use an encrypted file instead of putting the keys inside the code.
- Even if you have SSL, replay attacks can still frustrate you. You need to find a way to eliminate them. You can put a timestamp in the API request, but it can be trivially changed by hand. I recommend finding a way to make requests expire; you may use tokens.
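The last point deserves a concrete shape. A timestamp alone can be edited by hand; what makes it useful is binding it, together with a one-time nonce, into an HMAC over the request so that neither can be changed without the signature breaking, and keeping a short-lived record of nonces so an intercepted request cannot be resent inside the freshness window. The following server-side check is an added example written for this post, not Socivy's own code: the header names, the `/v1/rides` path, the 60-second window and the shared secret are all constructed assumptions. It also follows the earlier advice by reading everything from HTTP headers rather than URL parameters.

```python
import hashlib
import hmac
import time
from typing import Dict, Tuple

# Constructed example secret. In a real deployment this would be a per-user
# secret (or token) issued by the server after login over TLS, never a
# constant compiled into the mobile app.
API_SECRET = b"example-secret-do-not-use"
WINDOW_SECONDS = 60  # assumed freshness window for a request


def sign_request(method: str, path: str, body: str, timestamp: int,
                 nonce: str, secret: bytes = API_SECRET) -> str:
    """Client side: HMAC-SHA256 over method, path, timestamp, nonce and body.

    Because the timestamp and nonce are inside the signed message, editing
    either one by hand invalidates the signature.
    """
    msg = "\n".join([method, path, str(timestamp), nonce, body]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side: verifies freshness, integrity and single use of a request."""

    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        self.seen: Dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def verify(self, headers: Dict[str, str], method: str, path: str,
               body: str, now: int = None,
               secret: bytes = API_SECRET) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])  # assumed header name
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        nonce = headers.get("X-Nonce")          # assumed header name
        sig = headers.get("X-Signature")        # assumed header name
        if not nonce or not sig:
            return False, "missing nonce or signature"

        # 1. Freshness: anything outside the window is rejected outright,
        #    so an old captured request cannot be replayed later.
        if abs(now - ts) > self.window:
            return False, "expired"

        # 2. Integrity: recompute the HMAC; constant-time compare avoids
        #    leaking how many leading characters matched.
        expected = sign_request(method, path, body, ts, nonce, secret)
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"

        # 3. Single use: drop nonces that have aged out of the window (they
        #    would fail step 1 anyway), then refuse any nonce seen before.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False, "replayed"
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    # Constructed request: a passenger posting a ride from a popular stop.
    guard = ReplayGuard()
    now = int(time.time())
    body = '{"stop": "Campus"}'
    nonce = "3f9a1c"  # constructed; a real client would use random bytes
    headers = {
        "X-Timestamp": str(now),
        "X-Nonce": nonce,
        "X-Signature": sign_request("POST", "/v1/rides", body, now, nonce),
    }
    print(guard.verify(headers, "POST", "/v1/rides", body, now=now))      # accepted
    print(guard.verify(headers, "POST", "/v1/rides", body, now=now + 5))  # same request again: replayed
```

The nonce cache here is an in-memory dictionary, which is enough for a single API server; behind a load balancer it would have to live in a shared store such as a database or cache so that every instance sees the same nonces. The window also has to tolerate clock skew between phones and the server, which is why the check uses the absolute difference rather than only rejecting timestamps in the past.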
Bonus: What is Socivy? How do you pronounce it? (It is not sokivay, soçayvi or sochaywi.)
Until next time!