Can the API key be monitored on network traffic?

Time:08-05

I am building a mobile app and I was wondering if my API key can be seen when I make a GET request to my database through the API?

What I am currently doing is making an HTTP GET request where one of the params is the API Key. So if any user were to see this URL, they also can fetch this data.

Can any user see this URL being sent? I am doing this through the Flutter HTTP package.

CodePudding user response:

Yes, if you are not using SSL you are sending everything in plain text, which can be intercepted. If you are using SSL, your URL can still be stored in logs on the API server, so instead of sending the key in a query parameter, use a POST request and append the key in a custom header or form parameters.
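The log-leak the answer above describes, as an added example that is not part of the original post. It is in Python rather than Dart because the behaviour being shown is server-side and language-agnostic: a typical access log (Common Log Format / nginx "combined" style) records the request line, i.e. method, path and query string, but not request headers or body. The `Request` class, the log writer and the key value are hypothetical stand-ins, and the sample key is constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit

API_KEY = "sk_test_CONSTRUCTED_EXAMPLE_KEY"  # constructed sample value, not a real key


@dataclass
class Request:
    """Minimal stand-in for an outgoing HTTP request (hypothetical)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def request_with_key_in_query(base_url: str, api_key: str) -> Request:
    # The pattern from the question: GET /items?api_key=...
    return Request("GET", f"{base_url}/items?{urlencode({'api_key': api_key})}")


def request_with_key_in_header(base_url: str, api_key: str) -> Request:
    # The pattern the answer recommends: key in a custom header, URL stays clean.
    return Request("GET", f"{base_url}/items", headers={"X-API-Key": api_key})


def request_with_key_in_form_body(base_url: str, api_key: str) -> Request:
    # The other variant the answer mentions: POST with the key as a form parameter.
    return Request(
        "POST",
        f"{base_url}/items",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        body=urlencode({"api_key": api_key}),
    )


def access_log_line(req: Request, status: int = 200) -> str:
    """Format what a typical server access log keeps for this request.

    Only the request line (method, path + query, protocol) is logged;
    headers and body are not. Client IP, timestamp and size are constructed.
    """
    parts = urlsplit(req.url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (
        f'10.0.0.5 - - [05/Aug/2022:10:00:00 +0000] '
        f'"{req.method} {target} HTTP/1.1" {status} 512'
    )


def key_leaks_to_log(req: Request, api_key: str) -> bool:
    """True if the key value would be persisted verbatim in the access log."""
    return api_key in access_log_line(req)


if __name__ == "__main__":
    base = "https://api.example.com"  # hypothetical host
    for build in (request_with_key_in_query,
                  request_with_key_in_header,
                  request_with_key_in_form_body):
        req = build(base, API_KEY)
        print(f"{build.__name__:32} leaks={key_leaks_to_log(req, API_KEY)}")
        print("   ", access_log_line(req))
```

Note that TLS does not change this picture: the server decrypts the request before it writes the log line, so the query-string variant leaks the key even over HTTPS, which is the point the answer makes.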

CodePudding user response:

Sensitive Data in URLs

What I am currently doing is making an HTTP GET request where one of the params is the API Key. So if any user were to see this URL, they also can fetch this data.

Using sensitive data, like API keys, as a URL query parameter was made popular by many internet services since the early days, thus a lot of tutorials and docs use this approach; this is a huge disservice to the security of any application, but a huge gain in terms of developer convenience.

Keeping sensitive data in a URL query parameter is a security disaster waiting to happen at any moment, but it's the type of disaster that happens and you don't notice until it is too late, like when you discover you have been data-breached because an attacker was able to get the API key from the log server that was left open to the public, or because you use a CI/CD pipeline that logs them by design (yes, a famous one does that).

The correct place for an API key is in a header in the request, not in a URL parameter or a POST parameter; it can still end up in your log server, but it is less likely.

Extracting an API Key with a MitM Attack

I am building a mobile app and I was wondering if my API key can be seen when I make a GET request to my database through the API?

Yes, it can be seen and extracted from your mobile app binary or by intercepting the API requests made through HTTPS, also known as a Man in the Middle (MitM) attack.

Can any user see this URL being sent? I am doing this through the Flutter HTTP package.

To see how this can be easily achieved with a MitM attack, I invite you to read the article Steal that Api Key with a Man in the Middle Attack:

In order to help demonstrate how to steal an API key, I have built and released on GitHub the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to set up and run a MitM attack to intercept HTTPS traffic on a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

If you want to learn more about API and Mobile security then I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
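What the MitM described in the answer above actually sees, as an added example that is not part of the original answer or of the linked article. Once a device under the attacker's control trusts the proxy's CA, TLS terminates at the proxy and every request is in clear text there, so the key is exposed whether the app put it in the query string or in a header. The two captures are constructed, the host, header name and key value are hypothetical, and the parser is a deliberately small one for HTTP/1.1 request heads, not a replacement for a real proxy.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed captures, as an intercepting proxy would see them after TLS
# termination. Host, User-Agent and key value are hypothetical.
CAPTURE_KEY_IN_QUERY = (
    b"GET /v1/items?api_key=sk_test_CONSTRUCTED_EXAMPLE_KEY HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"User-Agent: Dart/2.17 (dart:io)\r\n"
    b"Accept: application/json\r\n"
    b"\r\n"
)
CAPTURE_KEY_IN_HEADER = (
    b"GET /v1/items HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"X-API-Key: sk_test_CONSTRUCTED_EXAMPLE_KEY\r\n"
    b"User-Agent: Dart/2.17 (dart:io)\r\n"
    b"Accept: application/json\r\n"
    b"\r\n"
)

# Parameter and header names commonly used to carry API credentials
# (an illustrative list, not an exhaustive one).
KEY_QUERY_NAMES = {"api_key", "apikey", "key", "token", "access_token"}
KEY_HEADER_NAMES = {"x-api-key", "api-key", "authorization"}


def parse_http_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive; the body, if any, is ignored here.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_api_keys(raw: bytes) -> dict:
    """Return every credential-looking value in the request, keyed by where it was."""
    _method, target, headers = parse_http_request(raw)
    found = {}
    # Query string: the pattern from the question.
    for name, values in parse_qs(urlsplit(target).query).items():
        if name.lower() in KEY_QUERY_NAMES:
            found[f"query:{name}"] = values[0]
    # Headers: the pattern the answers recommend. Still visible to the proxy.
    for name in KEY_HEADER_NAMES:
        if name in headers:
            found[f"header:{name}"] = headers[name]
    return found


if __name__ == "__main__":
    for label, capture in (("key in query", CAPTURE_KEY_IN_QUERY),
                           ("key in header", CAPTURE_KEY_IN_HEADER)):
        print(f"{label:14} -> {extract_api_keys(capture)}")
```

The takeaway matches the answer: moving the key out of the URL fixes the logging problem but not the interception problem, which is why the answer points to hardening and shielding the app and the API server rather than to where the key is placed.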
