Search Hashnode

Search posts, tags, users, and pages

Comment by Sergio on "How to build APIs that can be consumed only by my Android app?" | Hashnode

Thread

Sergio

Web Developer & curious mind

May 27, 2016

Well, I think one point is to have a secret token inside your APP, that only you and your endpoint API knows, for other side you can check a header that is sending the operating system of the user and check if is an android device.

For other side why you only want the API only used by the android app?

Ivan Bernatović

Full stack web developer

May 27, 2016

Is that secret key really safe? Can someone capture network traffic on that device and analyze request headers and payload?

As for why I want to make it private, it's not mandatory at this stage. I'm just experimenting with stuff I'm not doing every day and I'm curious how to handle that kind of problem. Since I must develop an Android app for college project, why not doing it the proper way and learn new things along the way :)

Sergio

Web Developer & curious mind

May 28, 2016

Yes, always have the problem of the sniffers, but for the moment i don't have more ideas about making an private API only for one kind of device, another thing is maybe change the secret every request, but i think this is a little more complicated to implemend

Sriraman

Software Engineer @ LifeOn24

May 29, 2016

If you want to make it more secure. Just encrypt the request time with some secret string when you are sending the key from Android phone to Server. In server decrypt it by using the same secret string. If the request time is old, then block the access. Even, If some hacker finds the key. It will be invalid in few seconds.