How to keep my Rest Api safe from being requested by modified apps?


#1

I am using Node.js as a backend REST API, but I feel my app is very insecure at the moment. If someone gets my .apk, for example, he can modify some code and send notifications to users, for example.

Is there a way to get the app credentials from the client and check if they match those I keep on my server side?

I think this article has the solution, but I don’t know how to apply it to my react-native/expo configuration.

What about ios security?

Any suggestions?


#2

There’s nothing really Expo/React Native-specific about securing a REST API. Your REST API is just a web application. It needs to be secured like any other web application. You’ll want a login endpoint that accepts a username/password (or redirects to a social login) and returns a session ID or a token that can later be sent with each request. If your login endpoint returns a Set-Cookie header with a session ID, then that session ID cookie will be passed automatically to all future requests. You’ll want to use a standard library in your API to handle all this. Writing your own authentication/security code is not recommended. These problems have been solved many times and lots of well-tested solutions are available regardless of programming language.

There’s also very little you can do to prevent your API from being called by an unauthorized client, be that a version of your app that has been modified, another app, or someone using Postman to contact the API directly. Hence, it’s really important that your API only permits actions someone would be able to take with your application. For instance, if a user is not allowed to delete another user’s comments, don’t expose an API endpoint that lets any user delete any comment.

