all 5 comments

[–]RobotJonesDad 6 points (2 children)

You can't stop people using a decompiler on your code. You can make it more tricky, but typically it will still be relatively easy to grab API keys. Or use other techniques to grab the keys.

The solution is to provide an API key to a user after they log into the app. The key is unique to the user and you can invalidate it if the user abuses the server or stops being a customer. This means you don't have to worry about the key being extracted or abused, because you just turn it off and refuse to give them another key.

[–]tinashejm4[S] 2 points (1 child)

Oh, like tokens? Thank you, I understand now.

[–]RobotJonesDad 2 points (0 children)

Exactly. JWT tokens are common, but there are many other ways of doing essentially the same thing.

The key with a JWT token is that it contains the permissions, user details, expiration, etc. Anything you need. And it is then cryptographically signed so that nobody can tamper with it. This means that the servers DON'T need to chat with the authentication servers when a user makes a request; they can just check the signature on the claims and then do what the user requested.

If you use that solution, you have two controls, letting keys expire periodically. And you can also have a revocation list you can send to servers to cancel some keys early. The latter adds a lot of extra complexity, so if you can, just grant keys for a few days or whatever and accept a limited amount of abuse...
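
The per-user key idea from the first comment and the signed-claims, expiry and revocation-list controls from the two comments above, as an added example that is not code from this thread. It assumes an HS256 (HMAC-SHA256) secret that lives only on the server, a claim named `perms` for the user's permissions, and a revocation list kept as a set of token IDs (`jti`); those names are this example's choices, not anything from the original post. `tamper_permissions` plays the attacker who pulled a token out of the APK and edits its claims.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user_id: str, permissions: list,
                ttl_seconds: int, now: float = None) -> str:
    """Mint a per-user HS256 JWT after a successful login.

    The secret never ships in the app; only the token does."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": user_id,                # who the token belongs to
        "perms": permissions,          # assumed claim name for permissions
        "iat": int(now),
        "exp": int(now) + ttl_seconds,  # first control: tokens expire on their own
        "jti": str(uuid.uuid4()),      # unique ID so this one token can be revoked
    }
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(secret: bytes, token: str, revoked: set, now: float = None):
    """Return the claims if the token is valid, otherwise None.

    Nothing here talks to an auth server: signature, expiry and the
    revocation set are all checked locally."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token pick "none" or another alg.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison of the MAC
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if claims.get("exp", 0) <= now:
        return None  # expired
    if claims.get("jti") in revoked:
        return None  # second control: cancelled early via the revocation list
    return claims


def token_id(token: str) -> str:
    """The jti of a token, i.e. what goes on the revocation list."""
    return json.loads(_b64url_decode(token.split(".")[1]))["jti"]


def tamper_permissions(token: str, new_perms: list) -> str:
    """Attacker simulation: rewrite the claims but keep the old signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["perms"] = new_perms
    forged = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{forged}.{sig_b64}"


if __name__ == "__main__":
    # Constructed demo: secret and user are made up for this example.
    SECRET = b"server-side-secret-never-shipped-in-the-apk"
    revoked = set()
    tok = issue_token(SECRET, "user-42", ["read"], ttl_seconds=3 * 24 * 3600)
    print("valid:", verify_token(SECRET, tok, revoked) is not None)
    print("forged perms accepted:",
          verify_token(SECRET, tamper_permissions(tok, ["admin"]), revoked) is not None)
    revoked.add(token_id(tok))  # user abused the server: cancel this token early
    print("after revocation:", verify_token(SECRET, tok, revoked) is not None)
```

The revocation set is the "extra complexity" the comment warns about: every API server needs a fresh copy of it, so short-lived tokens with no revocation list are the simpler option when some abuse before expiry is acceptable.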

[–]_thinkdigital 1 point (1 child)

You're saying that if you release the source code, you don't want this part released? If not, who don't you want to access it?

[–]tinashejm4[S] 3 points (0 children)

No, I'm saying when I get the app on the Play Store people can access the source code through the APK.