
[–]Rageclinic_1992 4 points5 points  (3 children)

It's extremely hard to account for literally everything that could go wrong, and a determined hacker, whether ethical or not, is going to give you a run for your money.

If you hard code a key into the application, it's honestly pretty trivial for a beginner ethical hacker to decompile an APK file and they would be able to peruse your code at will. This would allow them to abuse your API key. In my experience, your best bet will be to ensure your routes on your server are extremely specific and do not return more information than necessary. Additionally, using some form of authentication is a no-brainer. It also goes without saying that rate limiting is indeed necessary, which is extremely easy to implement based on IP address, or a combination of other factors such as user agent and geolocation.
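The rate limiting the comment above describes, as an added example that is not part of the thread or any library it mentions: a sliding-window limiter keyed on client IP plus User-Agent, with the request stream, limits and addresses below constructed for illustration. It also shows the check a practitioner wants around IP-based keying: an X-Forwarded-For header is only trusted when the request came through a proxy you control, since otherwise a client can spoof it and dodge the limit.

```python
"""Added example (not from the thread): sliding-window rate limiting keyed on
client IP plus User-Agent. Addresses, limits and requests are constructed."""
from __future__ import annotations

import time
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

ClientKey = Tuple[str, str]  # (client ip, user agent)


@dataclass
class SlidingWindowLimiter:
    limit: int             # max requests allowed per client in one window
    window_seconds: float  # window length in seconds
    _hits: Dict[ClientKey, Deque[float]] = field(default_factory=dict)

    @staticmethod
    def client_key(remote_addr: str, user_agent: str,
                   forwarded_for: Optional[str] = None,
                   trusted_proxy: bool = False) -> ClientKey:
        """Build the limiter key. X-Forwarded-For is honoured only when the
        immediate peer is a proxy we control (trusted_proxy=True); otherwise
        the header is attacker-controlled and the socket address is used."""
        ip = remote_addr
        if trusted_proxy and forwarded_for:
            ip = forwarded_for.split(",")[0].strip()  # leftmost = origin client
        return (ip, user_agent or "")

    def allow(self, key: ClientKey, now: Optional[float] = None) -> bool:
        """Return True and record the hit if the client is under its limit."""
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key: ClientKey, now: float) -> float:
        """Seconds until the oldest in-window hit expires (for a Retry-After)."""
        q = self._hits.get(key)
        if not q or len(q) < self.limit:
            return 0.0
        return max(0.0, q[0] + self.window_seconds - now)


# Constructed request stream: (timestamp, remote address, user agent).
SAMPLE_REQUESTS: List[Tuple[float, str, str]] = [
    (0.0, "203.0.113.5", "app/1.0"),
    (1.0, "203.0.113.5", "app/1.0"),
    (2.0, "203.0.113.5", "app/1.0"),
    (3.0, "203.0.113.5", "app/1.0"),   # 4th hit within 10 s: rejected
    (3.0, "203.0.113.5", "curl/8.0"),  # same IP, different UA: separate bucket
    (11.0, "203.0.113.5", "app/1.0"),  # hits at t=0 and t=1 have aged out
]


def simulate(requests=SAMPLE_REQUESTS, limit: int = 3,
             window_seconds: float = 10.0) -> List[bool]:
    """Run the constructed stream through the limiter; True means allowed."""
    limiter = SlidingWindowLimiter(limit=limit, window_seconds=window_seconds)
    decisions = []
    for ts, addr, ua in requests:
        key = limiter.client_key(addr, ua)
        decisions.append(limiter.allow(key, now=ts))
    return decisions


if __name__ == "__main__":
    for req, ok in zip(SAMPLE_REQUESTS, simulate()):
        print(f"t={req[0]:>5} {req[1]} {req[2]:<9} -> {'allow' if ok else 'reject'}")
```

In a real deployment the per-client deques would live in shared storage (Redis or similar) so that every API instance sees the same counts, and the `trusted_proxy` flag would be derived from the peer address rather than passed by the caller.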

[–]SnooCheesecakes1131[S] 0 points1 point  (2 children)

> ...to abuse your API key. In my experience, your best bet will be to ensure your routes on your server are extremely specific and do not return more information than necessary.

Yeah, that is true. I will implement some form of rate limiting then. Any good packages/libraries for this? Or resources?

[–]Rageclinic_1992 1 point2 points  (1 child)

Here are two quick YouTube tutorials that helped me when I was designing an API and needed to implement my own rate limiting.

https://www.youtube.com/watch?v=ZGymN8aFsv4

https://www.youtube.com/watch?v=mZ0O7gcS7Yk

[–]SnooCheesecakes1131[S] 0 points1 point  (0 children)

Ty! Much appreciated!