The Ultimate Guide To Mobile API Security
by Randall Degges
March 23, 2015
Category: Mobile (https://stormpath.com/blog/category/mobile)
https://stormpath.com/blog/the-ultimate-guide-to-mobile-api-security?utm_campaign... 2017/01/19
M2JiNzQzYmJkNDVkNGViOGFlMzFlMTZiOWY4M2M5YmE6ZmZiN2Q2MzY5ZWI4NDU4MGFk
BUT WHERE?!
Access Tokens
Let’s talk about access tokens for a little bit. What the heck are they, anyway? Are they randomly generated numbers? Are they UUIDs (http://en.wikipedia.org/wiki/Universally_unique_identifier)? Are they something else? AND WHY?!

Great questions!
• A random number
• A random string
• A UUID
• etc.
• Issue it to a client,
• Verify that it was created by you (using a strong signature),
• And assign it an expiration time…

You’re golden!
But I can also verify that it is still valid because the JWT spec supports expiring tokens automatically. So when you’re using your JWT library in whatever language you’re writing, you’ll be able to verify that the JWT you have is valid and hasn’t yet expired (cool).
Now, once you’ve got a valid JWT, you can also do cool
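The three properties listed above (issue the token to a client, verify it carries your signature, give it an expiration time) and the expiry check described in this section are shown together in the following added example. This is not Stormpath’s code or a library the article recommends; it builds and verifies an HS256 JWT with only the Python standard library so the mechanics are visible, using a constructed demo secret and constructed subject and timestamp values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In a real service this comes from a secrets store,
# is never committed to source, and is rotated.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    # JWTs use unpadded base64url (RFC 7515, Appendix C).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_token(subject: str, ttl_seconds: int, secret: bytes = SECRET,
                now: Optional[int] = None) -> str:
    """Mint an HS256 JWT for `subject` that expires `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token was signed by us and is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    # Pin the algorithm: the token's own header must never decide how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a forger cannot learn signature bytes via timing.
    if not hmac.compare_digest(expected, signature):
        return None
    # Safe to trust the payload now: the signature proves we produced it unchanged.
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # missing or past expiry: the library does this check for you
    return payload


if __name__ == "__main__":
    # Constructed subject; a fixed clock makes the demo reproducible.
    tok = issue_token("user-123", ttl_seconds=300, now=1_000_000)
    print("fresh token :", verify_token(tok, now=1_000_100))
    print("after expiry:", verify_token(tok, now=1_000_300))
    print("wrong secret:", verify_token(tok, secret=b"other", now=1_000_100))
```

The two checks the article describes are the signature comparison and the `exp` comparison; the algorithm pin is the extra guard that keeps a token from being accepted under a weaker or absent algorithm. A production service uses its JWT library’s verify call, which performs the same steps.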
NOPE!!
In this section, we’re going to get into the nitty gritty and cover the entire flow from start to finish, with all the low-level technical details you need to build a secure API service that can be securely consumed from a mobile device.

First off, here’s how things will look when we’re done. You’ll notice each image has a little picture next to it. That’s because I’m going to explain each step in detail below.
=)
Simpler Solutions
As this is a high-level article meant to illustrate how to properly write an API service that can be consumed from mobile devices, I’m not going to get into language specific implementation details here — however, I do want to cover something I consider to be very important.
Hopefully this article has helped you figure out the best way to handle API authentication for your mobile devices. If you have any questions (this stuff can be confusing), feel free to email us directly (mailto:[email protected])!

-Randall