I have a PhoneGap app and I want only my app users to access the API from which I am getting the data.
I am using PHP as my back end.
What I did was create a key and authenticate the key on the server. But the key is hard-coded in the app, meaning someone can look at the code, figure out the key, pass it as a parameter and gain access to my API, which I don't want.
Furthermore, the key can also be seen by using a proxy.
Is there a way to dynamically generate the key on both the app and the server so it gets authenticated? Or some other way?
I don't want the user to give any kind of username/password.
I don't want the user to register or log in. The user has no role in the authentication; I am authenticating the app.
Use RSA, the popular algorithm in SSL/TLS. The point is a private key and public key pair.
Here's the library and an example for PHP:
Encrypt and Decrypt text with RSA in PHP
And here's the library for JavaScript:
And my personal suggestion: negotiate a random key stored in RAM for later use rather than using the key pair for every message exchange, because it's a high workload for the server (15 times more than the client). And you can define an object to store the session key in a private member.
```javascript
function KeyStoreObject() {
  this.publicKey = '';            // this is public
  var sessionKey = '';            // this is private (a closure variable, not a property)
  this.negotiate = function () {
    sessionKey = 123456;          // you can access the private sessionKey here
  };
  this.decrypt = function (str) { /* and write your code here */ };
}
```
and so create an instance:
```javascript
var keyStore = new KeyStoreObject();
// so now you can
keyStore.negotiate();
```
About private member, read more here: http://javascript.crockford.com/private.html
Also, you need to implement a session key store on the server side, including an expiry time. For a small instance, serialize()
or SQLite can be used.
Actually, the sessionKey is not fully secure (theoretically). A desktop browser can make a DDoS attack. Human validation like a captcha code can help you.
Yes, sure, this can be done,
but several things before you start.
PHP Side:
App Side:
Few Extra things: