没有用户名/密码的Phonegap身份验证

i have a phonegap app and i want only my app users to access the api from where i am getting the data.

I am using php as my back end.

What i did was i created a key and was authenticating the key on the server. But the key is hard-coded in the app meaning someone can look at the code and figure out the key and pass it as a parameter and gain access to my api which i don't want.

Furthermore the key also be seen by using a proxy.

is there a way to dynamically generate the key on both the app and the server so it gets authenticated? Or some other way.

i don't want the user to give any kind of username/password.

i don't want the user to register or login..the user has no role in the authentication..i am authenticating the app.

Use RSA, the popular Algorithm in SSL/TLS. The point is a private key and public key pair.

Here's the library and example for PHP:

Encrypt and Decrypt text with RSA in PHP

And here's the library for Javascript:

RSA Encryption Javascript

And my personal suggestion: to negotiate a random key store in ram for later usage rather than use the key pair for all message exchange. Because it's a high workload for server(15times more than client). And you can define a object to store the session key in private member.

funciton keyStoreObject() {
    this.publicKey = ''; //this is public
    var sessionKey = ''; //this is private
    this.negotiate() = function () { sessionKey = 123456; //You can access private sessionKey }
    this.decypt = function (str) {...}; //And write your code here
}

and so create a instance:

var keyStore = new KeyStoreObject;
//so now you can
keyStore.negotiate();

About private member, read more here: http://javascript.crockford.com/private.html

Also, you need to implement a session key store on server side and including a expire time. For small instance, serialize() or SQLite can be used.

Actually, the sessionKey is not fully secure(in theoretically). A desktop browser can make DDoS attack. Human validation like captcha code can help you.

Yes sure this can be done,

But several things before you should start.

  • Create a new table to store all the api keys which we are going to generate per user when they are registering through the app.

PHP Side:

  • Grab users password or any unique thing Eg: UDID Andriod, in IOS they have restricted access to UDID and you might have to store some unique generated id in the keychain.
  • Then When we have the password and UDID you can put them together (or anyway you want) and encrypt with Sha1 (or any encryption algorithm) And save it to the api key table
  • Every time when a request hit on the api you can grab the api key from the header and validate it with the database and see.

App Side:

  • When the user login through the app if it is successful, pass the api key to the user and save it inside the app for further use.
  • Also when your going to request the data from the api you can retrieve the api key stored inside the app, Then put it as a header in the request and send.

Few Extra things:

  • Also you can create a private key on both sides (Server and App) then store it in the api key table and encrypt the request which is the server and app only knows using the private keys stored on both sides.
  • Also you can go for advance authentications like oAuth