Security is often an issue that arises when dealing with mobile devices. And as APIs have garnered increased importance with regards to mobile development, the need to create a secure API for that development becomes important as well. Here we examine the steps needed to create a secure API for mobile.
Inherently, all mobile devices are insecure. The approach to developing mobile apps is to secure all of the parts at play. APIs are an effective way to deliver solutions across multiple platforms -- think of Google Maps, one of the most popular API libraries -- and it is good to develop a secure API for mobile, ensuring it's locked down tight.
There are several steps to achieving a secure API. They include:
- Data at rest and data in transit. Your API will move data back and forth across the cloud and to devices. Leverage HTTPS to protect your data in transit and encrypt the data when at rest on the server and the client.
- API keys. Create APIs that require developer registration. The focus for API keys is to lock down and know which apps are using your APIs. The API key is unique to each developer and should be stored on your server in Base64 encryption.
- Oauth2. Oauth is a popular authentication format that has been improved with Oauth2, a token based authentication solution that is ideal for securing mobile
- JWT (JSON Web Token). Take security of your API over the top through the inclusion of a JWT, a new specification that gives you the tools to create random tokens that can be published to devices, expire at a specific time and can hold JSON information
The goal is to protect the data on the cloud server as it moves to the API; use tools that ensure the data is encrypted as it is stored on a device; and, finally, only show data with the correct authentication. This level of security is required for a secure API for mobile. Easy, right?
Securing APIs need to become a top IT priority
API security moves to center stage
OAuth speeds up application development
Six tips to accelerate your API production