android - 如何在没有人窃取 token 的情况下使用我的移动应用程序中的 API

Question

我正在构建一个使用 OpenAI 的应用程序接口(interface)

他们为我提供了一个 API token ，我用它来从我的 Android 移动应用程序进行 API 调用( react native )

我知道将此 API token 存储在移动客户端上是一种不好的做法，因为攻击者可能会保留它并使用我的配额和金钱。

我有哪些选择？简单的解决方案是构建后端，但我不想开始实现所有原始 API 方法，我只是更喜欢直接从客户端使用它。

我曾尝试以无法找到的方式存储 token ，但找不到方法。

Answer 1

你的问题

They provide me with an API token which I use to make the API calls from my android mobile app (react native)

I know it is a bad practice to store this API token on the mobile client because attackers might still it and use my quota and money.

是的，这确实是一种非常糟糕的做法，但至少你意识到了风险，虽然很多人使用这种方法却没有意识到攻击者获取这些 secret (Api token 、API key ，无论你叫什么)有多么容易他们)。

在我撰写的一系列关于移动 API 安全的文章中，我展示了使用静态分析和 MitM 攻击是多么容易:

How to Extract an API key from a Mobile App with Static Binary Analysis :

The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus in using the Mobile Security Framework(MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

During this article we will use the Android Hide Secrets research repository that is a dummy mobile app with API keys hidden using several different techniques.

一些攻击者更喜欢直接进行 MitM 攻击，因为他们将了解应用程序如何与 API 后端通信并提取所使用的 secret ，以及他们发出请求和解析响应所需的蓝图。

Steal that Api Key with a Man in the Middle Attack :

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

可能的解决方案

反向代理

The trivial solution is to build a backend but I don't want to start implementing all the original API methods, I just prefer to use it directly from the client.

你不需要，你只需要你的后端代理你在你的移动应用程序上使用的第三方 API 的请求，在你的情况下，这似乎只适用于 OpenAPI。

例如，当您的移动应用需要向 openapi.io/some/resource 发出请求时，它会将请求发送到 your-reverse-proxy.com/some/resource 然后将获取 /some/resource 部分并构建对 OpenAPI openapi.io/some/resource 的请求，向其中添加 API token header ，即现在它已安全地存储在您的反向代理服务器中。

Using a Reverse Proxy to Protect Third Party APIs

In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app.

A recurring theme in this article was the advice not to access Third Party APIs directly from a mobile app. As we have discussed, once your mobile app is released any secret in it becomes public, thus up for grabs by attackers to use on your behalf. If you are not careful you will be the one paying the bill or finding that your free tier resources have been exhausted by someone else.

这种方法的缺点是您仍然有一个需要保护的 API key ，用于访问反向代理的 key ，但至少您没有暴露您的 OpenApi secret ，并且您可以使用多种机制来限制请求并确保对您的反向代理的安全访问，以确保仅响应来自您的移动应用程序的真实且未修改实例的请求。

运行时 secret 保护

您可以设计或使用现成的机制，以便在需要在向 OpenAPI 发出的 API 请求中使用 secret 时，及时将 secret 传送到您的移动应用程序，但您需要确保 secret 仅交付给您的移动应用程序的真实且未修改的实例，这些实例未受到 MitM 攻击，在运行时被 Frida 等工具篡改/检测，否则您的 secret 很容易通过 Hook 到将它们添加到API 请求中的 header 或通过 MitM 攻击拦截请求，即使通信 channel 通过证书固定进行保护，因为在攻击者控制的设备中绕过它并不难。

在my reply问题Storing Api Keys Securely in Flutter or Sending Payment Details to my Server?我将更详细地介绍运行时 secret 保护方法。

您想加倍努力吗？

在任何对安全问题的回答中，我总是喜欢引用 OWASP 基金会的出色工作。

APIS

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

对于移动应用

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide :

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.