Question
I am testing an iOS application developed using Xamarin.iOS. I have APIs in it. Since the app is still in very early stage of development, the API URL is accessible from the Internet.
How do I secure the API URL in the iOS application so that user will not able to post or delete by guessing the API URL?
Answer
In general ideal, API users will get their own credentials. Let’s say you have a user with a username of john.smith and a password of 12345.
The john.smith user makes one initial request to the API, providing his username/password, and the server checks to see if the credentials are correct. If they are, then the server generates a token of some kind. There are different tokens, like JWT, but for simplicity’s sake, let’s just say it’s a unique string like a GUID or something, like “f3ef72e4-6adf-4f6d-a2aa-c948dc15955e”.
Whatever that token is, it is created on the server and associated with that user in some way (e.g. a record in a database table or something saying that “john.smith” = “f3ef72e4-6adf-4f6d-a2aa-c948dc15955e”) and is then returned to the user.
From there, all the other API requests will not send username/password but will instead pass the token as part of their API requests.
When the server receives an API request, it can check to see if that token is valid, who it belongs to, what permissions they should have, etc… and then it can process the API request if everything is valid.
Often times these tokens are passed within cookies or HTTP headers, so the tokens don’t show up in any logs and do not make the body of the API request messy.
After a certain period of time, the token won’t work anymore (when you generate it, you can store a date/time to indicate how long the token can work for), and the user will have to generate a new one with their credentials.
There are a variety of types of tokens – JWT is a very popular format, so it’s up to you to choose the right type for your API.
Firstly, get the basic idea at: Overview of ASP.NET Core Security | Microsoft Docs
This article will help preventing issue as you move forward with the implementation.
You may also read: JSON Web Tokens – jwt.io
After that, follow the steps given here to secure your APIs: Secure ASP.NET Core API with JWT Authentication – Detailed
Refer to this article for how to implement refresh tokens, How to Use Refresh Tokens in ASP.NET Core APIs – JWT Authentication
Note: Remember to go through the steps carefully and keep in mind that these are just sample code and you will have to make appropriate changes to make them useful for PROD scenario.
