3

So I've been searching a while about this whole private API keys security and I'm kind of confused about the approach I should take simply because I haven't found yet someone with the same particular issue/approach than mine is.

I'm developing an Android app that works through a third-party API which I gained access by requesting a private key. Now, 2 points:

  • my app doesn't request directly to the API I'm using, instead, it requests to a set of PHP files (hosted on the app website) I coded to simplify the requests and retrieved data from the API I'm using, lets call it a "sort of API", if you allow so. So, from the app only requests specifying what my sort of API should request to the original API are sent, and, in consequence of this, the requests doesn't need the original API private key, because I can store it in one of the php files and use when needed.
  • my app doesn't require the users to register their accounts, so I don't have any user IDs or names to work with in requesting.

So, from this you can see that I'm not trying to hide the API key in the app code neither I'm trying to use user ids and signatures to allow access to my sort of API and consecutively to the original API..

The thing is that despite of the fact that php code cannot be seen in the browser, it isn't impossible to do so in other manners, so I'm not secure in storing my key there either. So my question is simple, is this still the best approach for me to use to hide my private API Key or should I re-think the way I doing all this process?

Improve this question

2 Answers 2

Reset to default
5

If I understand you correctly, you don't want to store the API key in your public web folder, because it could then become publicly accessible under certain conditions.

The recommendation I've followed is store the API key in a file outside of the root web folder. You then require/include that file in the script in the public folder.

In a Linux environment, something like this: 

/var/www/your_script.php (public access)
/var/secure/api_key.php (private, web server doesn't access this directory)

in your_script.php

require_once 'api_key.php'; // example only, you will need to use the correct path
echo $api_key; // testing, you can use the key in the script

in api_key.php

$api_key = '15r723er8q5re';
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

that's actually pretty simple and exactly what I wanted, thanks!
0

Your app should connect to YOUR SERVER, which then sends information on behalf of your user to the API SERVER that requires the api key. The only time the api key should be transmitted is when YOUR SERVER talks to the API SERVER.

Improve this answer

3 Comments

That is what I've done.. Sorry if my question wasn't clear enough, going to edit it.
I don't see where your app would reveal your api code, if it only sends it to the api server.
I wasn't concerned about the app revealing the api code, but about someone doing a MITM attack and then (already knowing my request urls) using some sort of method to read the php file with the api key.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.