API Security and Application Security!

Emre_Karci · February 24, 2023, 8:16am

Hello everyone! We are waiting for help from everyone regarding security issues in the mobile applications you made in Mit App Inventor 2 today!

1-MOBILE APP SECURITY
2-API SECURITY

If there are people or extension who can help with these issues, please share!

The AES and hack protect extension in this example are an example of a protected mobile application! if the hack is successfully passed through the protect extension, the API is being solved inside, how do you think such a method is experimented with AES data replacement?

BLOCKS:

Peter · February 24, 2023, 8:43am

What issues would that be?

Emre_Karci · February 24, 2023, 8:47am

No problem, I was just wondering your thoughts, what is the percentage of API key security in such an example?

Emre_Karci · February 24, 2023, 8:48am

What can be done for more security?

Peter · February 24, 2023, 8:52am

How should that be calculated? Everything is hackable, especially when you are putting the code inside your app, even when using the obfuscated text block.

You could put the code in a database somewhere and get it from there so it wouldn't be in your app.

Is there a special reason why you are asking this? Is this related to a project you are making that needs high security?

Emre_Karci · February 24, 2023, 8:54am

There is a financial project that I am really working on and I am dealing with vulnerabilities and trying to ensure the security of my API key and the application to protect the data of my users.

Emre_Karci · February 24, 2023, 8:55am

Please help!

Emre_Karci · February 24, 2023, 8:58am

I'm using Airtable and I have a lot of API keys the first priority is I pull the other API key from the server that can access the other user base from one base and process it like that, but I'm still worried!

Peter · February 24, 2023, 9:32am

How did you find these vulnerabilities? Did you extract the apk you build?

Gordon_Lu · February 24, 2023, 11:21am

Still, hackers would be able to obtain the URL of your database and still might access the data.

Peter · February 24, 2023, 11:26am

yusufcihan · February 24, 2023, 12:56pm

For these types of "critical" projects, I recommend building an API on your own, and require users to have an account before connecting anywhere. When your users register with your app, you can give them a unique ID in your API side, and require all connections to be bound to that ID, so if someone is using your API for "bad faith", you will know who is doing that, and you will be able to take the related action.

You are putting the encrypted data in the app, and decrypting in the app again. It just feels like leaving a house key under the mat.

It of course slows someone who wants to inspect the app, when compared to storing credentials in a single text block, however, unless credentials are stored outside your app, the chances to get your credentials exposed will stay the same.

Emre_Karci · February 24, 2023, 1:15pm

it's just an API key inside other important data APIs are pulled from the server and decrypted and used!

A problem comes from the server with the network capture, the API is solved and the request is sent, can it be hacked?