Private API Publicly Accessible?


deshantm

Oct 4, 2012, 2:02:18 PM
to api-...@googlegroups.com
I'm just trying to understand how a private API is specifically defined.

Can the URI of a private API be publicly accessible (perhaps not published), or does the fact that the URI can be reached from the public Internet make it public?

For a bit of context: if we were to have public apps (web, mobile, or otherwise) that access our API, and the code uses the API URI, it could be implemented such that it uses the public URI. Does that imply it is a public API, or could it still be considered private?

Thanks,
Todd

Bill Wilder

Oct 4, 2012, 3:22:58 PM
to api-...@googlegroups.com
Todd - this is an increasingly important scenario: mobile apps and single-page web apps outside of a firewall need accessible endpoints to function.

These are clearly publicly visible. However, there is no law that says you need to document them publicly or support them for other than your own internal purposes.

They may be hard to lock down.

If your users need to have an account, you can choose to reject unauthenticated API calls as appropriate. (Think about Gmail - what could you do if you were not logged in?) This is not bullet-proof though - an otherwise legit user with credentials could potentially write their own application against your API, and your API won't be able to tell it isn't your app calling (assuming the calling application wishes it that way - emulating valid User-Agent and Referer headers, for example).

There are some measures you can take to discourage casual or unintended use of your API. You can check HTTP headers for user agent (is this really an iOS device?) and referrer (is this really coming from a page of my web app?), or even add a custom HTTP header (X-MyCompany-InternalUseOnly). If any of these are not as expected, your API could return something different - for example, a "this is an internal use only API" message. You could also use SSL to complicate discovery of how the API works.

But none of these are bullet-proof in the face of a motivated hacker; I'm not sure it is possible to really lock down an API that needs to be publicly visible and available to unknown clients.

-Bill



Jack Repenning

Oct 8, 2012, 8:12:20 PM
to api-...@googlegroups.com
On Oct 4, 2012, at 12:22 PM, Bill Wilder <coding...@gmail.com> wrote:

> There are some measures you can take to discourage casual or unintended use of your API.

We (https://api.cloudforge.com/api/1/doc) require every session to include a "developer key," which we issue, in addition to several kinds of authentication. The Developer Key is intended to identify who *wrote* the app, as distinct from who is *using* it. We advise our partners to use at least a little obfuscation when embedding the dev_key in their apps.

Nonetheless, I totally agree:

> But none of these are bullet-proof in the face of a motivated hacker

<><
Jack Repenning
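The layered checks Bill and Jack describe (require a login, require an issued developer key that identifies the app's author, look for a custom marker header, and sanity-check User-Agent and Referer), as an added Python example that is not code from the thread or from CloudForge. The developer-key header name, key values, client profiles and origin are constructed assumptions; only X-MyCompany-InternalUseOnly and the rejection message come from the thread.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed sample data: developer keys issued to two first-party clients,
# each with the header shape we expect from that client.
CLIENT_PROFILES = {
    "dk_ios_v1": {"name": "MyCompany iOS app", "ua_pattern": r"\b(iPhone|iPad)\b"},
    "dk_web_v2": {"name": "MyCompany web app", "referer_prefix": "https://app.example.com/"},
}
INTERNAL_HEADER = "x-mycompany-internaluseonly"  # header names compare case-insensitively
REJECT_BODY = "this is an internal use only API"


@dataclass
class Decision:
    allowed: bool
    reason: str
    client: Optional[str] = None  # which first-party client the request claims to be


def screen_request(headers: Mapping[str, str], user: Optional[str]) -> Decision:
    """Apply the thread's checks in order of strength: real authentication
    first, then the issued developer key, then header heuristics.
    Only the login check is a hard guarantee; the rest can be emulated by any
    client that sends the same headers, so they discourage rather than prove."""
    h = {k.lower(): v for k, v in headers.items()}
    if user is None:
        return Decision(False, "unauthenticated")
    profile = CLIENT_PROFILES.get(h.get("x-developer-key", ""))  # assumed header name
    if profile is None:
        return Decision(False, "missing or unknown developer key")
    if h.get(INTERNAL_HEADER) != "1":
        return Decision(False, "internal-use marker header missing", profile["name"])
    ua_pattern = profile.get("ua_pattern")
    if ua_pattern and not re.search(ua_pattern, h.get("user-agent", "")):
        return Decision(False, "user agent does not match client profile", profile["name"])
    prefix = profile.get("referer_prefix")
    if prefix and not h.get("referer", "").startswith(prefix):
        return Decision(False, "referer does not match web app origin", profile["name"])
    return Decision(True, "ok", profile["name"])


def response_for(decision: Decision) -> tuple:
    """Map a decision to (status, body). Rejected calls get the generic
    internal-use message rather than a detailed error that explains the checks."""
    return (200, "ok") if decision.allowed else (403, REJECT_BODY)
```

The order matters: the unauthenticated case is rejected before any header is inspected, so the heuristics never substitute for the account check.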
