Security in mobile APIs: OAuth 2.0 vs basic HTTP access authentication

3 min reading
APIs , Cybersecurity / 20 September 2018

BBVA API Market

Using a sound credential and authentication system is vital to the security of an API. OAuth 2.0 has become the standard protocol for securing mobile APIs and for issuing the credentials with which native applications are launched.

Mobile application developers increasingly build new products on top of mobile APIs that supply the services their apps need. Either the app being designed needs access to a REST API that exposes specific services, or a REST API has to be written so that particular apps can consume those services. In either case, teams are more and more often required to develop mobile APIs, and their security, as with any other API, is an essential element.

Unless the API is completely open (rare nowadays, but not unheard of), anyone who wants to use it will normally have to identify themselves by some specific method. Using a sound credential and authentication system is vital to the security of an application programming interface, whether it is a traditional API for desktop projects or one built specifically for mobile apps.

Authentication methods with mobile APIs

We have discussed before how API authentication methods have evolved over time into the one most commonly used today, OAuth, whose current version is OAuth 2.0. We also looked at how open APIs based on OAuth 2.0 have become a de facto standard in the current interface market. Strictly speaking, OAuth 2.0 is an authorization framework (it issues access tokens) rather than an authentication protocol, but in practice it is the mechanism through which mobile clients obtain their credentials. Is it the only option? No: the older alternative is HTTP basic access authentication, based on a username and password. We will start with this simpler method, which is less used today:

Basic authentication is stateless: the client has to attach the credentials to every request. To avoid asking for the username and password on each access, a browser keeps them in memory for the rest of the session (there is no standard expiry), and an API client simply re-sends the same header on every call. That is precisely the weakness of the method: the long-lived secret travels with every request.

What does basic HTTP access authentication look like in the real world?

1. The credential provided to a third-party developer who wants to connect to a mobile API is a username (or API key identifier) together with a secret password (or API secret), which must be kept confidential.

2. This secret is kept in a secure store on the server, ideally as a salted hash rather than in clear, so that a leak of the database does not expose it.

3. For every request to a service exposed by the API, the developer places the credential in the HTTP Authorization header after the word Basic, as the base64 encoding of username:password (RFC 7617). The server decodes the header, looks up the user and checks the password. Base64 is an encoding, not encryption: anyone who can read the header can recover the password, which is why the request must travel over TLS.

GET /private/index.php HTTP/1.1
Host: example.com
Authorization: Basic dXNlcjpwYXNzd29yZA==

Here dXNlcjpwYXNzd29yZA== is simply base64("user:password").
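The request above, worked through on both sides, as an added example (not code from the original article or from BBVA): the client builds the header, the server parses it and checks the password against a salted PBKDF2 hash with a constant-time comparison, and the same parser shows what an eavesdropper on a non-TLS link learns. The user "alice", her password and the request are constructed sample data; the hashing parameters are an assumption, not a BBVA setting.

```python
import base64
import binascii
import hashlib
import hmac
import os


def build_basic_header(username: str, password: str) -> str:
    """Client side (RFC 7617): "Basic" + base64(username ":" password).
    Base64 is a reversible encoding, not encryption."""
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_header(header: str):
    """Server side: return (username, password), or None for a malformed header.
    A username cannot contain ':', but a password can, so split on the first one."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """The server stores only salt + PBKDF2-HMAC-SHA256 digest, never the secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed credential store with a single developer account (assumption).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, hash_password("s3cret-pa:ss", _ALICE_SALT))}
_DUMMY_SALT = os.urandom(16)  # unknown users cost the same time as known ones


def authenticate(header: str):
    """Return the authenticated username, or None if the header is bad or wrong."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    username, password = parsed
    salt, stored = USERS.get(username, (_DUMMY_SALT, b"\x00" * 32))
    candidate = hash_password(password, salt)
    # Constant-time comparison; a plain == comparison leaks through timing.
    if username in USERS and hmac.compare_digest(candidate, stored):
        return username
    return None


def handle_request(raw_request: str):
    """Pull the Authorization header out of a raw HTTP/1.1 request and check it.
    A None result means the API should answer 401 with WWW-Authenticate: Basic."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return authenticate(value.strip())
    return None


if __name__ == "__main__":
    header = build_basic_header("alice", "s3cret-pa:ss")
    request = (
        "GET /private/index.php HTTP/1.1\r\n"
        "Host: example.com\r\n"
        f"Authorization: {header}\r\n\r\n"
    )
    print(header)
    print("server authenticated:", handle_request(request))
    # Anyone who saw this header in transit or in a log needs nothing more:
    print("eavesdropper recovers:", parse_basic_header(header))
```

Note that the same parse_basic_header call the server uses is all an attacker needs to turn a captured header back into the password, and because the header is repeated on every request, a single logged or intercepted call is enough.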

The OAuth 2.0 process, as used by a native app that exchanges the user's credentials for a token, is as follows:

1. A user launches a native application and is asked for a username or email address and a password to identify themselves.

2. The app sends this credential to the API's token endpoint in a POST request. POST keeps the secret out of the URL, and therefore out of browser history and proxy or server logs, but it is TLS (Transport Layer Security, the successor to SSL) that actually protects the data in transit: TLS authenticates the server and encrypts the connection, so the credentials cannot be read or altered on the way.

3. The server validates the user's credentials and creates an access token on the fly. The token expires after a set time and can be revoked earlier if the user or the developer responsible for the API believes it has been compromised.

4. The token is stored on the device, in the platform's protected storage (the iOS Keychain or the Android Keystore, not plain preferences or files), and is attached to later calls to the API services the application relies on. The password itself is therefore sent only once.

This is the OAuth 2.0 resource owner password credentials grant, which is acceptable for a first-party app that the API provider trusts with the password. For third-party apps, the recommendation for native clients (RFC 8252) is the authorization code grant with PKCE, in which the user types the password into the system browser and the app never sees it.
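The four steps above, reduced to the server side of the token exchange, as an added example (not code from the original article or from BBVA): credentials are checked once, an unguessable opaque token with an expiry is issued and remembered server-side, later calls are authorized from an "Authorization: Bearer" header (RFC 6750), and expiry and revocation are both enforced. The user account, password, one-hour lifetime and in-memory token store are constructed assumptions; a real deployment would keep the store in a database or cache shared by all API servers.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential store (assumption): salt + PBKDF2-HMAC-SHA256 digest,
# never the password itself.
_SALT = secrets.token_bytes(16)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice@example.com": (_SALT, _digest("correct horse", _SALT))}

TOKEN_TTL_SECONDS = 3600  # assumption: one-hour access tokens
TOKENS = {}               # opaque token -> {"user": ..., "expires": ...}; server side only


def issue_token(username: str, password: str, now=None):
    """Steps 2-3: the app POSTs the user's credentials once (over TLS) to the token
    endpoint; if they verify, a short-lived, unguessable opaque token is returned."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_digest(password, salt), stored):  # constant time
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not derived from the user
    TOKENS[token] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def revoke_token(token: str) -> None:
    """Invalidate a token early: logout, or the user or API owner suspects compromise."""
    TOKENS.pop(token, None)


def authorize(headers: dict, now=None):
    """Step 4: each later API call carries 'Authorization: Bearer <token>', not the
    password. Returns the user the token belongs to, or None (respond 401)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    record = TOKENS.get(token)
    if record is None:            # never issued, or already revoked
        return None
    if now >= record["expires"]:  # expired: drop it and force a fresh login
        TOKENS.pop(token, None)
        return None
    return record["user"]


if __name__ == "__main__":
    # Constructed walk-through of the flow.
    token = issue_token("alice@example.com", "correct horse")
    print("token issued:", token is not None)
    call = {"Host": "example.com", "Authorization": f"Bearer {token}"}
    print("authorized as:", authorize(call))
    revoke_token(token)
    print("after revocation:", authorize(call))
```

The contrast with basic authentication is in what crosses the wire after login: here a captured Bearer header is worth at most the remaining lifetime of one token and can be cut short by revoke_token, whereas a captured Basic header is the password itself.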

Comparing the two methods, OAuth 2.0 offers the better security properties: the password is transmitted once, over TLS, to obtain a temporary token, and it is that short-lived, revocable token that grants access. With basic HTTP access authentication, every request to the API carries the long-lived credentials themselves in the HTTP header, so the interception, logging or leak of a single request exposes them, which makes it far more vulnerable to third parties. Whichever method is used, the API must refuse plain HTTP and accept only TLS connections.
