BBVA API Market
Mobile application developers increasingly build new products on top of mobile APIs that supply the services their apps need. Either the app consumes an existing REST API with specific services, or the team has to write a REST API to back a particular app. In either case, teams are increasingly required to build mobile APIs, and their security, as with any other API, is an essential concern.
Unless the API is completely open (unusual today, but not unheard of), anyone who wants to use it will have to identify themselves by some agreed method. Choosing a sound credential and authentication scheme is vital to the security of an application programming interface, whether it is a traditional API backing desktop projects or one built specifically for mobile apps.
We have discussed before how API authentication methods have evolved into the one most widely used today, OAuth, whose current version is OAuth 2.0, and how open APIs built on OAuth 2.0 have become the standard in the interface market. Strictly speaking, OAuth 2.0 is an authorization framework: it governs how a client obtains a token, and that token is then what authenticates each API call. Is it the only option? No. The older alternative is HTTP basic access authentication, based on a user name and password. We start with this simpler method, which is less used today:
To avoid prompting for a user name and password on every access, a browser caches Basic credentials for the realm and resends them automatically, normally until the browsing session ends. There is no server-side expiry: the only way to invalidate a cached credential is to change the password. A mobile client has no browser cache at all; the app itself must attach the header to every call it makes.
What is this basic HTTP access authentication method like in the real world?
1. The credential handed to a third-party developer connecting to a mobile API is a user name and password (some APIs issue a secret API key and have the client send it in the user-name position with an empty password). Whatever form it takes, it must be kept secret.
2. The server keeps a copy it can check the credential against, in a protected store and ideally as a salted hash rather than the secret itself.
3. On every request, the developer places the word Basic followed by the Base64 encoding of user-name:password in the HTTP Authorization header. The server decodes it, checks it against its store and grants access. Base64 is an encoding, not encryption: anyone who can read the header can read the password, so Basic must only ever be used over TLS.
GET /private/index.php HTTP/1.1
Authorization: Basic base64(username:password)
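As an added example (not code from the article or from BBVA), the following Python shows both sides of the header above: the client building it, and a server parsing it, checking it in constant time, and refusing it when the request did not arrive over TLS. The user table, the password and the refuse-off-TLS rule are assumptions made for the example.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credential store for the example: user name -> password.
# Assumption: a real service would keep a salted hash, never the plaintext.
USERS = {"alice": "correct horse battery staple"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: build the Authorization header value defined by RFC 7617."""
    if ":" in username:
        raise ValueError("RFC 7617 does not allow ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (user name, password) from the header, or None if malformed.

    Base64 is reversible by design: whoever sees this header sees the password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None  # no ':' separator at all, so not a user-id:password pair
    return username, password


def credentials_valid(username: str, password: str) -> bool:
    """Compare in constant time so timing does not reveal how many bytes matched."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def handle_request(url_scheme: str, authorization: Optional[str]) -> int:
    """Return the HTTP status the API should answer with.

    Policy chosen for this example: Basic credentials are refused outright
    unless the request arrived over TLS, because the header is readable in transit."""
    if url_scheme != "https":
        return 403  # do not even inspect a password that was sent in the clear
    if authorization is None:
        return 401  # a real server would add: WWW-Authenticate: Basic realm="api"
    creds = parse_basic_header(authorization)
    if creds is None or not credentials_valid(*creds):
        return 401
    return 200
```

Decoding a captured header such as `Basic dXNlcjpwYXNzd29yZA==` with `parse_basic_header` gives back `user` and `password` unchanged, which is the whole reason the transport, not the header, has to provide confidentiality.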
The OAuth 2.0 process, as used by a native app that collects the user's password itself (the resource owner password credentials grant), is as follows:
1. A user launches the native application and is asked for a user name or email address and a password to identify themselves.
2. The app sends these credentials to the API's token endpoint in a POST request, so they travel in the request body rather than in the URL, where they would end up in logs and histories. The connection is protected with TLS (Transport Layer Security, the successor to SSL), which encrypts the exchange and authenticates the server to the client.
3. The API validates the credentials and issues an access token created for this session, which expires after a set time or earlier if the user or the developer responsible for the API believes it has been compromised and revokes it.
4. The app stores the token on the device, in the platform's secure storage (keychain or keystore) rather than in plain files, and sends it in the Authorization header on each call to the API services that back the application. The password itself is not kept on the device.
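The four steps above, as an added Python example that is not part of the original article or of any BBVA API: a constructed token endpoint that checks the password once and issues an opaque, expiring, revocable token, plus the check an ordinary API call goes through. The token lifetime, the user store, and the class and method names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Lifetime of an issued token in seconds. Assumption for the example; the
# article gives no figure and a real API would choose one per its risk appetite.
TOKEN_TTL = 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 so a stolen copy of the user table does not hand out the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TokenServer:
    """Constructed API side of steps 1-4: the app POSTs the user's password once
    and receives an opaque token to use on every later call."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._tokens: Dict[str, Tuple[str, float]] = {}    # token -> (user, expiry)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def issue_token(self, username: str, password: str,
                    over_tls: bool = True, now: Optional[float] = None) -> Optional[str]:
        """Handler for the POST to the token endpoint (steps 2 and 3).

        Returns the token, or None when the request must be rejected."""
        if not over_tls:
            return None  # never accept a password that travelled in the clear
        now = time.time() if now is None else now
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        # 256 bits from the OS CSPRNG: unguessable and carrying no user data,
        # so the server looks the token up rather than decoding it.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, now + TOKEN_TTL)
        return token

    def authenticate(self, authorization: Optional[str],
                     now: Optional[float] = None) -> Optional[str]:
        """Validate 'Authorization: Bearer <token>' on an ordinary API call (step 4).

        Returns the user the token belongs to, or None if the call must be refused."""
        now = time.time() if now is None else now
        scheme, _, token = (authorization or "").strip().partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        record = self._tokens.get(token)
        if record is None:
            return None
        user, expires_at = record
        if now >= expires_at:
            del self._tokens[token]  # purge, so an expired token can never come back
            return None
        return user

    def revoke(self, token: str) -> None:
        """Invalidate a token believed to be compromised; the password is untouched."""
        self._tokens.pop(token, None)
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the server clock is used. Note that the password is handled exactly once, in `issue_token`, and never appears in `authenticate`.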
Comparing the two, the token-based approach is stronger not because of TLS (Basic credentials must travel over TLS too) but because of what is sent on each request. With Basic, every API call carries the long-lived password itself in the HTTP header; a single intercepted request, a leaked log or a compromised device exposes a credential that stays valid until someone changes the password. With OAuth 2.0 the password is sent once, to the token endpoint, and every later call carries a short-lived token that can be scoped and revoked without touching the password. The password grant described here is the simplest OAuth 2.0 flow, but it still puts the user's password in the app's hands; current OAuth 2.0 security guidance recommends the authorization code flow for third-party native apps instead.