BBVA API Market
Mobile application developers are increasingly basing the launch of new products on prior work with mobile APIs that provide services necessary to develop their creations. Either the mobile applications designed need access to a REST API with specific services, or it is necessary to encode a REST API to launch determined applications with specific services. In any case, the fact is that teams are increasingly required to develop mobile APIs. Their security, as in other APIs, becomes an essential element.
Unless the API has totally open access – nowadays strange but not entirely unheard of –, professionals who want to use it will normally need to identify themselves using some specific method. Using an optimal credential or authentication system is vital to ensure the security of an application programming interface, whether it is a traditional API for desktop project development or a specific one for mobile apps.
We have talked before about how the different API authentication methods have developed over time into the one most commonly used today: OAuth, whose latest version is OAuth 2.0. We also analyzed how open APIs based on OAuth 2.0 have become a standard in the current interface market. Is OAuth 2.0 the only authentication method? No; there is another, known as HTTP basic access authentication, based on a username and password. We will start with an explanation of this simpler method, which is less used today:
To prevent basic HTTP access authentication from causing the browser to prompt for a username and password on every access, the browser must cache this information for a prudent length of time, one that does not reduce security excessively. These security credentials are usually stored for 15 minutes.
What is this basic HTTP access authentication method like in the real world?
1. The access credential provided to third-party developers who want to connect to a mobile API is a totally secret alphanumerical ID.
2. This alphanumerical API key is stored in a secure space on the server.
3. The developer making requests for a particular service contained in this API should place this secret ID in the HTTP Authorization header, preceded by the word Basic. Together, the two elements allow the server to recognize the alphanumerical credential and grant access.
GET /private/index.php HTTP/1.1
Authorization: Basic alphanumerical ID
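The header shown above is the whole of the mechanism: the client concatenates its credential into a single string, base64-encodes it, and sends it as "Basic <value>" on every request, and the server decodes it and compares it with what it has stored. The following example, added here and not part of the original article, shows both sides of that exchange in Python. The credential store, the user name "dev_user" and its key are constructed for the demo (a real server would keep a hashed secret in a protected store); the "Aladdin / open sesame" pair used in the usage comment is the reference example from RFC 7617. Note that base64 is an encoding, not encryption: anyone who can read the header can recover the secret, which is why the article's later point about sending credentials over SSL matters.

```python
import base64
import hmac

# Constructed demo credential store. Plaintext here only to keep the example
# short; a real server stores a hash and looks it up from a protected store.
CREDENTIALS = {"dev_user": "s3cret-api-key"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: the Basic scheme (RFC 7617) sends base64('user:secret')."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str):
    """Server side: recover (username, password) from the Authorization header.

    Returns None for any malformed header (wrong scheme, bad base64, missing
    colon) so that the caller can reject the request without guessing.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: str) -> bool:
    """Server side: True only if the header carries a known user and its secret."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    username, password = parsed
    # Compare in constant time, and compare even for unknown users (against an
    # empty secret) so that response timing does not reveal which users exist.
    expected = CREDENTIALS.get(username, "")
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matches and username in CREDENTIALS


if __name__ == "__main__":
    # RFC 7617 reference pair: encodes to "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
    header = build_basic_header("Aladdin", "open sesame")
    print(header)
    # Decoding the header gives the secret straight back; there is no encryption here.
    print(parse_basic_header(header))
    print(authenticate(build_basic_header("dev_user", "s3cret-api-key")))
```

The decode step is the point to remember from a defender's view: the Authorization header is the credential itself, so any log, proxy or capture that records headers holds the secret in recoverable form.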
The authentication process is as follows:
1. A user launches a native application and is asked to give a username or email address and a password to identify themselves as a user.
2. The credential is sent to the API in a POST request, which ensures private delivery of the secret data. This request travels over the SSL (Secure Sockets Layer) protocol, designed to let applications transmit outbound data securely; SSL facilitates the exchange of encryption keys between the applications.
3. This request allows the server to validate the user's credentials and to create, ad hoc, an authentication or access token that expires after a set time, or earlier if the user or the developer responsible for the API believes it has been compromised.
4. This authentication token is stored on the device so that the application can access the API services that support it.
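The four steps above describe a server that trades a one-time credential check for a short-lived token. The example below, added here and not taken from the article or from any BBVA code, models that flow in Python: a login request that is only allowed to go over TLS (what the article calls SSL), credential validation, the minting of a random opaque token with an expiry, a revocation switch for the "believed breached" case, and the check the API performs on each later call. The user list, the 15-minute lifetime, the clock injection and the example URL are all constructed assumptions for the demo; a production service would store tokens hashed and users' passwords hashed, and would sit behind a real HTTPS endpoint.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Constructed assumptions for the demo.
USERS = {"alice@example.com": "correct horse"}   # plaintext only for brevity
TOKEN_TTL_SECONDS = 15 * 60                      # assumed lifetime, not from the article


def is_secure_url(url: str) -> bool:
    """Step 2: credentials may only leave the device over TLS."""
    return urlsplit(url).scheme == "https"


def build_login_request(url: str, username: str, password: str) -> dict:
    """Step 1-2: the POST the native app sends; refuses any non-TLS endpoint."""
    if not is_secure_url(url):
        raise ValueError("refusing to send credentials over a non-https URL")
    return {"method": "POST", "url": url,
            "body": {"username": username, "password": password}}


@dataclass
class TokenRecord:
    subject: str
    expires_at: float
    revoked: bool = False


class TokenService:
    """Server side of steps 3-4: issue, check and revoke opaque access tokens."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                       # injectable clock so expiry is testable
        self._tokens: Dict[str, TokenRecord] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Step 3: validate the credential, mint a random token with an expiry."""
        expected = USERS.get(username, "")    # compare even for unknown users
        ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
        if not (ok and username in USERS):
            return None
        token = secrets.token_urlsafe(32)     # 256 bits of randomness, unguessable
        self._tokens[token] = TokenRecord(username, self._now() + TOKEN_TTL_SECONDS)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Step 4: what each API call checks; returns the subject or None."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked or self._now() >= rec.expires_at:
            return None
        return rec.subject

    def revoke(self, token: str) -> None:
        """The 'believed breached' path: the token stops working immediately."""
        rec = self._tokens.get(token)
        if rec is not None:
            rec.revoked = True


if __name__ == "__main__":
    svc = TokenService()
    req = build_login_request("https://api.example.com/token", "alice@example.com", "correct horse")
    tok = svc.login(req["body"]["username"], req["body"]["password"])
    print("subject for fresh token:", svc.validate(tok))
    svc.revoke(tok)
    print("subject after revocation:", svc.validate(tok))
```

Two design choices carry the article's comparison: the password crosses the network exactly once, inside a POST that the client refuses to send without TLS, and everything afterwards is a random token that the server can expire or revoke without ever touching the user's password.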
If we compare the two methods, OAuth 2.0 offers better security because the initial request for credentials is made over SSL and because the object that grants access is a temporary token. In basic HTTP access authentication, access to API services always relies on sending the credentials themselves over the web, specifically in the HTTP header, which makes it much more vulnerable to third parties.