Secure API without a user registration - php/Laravel


I have an API in Laravel with mostly GET endpoints and an android application.

The application is meant to be open without the need to authenticate, i.e like booking.com where you can browse hotels without the need to login or register.

Anyone can hit my endpoints and get raw JSON data or even make an app that utilizes my endpoints in their own app.

How can I secure my endpoint? For example, with a token-based or any other signature to trust my client app only.

Actually, I copy-pasted this question from Stack Exchange, but this is exactly my question.


There are 2 answers

Exadra37 On BEST ANSWER

The Difference Between WHO and WHAT is Accessing the API Server

The application is meant to be open without the need to authenticate, i.e like booking.com where you can browse hotels without the need to login or register.

Bear in mind that even when user authentication is used, the API is still vulnerable to being used by other scripts, apps, botnets, etc., provided that they have a user authentication token, and how this can be done is out of scope for this answer. User authentication only serves to identify who is in a request, not what is making it; therefore, even if your mobile app had user authentication, the API backend would not be locked down to the genuine and untampered versions of your mobile app.

The difference between who and what is accessing an API backend is a usual misconception among developers of any seniority, therefore don't feel "guilty" if you don't get it yet ;)

I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAuth2 flows.

Think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request on behalf of the user.

So, since you don't have user authentication in your mobile app, you cannot authenticate and authorize who is in the request; therefore you can only authorize what is doing the request to your API backend.

Lockdown the API to the Android App

How can I secure my endpoint? For example with a token based or any other signature to trust my client app only.

This is a very hard task to achieve, but not an impossible one, and I recommend you read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Securing the API Server and A Possible Better Solution, that will let you know about some basic and advanced techniques or link to resources to learn about them, like for example:

  • Certificate Pinning
  • HMAC
  • reCAPTCHA V3
  • WAFs
  • UBA
  • Mobile app hardening and shielding
  • Mobile App Attestation

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
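The answer lists HMAC among the techniques but does not show what request signing looks like on the Laravel side. The following is an added example (editor's code, not the answerer's and not Laravel's): a framework-free PHP script that signs a request the way the Android client would and verifies it the way a Laravel middleware would, including a timestamp window, a single-use nonce and a constant-time signature comparison. The shared key, the /api/hotels path and the header names are assumptions. As the answer itself warns, a key shipped inside the app can be extracted, so this raises the bar against casual scripting and in-transit tampering; it does not by itself prove what is calling.

```php
<?php
// Added example (not code from the answer or from Laravel): HMAC request signing
// between a mobile client and a PHP API, written framework-free so it runs as
// `php hmac_demo.php`. In Laravel the verify side would sit in a route middleware
// and the nonce store would be Cache::add('nonce:'.$nonce, true, 300).
// ASSUMPTION: client and server share $key, shipped inside the app. Anything inside
// the app can be extracted, so this stops casual scripting and tampering in
// transit; it does not prove WHAT is calling.
declare(strict_types=1);

const ALLOWED_SKEW_SECONDS = 300; // reject requests whose timestamp drifts too far

// Canonical string covering every part of the request a caller could tamper with.
function canonical(string $method, string $path, string $query, string $body, int $ts, string $nonce): string
{
    return implode("\n", [strtoupper($method), $path, $query, hash('sha256', $body), (string) $ts, $nonce]);
}

// Client side: computed by the app before sending; carried in X-Signature / X-Timestamp / X-Nonce headers (assumed names).
function signRequest(string $key, string $method, string $path, string $query, string $body, int $ts, string $nonce): string
{
    return hash_hmac('sha256', canonical($method, $path, $query, $body, $ts, $nonce), $key);
}

// Server side: checks timestamp window, single-use nonce, then the signature.
// Returns [bool ok, string reason] so a middleware can log the reason and respond 401.
function verifyRequest(string $key, array $req, int $now, array &$seenNonces): array
{
    foreach (['method', 'path', 'query', 'body', 'ts', 'nonce', 'sig'] as $field) {
        if (!array_key_exists($field, $req)) {
            return [false, "missing field $field"];
        }
    }
    if (abs($now - $req['ts']) > ALLOWED_SKEW_SECONDS) {
        return [false, 'timestamp outside allowed window'];
    }
    if (isset($seenNonces[$req['nonce']])) {
        return [false, 'replayed nonce'];
    }
    $expected = signRequest($key, $req['method'], $req['path'], $req['query'], $req['body'], $req['ts'], $req['nonce']);
    // hash_equals is constant-time; a plain == comparison leaks timing information.
    if (!hash_equals($expected, $req['sig'])) {
        return [false, 'bad signature'];
    }
    $seenNonces[$req['nonce']] = $now; // consume the nonce only after a valid signature
    return [true, 'ok'];
}

// --- demo with constructed values ---
$key = 'constructed-demo-key-do-not-use';
$now = 1700000000;
$req = ['method' => 'GET', 'path' => '/api/hotels', 'query' => 'city=Lisbon', 'body' => '',
        'ts' => $now, 'nonce' => bin2hex(random_bytes(16))];
$req['sig'] = signRequest($key, $req['method'], $req['path'], $req['query'], $req['body'], $req['ts'], $req['nonce']);

$seen = [];
[$ok, $why] = verifyRequest($key, $req, $now, $seen);
echo "genuine request:  " . var_export($ok, true) . " ($why)\n";
[$ok, $why] = verifyRequest($key, $req, $now, $seen);
echo "replayed request: " . var_export($ok, true) . " ($why)\n";

$tampered = $req;
$tampered['query'] = 'city=Lisbon&page_size=100000';
$fresh = [];
[$ok, $why] = verifyRequest($key, $tampered, $now, $fresh);
echo "tampered query:   " . var_export($ok, true) . " ($why)\n";

$fresh = [];
[$ok, $why] = verifyRequest($key, $req, $now + 3600, $fresh);
echo "stale timestamp:  " . var_export($ok, true) . " ($why)\n";
```

The nonce is recorded only after the signature checks out, so an unauthenticated caller cannot fill the nonce cache and lock out genuine requests; the timestamp window bounds how long the nonce store has to remember each value.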

Martin Bean On

You could use the OAuth 2.0 client credentials grant, which is suitable for machine-to-machine authentication.

This would mean that your Android app (or any other first-party app) can use a client ID and secret to generate an access token to authenticate against your API, and your API can be locked down to only return responses to requests that contain a valid Bearer token (i.e. no longer public).
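To make the suggestion concrete, here is an added example (editor's code, not the answerer's and not Laravel Passport's own) of wiring the client credentials grant into a Laravel API with Laravel Passport: the middleware alias, a protected route group, and the token request a first-party client makes. It assumes `php artisan passport:install` and `php artisan passport:client --client --name=android` have been run; the `/hotels` path, the `client` alias, the api.example.com host and the placeholder credentials are assumptions. Keep the first answer's point in mind: the client secret ships inside the APK, so this identifies a client configuration, not an untampered copy of the app.

```php
<?php
// Added example, not code from the answer or from Laravel Passport itself.
// Three fragments from three files, each marked with its path.
// Assumes `php artisan passport:install` and
// `php artisan passport:client --client --name=android` have been run.
// The /hotels path, the 'client' alias and the example.com host are assumptions.

// --- app/Http/Kernel.php (Laravel 10 and earlier; Laravel 11 registers aliases in bootstrap/app.php) ---
protected $routeMiddleware = [
    // ...existing aliases...
    'client' => \Laravel\Passport\Http\Middleware\CheckClientCredentials::class,
];

// --- routes/api.php ---
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Responses are returned only when the request carries a bearer token issued by the
// client credentials grant; anonymous calls are rejected with 401, so the API is no longer public.
Route::middleware('client')->group(function () {
    Route::get('/hotels', function (Request $request) {
        return response()->json(['hotels' => []]); // constructed placeholder payload
    });
});

// --- first-party client (shown with Laravel's Http facade; the Android app does the same over HTTPS) ---
use Illuminate\Support\Facades\Http;

$token = Http::asForm()->post('https://api.example.com/oauth/token', [
    'grant_type'    => 'client_credentials',
    'client_id'     => 'CLIENT_ID_PLACEHOLDER',     // values printed by passport:client
    'client_secret' => 'CLIENT_SECRET_PLACEHOLDER',
    'scope'         => '',
])->json()['access_token'];

// Every subsequent API call presents the token; Passport's middleware validates it server-side.
$hotels = Http::withToken($token)->get('https://api.example.com/api/hotels')->json();
```

Passport issues short-lived access tokens for this grant, so a leaked token expires on its own; rotating the client secret (a new `passport:client` entry and a new app build) is the recovery path if the embedded secret is extracted.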