PHP Classes
elePHPant
Icontem

Improving the Protection of your PHP OAuth Client Application Against User Account Leaks - PHP OAuth Library API package blog

Recommend this page to a friend!
  All package blogs All package blogs   PHP OAuth Library API PHP OAuth Library API   Blog PHP OAuth Library API package blog   RSS 1.0 feed RSS 2.0 feed   Blog Improving the Protect...  
  Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)  

Author: Manuel Lemos

Posted on:

Package: PHP OAuth Library API

When your application needs to call an API with tokens obtained using OAuth, if your application OAuth credentials are stolen, it becomes a security problem that may cause you big headaches.

Read this tutorial to learn about good security practices to minimize the possible damages to your application if your developer user account details in the API site get stolen.




Contents

Introduction

Keeping Your Application Credentials Secure

The Sensitivity of Developer Accounts and Application Credentials

User Accounts versus API Developer Accounts

Discover Which APIs of Sites that You Use Which Leaked User Account Data

Conclusion


Introduction

Nowadays, OAuth is the most popular protocol used by millions applications to call HTTP based APIs.

Usually application developers need to register an application to get its credential values. For OAuth version 2, the credential values consist of a client id and a secret key. These values are used to obtain a token value from the OAuth API server. This token is used perform the actual API calls.

The PHP OAuth client library class takes care of the whole process in a smooth way, so PHP developers do not have to get buried in the OAuth protocol documentation to learn and implement OAuth protocol steps. The class supports APIs that implement OAuth 1 and 2 protocol versions seamlessly.

However, it is important to understand some security aspects regarding the OAuth protocol, so developers can realize about certain risks that may compromise their applications, regardless if you use the PHP OAuth client library or any other client library in PHP or any other language.

PHP OAuth

Keeping Your Application Credentials Secure

As you may have understood from the introduction above, your application credentials, the client id and secret key, are the values that identify your client application to the API server.

If for some reason your application credentials are exposed to third parties that are unrelated to your application, other people may call the APIs as if they owned your application.

Depending on the sensitivity of the information exchanged with the API your application is using, leaking your application credentials may cause you serious security problems.

Therefore your application needs to store the credentials in a secure place, like for instance configuration files that only your server side application can access.

The Sensitivity of Developer Accounts and Application Credentials

Whenever a developer needs to get the API credentials of his OAuth based application, he usually needs to login into a developer account of the API server to register a new application or access a previously created your application.

So it is very important to secure the access to your developer account in the API server. If somebody breaks into your developer account, your application may be compromised.

User Accounts versus API Developer Accounts

If you as an application developer use a given site or mobile application as regular user, ideally you should not use the same account as a developer. This way, if somebody breaks into your regular user account, he will not have the access to the API credentials that your account.

For instance if you have Google user account under email regularuser@gmail.com, it is recommended that you use a different Google account to register applications in the Google Developer console, for instance as developer@mysite.com, maybe even using different Google accounts with different email addresses for each Google API application that you register.

Then do not use the same email address or developer account password in any other application of the same or another API, so it reduces the opportunities of abuse of stolen developer account information.

Keep in mind that some sites that provide APIs require that you use an account of a real person that also uses the same site. That is the case for instance of Facebook.

Discover Which APIs of Sites that You Use Which Leaked User Account Data

Unfortunately sometimes it happens that sites get compromised and the data of many user accounts is leaked.

Leaked user data does not mean that the user passwords or developer account application credentials also get leaked, but if any of those account details are also leaked, your application may be compromised.

We do not know all the sites that provide APIs that had user account information leaked but that is a site called ';--have i been pwned? that has a database of many publicly known sites that had user account data leaked in the past.

Just go to the site, enter your email address of the developer account that you used to register API applications, and it will tell you if the given email address was found on data of sites that had leaked user data eventually due to security breaches.

What Can You Do to Mitigate the Problems of Developer Account Data Leaks?

Well the first thing you need to do is to change your developer account password on the discovered API sites. Your developer account data may still be around, but a least account passwords (or hashes of passwords) will no work anymore.

Another think is that you may want to consider using a new developer account with a different email address for new applications registered with given API servers.

If you cannot do this because you need the current applications to continue to work, so you can continue to use previously obtained access tokens, you may request to reissue a new client token secret keys for your application, so the same application API calls continue to work and if the old client secret key will no longer work, in case it was leaked too.

Conclusion

There is nothing 100% secure in the Internet, nor even in life in general. Many sites were invaded and their user account data was stolen.

If you have developed applications that use OAuth, these facts should concern you because if your developer account information on API server sites gets stolen.

This articles proposed several ways to mitigate the problem and minimize the chances of causing damage to your applications.

If you liked this article, share it with your colleagues as they will like that you share useful information like this with them.




You need to be a registered user or login to post a comment

1,409,896 PHP developers registered to the PHP Classes site.
Be One of Us!

Login Immediately with your account on:

FacebookGmail
HotmailStackOverflow
GitHubYahoo


Comments:

No comments were submitted yet.




  Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)  
  All package blogs All package blogs   PHP OAuth Library API PHP OAuth Library API   Blog PHP OAuth Library API package blog   RSS 1.0 feed RSS 2.0 feed   Blog Improving the Protect...