Apologies if this has already been asked and answered; I've looked around a bunch but haven't found exactly what I'm asking.
--
Suppose my web app at http://example.com/ uses a private and undocumented web API at http://api.example.com/ to fetch data, e.g. via XHR or JSONP.
Also suppose that this web app is anonymous — it does not require user login.
Since there's communication between client and server, anyone can open Fiddler, etc. to see the exact request and response, not to mention inspect the client-side JS code.
In a case like this, how can you prevent someone from using your API in a non-web client app? E.g. an iPhone app, or server-side.
To my understanding, point #2 removes the option of something like OAuth, and point #3 removes the option of e.g. API keys or even SSL.
I've thought about things like time-based tokens or secret salts that are injected into the page on first load, but an iPhone app could easily just secretly load your webpage before making API requests.
So is there any way besides just plain obfuscation — security through obscurity?
--
In case all that is too abstract, here's a simple example:
Google.com fetches its auto-complete data via some API that's private and undocumented — but open on the web. What's to stop me from using it in my iPhone app?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
