We’ve created and released a Mobile App that uses the API, and have been keeping a close eye on usage and cost as our user base grows. Everything was looking normal, and we were seeing very modest API cost, day over day, $0.05 $0.07 $0.06 etc. Then, out of nowhere, it jumped to over $120 in a sing…

It sounds like they were able to monitor the network traffic and capture your key. It’s just a bad idea having your API key exposed anywhere in the front-end of your service [image] gregyoung14: The only thing I could imaging is building our own API layer Great thought. Maybe consider exten…

It’s been some time since I’ve used Wireshark to intercept network traffic, I guess that’s still very much a thing. Thanks for the advice!

Yup, I haven’t released an AI app for security reasons like this. It’s not just network traffic monitoring, but they can also decompile your app. Assume that Android code is exposed just like a website with JavaScript would be. I’d recommend you put your calls in a cloud. It protects your API key a…

GPT-4 walking me through setting this up on the cloud [image]

It’s very easy to take an iOS or Android app and search for strings. Secret keys tend to be very easy to extract. You should always wrap the OpenAI APIs in your own API so you can control access. If you don’t currently have your users create an account to use your app I would suggest doing that so…

Spot on answer! I’ve seen a few cases like this where Keys have been misused and it’s normally people embedding them in things that they then give out to users. From C#, iOS, Android etc., there is little you can’t break into and extract data from if you put your mind to it.

The most popular packages in GitHub for iOS all require you to expose your key.

Can you explain how this is very easy? If you download a Signed IPA from Apple, and decompile it in a popular tool like MobSF, all the Strings are still obfuscated. I tested this myself. So now, how does one go about reverse engineering that? To actually extract entire Strings in their original form…

This is true, and we should probably link this thread to those Libraries before more iOS Developer make this same mistake, and warn them of the security vulnerabilities

Something to think about. The ones I have seen have the generic “You shouldn’t include your API key in your code message” but they don’t provide an alternative and junior developers just build their entire apps around the package, then they are stuck an publish. I think the creators know and publis…

Unauthorized API Key Usage

API

challengepact September 13, 2023, 3:25pm 21

gregyoung14, how did you go about mitigating this? Did you go with an APIGateway or? If you can point to things you did to address this it would be appreciated!

Topic		Replies	Views
API key compromised, API key security API api	23	4431	March 23, 2024
Repeated Fraudulent Use of My API Keys API api	6	935	November 17, 2023
My API is getting leaked.. need advice! API	10	3162	July 13, 2023
Unknows API usage and costs API api	8	585	September 16, 2024
API key stolen, charged lost of $, no response from support Community	25	4184	February 22, 2024

Unauthorized API Key Usage

Related topics