Securing Native Mobile connecting to a GraphQL API

Certificate Pinning is highly recommended. OWASP has outlined the Who, What, Why and How.

Static keys (as opposed to user-generated keys with randomness) need to be, at a minimum, obfuscated away. There are many ways of varying complexity to do this (at a minimum, ProGuard for Android), and Carve Systems has a good write-up on this.

It should go without saying, but all APIs (not just GraphQL) should only be served over HTTPS, and every request should be authenticated (e.g. HMAC request signing, which libraries in most languages already implement).
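As an added illustration of the HMAC request authentication mentioned above (this is example code, not from the gist or any library it links to), the client signs the method, path, a timestamp and a hash of the body, and the server recomputes the MAC over what it actually received. The header names, the shared secret and the 300-second replay window are constructed for the example; the secret is a placeholder and, per the note on static keys above, is assumed to be provisioned to the device rather than compiled into the app.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret. In a real app this would be provisioned to the device
# at enrolment (or derived per user) rather than compiled in as a static constant,
# since anything static in the binary can ultimately be recovered.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Requests whose timestamp is further than this from the server clock are rejected,
# which bounds the window in which a captured request can be replayed.
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_request(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, timestamp and a hash of the body into one signed string.

    Hashing the body (rather than signing it directly) keeps the canonical string
    small and lets the server verify before buffering large uploads.
    """
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> dict:
    """Client side: produce the headers that accompany the request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    mac = hmac.new(secret, canonical_request(method, path, ts, body), hashlib.sha256)
    return {"X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: dict, now: Optional[int] = None) -> bool:
    """Server side: recompute the MAC over what was actually received and compare."""
    try:
        ts = int(headers["X-Timestamp"])
        presented = str(headers["X-Signature"])
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else int(now)
    if abs(current - ts) > MAX_CLOCK_SKEW_SECONDS:
        return False
    expected = hmac.new(secret, canonical_request(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed GraphQL request body.
    body = b'{"query":"{ viewer { id login } }"}'
    headers = sign_request(SHARED_SECRET, "POST", "/graphql", body)
    print("valid:", verify_request(SHARED_SECRET, "POST", "/graphql", body, headers))
    print("tampered body:", verify_request(SHARED_SECRET, "POST", "/graphql", body + b" ", headers))
```

Because the method and path are part of the canonical string, a signature captured from one request cannot be reused against a different endpoint, and the timestamp check limits how long it stays valid even for the same one.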

OWASP outlines the common attacks on a GraphQL API, along with best practices and recommendations for defending against them.
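One of the server-side mitigations in that class of guidance is limiting query depth, so that a deeply nested query cannot be used to exhaust the resolver. The following is an added example, not code from the gist or from OWASP, of a depth check that runs before a query is executed; the limit of 4 is a constructed value to be tuned to the deepest query the app legitimately sends.

```python
# Constructed limit; tune to the deepest legitimate query the mobile app sends.
MAX_DEPTH = 4


def max_selection_depth(document: str) -> int:
    """Return the deepest nesting of selection sets ({ ... }) in a GraphQL document.

    String literals and comments are skipped so that braces inside them do not count.
    Fragment spreads are not expanded: a fragment's own depth is measured where it
    is defined, so a server relying on this check should also cap fragment use,
    or use the validation rules of a real GraphQL library that resolve spreads.
    """
    depth = deepest = 0
    i, n = 0, len(document)
    while i < n:
        ch = document[i]
        if ch == "#":  # comment runs to end of line
            while i < n and document[i] not in "\r\n":
                i += 1
        elif document.startswith('"""', i):  # block string; escaped \""" not handled
            end = document.find('"""', i + 3)
            i = n if end == -1 else end + 3
        elif ch == '"':  # ordinary string with backslash escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
            i += 1
        elif ch == "{":
            depth += 1
            deepest = max(deepest, depth)
            i += 1
        elif ch == "}":
            depth -= 1
            i += 1
        else:
            i += 1
    return deepest


def check_query(document: str, max_depth: int = MAX_DEPTH) -> tuple:
    """Gate to run before executing a query; returns (accepted, measured_depth)."""
    depth = max_selection_depth(document)
    return depth <= max_depth, depth


if __name__ == "__main__":
    # Constructed query: the comment and the string default both contain braces
    # that must not be counted, and the real nesting is five selection sets deep.
    nested = '''
    # a comment with braces { { { that must not count
    query Nested($name: String = "brace { in string") {
      user(name: $name) {
        posts { comments { author { id } } }
      }
    }
    '''
    print(check_query("{ viewer { id login } }"))  # (True, 2)
    print(check_query(nested))                      # (False, 5)
```

Rejecting on depth alone is cheap and needs no schema, but it does not bound list fan-out or aliased repetition, so in practice it is paired with the other limits (query cost, batching and alias caps, introspection policy) that the OWASP guidance covers.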

A good GraphQL security audit tool is also linked.
