Hello,
-
@alpaycetin74 I was thinking of the case with channel partner(s) on 'the road' between the MNO and the API consumer. For 'direct' API consumption, yes, HTTPS is good enough.
-
Thanks to @rartych: camaraproject/IdentityAndConsentManagement#310
-
Your approach of end-to-end encryption using public key infrastructure is solid, but there are some important security considerations to think through. The idea of the consumer providing a public key during onboarding is good, but make sure you're also thinking about key rotation, key compromise scenarios, and how you handle certificate validation.

One thing I'd recommend is implementing perfect forward secrecy if you're not already. This means even if a private key is compromised, past traffic remains secure. Also consider adding additional layers like mutual TLS for API communication to ensure both client and server authentication.

For location data specifically, which is indeed sensitive, you might also want to consider implementing rate limiting and anomaly detection around location queries. An attacker with stolen credentials could enumerate locations or identify patterns. Think about adding audit logging for all location data access requests.

Also ensure you're following location privacy standards like GDPR requirements around data minimization. Only request the precision level needed by the application, not maximum precision by default.
-
Hi everyone,
I am currently thinking about securing our API, which contains sensitive data. My idea is to encrypt the response body before sending it to the client, so that any intermediaries between our server and the consumer cannot read the content. I'm thinking first of the Location-retrieval API, as this is where we have the most sensitive data.
During onboarding, the consumer could provide a public key. The server would then encrypt the response using this key, ensuring that only the intended recipient can decrypt and access the data.
I would like to get your thoughts on this approach:
WDYT?
Thanks,
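The scheme proposed in the post above, as an added example that is not part of the original thread or of any CAMARA specification: the server encrypts each response body with a fresh AES-256-GCM key and wraps that key with the consumer's onboarding public key using RSA-OAEP. The algorithm choice, the envelope field names (`kid`, `wrappedKey`, `iv`, `ciphertext`, `tag`), the key ids and the sample location body are assumptions made for illustration.

```javascript
// Added example, not from the thread; field names, key ids and sample body are assumptions.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, createCipheriv,
  createDecipheriv, randomBytes, constants } = require('crypto');
const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server: encrypt the body for the public key the consumer registered at onboarding.
function encryptResponse(body, consumerPublicKey, kid) {
  const cek = randomBytes(32); // fresh AES-256 content key for every response
  const iv = randomBytes(12);  // 96-bit GCM nonce, never reused with the same key
  const cipher = createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(kid)); // bind the envelope to the key id
  const ct = Buffer.concat([cipher.update(JSON.stringify(body), 'utf8'), cipher.final()]);
  return {
    kid,
    wrappedKey: publicEncrypt({ key: consumerPublicKey, ...OAEP }, cek).toString('base64'),
    iv: iv.toString('base64'),
    ciphertext: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Consumer: unwrap the content key, then authenticate and decrypt (final() throws on tampering).
function decryptResponse(env, consumerPrivateKey) {
  const b64 = (s) => Buffer.from(s, 'base64');
  const cek = privateDecrypt({ key: consumerPrivateKey, ...OAEP }, b64(env.wrappedKey));
  const decipher = createDecipheriv('aes-256-gcm', cek, b64(env.iv));
  decipher.setAAD(Buffer.from(env.kid));
  decipher.setAuthTag(b64(env.tag));
  const pt = Buffer.concat([decipher.update(b64(env.ciphertext)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample: a consumer key pair and a location-style response body.
const consumer = generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleBody = { area: { center: { latitude: 50.735851, longitude: 7.10066 }, radius: 800 } };

// Returns true when the consumer rejects the envelope (failed authentication).
function isRejected(env) {
  try { decryptResponse(env, consumer.privateKey); return false; } catch { return true; }
}

function demo() {
  const env = encryptResponse(sampleBody, consumer.publicKey, 'consumer-key-1');
  const flipped = Buffer.from(env.ciphertext, 'base64');
  flipped[0] ^= 1; // an intermediary alters one bit of the ciphertext
  return {
    roundTrip: decryptResponse(env, consumer.privateKey),
    tamperRejected: isRejected({ ...env, ciphertext: flipped.toString('base64') }),
    kidSwapRejected: isRejected({ ...env, kid: 'consumer-key-2' }),
  };
}
```

Static RSA key wrapping gives no forward secrecy: anyone who later obtains the consumer's private key can decrypt every envelope they recorded, so the key rotation and compromise handling raised in the replies still apply.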