Menu
Is it possible to only accept requests that our coming from my applications? Say for example I have an iOS app called 'Best App' and it uses Django as its backend. How can I make it so that only requests coming from Best App are accepted and everything else is rejected?
I was thinking of checking the 'HTTP_USER_AGENT' key in the request and if the HTTP_USER_AGENT is 'Best App', I will allow the request to go through. But I recently found out that anyone can modify their USER_AGENT from applications like Chrome and make requests to access our resources.
Is there any other way that I can restrict access just to my particular application? I would like to open up my backend service to other developers by giving white-list access. But for now, I would like to keep access to our back-end private.
Your advice and insight on this matter is greatly appreciated.
571
Good application security solutions are non-trivial. You cannot use any simple, plain-text object like HTTP_USER_AGENT. One common approach is an "API Key" - where a key that is obtained from a registration page is supplied along with the request, but unless you combine this with some other "secret" it can be trivially copied and supplied by the "false" app.
One reasonably strong solution would be some form of challenge/response using a shared secret. A determined attacker could, theoretically, extract your secret from your app and use it, but that requires a reasonable deal of effort - first they need to decrypt your app bundle and then extract the secret. The flow is something like -
To protect this approach from man-in-the-middle attacks you need to run it over SSL and ensure that your app validates the server certificate.
You also should implement some form of protection against brute-force attempts, such as locking an API key after 'x' failed challenges
169
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
