
How can a server authenticate an iPhone app (the code, not the user)?

Let's say I have a solution involving an iPhone app that generates some information and then sends that information to a web service for processing. It is important that ONLY requests from instances of this particular iPhone app are allowed to be processed (there may be many instances of the app used by many different users, but I want to be sure they are all using code that I trust). In other words I want to be sure that my iPhone app cannot be (easily) impersonated by other clients. How would you do this?

asked Mar 18 '10 08:03

Peter Baer


2 Answers

All other answers give legitimate ways to provide some additional, but not perfect, security. You should know up front (since no one else has been so explicit) that it is not possible to provide theoretically secure communications such that your server can always validate that the client on the other end is a purchased copy of your application running on sanctioned hardware. You can't do this because whatever hardware level security Apple has built in to kick off a chain of trust (so that this may actually be possible for them), they don't expose to you.

Your strategy thus should be one of "many barriers", some larger, some smaller, designed to thwart varying degrees of complexity of attack and sophistication of attacker. See other answers to this question for some good ideas. How many barriers you need, and of what sophistication, depends entirely on the cost to you (economically, trust, whatever) of having an attack succeed.

Do consider also the idea that if you can avoid a "reproducible" security attack, you're better off. In other words, if someone breaks your app/protocol, and the data for other people to do that is the same for every copy/instance, then you're in more trouble, because the instructions/keys can be just posted to the web somewhere. If you can figure out a way to make every copy/client unique, then you can observe on the server and at worst, cut off known broken clients, etc. (This is hard on the iPhone platform.)

answered Oct 19 '22 10:10

Ben Zotto


Another possibility is to ask the app for some portion of the contents of the application bundle - something like byte 59967 of the application executable, or an included plist or xib. By keeping both the file name and position asked for totally random, anyone spoofing has to embed an entire copy of your application - which makes it very easy to determine if they are spoofing your app, and possibly very easy to google for occurrences.

You basically just would have the client give you a version number, and on the server you would have copies of all files for all public versions to check answers against (and to decide what challenge to send).

Since it's impossible to actually prevent this, the next best thing is to make detection of spoofing as easy to scan for as possible and so I'd think about solutions that help you in that regard rather than trying to block the unblockable (though some trivial initial blocking will keep out the riff-raff).

Basically, more layers rather than one really hard layer are what you want in securing something.

answered Oct 19 '22 11:10

Kendall Helmstetter Gelner
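The bundle-content challenge from the answer above, sketched from the server's side as an added example (not code from either answerer). It asks for a short run of bytes rather than a single byte, and makes each challenge single-use with an expiry; `BUNDLES`, `SPAN`, `TTL_SECONDS` and all function names are hypothetical, and the bundle contents are constructed sample data.

```python
import hmac
import secrets
import time

# Constructed sample data: the server's copies of bundle files, per public version.
BUNDLES = {
    "1.0": {"MyApp": bytes(range(256)) * 4, "Info.plist": b"<plist>constructed v1.0</plist>" * 8},
    "1.1": {"MyApp": bytes(reversed(range(256))) * 4, "Info.plist": b"<plist>constructed v1.1</plist>" * 8},
}
SPAN = 8           # bytes requested per challenge (assumption; the answer asks for one byte)
TTL_SECONDS = 30   # assumption: how long an issued challenge stays valid
PENDING = {}       # challenge id -> (expected bytes, expiry on the monotonic clock)

def issue_challenge(version):
    """Pick a random file and offset for the claimed version and remember the answer."""
    files = BUNDLES.get(version)
    if files is None:
        return None  # unknown version: the server has nothing to check against
    name = secrets.choice(sorted(files))
    offset = secrets.randbelow(len(files[name]) - SPAN + 1)
    cid = secrets.token_hex(16)
    PENDING[cid] = (files[name][offset:offset + SPAN], time.monotonic() + TTL_SECONDS)
    return {"id": cid, "file": name, "offset": offset, "length": SPAN}

def verify_response(cid, answer):
    """Single-use check: the challenge is consumed whether or not the answer matches."""
    entry = PENDING.pop(cid, None)
    if entry is None:
        return False  # never issued, or already used (replay)
    expected, expiry = entry
    if time.monotonic() > expiry:
        return False
    if not isinstance(answer, (bytes, bytearray)):
        return False
    return hmac.compare_digest(expected, bytes(answer))

def client_answer(bundle_files, challenge):
    """What a genuine client does: read the requested bytes from its own bundle."""
    start = challenge["offset"]
    return bundle_files[challenge["file"]][start:start + challenge["length"]]
```

Failed or expired challenges are worth logging per client, since the answer's point is detection rather than prevention.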