How can I prevent other iOS/Android apps from using my RESTful API?

I have a pre-existing iOS & Android app, that I'm making an update for that includes a RESTful services API and Facebook login for user authentication. The general flow of the app is:

  1. Users "log in" to my app, via Facebook's SDKs, which return an access token to my app.
  2. App calls a RESTful service, including the Facebook access token as a parameter (using HTTPS and SSL)
  3. Service that is called, sends the received access token (and app secret stored only on my servers) to Facebook to verify who the user is, and performs actions based on that. Facebook is set to require app secret from server-side calls.

My app has gained popularity and has several clones already, and I want to prevent these clones from being able to use my RESTful API (as I am sure that they will try to do when I release the update). Let's assume that the clones are smart, are using the same Facebook access tokens that my app does (if this is possible), and are following a similar pattern & frequency of calling the API that my app does.

Is there any way to ensure, or nearly ensure, that calls to my services are coming only from my app, and not the clones?

Thanks in advance!

asked Apr 01 '14 00:04 by user3483090


1 Answer

You can do this by including a signature in the request, and verifying it.

App Side:

  1. Do something like: signature = md5( md5(url + data) + MY_RANDOM_KEY )

  2. Append the signature to the data, or the URL, etc.

  3. Send the call to the REST API (as usual).

Server Side:

  1. Extract the signature from the body/URL (and remove it from there).

  2. Calculate what you think it should be: signature_should_be = md5( md5(url + data) + MY_RANDOM_KEY ) (keep in mind you've removed the signature from the URL/data so that you get the URL/data in its original pre-hash state).

  3. Verify that signature and signature_should_be are equal.

Doing this, along with SSL, should make your API secure enough.

answered Oct 16 '22 05:10 by Tommy Crush
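A worked version of the request-signing scheme the answer above describes, added here as an example; it is not code from the original answer. Two things go beyond the answer: it uses HMAC-SHA256 with the shared key in place of the nested md5 construction, and it signs a timestamp along with the URL and body so that a captured request stops validating after a short window. The key, hostname, endpoint, parameter names (ts, sig) and token value are all constructed samples. The caveat a practitioner would want: MY_RANDOM_KEY ships inside the app binary, so a clone author who extracts it can produce valid signatures. This raises the cost of cloning and stops casual replay and tampering; it does not prove the caller is your app.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Shared secret compiled into the app and held on the server.
# Constructed sample value; generate a long random key for real use.
MY_RANDOM_KEY = b"constructed-sample-key-do-not-ship"

# Reject requests whose signed timestamp is further than this from server time.
MAX_SKEW_SECONDS = 300

# Query parameters the app appends (assumed names, not from the answer).
SIGNING_PARAMS = ("ts", "sig")


def canonical_url(url):
    """Rebuild `url` with a normalised query that excludes the signing
    parameters. Both sides sign this form, so client and server agree on
    the exact bytes even though the server sees ts and sig appended."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in SIGNING_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def sign(url, data, timestamp, key=MY_RANDOM_KEY):
    """HMAC-SHA256 over (canonical url, raw body bytes, timestamp), hex encoded."""
    message = (canonical_url(url).encode() + b"\n" + data + b"\n"
               + str(timestamp).encode())
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_request(url, data, now=None):
    """App side: sign the call and append ts and sig to the URL."""
    ts = int(time.time() if now is None else now)
    sig = sign(url, data, ts)
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("ts", str(ts)), ("sig", sig)]
    signed_url = urlunsplit((parts.scheme, parts.netloc, parts.path,
                             urlencode(query), parts.fragment))
    return signed_url, data


def verify_request(signed_url, data, now=None, key=MY_RANDOM_KEY):
    """Server side: pull ts and sig out of the URL, recompute the signature
    over the original URL and body, and compare in constant time.
    Returns (ok, reason)."""
    parts = urlsplit(signed_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    ts_values = [v for k, v in query if k == "ts"]
    sig_values = [v for k, v in query if k == "sig"]
    if len(ts_values) != 1 or len(sig_values) != 1:
        return False, "missing or duplicated ts/sig"
    try:
        ts = int(ts_values[0])
    except ValueError:
        return False, "bad timestamp"
    current = int(time.time() if now is None else now)
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # canonical_url() inside sign() drops ts/sig, restoring the pre-signature URL.
    expected = sign(signed_url, data, ts, key)
    if not hmac.compare_digest(expected, sig_values[0]):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample call: the app forwards the Facebook access token in the body.
    url = "https://api.example.com/v1/me?fields=name"
    body = b'{"fb_access_token": "EAAB-constructed-sample-token"}'
    signed_url, _ = build_request(url, body)
    print(signed_url)
    print(verify_request(signed_url, body))                             # (True, 'ok')
    print(verify_request(signed_url, b'{"fb_access_token": "other"}'))  # body swapped by a clone
```

The server never trusts the submitted signature as a lookup key; it recomputes from what it received and compares with hmac.compare_digest so response timing does not leak how many leading bytes matched. Duplicate ts or sig parameters are rejected outright rather than letting the framework pick one, since a clone could otherwise send a valid pair alongside an arbitrary one and hope the server checks the former but the application reads the latter.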