How to uniquely identify your Android app for rest API

Question

Is there a way to uniquely identify my Android App in Java code? Maybe some combination of the package name and something else? I know there is a way to identify a unique Android device, but that is not what I am looking for.

I want to be able to uniquely identify my Android app that I made so that I can then pass that information to my own private RESTful API. This would allow me to verify that the call is coming from my Android App and not another unauthorized one. I want my RESTful API to only work with the app I made and so no one can spoof it or access it unauthorized.

Or is this an impossibility? I'm just wondering how apps like Snapchat have their own login and what not. Clearly something there is securing it.

Answer 1

If you want to use google maps from inside your app you need to supply an API key with every request. Google Maps Android Developer Site As far as I know that is the same mechanism that they also use to identify your app for advertisements. This key is transmitted in clear text so it can be intercepted. They do fraud detection to prevent misuse, so if your RESTful service is of the same kind as maps or ads this is the way to go for android apps.

If you have high value data like snapchat (nudes from people) the users have to provide a secret aka password to secure the connection. If you want to keep the effort for the user low you can use facebooks or googles authentication mechanisms.

Also take a look at Rest Security Cheat sheet it will give you a nice overview of the topic. (Especially the Authorization section.)