I am designing a REST API service for an application where users compete with each other. Of course, one of the main questions is cheat-attack protection.
For example, the app sends this request to add a new score, following this scheme:
HTTP PUT /score
"value" => 72
"access_token" => XXXXXXX
And then a malefactor makes the same request with a modified value:
HTTP PUT /score
"value" => 9000
"access_token" => XXXXXXX
So this is a vulnerability. The solution is to sign the requests in a predetermined pattern:
sig = hashF(params + salt)
where salt is the client_secret. But on Android I can decompile the app and copy the client_secret. I can move client_secret to native code, but it will still be a vulnerability: anyone can use my native library or decompile it.
I thought about using the fingerprint of my app certificate for this. It can be used inside the code, like this:
```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Returns the Base64-encoded SHA-1 digest of the app's first signing certificate,
// or null if the package is not found or the digest algorithm is unavailable.
public static String getCertificateFingerprint(Context context) {
    try {
        PackageInfo info = context.getPackageManager()
                .getPackageInfo("com.mypackage", PackageManager.GET_SIGNATURES);
        for (Signature signature : info.signatures) {
            MessageDigest md = MessageDigest.getInstance("SHA"); // "SHA" is the JCA alias for SHA-1
            md.update(signature.toByteArray());
            return new String(Base64.encode(md.digest(), Base64.DEFAULT));
        }
    } catch (PackageManager.NameNotFoundException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    return null;
}
```
Surprisingly, with this code I can get access to any app's fingerprint. So what can I use as a salt?
You cannot completely protect any secret due to the nature of the platform, as you noted already. It's just all about adding layers of protection. If your competition is casual and there isn't much on the line, what you have already is fine.
If you are doing something with real money involved or something else highly valuable that makes your application a target, you need to at least do something with user authentication to protect it. For example, the user logs in to the app (SSL request to the server) -> gets a token from the server -> uses the token to sign requests.
At least then you aren't storing anything in your APK required to post a new score. But this can get really complex to do it right, and it still isn't totally bulletproof. Somebody who really wants to can still reverse engineer how it works and fake it.
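The flow the answer describes (login over TLS, server issues a per-session token, client signs each request with it) and the questioner's `sig = hashF(params + salt)` scheme, as an added, self-contained example that is not part of the question or the answer. It is a Python model of the server side with the client's signing step inlined; the user table, the request shape (`token_id`, `params`, `sig`) and the field names `nonce`/`ts` are constructed for the example. Two things it shows that the thread only hints at: the signing key is HMAC-SHA256 keyed with the per-login secret, which is what a server should use instead of a plain hash over `params + salt` (a plain Merkle-Damgard hash of a concatenation is open to length-extension forgery), and a tampered `value` (72 changed to 9000) or a replayed request fails verification.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table. A real server stores a password hash (argon2/bcrypt),
# never the plaintext; this is only so the example runs offline.
USERS = {"alice": "correct horse battery staple"}

# Sessions issued at login: token_id -> token_secret. The secret is created on the
# server after authentication, so nothing in the APK is enough to post a score.
SESSIONS = {}

# (token_id, nonce) pairs already accepted, so a captured valid request cannot be replayed.
SEEN_NONCES = set()


def check_credentials(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def login(username, password):
    """Server side of the answer's first step (would run over TLS). Returns
    (token_id, token_secret) on success, None on bad credentials."""
    if not check_credentials(username, password):
        return None
    token_id = secrets.token_hex(8)
    token_secret = secrets.token_hex(32)
    SESSIONS[token_id] = token_secret
    return token_id, token_secret


def canonical_string(params):
    """Deterministic serialization of the signed fields; client and server must agree on it."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params))


def sign_request(token_secret, params):
    """HMAC-SHA256 over the canonical params, keyed with the per-login secret."""
    mac = hmac.new(token_secret.encode(), canonical_string(params).encode(), hashlib.sha256)
    return mac.hexdigest()


def client_put_score(token_id, token_secret, value):
    """What the app sends for PUT /score: the score plus a nonce and timestamp, all signed."""
    params = {"value": str(value), "nonce": secrets.token_hex(8), "ts": str(int(time.time()))}
    return {"token_id": token_id, "params": params, "sig": sign_request(token_secret, params)}


def verify_put_score(request, now=None, max_skew=300):
    """Server-side check. Returns (accepted, reason). The signature is checked first,
    in constant time, before any signed field is trusted."""
    token_secret = SESSIONS.get(request["token_id"])
    if token_secret is None:
        return False, "unknown token"
    params = request["params"]
    expected = sign_request(token_secret, params)
    if not hmac.compare_digest(expected, request["sig"]):
        return False, "bad signature"
    now = int(time.time()) if now is None else now
    if abs(now - int(params["ts"])) > max_skew:
        return False, "stale timestamp"
    nonce_key = (request["token_id"], params["nonce"])
    if nonce_key in SEEN_NONCES:
        return False, "replay"
    SEEN_NONCES.add(nonce_key)
    return True, "ok"


if __name__ == "__main__":
    tid, tsec = login("alice", "correct horse battery staple")
    honest = client_put_score(tid, tsec, 72)
    print("honest request:", verify_put_score(honest))        # (True, 'ok')
    print("same request again:", verify_put_score(honest))    # (False, 'replay')
    tampered = client_put_score(tid, tsec, 72)
    tampered["params"]["value"] = "9000"                      # the malefactor's edit
    print("tampered request:", verify_put_score(tampered))    # (False, 'bad signature')
```

The token secret lives only in memory for the session, so extracting it still requires a valid login rather than decompiling the APK; as the answer says, a determined attacker with their own account can still sign whatever their modified client computes, which is why the server should also sanity-check scores rather than trusting a valid signature alone.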