Restrict API requests to only my own mobile app

Is there any way to restrict post requests to my REST API only to requests coming from my own mobile app binary? This app will be distributed on Google Play and the Apple App Store so it should be implied that someone will have access to its binary and try to reverse engineer it.

I was thinking something involving the app signatures, since every published app must be signed somehow, but I can't figure out how to do it in a secure way. Maybe a combination of getting the app signature, plus time-based hashes, plus app-generated key pairs and the good old security through obscurity?

I'm looking for something as fail-proof as possible. The reason is that I need to deliver data to the app based on data gathered by the phone sensors, and if people can pose as my own app and send data to my API that wasn't processed by my own algorithms, it defeats its purpose.

I'm open to any effective solution, no matter how complicated. Tin foil hat solutions are greatly appreciated.

Thiago asked Jan 30 '14 19:01


1 Answer

Any credentials that are stored in the app can be exposed by the user. In the case of Android, they can completely decompile your app and easily retrieve them.

If the connection to the server does not utilize SSL, they can be easily sniffed off the network.

Seriously, anybody who wants the credentials will get them, so don't worry about concealing them. In essence, you have a public API.

There are some pitfalls and it takes extra time to manage a public API.

Many public APIs still track by IP address and implement tarpits to simply slow down requests from any IP address that seems to be abusing the system. This way, legitimate users from the same IP address can still carry on, albeit slower.

You have to be willing to shut off an IP address or IP address range despite the fact that you may be blocking innocent and upstanding users at the same time as the abusers. If your application is free, it may give you more freedom since there is no expected level of service and no contract, but you may want to guard yourself with a legal agreement.

In general, if your service is popular enough that someone wants to attack it, that's usually a good sign, so don't worry about it too much early on, but do stay ahead of it. You don't want the reason for your app's failure to be because users got tired of waiting on a slow server.

Your other option is to have the users register, so you can block by credentials rather than IP address when you spot abuse.

Marcus Adams answered Oct 06 '22 17:10
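The per-IP tarpit the answer describes, as an added example that is not from the original post or its author: a sliding-window counter that delays a busy address in proportion to how far it is over its free quota, and only rejects it outright at a much higher threshold, so other users behind the same NAT keep getting served, just more slowly. The window, quotas, delay step and IP addresses are constructed sample values.

```python
import time
from collections import defaultdict, deque


class Tarpit:
    """Per-IP tarpit: requests above a free quota inside a sliding window are
    delayed in proportion to how far the client is over quota; only a client
    far beyond it gets a hard reject. Thresholds here are constructed values."""

    def __init__(self, window=60.0, free=30, step=0.25, max_delay=10.0, block_at=200):
        self.window = window        # sliding window length in seconds
        self.free = free            # requests per window served without delay
        self.step = step            # extra delay (seconds) per request over quota
        self.max_delay = max_delay  # cap so a busy NAT is slowed, not starved
        self.block_at = block_at    # requests per window that trigger a reject
        self._hits = defaultdict(deque)  # ip -> request timestamps inside window

    def decide(self, ip, now=None):
        """Record one request from ip and return the verdict for it:
        ('ok', 0.0), ('delay', seconds_to_sleep) or ('block', 0.0)."""
        now = time.time() if now is None else now
        q = self._hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        n = len(q)
        if n > self.block_at:
            return ("block", 0.0)
        if n <= self.free:
            return ("ok", 0.0)
        return ("delay", min(self.step * (n - self.free), self.max_delay))


# Constructed sample traffic: one busy client (40 requests in 40 s) and one
# quiet client on a different address.
SAMPLE_REQUESTS = [("203.0.113.7", float(i)) for i in range(40)] + [("198.51.100.9", 41.0)]


def run_sample(requests=SAMPLE_REQUESTS, pit=None):
    """Feed the sample traffic through a Tarpit and return (ip, verdict, delay) per request."""
    pit = pit or Tarpit()
    return [(ip, *pit.decide(ip, now=t)) for ip, t in requests]


if __name__ == "__main__":
    for ip, verdict, delay in run_sample():
        print(f"{ip:15} {verdict:5} {delay:.2f}s")
```

In a real service the middleware would sleep for the returned delay before handling the request, and a persistent block list (or the credential-based blocking the answer mentions) would replace the in-memory verdict.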