Verify that network request was sent by iOS application

Question

I'm trying to verify that HTTP requests from iOS application were really sent from mobile application. Currently server code just checking 'User-Agent' HTTP header and of course it's not very reliable solution.

Here is how I see current iOS SDK can be used to verify that client is an actual iPhone user.

Push notifications

1. iOS app requests push token from the operating system and sends it to server
2. Server sends push notification to application with hidden identifier
3. iOS app sends received identifier to server
4. Server responds with cookie

Here on the first stages of communication we can verify that user is mobile user because how else she got identifier from push notification to specific app.

dis. Not quite reliable even if we can repeat push notification. Misuse of push notifications.

In-App purchase

It is possible to reuse receipt verification here.

dis. Obvious misuse. Confusing.

---

So the question is – are there any proper ways to confirm that request was sent from iOS application, from iOS device ?

Answer 1

iOS11 introduces new API https://developer.apple.com/documentation/devicecheck#overview It looks like it solves the problem.