Restrict API requests to only my own mobile app

Thiago picture Thiago · Jan 30, 2014 · Viewed 18k times · Source

Is there any way to restrict post requests to my REST API only to requests coming from my own mobile app binary? This app will be distributed on Google Play and the Apple App Store so it should be implied that someone will have access to its binary and try to reverse engineer it.

I was thinking something involving the app signatures, since every published app must be signed somehow, but I can't figure out how to do it in a secure way. Maybe a combination of getting the app signature, plus time-based hashes, plus app-generated key pairs and the good old security though obscurity?

I'm looking for something as fail proof as possible. The reason why is because I need to deliver data to the app based on data gathered by the phone sensors, and if people can pose as my own app and send data to my api that wasn't processed by my own algorithms, it defeats its purpose.

I'm open to any effective solution, no matter how complicated. Tin foil hat solutions are greatly appreciated.

Answer

Marcus Adams picture Marcus Adams · Jan 30, 2014

Any credentials that are stored in the app can be exposed by the user. In the case of Android, they can completely decompile your app and easily retrieve them.

If the connection to the server does not utilize SSL, they can be easily sniffed off the network.

Seriously, anybody who wants the credentials will get them, so don't worry about concealing them. In essence, you have a public API.

There are some pitfalls and it takes extra time to manage a public API.

Many public APIs still track by IP address and implement tarpits to simply slow down requests from any IP address that seems to be abusing the system. This way, legitimate users from the same IP address can still carry on, albeit slower.

You have to be willing to shut off an IP address or IP address range despite the fact that you may be blocking innocent and upstanding users at the same time as the abusers. If your application is free, it may give you more freedom since there is no expected level of service and no contract, but you may want to guard yourself with a legal agreement.

In general, if your service is popular enough that someone wants to attack it, that's usually a good sign, so don't worry about it too much early on, but do stay ahead of it. You don't want the reason for your app's failure to be because users got tired of waiting on a slow server.

Your other option is to have the users register, so you can block by credentials rather than IP address when you spot abuse.