1

I'm starting to have a look at mobile development and precisely Android Development.

The mobile App will be mainly UI, and all the business will occur on a web application hosted by Google App Engine (the communicaiton will be in rest I think).

How can I make sure that my rest api is not called by any other software/app ? Because anyone can sniff the network, get my api calls, then forge theirs. That shouldn't be a problem if my api was well designed and flawless, but that's certainly not gonna be the case.

  • Login/Password is not a solution because it can be sniffed

  • SSL communication also because the user can use the same certificate for his own app

I think that there is not perfect way, but only partial solution (like hiding the certificate with any ugly technique so even the decompilation wouldn't help).

EDIT :

I found this : How to make sure API requests come from our mobile (ios/android) app?

But I wonder if there is any already existing way of doing this in Http or App Engine or anything else. I don't really like to code security code myself.

RĂ©mi

Community
  • 1
  • 1
remi bourgarel
  • 9,231
  • 4
  • 40
  • 73

1 Answers1

0

It seems that in most cases, it's sufficient to the REST API down to the user, rather than the app. This is often seen as a benefit since it allows an API to be used by multiple apps easily.

The question that you linked to still isn't entirely secure, the answer doesn't really tell you how to ensure that it is your own app participating in the registration process.

Creating something hackproof is near impossible. Usually it's just a matter of making it more difficult to hack, so it isn't worth trying.

You may want to implement a custom hash function on your client, send a some data from your server->client, hash it with your custom function, and send it back to your server. The next step would be to obfuscate this code and add debugger detection to make it difficult.

People that really care about security (ie Netflix DRM) take advantage of a "secure OS" with hardware support running on the various devices. I'm not sure whether Apple supports this; it's available on various Android platforms, but last I checked there wasn't an Android java API for it (you'd have to access it via native code).

http://www.globalplatform.org/mediaguidetee.asp

http://www.globalplatform.org/specificationsdevice.asp

dragonx
  • 14,963
  • 27
  • 44