
Let's suppose I have an Android application that needs to make some API call. I want to authenticate the deployed applications so that my API cannot be used by unauthorized clients.

I can put anything inside the application - HTTP headers that sign the requests, complete with nonces. However, if someone decompiles the application he will be able to replicate the method of authentication, like the algorithm for generating the signature and the shared secret. With Java and Android this is not unfeasible.

Is it possible to avoid? Probably not, but I wanted to be sure that cryptography has no solutions for me.

giorgiosironi

1 Answer


There is no solution to this problem. It is not possible for your server to know that it is talking to "your" client. The only thing you can reasonably authenticate is the user, not the application. It is also possible to reasonably authenticate certain secure hardware devices, but this is very expensive, and still does not ensure that your client is being used; it only demonstrates that the user has access to one of your secure hardware devices.

This has been discussed many times across SO. These posts discuss the issue and link to many more of these discussions:

While the posts above are framed in terms of iOS, the issue is universal.

Rob Napier
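The following is an added illustration, not code from either post above, of the signed-header scheme the question describes and of the limitation the answer states. It implements a client that signs requests with an app-embedded HMAC key plus timestamp and nonce, and a server that checks freshness, rejects replays and verifies the signature. All names (`sign_request`, `ApiServer`, the header names, the secret and nonce values) are constructed for this example. The `demo()` function shows that the timestamp and nonce defeat replay and that a wrong key is rejected, but that any program holding the same secret is accepted exactly like the shipped app: what the server actually authenticates is possession of the secret, not the application.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed values for the demonstration; nothing here comes from a real app.
APP_SECRET = b"constructed-secret-baked-into-the-apk"
MAX_SKEW_SECONDS = 300


def canonical_message(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Fixed serialisation of the request fields covered by the signature."""
    return f"{method}\n{path}\n{timestamp}\n{nonce}\n".encode() + body


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """Headers a client attaches: timestamp, random nonce and HMAC-SHA256 over the canonical message."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_message(method, path, timestamp, nonce, body)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class ApiServer:
    """Server side: checks freshness, rejects replayed nonces, verifies the HMAC in constant time."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_nonces: set = set()  # in production this would be a shared store with expiry

    def verify(self, method: str, path: str, body: bytes, headers: dict,
               now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return "rejected: missing or malformed headers"
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return "rejected: stale timestamp"
        if nonce in self.seen_nonces:
            return "rejected: replayed nonce"
        expected = hmac.new(self.secret, canonical_message(method, path, timestamp, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        self.seen_nonces.add(nonce)
        return "accepted"


def demo(now: int = 1_700_000_000) -> dict:
    """Run four requests against one server and report the verdict for each."""
    server = ApiServer(APP_SECRET)
    body = b'{"action":"list"}'
    # 1. The shipped app signs a request with the embedded secret.
    app_headers = sign_request(APP_SECRET, "GET", "/v1/items", body, timestamp=now, nonce="nonce-app-1")
    genuine = server.verify("GET", "/v1/items", body, app_headers, now=now)
    # 2. Sending the identical headers again is caught by the nonce cache.
    replay = server.verify("GET", "/v1/items", body, app_headers, now=now)
    # 3. A client that does not hold the secret cannot produce a valid signature.
    wrong_headers = sign_request(b"some-other-key", "GET", "/v1/items", body, timestamp=now, nonce="nonce-x")
    wrong_key = server.verify("GET", "/v1/items", body, wrong_headers, now=now)
    # 4. Any other program holding the same secret is indistinguishable from the app.
    other_headers = sign_request(APP_SECRET, "GET", "/v1/items", body, timestamp=now, nonce="nonce-other-1")
    same_secret_elsewhere = server.verify("GET", "/v1/items", body, other_headers, now=now)
    return {"genuine": genuine, "replay": replay, "wrong_key": wrong_key,
            "same_secret_elsewhere": same_secret_elsewhere}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The server-side checks are worth keeping (they stop replay and stop parties without the key), but the fourth verdict is the answer's point: the scheme binds requests to whoever has the secret, and a secret shipped inside the APK is available to anyone who unpacks it. Binding the request to a per-user credential issued after login changes what is authenticated (the user) without changing that limitation for the application itself.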