1

How can one detect an http request came from a mobile app?

One option might be adding a input parameter and send it with the http request, but anyone would be able to easily fool the Web service into thinking the request came from a mobile app.

saladi
  • 3,103
  • 6
  • 36
  • 61
001
  • 62,807
  • 94
  • 230
  • 350

3 Answers3

1

You can try implementing SSL (we currently use mutual SSL in our apps). Another option would be to use existing Google Play Services to verify back-end calls from apps.

Smi
  • 13,850
  • 9
  • 56
  • 64
Krauxe
  • 6,058
  • 2
  • 24
  • 22
  • As always with this kind of DRM-esque goal, there is no foolproof way to do it - a determined enough adversary can make their requests look like they came from your app. These two options are probably a good balance of simplicity vs difficulty of bypassing. – Michael May 26 '13 at 09:58
  • Nice. Thanks about sharing this – Vlad Feb 28 '19 at 12:05
0

you can check request headers for the user-agent. but even that can be manipulated.

Sam
  • 3,413
  • 1
  • 18
  • 20
0

In case your service provider can't provide you with SSL infrastructure, you can make a hash string that came from some information sent in the request. For example, you could create a hash from the request's body, the URL, the method, and maybe some user access token or API key.

If you know how that hash is created in the client, you can recreate it in the server side and compare it to the hash your mobile app sent. Given that only you, the developer, knows how that hash was created, no one will be able to fool it.

lucaslt89
  • 2,431
  • 1
  • 20
  • 30