Is it possible to have an ASP.NET Web API that can be only accessed by mobile native apps (iOS, Android, Windows Phone, etc.)?

Question

Let's say I have a public Web API, which does not need authorization, like:

public class MobileDataController : ApiController
{
    [AllowAnonymous]
    public IEnumerable<string> Get()
    {
         return new string[] { "One", "Two", "Three" };
    }
}

Is it possible to make this Web API only available for my iPhone and Android native app?

Basically I do not want the Web API to process any request that is not coming from my phone native app.

Answer 1

No. What you want is what's called device attestation, which is a concept bundled under Trustworthy Computing. However it's impossible, unless you own the device and can ensure it cannot be jailbroken and all communications cannot be intercepted.

No matter what code you add an attacker can reverse engineer it. An attacker can use fiddler to add the headers you send to indicate it's a mobile device. If you use OAuth with client IDs the client ID needs to be inside your software, and thus can be reverse engineered out.

For example, SnapChat doesn't support Windows Phone. There are SnapChat clones for Windows Phone, and the only thing SnapChat can do is to file a takedown notice, as, if they're done well, they're indistinguishable from the real clients running on an iPhone.