
GOAL: I am creating a mobile app that needs to hit an AWS server and I want to make sure only my app can hit the server.

CONSTRAINTS: I never want the user to have to login to the app. If my research is correct, I believe this eliminates the use of tokens (such as JWT). I think this eliminates the use of tokens because I would have no way of refreshing the token in the user's app.

PROPOSED SOLUTION: Encrypt a key (a string) in the app (let's say the string is "allow") using bcrypt in the mobile app. Use a HTTPS POST request to hit my server with the encrypted key "allow" embedded in the body. In my server logic I would read the contents of the HTTPS POST body, decrypt the string, and allow further logic to be done in the server if the decrypted string = "allow".

QUESTION: Does my proposed solution make sense? If not, could I get guidance to what I should do?

I believe this is possible because I read here that the body of a HTTPS POST is encrypted. Therefore I think placing a bcrypt encrypted key in the body should be an extra layer of security to my server.

Hokie2014
You really, really do not want to try to invent a security mechanism. The first problem is that bcrypt is a hashing function, not an encryption algorithm, so can't be used as described, and the second is that if you use HTTPS, the entire transaction is encrypted, so the first problem was pointless, but the key issue is this: if users don't log in to your app, why exactly does it matter if what's communicating with your server is in fact your app? There are many possible answers, some valid, some not, but I think that needs to be clarified in order for the actual problem to be understood. – Michael - sqlbot Jul 22 '16 at 04:21

1 Answer


Is this for an API? Instead of adding a key value to the POST body, add it to a header value. It will be encrypted over https. If ONLY your mobile app will be using it then you can probably even use the "User-Agent" header.

Whatever header you choose, you would then evaluate it on the server just like you mentioned.

However, do note that someone could figure out how it works. It will only prevent most people from trying to figure it out.

I'm not convinced about the bcrypt key. If you are using https it will be encrypted anyway.

agriffin
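The server-side check the answer describes (a fixed value in a request header, evaluated on the server), written out as an added Python example that is not part of the question or the answer. The header names, the secret and the sample requests are all constructed for illustration. It goes one step beyond the answer's static-header scheme: the second function shows a variant where the app sends an HMAC over the request plus a timestamp instead of the secret itself, so the secret never travels in the request and a captured request expires. Both checks use a constant-time comparison; neither changes the answer's caveat that a secret shipped inside an app can be recovered by anyone who takes the app apart, so this is an obstacle for casual callers rather than real authentication of the app.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Constructed example values. A real deployment loads the secret from server
# configuration, never from source, and ships the matching value in the app.
APP_KEY_HEADER = "X-App-Key"          # hypothetical header name
SIGNATURE_HEADER = "X-App-Signature"  # hypothetical header name
TIMESTAMP_HEADER = "X-App-Timestamp"  # hypothetical header name
SHARED_SECRET = b"constructed-example-secret"
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so match them that way."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_authorized_static(headers: Mapping[str, str],
                         secret: bytes = SHARED_SECRET) -> bool:
    """The answer's scheme: a fixed key in a header, checked on the server.

    compare_digest keeps the comparison constant-time; a plain '==' would
    reveal through response timing how many leading bytes matched.
    """
    presented = get_header(headers, APP_KEY_HEADER)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), secret)


def sign_request(method: str, path: str, body: bytes, timestamp: int,
                 secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the parts of the request the server will re-check.

    The app computes this before sending; the server recomputes it.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    message = f"{method}\n{path}\n{timestamp}\n{body_hash}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def is_authorized_signed(method: str, path: str, body: bytes,
                         headers: Mapping[str, str], now: Optional[int] = None,
                         secret: bytes = SHARED_SECRET) -> bool:
    """Variant that never transmits the secret: the app sends a timestamp and
    an HMAC, the server recomputes the HMAC and rejects stale timestamps, so a
    replayed copy of an old request stops working after MAX_CLOCK_SKEW.
    """
    ts = get_header(headers, TIMESTAMP_HEADER)
    sig = get_header(headers, SIGNATURE_HEADER)
    if ts is None or sig is None:
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts_int) > MAX_CLOCK_SKEW:
        return False
    expected = sign_request(method, path, body, ts_int, secret)
    # Encode both sides: compare_digest on str raises on non-ASCII input,
    # and the header value is attacker-controlled.
    return hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed requests: one with the static key, one signed.
    print(is_authorized_static({"x-app-key": "constructed-example-secret"}))
    body = b'{"action": "allow"}'
    ts = int(time.time())
    signed_headers = {
        TIMESTAMP_HEADER: str(ts),
        SIGNATURE_HEADER: sign_request("POST", "/api/do", body, ts),
    }
    print(is_authorized_signed("POST", "/api/do", body, signed_headers))
```

Wire `is_authorized_static` or `is_authorized_signed` in as the first step of the request handler and return 401 when it fails; the static variant is exactly what the answer proposes, the signed one costs a few lines in the app and removes the secret from the wire.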