
I have a requirement to secure my JAX-RS resources and only accept requests that originate from authorized mobile applications. Is this possible? How can this be done?

All of my resources are protected already with user authentication; the goal here is to reduce user ID fishing attempts. I know one solution would be to keep the response error with an invalid user ID generic, but the application is very large and at the moment this isn't possible.

One idea I came up with is to use JWT tokens signed with a shared secret. Then I could add an Authorization filter on the server to check the signature. If it doesn't validate then discard the request. Does this sound like a viable option?

My concern is the security of the shared secret on a mobile device; could it be compromised with a rooted device?

Nick H

1 Answer


Using tokens is the preferred way. But the secret key is not shared. Only the server has access to it. That secret key is used to generate the message authentication code (MAC) of the JWT. Since the secret key is only known by the server, no one else can generate a JWT with a valid signature. The secret may be persisted or application scoped.

  • Once a client is authenticated using credentials, the server must send a signed JWT to the client.
  • That JWT must contain the necessary information to identify the client and state (if necessary).
  • Then the client sends that token in a header field along with all the other requests.
  • The server validates the JWT using the secret key and processes the request.

Even though the client can change the JWT body, he cannot get it verified. That's the whole point of using a signature.

TMtech
  • That wouldn't stop someone with a rogue application from connecting to my server with valid credentials & getting a valid token though. I'm trying to find a way to only allow my applications to communicate with my server. – Nick H Nov 01 '16 at 11:23
  • In order to address such a scenario you may have to use a 3rd party service. Here is a high level [overview](http://android-developers.blogspot.co.il/2013/01/verifying-back-end-calls-from-android.html). – TMtech Nov 02 '16 at 07:11
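The token flow TMtech's answer describes, written out for a JAX-RS 2 server as an added example (it is not code from the answer or from any JWT library): the HMAC key is loaded only on the server, `issue` is called after credentials have been checked, and a `ContainerRequestFilter` rejects every request whose token does not verify. The class and method names, the `JWT_HMAC_KEY` environment variable, and the `javax.ws.rs` packages are assumptions of this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Mints and verifies HS256 JWTs; the key exists only in the server process. */
final class HmacJwt {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] key; // assumption: read from server-side config, never shipped in the app
    HmacJwt(byte[] key) { this.key = key.clone(); }
    private byte[] mac(String signingInput) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }
    /** Called after credentials have been checked; the payload identifies the client. */
    String issue(String payloadJson) throws Exception {
        String input = ENC.encodeToString("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8))
                + "." + ENC.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return input + "." + ENC.encodeToString(mac(input));
    }
    /** Returns the payload JSON when the MAC matches, null for a tampered body or a foreign key. */
    String verify(String token) {
        String[] p = token.split("\\.");
        if (p.length != 3) return null;
        try { // the header's alg is ignored on purpose: the server always recomputes its own HMAC
            if (!MessageDigest.isEqual(mac(p[0] + "." + p[1]), DEC.decode(p[2]))) return null; // constant-time
            return new String(DEC.decode(p[1]), StandardCharsets.UTF_8);
        } catch (Exception e) { return null; }
    }
}

/** Runs before every resource method and aborts requests whose JWT does not verify. */
@Provider
public class JwtAuthFilter implements ContainerRequestFilter {
    private final HmacJwt jwt = new HmacJwt(System.getenv("JWT_HMAC_KEY").getBytes(StandardCharsets.UTF_8));
    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString("Authorization");
        String payload = (auth != null && auth.startsWith("Bearer ")) ? jwt.verify(auth.substring(7)) : null;
        if (payload == null) ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
}
```

The filter only proves the token was minted by this server; checking an expiry claim in the payload and tying the token to the authenticated user are left to the resource code.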