
I've been working on a game for Android and iOS for a while. It uses a LAMP server backend.

I was told how it would be easy to extract information from the .apk once I had built my game. I tried it and sure enough I could find my network call functions and server passwords there.

The way I ensure that only my app can make calls to the server is by using HTTP POST via SSL, where the password is passed. If the password matches that of the server, then the call gets approved. After that, the server checks the actual user's ID and password and gets their data, etc.

The first time the game launches, the server will create a profile for the player. I had thought that this was secure, but now I know that anyone can just extract my .apk, repackage it and then use my server as a backend, since they have the keys.

How on Earth can I protect my server from something like that? How can I be sure that only my app will be able to access my servers?

  • Does this answer your question? [Restrict API requests to only my own mobile app](https://stackoverflow.com/questions/21465559/restrict-api-requests-to-only-my-own-mobile-app) – Bö macht Blau Mar 06 '20 at 18:26
  • @BömachtBlau it does seem to describe the same SafetyNet Attestation API that IlyaGulya suggested, but I don't see anything for iOS. – Mar 06 '20 at 18:52
  • Note that no solution will prevent an attacker from sending valid requests to your api, that is technically impossible. I think you misunderstand what the attestation api provides, and more importantly, what it doesn't. It won't prevent people from sending a higher score than achieved in your game, for example. – Gabor Lengyel Mar 06 '20 at 19:15

1 Answer

You can use the SafetyNet Attestation API to check the app's package name on the server side:

https://developer.android.com/training/safetynet/attestation

  1. Implement everything as in the tutorial.
  2. On the server side, after the response from Google, check that the package name of the app matches yours.
IlyaGulya
  • This looks like exactly what I need. Is there something similar for iOS? – Mar 06 '20 at 18:49
  • @JamesT. check out this article https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server – lights Sep 04 '20 at 18:45