I have been using PHP APIs for a long time, but I have a simple doubt: how do I validate that an API response was generated by the right server? To explain my requirement, let me share an image; I hope it will help you understand the scenario. Also, to reduce server-side complexity, let's assume the server will send only yes or no.
Requirement: check user license validity via a server API call.
Server: example.com
Client app: with local contents downloaded from the server, or a product like Adobe CC. The client app may be
- An Android, iOS or Flutter app
- An Angular, React or Flutter desktop app packaged with Electron or Flutter for Linux, Windows or Mac
In the above image we have two types of users: 1. normal or genuine users, and 2. hackers or others.
- Normal users open the client app. The client app triggers an API request to check license validity, and our example.com server generates the response, which is valid.
- Now it's time for the hackers. Hackers or pirate users can edit the hosts file to point example.com to localhost, run any web server, and then generate any response they want, assuming they know the response body.
I can think of a few tricks to avoid this, such as the client app having to know the server IP (it may be altered somehow, I don't know), or SSL certificates, which expire every year, or every 90 days if we use Let's Encrypt.
I want to know the best possible way to check whether the API response was generated by a genuine server and not by some localhost.
Finally, let's hope this is not a duplicate question about something very easy to implement.