I'm building an iOS app for a company whose website currently makes use of an embedded webpage for login/account creation. This embedded webpage handles some cryptographic logic that is complex to replicate. On the web, they restrict what external webpages can load the embedded webpage by checking the origin, so that only whitelisted domains can load it (e.g. third party company's webpages).
Ultimately they want to make a native version of this login for mobile, but for v1 are considering just embedding the webpage to avoid rushing the API/client side encryption. But they would need the same ability to restrict where it can be embedded.
Is it possible to get the bundle id/app id of the mobile app requesting the page, in a way that can't be modified programmatically e.g. I can't just add a header, because any app could just add the same header. I'm also looking to avoid hardcoding any credentials in the source code.
Youtube has a similar functionality to what i'm looking for, giving the option to restrict video embedding by bundle id. But says its currently not available to iOS apps: https://support.google.com/youtube/answer/6301625?hl=en
However tools like google's OAuth dashboard, require inputting the iOS apps bundle id when setting up an app. Which makes me think it is possible. But experimenting with Charles proxy and WKWebView or SFSafariViewController didn't result in it being sent up by the system. Is there anyway for a website, either through initial load or redirects etc, to get the bundle-id in a safe way?
