1

I want to use HMAC to verify the integrity of data transmitted between our iOS/Android mobile app and API. I want to prevent data tampering either by an authenticated user or a man-in-the-middle, completely trustless.

I know we need a shared secret key to be used by both the mobile app and the server. I know we can establish key exchange by RSA, but I want to be sure this exchange comes from mobile and not Postman, or keys can be intercepted by a proxy.

Should I have a secret key embedded inside the mobile code and the server? What do you recommend for a completely trustless mode? The API can be used completely by Postman, and we want to make sure requests are sent by our mobile app and data is not altered in the middle. It is a web3 app, so there is no authentication like a traditional user and pass.

Baloo0ch

1 Answer

2

There is no guaranteed way to be sure the code has not been tampered with on the client device. Anyone who has physical access to the device is assumed to be able to execute arbitrary code on it, and so you can't guarantee that someone hasn't changed the data with a proxy.

Furthermore, in general, you would want to avoid embedding secrets into your code, including for HMAC. Anyone could disassemble the code and extract them.

Since you're presumably using TLS for your server, you could try to pin your CA certificate in the app, which could be bypassed, but would be more difficult. If you wanted to allow only trusted clients, you could then issue the client an HMAC key to sign its requests or have it create a TLS key and then issue it a certificate chained to an internal CA that it used for mutual TLS. Both of those would allow you to control the clients and revoke their access in the future, but you'd still have to come up with a way of determining whether the client is trusted.

My advice here is to not worry about whether the binary itself is trusted and just implement features like throttling, credential revocation, and other abuse prevention mechanisms so that even if there are unauthorized clients, they can't do much damage.

bk2204
  • Isn't a certificate pin the same as embedding a shared secret in the binary? Instead of a certificate pin I can just hide the certificate public key in code and use the private key on the server for decryption of a value which represents the message signature. – Baloo0ch Jun 02 '22 at 11:35
  • No, a certificate pin is embedding a hash of a trusted certificate. The hash is not a secret. – bk2204 Jun 02 '22 at 22:00
  • Certificate pinning is good when you need to make sure the response comes from a trusted source, API to client. We trust the API but need to make sure requests are sent by our app, not just curl or Postman, since the API can be used without authentication and the request payload is JSON which represents a score calculated by the app, subject to change by the user itself. – Baloo0ch Jun 03 '22 at 13:33
  • You're proposing using authentication for your API anyway, but just based on the client. What I'm saying is that if you do so, your secret will leak, and it will be able to be used without your app, and there's no way to avoid that. If you want authentication, use real authentication and issue a token based on that. – bk2204 Jun 03 '22 at 20:16
  • The app is architected like a web3 project; the only identifier is a public wallet address. Somehow we need to make sure data is submitted from the app. I think we need to make it hard for cheaters. I found some SaaS services in the cloud like Approov; we need to embed something in the app to make sure data is submitted by the app, not by the same user in a different way, which is why authentication is not the case here. – Baloo0ch Jun 05 '22 at 17:03
  • @Baloo0ch Hello, have you found any solutions that work or at least make it hard for cheaters? I am also searching for such mechanisms – melnynet Sep 28 '22 at 21:15
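
The answer's option of issuing each client its own HMAC key, so that access can be revoked later, could look like this on the server side. This is an added example, not code from the answer or any project; `ClientKeys`, `sign`, `MAX_SKEW`, and the timestamp and nonce fields are assumptions, and the freshness and replay checks go beyond what the answer describes. It authenticates whoever holds the issued key, not the app binary.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed policy)

def sign(key, client_id, ts, nonce, body):
    """HMAC-SHA256 over length-prefixed fields so values cannot shift between fields."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (client_id.encode(), str(int(ts)).encode(), nonce.encode(), body):
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.hexdigest()

class ClientKeys:
    """Server-side registry of per-client keys (in-memory, for the demo only)."""
    def __init__(self):
        self._keys = {}     # client_id -> key bytes, issued over TLS at enrolment
        self._seen = set()  # (client_id, nonce) pairs already accepted

    def issue(self, client_id):
        self._keys[client_id] = secrets.token_bytes(32)
        return self._keys[client_id]

    def revoke(self, client_id):
        self._keys.pop(client_id, None)

    def verify(self, client_id, ts, nonce, body, tag, now=None):
        key = self._keys.get(client_id)
        if key is None:
            return "unknown-or-revoked"
        now = time.time() if now is None else now
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(sign(key, client_id, ts, nonce, body), tag):
            return "bad-mac"
        if (client_id, nonce) in self._seen:
            return "replay"
        self._seen.add((client_id, nonce))
        return "ok"

def demo():
    reg = ClientKeys()
    key = reg.issue("client-1")  # constructed client id and payloads
    body = json.dumps({"score": 10}).encode()
    forged = json.dumps({"score": 9999}).encode()
    tag = sign(key, "client-1", 1000, "n-1", body)
    return [reg.verify("client-1", 1000, "n-1", b, tag, now=1010)
            for b in (body, body, forged)]  # ok, replay, bad-mac
```
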