Kamilski81

Reputation: 15107

How do I authenticate an internal API for an iPhone app?

We have a simple API that we don't want the external world using, and only want our iPhone clients to use.

How can I authenticate the client for the API for a mobile device?

Upvotes: 0

Views: 321

Answers (2)

Victor Ronin

Reputation: 23268

Here is the question which is internally similar to what you are asking:

Provide secure Facebook authentication with my Server

Here is what I replied over there:

It's called remote attestation. There are A LOT of problems with this.

Before you go into this direction, you need to ask yourself two questions

  • Who are you protecting against?

  • How much am I willing to invest?

If you are protecting yourself against a student with very limited knowledge, who may write another mobile app which will use your server, then you are fine with some shared secret.

If you are protecting against a just a little bit more sophisticated software engineer (who can reverse engineer your application) - it won't be enough. This engineer can extract a secret from your app and use it in his application.

You can read about remote attestation here and here.

Solutions which can protect you from simple reverse engineering are quite complex.

Upvotes: 1

Michael

Reputation: 991

If you have an API that your client can access, you won't be able to prevent a determined skilled person from also using your API (as the user can identify any secrets stored in the client).

If you just want to prevent casual use then a relatively simple way to authenticate a client would be to have a shared static secret that is stored in the client and use that with for example an HMAC based API authentication scheme.

Upvotes: 1
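The "shared static secret plus HMAC" scheme Michael describes, worked through as an added example (this is not code from either answer or from any particular library): the client signs each request over its method, path, a timestamp, a random nonce and a hash of the body; the server recomputes the HMAC, compares it in constant time, and rejects stale timestamps and reused nonces so a captured request cannot simply be replayed. The secret value, the header names and the `/v1/scores` path are constructed for the example, and the nonce store is an in-memory set that a real server would replace with a shared store. Both answers' caveat still applies: a secret shipped inside the app can be recovered by anyone who reverse engineers it, so this only raises the bar against casual use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example secret. A real deployment generates its own, and, as
# both answers point out, anything embedded in the app can be extracted.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Server-side replay protection: reject timestamps outside this window and
# nonces already seen. The set is in-memory for the example only.
MAX_CLOCK_SKEW = 300  # seconds
_seen_nonces = set()


def canonical_string(method, path, timestamp, nonce, body):
    """Build the exact byte string both sides sign.

    Binding method, path, timestamp, nonce and a body hash into the signed
    string ties the signature to this one request, so changing any of them
    invalidates it.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the auth headers the app attaches to a request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


def verify_request(secret, method, path, body, headers, now=None, seen_nonces=None):
    """Server side: return (ok, reason) for an incoming request."""
    now = int(time.time()) if now is None else now
    seen = _seen_nonces if seen_nonces is None else seen_nonces
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        signature = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed window"
    if nonce in seen:
        return False, "nonce already used (replay)"
    expected = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many leading
    # bytes of the signature were correct.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    seen.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    body = b'{"score": 10}'
    headers = sign_request(SHARED_SECRET, "POST", "/v1/scores", body)
    print("first request:", verify_request(SHARED_SECRET, "POST", "/v1/scores", body, headers))
    print("replayed request:", verify_request(SHARED_SECRET, "POST", "/v1/scores", body, headers))
    print("tampered body:", verify_request(SHARED_SECRET, "POST", "/v1/scores", b'{"score": 99}', headers))
```

The server must sign exactly the same canonical string the client does, so the method, path and body bytes it uses for verification have to be the ones it actually received, not a re-serialised copy; any normalisation that differs between the two sides shows up as a spurious "bad signature".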
