JWKot

Reputation: 360

Make sure an http(s) request is coming from my iOS app

I'm developing an iOS App where users are displayed content related to their surroundings. I have a username/password authentication. So a user sends his GPS data along with his login information to my PHP/MySQL backend, which then returns the data.

However, I fear somebody might decompile my app, register and then "scan" my entire database by simply sending requests with different GPS data that doesn't actually come from an iOS device. Is there any way to prevent this? I've googled already and found this thread:

How to make sure API requests come from our mobile (ios/android) app?

But I think the problem there is slightly different and does not solve my issue.

I've looked into API keys but didn't find a way to stop a malicious user from gaining access to the API by registering, decompiling, and then using his login information along with the key from the code.

Any help is appreciated. Jan

Upvotes: 4

Views: 2287

Answers (3)

kroonwijk

Reputation: 8400

I had the same problem with such an app before. In the end, you cannot really rely on a device-based coupling and access rule being checked.

First thing to consider is some form of authentication. But guessing you already considered that, it might not be applicable to your app.

My approach was to check and restrict the number of queries that can originate from a certain origin for a day. Calculate, based on refresh intervals, what amount of data you would expect to be pulled from your backend, put some 10% on top of that, stop providing data to that destination once exceeded, and send an email to the admin about the event so he can look into it and maybe ban the client permanently.

As stated in a comment before, not waterproof either, but it works in a device agnostic way, and the harder you make it to abuse, the better it is.

Upvotes: 1
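The quota scheme this answer describes, as an added example that is not code from the answer or from the asker's backend: the daily allowance is derived from the app's refresh interval plus a 10% margin, requests beyond it are refused, and the admin is alerted once per client per day. The in-memory counters, the alert callback and the ban list are assumptions; on the PHP/MySQL backend from the question the counters would be a table keyed by user id and date.

```python
"""Daily per-client request quota derived from the app's refresh interval.

Added example, not code from the original answer. Counters live in memory
here (assumption); a real backend would persist them per (user_id, date).
"""
from collections import defaultdict

SECONDS_PER_DAY = 24 * 60 * 60


def daily_quota(refresh_interval_seconds: int, margin_percent: int = 10) -> int:
    """Requests a well-behaved client makes per day at a fixed refresh
    interval, plus the margin (10% as the answer suggests), rounded up.
    Integer arithmetic avoids float rounding pushing the ceiling up by one."""
    numerator = SECONDS_PER_DAY * (100 + margin_percent)
    denominator = 100 * refresh_interval_seconds
    return (numerator + denominator - 1) // denominator


class QuotaGuard:
    """Serve at most `quota` requests per client per day; alert the admin
    once when the quota is exceeded and refuse the rest. A banned client is
    refused outright."""

    def __init__(self, quota: int, alert):
        self.quota = quota
        self.alert = alert                   # alert(user, day, count), e.g. sends the admin email
        self.counts = defaultdict(int)       # (user, day) -> requests seen so far
        self.alerted = set()                 # (user, day) pairs already reported
        self.banned = set()

    def allow(self, user: str, day: str) -> bool:
        """Return True if this request should be served."""
        if user in self.banned:
            return False
        key = (user, day)
        self.counts[key] += 1
        if self.counts[key] <= self.quota:
            return True
        if key not in self.alerted:          # one alert per client per day
            self.alerted.add(key)
            self.alert(user, day, self.counts[key])
        return False

    def ban(self, user: str) -> None:
        """Permanent ban, as the answer suggests the admin may decide."""
        self.banned.add(user)


if __name__ == "__main__":
    # Constructed demo: a client refreshing every 60 s gets 1440 * 1.1 = 1584 requests/day.
    alerts = []
    guard = QuotaGuard(daily_quota(refresh_interval_seconds=60),
                       lambda *event: alerts.append(event))
    served = sum(guard.allow("jan", "2024-01-01") for _ in range(2000))
    print(f"quota={guard.quota} served={served} alerts={alerts}")
```

The quota is per user per calendar day, so a scanner who registers several accounts gets a fresh allowance per account; the answer's point stands that this raises the cost of abuse rather than preventing it.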

John Wu

Reputation: 52210

You could log all of the requests per user, then use the GPS coordinates to apply rules to the user's movement. For example, set a rule that fires if the coordinates suggest the user is moving faster than 500 mph, or travels more than 10,000 miles in one day, that sort of thing. If the rules fire then the movement is artificial and you're being scanned; if the rules don't fire it means the user is moving in an ordinary, human way as expected.

Upvotes: 3
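The movement rules from this answer, as an added example that is not code from the answer: consecutive logged fixes for one user are turned into an implied speed (great-circle distance over elapsed time) and a per-day mileage, and the two thresholds the answer names (500 mph, 10,000 miles per day) are applied. The `Fix` record, the rule names and the day bucketing by each leg's start time are assumptions.

```python
"""Plausibility rules over a user's logged GPS fixes.

Added example, not code from the original answer. Thresholds are the
answer's; the fix layout and rule names are assumptions.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_MILES = 3958.8
MAX_SPEED_MPH = 500.0          # rule 1 from the answer
MAX_DAILY_MILES = 10_000.0     # rule 2 from the answer
SECONDS_PER_DAY = 86_400


@dataclass
class Fix:
    t: float      # server-side request time, Unix seconds
    lat: float    # degrees
    lon: float    # degrees


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def check_movement(fixes):
    """Return a list of (rule, detail) violations for one user's fixes,
    given in the order they were logged. Empty list means the track looks
    like ordinary human movement."""
    violations = []
    miles_per_day = {}
    for prev, cur in zip(fixes, fixes[1:]):
        if cur.t <= prev.t:
            # Server clock should be monotonic; treat anything else as suspect.
            violations.append(("timestamp", f"non-increasing time at {cur.t}"))
            continue
        miles = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
        mph = miles / ((cur.t - prev.t) / 3600)
        if mph > MAX_SPEED_MPH:
            violations.append(("speed", f"{mph:.0f} mph between fixes"))
        day = int(prev.t // SECONDS_PER_DAY)   # assumption: leg counts toward its start day
        miles_per_day[day] = miles_per_day.get(day, 0.0) + miles
    for day, miles in sorted(miles_per_day.items()):
        if miles > MAX_DAILY_MILES:
            violations.append(("daily_distance", f"{miles:.0f} miles on day {day}"))
    return violations


if __name__ == "__main__":
    # Constructed track: New York to Los Angeles in one hour is not a human trip.
    scan = [Fix(0, 40.7128, -74.0060), Fix(3600, 34.0522, -118.2437)]
    print(check_movement(scan))
    # Same pair six hours apart passes the speed rule (about 408 mph, a flight).
    flight = [Fix(0, 40.7128, -74.0060), Fix(6 * 3600, 34.0522, -118.2437)]
    print(check_movement(flight))
```

A scanner that walks a grid with small steps and realistic delays will stay under both thresholds, so these rules catch the crude bulk scan, not a patient one; they are best combined with a per-user request quota.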

poulping

Reputation: 118

Well, I am not a mobile device developer, but if you have no other options, you could generate a token (some hash), and every call to your API needs to be verified against the token?

Upvotes: 2
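One concrete form of the per-call token this answer sketches, as an added example that is not code from the answer: the app signs each request with an HMAC over the user, a timestamp, a nonce and the body, using a secret the backend issued at login, and the backend recomputes the signature and rejects stale or replayed calls. The canonical string layout, the 5-minute window, the in-memory nonce set and the names `sign_request` and `TokenVerifier` are assumptions. Note the limit the asker already raised: a token issued to a registered user is available to that user's decompiled app as well, so this stops forged or replayed requests from third parties, not scanning by an authenticated account.

```python
"""Per-request HMAC token: the app signs each call with a secret issued at
login; the server recomputes the signature and rejects stale or replayed
requests.

Added example, not code from the original answer. Field layout, window
length and the in-memory replay set are assumptions.
"""
import hashlib
import hmac
import os
import time


def canonical(user: str, ts: int, nonce: str, body: str) -> bytes:
    # Newline-separated so adjacent fields cannot be shifted into each other.
    return "\n".join([user, str(ts), nonce, body]).encode()


def sign_request(secret: bytes, user: str, ts: int, nonce: str, body: str) -> str:
    """What the app computes and sends with the request (e.g. in a header)."""
    return hmac.new(secret, canonical(user, ts, nonce, body), hashlib.sha256).hexdigest()


def new_nonce() -> str:
    """Fresh random nonce for one request."""
    return os.urandom(16).hex()


class TokenVerifier:
    """Server side: per-user secrets (handed out at login) and replay tracking."""

    def __init__(self, secrets, ttl_seconds: int = 300, now=time.time):
        self.secrets = secrets          # user -> secret bytes issued at login
        self.ttl = ttl_seconds          # accepted clock skew / request age
        self.now = now                  # injectable clock for testing
        self.seen = set()               # (user, nonce) accepted within the window;
                                        # a real backend prunes entries older than ttl

    def verify(self, user: str, ts: int, nonce: str, body: str, sig: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False                # unknown user or not logged in
        if abs(self.now() - ts) > self.ttl:
            return False                # stale or future-dated request
        if (user, nonce) in self.seen:
            return False                # replay of an already accepted request
        expected = sign_request(secret, user, ts, nonce, body)
        if not hmac.compare_digest(expected, sig):
            return False                # forged or tampered request
        self.seen.add((user, nonce))    # record only after the signature checks out
        return True


if __name__ == "__main__":
    # Constructed exchange: login issued this secret to user "jan".
    secret = os.urandom(32)
    verifier = TokenVerifier({"jan": secret})
    ts, nonce, body = int(time.time()), new_nonce(), '{"lat":52.52,"lon":13.405}'
    sig = sign_request(secret, "jan", ts, nonce, body)
    print("first call :", verifier.verify("jan", ts, nonce, body, sig))   # True
    print("replayed   :", verifier.verify("jan", ts, nonce, body, sig))   # False
```

The nonce set is only added to after a valid signature, so an attacker cannot burn nonces for a legitimate user by sending garbage; the timestamp window bounds how long that set must be kept.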
