Teoman shipahi

Reputation: 23042

How to protect an API from man-in-the-middle attacks

I will build a cross-platform application (WP8, iOS, Android) and those apps will use my server to make API requests.

My server will also call different types of APIs (Google, Facebook, etc.) and return some results. And the application owner does not have to be logged in to make those calls.

If there is a man in the middle, he can track the API calls and use them for his own purposes, draining my quota against the API services I am using.

I only want phones that have the application to be able to make those calls. What would be the best way to detect whether API calls to my server come from my application?

Upvotes: 1

Views: 2844

Answers (2)

Daniel Cerecedo

Reputation: 6207

In your specific case you should use HTTPS and in the client, not only check that you are using an HTTPS connection, but that the certificate presented by the server and its certificate chain are the ones you expect. If you fail to do so, you could still perform a MITM attack. For example:

  • The MITM proxy could act as the client to the server and use an HTTP connection to serve the contents to the real client.
  • The MITM proxy could act as the client to the server and use a self-signed SSL certificate to present the real client an HTTPS connection.

Upvotes: 2
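As an added illustration of the two checks this answer describes (not code from the answer's author), here is a Python client that refuses plain-HTTP URLs outright and, on top of normal chain and hostname validation, pins the SHA-256 fingerprint of the server's leaf certificate. The pin values, host name and URL are constructed placeholders; a real app would embed the fingerprints of its own current and backup certificates at build time.

```python
import hashlib
import http.client
import ssl
from urllib.parse import urlsplit

# Constructed placeholder pins: SHA-256 hex digests of the DER-encoded leaf
# certificates the app was built against (current cert plus a backup so a
# certificate rotation does not brick every installed client).
PINNED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # placeholder: current cert
    "1111111111111111111111111111111111111111111111111111111111111111",  # placeholder: backup cert
}


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True only if the presented certificate is one the app was built to expect."""
    return cert_fingerprint(der_cert) in set(pins)


def is_https_url(url: str) -> bool:
    """MITM case 1 from the answer: a proxy serving the app over plain HTTP.
    The client must refuse anything that is not HTTPS instead of silently following it."""
    return urlsplit(url).scheme == "https"


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS connection that validates the chain (rejecting the self-signed
    certificate of MITM case 2), checks the hostname, and then checks the pin."""

    def __init__(self, host, pins, **kwargs):
        # create_default_context() loads the system trust store and enables
        # hostname checking, so a self-signed proxy certificate fails the handshake.
        context = ssl.create_default_context()
        super().__init__(host, context=context, **kwargs)
        self._pins = set(pins)

    def connect(self):
        super().connect()  # TLS handshake; raises ssl.SSLError on an untrusted chain
        der = self.sock.getpeercert(binary_form=True)
        if not pin_matches(der, self._pins):
            self.close()
            raise ssl.SSLError(
                "certificate pin mismatch: server presented %s" % cert_fingerprint(der)
            )


def open_api_connection(url: str, pins=PINNED_SHA256) -> PinnedHTTPSConnection:
    """Build a pinned connection for an API URL; raises ValueError on a non-HTTPS URL.
    Constructing the object does not open a socket; connect() does."""
    if not is_https_url(url):
        raise ValueError("refusing non-HTTPS URL: %s" % url)
    parts = urlsplit(url)
    return PinnedHTTPSConnection(parts.hostname, pins, port=parts.port or 443)


if __name__ == "__main__":
    # Hypothetical API host; with the placeholder pins above this is expected to fail
    # at the pin check even against a legitimately configured server.
    conn = open_api_connection("https://api.example.invalid/v1/search")
    try:
        conn.connect()
        print("pin matched, connection established")
    except (ssl.SSLError, OSError) as exc:
        print("connection refused:", exc)
```

Pinning the whole leaf certificate is the simplest form and is what is shown here; it means every certificate renewal needs a matching app update, which is why the pin set carries a backup entry. Pinning the public key (SPKI) instead survives renewals that keep the same key.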

Jonathan Gray

Reputation: 2609

You can use SSL to prevent man in the middle attacks but there really isn't a way that you can be 100% certain that you are communicating with your application. You can make it harder to do by requiring some sort of access token or using custom encryption but if somebody can decompile your app they can do whatever they want.

Upvotes: 2
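To show what the "access token" idea from this answer looks like in practice, and where its limit lies, here is an added example (not the answer author's code) of HMAC request signing: the client signs method, path, timestamp and body hash with a secret embedded in the app, and the server recomputes the signature, rejects stale timestamps and refuses replays. The secret, header names and time window are constructed values. As the answer says, anyone who extracts the secret from a decompiled app can sign requests too; this raises the bar against a passive observer on the network, not against someone holding the app binary.

```python
import hashlib
import hmac
import time

# Constructed, hypothetical shared secret. A real app embeds it in the client build,
# which is exactly why decompiling the app recovers it.
APP_SECRET = b"example-app-secret-not-a-real-value"
MAX_SKEW_SECONDS = 300  # constructed window for clock skew / replay tolerance


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind the signature to everything the server will act on, so a man in the
    middle cannot swap the path or body of a captured request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method: str, path: str, body: bytes, secret: bytes = APP_SECRET, timestamp=None) -> dict:
    """Client side: returns the headers to attach to the request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-App-Timestamp": str(ts), "X-App-Signature": mac}


def verify_request(method: str, path: str, body: bytes, headers: dict,
                   secret: bytes = APP_SECRET, now=None, seen_signatures=None):
    """Server side: returns (accepted, reason). seen_signatures, if given, is a set
    used to reject a replayed request inside the time window."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts = int(headers.get("X-App-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    given = headers.get("X-App-Signature", "")
    # Constant-time comparison so the server does not leak how many bytes matched.
    if not hmac.compare_digest(expected, given):
        return False, "signature mismatch"
    if seen_signatures is not None:
        if given in seen_signatures:
            return False, "replayed signature"
        seen_signatures.add(given)
    return True, "ok"


if __name__ == "__main__":
    body = b'{"q": "weather"}'
    headers = sign_request("POST", "/v1/search", body)
    print("valid request:", verify_request("POST", "/v1/search", body, headers))
    print("tampered body:", verify_request("POST", "/v1/search", b'{"q": "x"}', headers))
    seen = set()
    verify_request("POST", "/v1/search", body, headers, seen_signatures=seen)
    print("replayed request:", verify_request("POST", "/v1/search", body, headers, seen_signatures=seen))
```

On the server, the signing secret lets you distinguish requests produced by your app from arbitrary HTTP clients; combined with per-key rate limits and the ability to rotate the secret with an app update, it contains the quota drain the question worries about rather than eliminating it.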
