Dark

Reputation: 894

How a mobile app can authenticate itself to a server?

We have a server with services and a client-side mobile app (Android, iOS). The user authenticates with username/password, but what about the app itself? I want to limit access to the server to just my app, and I don't want to involve the user in it; I want to keep it separate from the user login process.

The first idea is to keep some kind of key, password, certificate or the like in the app (and use it to encrypt random challenges from the server), but because it's hardcoded it can be taken out of the code and used by some other app.

If the phone has some secure storage to keep a certificate in, the password for accessing it will be kept in the app, so again it can be dug out.

Upvotes: 0

Views: 490

Answers (1)

Joshua Arvin Lat

Reputation: 1039

You can have a database of "trusted" app devices and link that to your user or device database (a.k.a. who's using who). You can try the one-time password approach (behind the scenes with the app code) and authenticate every time the user interacts with the app.

I also agree that everything (hardcoded / stored) in the device may be obtained, so time-based solutions may be effective in reducing attempts to do unauthorized actions.

Upvotes: 2
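Added example (not code from the question or the answer above): one way to implement the answer's "trusted device table plus time-based one-time password" scheme on the server side, in Python. The device ids, the per-device secret, the 30-second step and the 8-digit code length are assumptions; the registry also rejects replayed codes and locks a device after repeated failures, which the answer does not spell out.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # assumed time step shared by app and server
DIGITS = 8          # assumed code length


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 6238 style code: HMAC-SHA256 over the big-endian time step,
    then dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class DeviceRegistry:
    """Server-side table of enrolled ("trusted") app devices.
    Each device gets its own secret at enrollment, so a secret pulled out
    of one installation only ever impersonates that one device."""

    def __init__(self, window: int = 1, max_failures: int = 5):
        self.secrets = {}        # device_id -> per-device secret
        self.last_counter = {}   # highest time step already accepted per device
        self.failures = {}       # consecutive bad codes per device
        self.window = window     # tolerated clock skew, in time steps
        self.max_failures = max_failures

    def enroll(self, device_id: str, secret: bytes) -> None:
        self.secrets[device_id] = secret

    def verify(self, device_id: str, code: str, now: float) -> bool:
        """Check the code the app attached to a request; `now` is Unix time."""
        secret = self.secrets.get(device_id)
        if secret is None or self.failures.get(device_id, 0) >= self.max_failures:
            return False   # unknown device, or locked out after repeated failures
        current = int(now // STEP_SECONDS)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter.get(device_id, -1):
                continue   # a code for this step was already used: reject replays
            if hmac.compare_digest(totp(secret, counter), code):
                self.last_counter[device_id] = counter
                self.failures[device_id] = 0
                return True
        self.failures[device_id] = self.failures.get(device_id, 0) + 1
        return False
```

A secret extracted from the app can still produce valid codes, which is the limitation the answer acknowledges; per-device secrets, replay rejection and lockout bound the damage to one enrolled device and make abuse visible in the server's failure counts.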
