Gregory Magarshak

Reputation: 2207

How to prove a request is coming from a real iOS or Android device?

I am building an app that will make HTTP requests to a server. I would like to know that the requests are coming from an app downloaded from an iOS App Store, or Android App Store. Is there any way to do this?

Maybe some kind of API on the phone allows signing with some Certificate Authority that is itself signed by Apple's Root Certificate Authority? Or something similar with Android?

Or maybe there is some way to use the "Advertising Identifier" like this but not running afoul of this ... is there something like this for Android?

I need this mostly to prevent Sybil attacks (people making millions of accounts without buying a million iPhones).

But perhaps even more importantly, I want the app to establish an account on the server, and not let some joker send a request to the same server to override the user's "udid" willy-nilly so the app can't connect later. I guess I can prevent this latter thing by just saving a cookie or localStorage in a web browser under browser tabs and hope it doesn't get cleared.

Upvotes: 0

Views: 1594

Answers (3)

Mattia Ferigutti

Reputation: 3738

I would suggest using Firebase App Check, which works really well in this situation. But anyway, the technologies used at this moment in time are:

Android

  • Play Integrity
  • SafetyNet (deprecated)

iOS

  • DeviceCheck
  • App Attest

Upvotes: 1

Gregory Magarshak

Reputation: 2207

Answering my own question: this is called Attestation.

On iOS, in Swift and Objective-C it's called DCAppAttestService:

https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity

Google has the SafetyNet Attestation API, but they're deprecating it:

https://developer.android.com/privacy-and-security/safetynet/deprecation-timeline

On the Web, you also have WebAuthn attestation sometimes available, but it is for authenticators, which may or may not be the phone itself. Regardless, it does sort of guarantee scarcity:

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/Attestation_and_Assertion

Upvotes: 0
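The two concerns in the question (Sybil accounts, and a stranger overwriting a user's record) are both addressed by the same server-side pattern that App Attest enables: the server issues a one-time challenge, the app signs it with a key the device created during attestation, and the server verifies the signature against the public key it registered for that key ID and checks the key's monotonic counter. The Go program below is an added example of that verification flow; it is not code from the answer, from Apple or from Google. It assumes a simplified authenticator-data layout (`keyID || counter`), stands in for the Secure Enclave key with an in-memory P-256 key, and assumes the Apple-signed attestation certificate chain was already validated before `RegisterKey` is called. Android's Play Integrity returns a Google-signed verdict instead of a device key, but the nonce binding and server-side checking follow the same idea.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"time"
)

// Assertion is what the app sends with a request: the registered key id, that key's
// monotonic use counter, client data embedding the server's challenge, and an ES256
// (P-256/SHA-256) signature in ASN.1 DER form. Field names are this example's own.
type Assertion struct {
	KeyID      string
	Counter    uint32
	ClientData []byte
	Signature  []byte
}

// Server keeps registered public keys, the last counter seen per key, and
// outstanding one-time challenges with their expiry.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	counters   map[string]uint32
	challenges map[string]time.Time
}

func NewServer() *Server {
	return &Server{map[string]*ecdsa.PublicKey{}, map[string]uint32{}, map[string]time.Time{}}
}

// IssueChallenge returns a random nonce the app must embed in its client data.
func (s *Server) IssueChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	s.challenges[c] = time.Now().Add(2 * time.Minute) // short validity window
	return c, nil
}

// RegisterKey stores the public key obtained at attestation time. Validating the
// Apple-signed attestation certificate chain is assumed to have happened already.
func (s *Server) RegisterKey(keyID string, pub *ecdsa.PublicKey) { s.keys[keyID] = pub }

// signedDigest mirrors the App Attest assertion nonce, SHA-256(authData || SHA-256(clientData)),
// with authData simplified here (assumption) to keyID || big-endian counter.
func signedDigest(keyID string, counter uint32, clientData []byte) []byte {
	authData := append([]byte(keyID), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[len(keyID):], counter)
	cdh := sha256.Sum256(clientData)
	digest := sha256.Sum256(append(authData, cdh[:]...))
	return digest[:]
}

// VerifyAssertion rejects unknown, expired or reused challenges, unregistered keys,
// bad signatures and non-increasing counters, in that order.
func (s *Server) VerifyAssertion(challenge string, a Assertion) error {
	exp, known := s.challenges[challenge]
	pub, registered := s.keys[a.KeyID]
	switch {
	case !known:
		return errors.New("unknown or already-used challenge")
	case time.Now().After(exp):
		delete(s.challenges, challenge)
		return errors.New("challenge expired")
	case !bytes.Contains(a.ClientData, []byte(challenge)):
		return errors.New("client data does not embed the challenge")
	case !registered:
		return errors.New("unregistered key")
	case !ecdsa.VerifyASN1(pub, signedDigest(a.KeyID, a.Counter, a.ClientData), a.Signature):
		return errors.New("bad signature")
	case a.Counter <= s.counters[a.KeyID]:
		return errors.New("counter did not increase: replay or cloned key")
	}
	s.counters[a.KeyID] = a.Counter
	delete(s.challenges, challenge) // consumed: one-time use
	return nil
}

// Device stands in for the app plus its hardware-bound key; on a real phone the
// private key never leaves the Secure Enclave, here it is an in-memory P-256 key.
type Device struct {
	KeyID   string
	Counter uint32
	Key     *ecdsa.PrivateKey
}

func NewDevice(keyID string) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{KeyID: keyID, Key: k}, err
}

// Assert bumps the counter and signs this request's client data for the challenge.
func (d *Device) Assert(challenge string) (Assertion, error) {
	d.Counter++
	cd := []byte(`{"challenge":"` + challenge + `","action":"create_account"}`)
	sig, err := ecdsa.SignASN1(rand.Reader, d.Key, signedDigest(d.KeyID, d.Counter, cd))
	return Assertion{d.KeyID, d.Counter, cd, sig}, err
}
```

Usage: create a `Server`, register a `Device`'s public key, then for each sensitive request call `IssueChallenge`, have the device `Assert` it, and gate the request on `VerifyAssertion`. Binding the account record to the key ID (rather than to a client-supplied "udid") is what stops someone else from overwriting it, and the per-key counter plus one-time challenges is what makes replays and cloned keys visible; Apple's own service additionally ties the key to a specific app bundle and to an actual device through the attestation certificate, which is the part this example assumes rather than shows.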

Bappaditya

Reputation: 9652

You may want to try setting the request headers to identify the agent.

You can set User-Agent: iOS or User-Agent: Android, and application-type to identify the device type.

x-application-key:38567940-b045-4b37-9999-d6c3b960af9e
application-type:iPhone
key-state:VALID
Content-Type:application/json
Accept-Language:en_US
x-type-mdm:ENABLE
User-Agent: iOS

HTTP Request

Upvotes: -1
