Anthony Koueik

Reputation: 1

Android Loopback Server: Restrict API calls to only apps installed in the managed work profile

I have an app installed on a managed work profile with a loopback server that starts a localhost web server. I want the 3rd party apps to make request calls to my local server. I have no access to the 3rd party apps.

How can I differentiate API request calls coming from the personal profile from calls coming from the managed work profile?

For example: I have Chrome installed on the work and personal profiles, and my localhost has this endpoint: GET http://localhost:8080/user

I want to return success for API requests coming from the Chrome installed on the managed profile and return Failed for API requests from the Chrome installed on the personal profile.

I've explored various avenues to identify if a request originates from a managed work profile, including inspecting headers and request properties. I even granted network logging permissions to my app delegate, but the logs weren't detailed enough and had significant delays. I suspect there's a straightforward solution that I'm overlooking. I'm hoping someone in the community has encountered a similar challenge and can offer guidance.

Upvotes: 0

Views: 38

Answers (1)

Gabe Sechan

Reputation: 93688

This is the entirely wrong approach for Android. Android is not an OS designed to run servers. It does not reliably run background processes by design; any non-foreground process is killed after about 2 minutes. There is a thing called Services which can be started when an API request comes in, but you would never run a local HTTP server on an Android device; it won't be around by the time you need it.

In addition, you really wouldn't expect the kind of security you're asking for over HTTP. Even on the web, there's no way to assure that a call to endpoint X comes from your code and not a 3rd party. The most you can do is authenticate the user and assure the user is allowed to make the request. You can't know it came from your code. Sure, you could use a secret key param to the request, but that will be sniffed out within minutes by a competent hacker. What you're wanting isn't cryptographically possible.

Upvotes: 0
