Android
AlexWinner, 2014-01-13 01:46:30

How can I check on the backend that the data comes from a mobile application?

Good afternoon!
The situation is this - there is a mobile application that sends some data to the backend server, let's say via http.
Please tell me, are there any ways to check on the backend that the data is really sent by the application, and not by an attacker emulating these requests using, for example, curl?
I thought that the data could be sent via HTTPS, so that it could not simply be captured in a dump in order to understand the structure. However, this does not protect against decompilation.
What remains? Obfuscation? Or are there some other ways?


2 answer(s)
M_PRO, 2014-01-13
@M_PRO

Most likely not. HTTPS is usually quite easy to bypass, although it can cause some trouble if implemented correctly, and obfuscation complicates life by an order of magnitude. In extreme cases, no one bothers to run the application in the emulator.
In such a situation, the only correct solution is to check the incoming data from the point of view of the application's logic. You can, if you really want to, try to collect some data from the phone and, based on it, try to identify the client as a real one.

maxaon, 2014-01-13
@maxaon

HTTPS with server certificate fingerprint verification and two-way authorization will considerably complicate an analyst's life. Then there are the classics, like obfuscation of program code and various anti-debugging techniques. If you work with GPS, then at least check where the data comes from. A good way is to transfer the logic of work to the server; however, users will be extremely unhappy with this approach.
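
Added example, not part of either answer above: a server-side plausibility check in the spirit of M_PRO's advice to validate incoming data against the application's logic and maxaon's advice to check GPS data. The `Report` fields, the speed ceiling and the clock-skew tolerance are assumptions for a hypothetical app that uploads location reports; the check bounds what a forged request can claim, it does not prove the sender is the real app.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 300.0     # assumed ceiling for this hypothetical app's users
MAX_CLOCK_SKEW_S = 120    # assumed tolerance for client clocks ahead of the server

@dataclass
class Report:
    ts: float   # client timestamp, Unix seconds
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two reports in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def check_report(prev, new, server_now):
    """Return reasons to reject `new`; an empty list means it is plausible."""
    if not (math.isfinite(new.lat) and math.isfinite(new.lon)
            and -90 <= new.lat <= 90 and -180 <= new.lon <= 180):
        return ["coordinates out of range"]
    reasons = []
    if new.ts > server_now + MAX_CLOCK_SKEW_S:
        reasons.append("timestamp in the future")
    if prev is not None:  # compare against the last accepted report of this account
        dt = new.ts - prev.ts
        if dt <= 0:
            reasons.append("timestamp not after previous report")
        elif haversine_km(prev, new) / (dt / 3600.0) > MAX_SPEED_KMH:
            reasons.append("implausible speed")
    return reasons

# Constructed sample data: Moscow, then two candidate reports 10 minutes later.
NOW = 1389577590.0
moscow = Report(NOW - 600, 55.7558, 37.6173)
nearby = Report(NOW, 55.7600, 37.6200)   # about half a kilometre away
spb = Report(NOW, 59.9343, 30.3351)      # St. Petersburg, over 600 km away

if __name__ == "__main__":
    print(check_report(moscow, nearby, NOW))
    print(check_report(moscow, spb, NOW))
```
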
