Ruslan, 2020-07-13 11:23:03
API

How to allow API access only from a specific Android application (iOS, web)?

Is it possible, on the server side where the API runs, to restrict access to it so that only certain applications (Android, web from a certain URL, iOS) can reach it, without checking users?

Previously I thought such a restriction was impossible to implement, because the server simply cannot authenticate the source.

Today I had doubts when I saw the access settings for the Google Maps API: the API key settings can restrict its use to a specific Android application, and for this they use the "SHA-1 certificate fingerprint".

The question is how they do it and how robust this restriction is. The private key cannot be in the application, otherwise it would be compromised; and if a public key is used for access, then why not extract it from the application and use it in the request?

If there is an explanation of how Google works, please share your thoughts.

Thank you.

5 answers
Igor, 2020-07-13
@igorhak

It is possible to identify the client from the request headers, which are easy to fake. Well, Google most likely has a key filter by client type.
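
The mechanism the question asks about, as an added example that is not code from this page or from Google: Google's Android client libraries attach the app's package name and the SHA-1 fingerprint of its signing certificate to each request as the headers X-Android-Package and X-Android-Cert, and the API backend compares that pair with the allow-list configured on the key. The Python below is a constructed reconstruction of that check, not Google's implementation; the certificate bytes, package name and key value are placeholders. It also shows the point in Igor's answer: the same two headers copied into a curl request pass the check, because both values are public (the fingerprint is computed from the certificate inside any copy of the APK).

```python
"""Constructed illustration of an API-key "Android app restriction" check.

Header names are the ones Google's Android client libraries send
(X-Android-Package, X-Android-Cert); the allow-list logic is an assumption
about how such a check works, not Google's code.
"""
import hashlib

# Constructed placeholder for the DER bytes of an app's release signing
# certificate. A real one comes from META-INF/CERT.RSA inside the APK
# (`keytool -printcert -file CERT.RSA` prints the same SHA-1 fingerprint).
SIGNING_CERT_DER = b"constructed-der-bytes-of-the-release-signing-certificate"
PACKAGE_NAME = "com.example.mapsclient"   # assumed package name
API_KEY = "AIza-constructed-example-key"  # assumed key, not a real one


def cert_sha1_fingerprint(der: bytes, colons: bool = True) -> str:
    """SHA-1 of the DER certificate, formatted as keytool / the console show it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    if not colons:
        return digest
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Server-side allow-list: key -> {(package name, fingerprint without colons)}.
KEY_RESTRICTIONS = {
    API_KEY: {(PACKAGE_NAME, cert_sha1_fingerprint(SIGNING_CERT_DER, colons=False))},
}


def check_android_restriction(query: dict, headers: dict) -> tuple:
    """Return (allowed, reason) for one request against the key's restriction."""
    key = query.get("key")
    if key not in KEY_RESTRICTIONS:
        return False, "unknown key"
    package = headers.get("X-Android-Package", "")
    # Normalise: accept the colon form too, compare case-insensitively.
    cert = headers.get("X-Android-Cert", "").upper().replace(":", "")
    if (package, cert) in KEY_RESTRICTIONS[key]:
        return True, "package and certificate fingerprint match the key"
    return False, "package/certificate pair not allowed for this key"


def legitimate_request() -> tuple:
    """What the real app sends: the SDK fills the headers from the installed APK."""
    headers = {
        "X-Android-Package": PACKAGE_NAME,
        "X-Android-Cert": cert_sha1_fingerprint(SIGNING_CERT_DER, colons=False),
    }
    return check_android_restriction({"key": API_KEY}, headers)


def wrong_app_request() -> tuple:
    """A different app (own package, own certificate) reusing the leaked key."""
    headers = {
        "X-Android-Package": "com.attacker.other",
        "X-Android-Cert": cert_sha1_fingerprint(b"constructed-attacker-cert", colons=False),
    }
    return check_android_restriction({"key": API_KEY}, headers)


def spoofed_request() -> tuple:
    """curl with copied headers: package name and fingerprint are both readable
    from the APK, so the server cannot distinguish this from the real app."""
    headers = {
        "X-Android-Package": PACKAGE_NAME,
        "X-Android-Cert": cert_sha1_fingerprint(SIGNING_CERT_DER),  # colon form
    }
    return check_android_restriction({"key": API_KEY}, headers)


if __name__ == "__main__":
    print("legitimate app:", legitimate_request())
    print("other app:     ", wrong_app_request())
    print("spoofed curl:  ", spoofed_request())
```

The takeaway for the question: a restriction of this kind only limits who can accidentally or casually reuse a leaked key (quota and billing hygiene); it is not authentication of the calling application, because everything the server sees is derivable from the public APK. Anything stronger needs a value the client cannot produce without a secret or a platform attestation, or a per-user credential.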

Roman Khegay, 2020-07-14
@khegay

Perhaps the implementation is done through the User-Agent, but this is not certain.

Developer, 2020-07-14
@samodum

I think Google uses some internal undocumented mechanisms in its Maps here, since it knows more about the application than ordinary developers do. It is possible that they do not even transmit this information directly from the Maps application, but via some mechanism within the system. Because if you transmit all the headers and data from the application, they are easy to track and copy to another device/system.

xmoonlight, 2020-07-14
@xmoonlight

Here

Uncle Seryozha, 2021-06-21
@Protos

Set up a MITM with Burp Suite, a 20-minute job. Look at what kind of traffic goes to Google services and everything will become clear.
