Android
zencd, 2016-11-02 11:43:46

How to sign a request from an Android application to the server so that no one else can fake the request?

An Android application makes REST requests to a server.
What can be done so that only this particular application can send such requests, and, accordingly, nobody with curl could mimic the application?
If the application ran on a secure server, it would be clear what to do: read the secret key from storage and sign the request with it. But what about the same task in the world of mobile applications? The code runs on the client, where everything seems to lend itself to analysis...


3 answers
xmoonlight, 2016-11-02
@xmoonlight

Update the application on the store periodically (every 3 months) with a new key, and verify on the server side that the data is signed with this new key.
This will be enough to stop them from building their own client and breaking something.
In general, I advise you to keep everything secret on the server and to always assume that the client code is completely open to the user: the client is just the "control levers", and the "engine" should always be on the server.
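
As an added illustration of the rotation scheme in this answer (not code from the answer's author or from the original page): the client signs each request with an HMAC over the method, path, timestamp, key id and body hash, and the server keeps a key ring in which every key id has a retirement date. When a new app build ships with a new key, the server retires the old id, so requests forged with a key extracted from an old build stop verifying. The key ring contents, header names, the 300-second clock-skew window and the replay cache are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed server-side key ring: key id -> (shared secret, valid-until epoch seconds).
# Each app release ships one key id; the server retires the previous one after the
# release has propagated. The secrets and dates below are made up for this example.
KEY_RING = {
    "k2016q3": (b"old-secret-shipped-in-app-v3", 1475280000),      # retired
    "k2016q4": (b"current-secret-shipped-in-app-v4", 1483228800),  # current
}

CLOCK_SKEW_SECONDS = 300  # assumed window for the request timestamp


def canonical(method, path, body, ts, key_id):
    """Bytes that both sides sign: binds the signature to method, path, time,
    key id and body so none of them can be changed without re-signing."""
    return "\n".join([
        method.upper(),
        path,
        str(ts),
        key_id,
        hashlib.sha256(body).hexdigest(),
    ]).encode()


def sign_request(secret, key_id, method, path, body, ts):
    """Client side (would run inside the app): returns the headers to attach."""
    mac = hmac.new(secret, canonical(method, path, body, ts, key_id), hashlib.sha256)
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(ts),
        "X-Signature": mac.hexdigest(),
    }


def verify_request(headers, method, path, body, now, seen_signatures):
    """Server side: returns (accepted, reason). `seen_signatures` is a set that
    stands in for a short-lived replay cache keyed on the signature."""
    key_id = headers.get("X-Key-Id")
    entry = KEY_RING.get(key_id)
    if entry is None:
        return False, "unknown key id"
    secret, valid_until = entry
    if now > valid_until:
        # The key id from an old app build: rotation has retired it.
        return False, "key retired"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > CLOCK_SKEW_SECONDS:
        return False, "stale"
    expected = hmac.new(secret, canonical(method, path, body, ts, key_id),
                        hashlib.sha256).hexdigest()
    sig = headers.get("X-Signature", "")
    # Constant-time comparison so signature checking does not leak via timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if sig in seen_signatures:
        return False, "replay"
    seen_signatures.add(sig)
    return True, "ok"


if __name__ == "__main__":
    now = 1478000000  # constructed "current" server time, within k2016q4's validity
    body = b'{"amount": 10}'
    seen = set()
    hdrs = sign_request(KEY_RING["k2016q4"][0], "k2016q4", "POST", "/api/pay", body, now)
    print(verify_request(hdrs, "POST", "/api/pay", body, now, seen))
    print(verify_request(hdrs, "POST", "/api/pay", body, now, seen))  # replay
    old = sign_request(KEY_RING["k2016q3"][0], "k2016q3", "POST", "/api/pay", body, now)
    print(verify_request(old, "POST", "/api/pay", body, now, set()))  # retired key
```

Retiring the old key id on the server is what gives the rotation its effect: a secret pulled out of last quarter's APK is simply no longer in the ring. The timestamp and replay cache close the cheaper attack of capturing one valid request and resending it unchanged.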

TyzhSysAdmin, 2016-11-03
@POS_troi

Guaranteed protection does not exist. The task of any cryptography is not to protect data but to make obtaining that data as unprofitable as possible, in terms of money and time.
As xmoonlight already said, change the key more often. As a result, those who want to fake requests simply will not have enough time to solve the problem, or there will be no quick solution, and the cost will exceed the profit.

mitaichik, 2016-11-02
@mitaichik

Everything is bad here: you can restrict access by key, but yes, applications get decompiled and the key is pulled out. You can try to hide this key somehow, but with enough determination all of that is uncovered.
