Strong mobile app identification on BACKEND?

V

Vadim Kalmykov2020-07-16 15:09:51

Android

Vadim Kalmykov, 2020-07-16 15:09:51

Good afternoon.

It is planned to develop a mobile application for Android with a standard user registration procedure - a phone number and its confirmation by SMS. When a registration request is received, the BACKEND part must have a reliable mechanism to verify that the request is from the correct application and not from some alternate client.

How is the issue of application identification reliably solved, for example, in banking products?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

D

Denis Zagaevsky, 2020-07-16
@zagayevskiy

First you need to determine if someone needs this Elusive Joe :)
If you suddenly need it, start simple - sign requests with a key that lies inside the application. In the license agreement, write that only you or those who bought access for millions of money can use it. If competitors violate, there are official procedures on how to squeeze them.
If you really really need it, buy protection, something like https://licelus.com/ or analogues.

X

xmoonlight, 2020-07-16
@xmoonlight

The application is not protected in any way: it is simply impossible. All the functionality of the client application is only "management levers" for the parameters of a specific account and / or work under this account.
They protect only the network traffic exchange channel using existing software crypto solutions and various methods of reliable authorization.

U

uvelichitel, 2020-07-16
@uvelichitel

Banking products protect with a physical USB tablet. Apple and android applications are protected by the signature of the product packer, the technology has been debugged. Client-server interaction is protected at the protocol level: in the case of http, almost nothing, https - with a certificate (yes, the client can also be identified by a certificate), with a self-made non-public protocol, you are limited only by your imagination.