Ask HN: How do I ensure that a real iOS client is using an API

4 points by evilswan 14 years ago · 6 comments · 1 min read


Hello HN! Hoping I can tap the colossal power of the HN hive-mind.

Working on a project where an iOS client hits an API. How do I ensure that only my 'real' client is allowed to use it?

I could bake a secret token into the app, but surely it will just be sniffed (HTTPS only, but a MITM proxy?) or the app decompiled and the token extracted (Like the Sony PS3 master key).

Is there any reliable way to ensure that a hacked, dummy version of my app can't use the real API?

Thanks HN!

saurik 14 years ago

This is not possible. You should design your architecture so that this either does not matter or has a bounded cost.

  • evilswan (OP) 14 years ago

    Had a hunch this was the case, just needed someone smarter than I to confirm.

    How do banks ensure nobody makes a phishing version of their apps?

    • saurik 14 years ago

      They can't. If "no phishing" is a desired property, then it would be up to the distribution ecosystem to either carefully monitor for such products and deny them, or to at least allow some mechanisms for users to verify products themselves (such as SSL combined with URL bars do for general web traffic).
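An added example (not code from the thread) of the "bounded cost" design saurik describes: the server never relies on a secret inside the app. Each user gets a server-issued credential, every request is rate-limited per user, and a single user can be revoked. A cloned client can still call the API, but only as one user and only as fast as that user is allowed. The server class, its limits and the simulated burst are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Bucket:
    """Token bucket for one user: `tokens` available, `last` refill time."""
    tokens: float
    last: float


@dataclass
class ApiServer:
    """Hypothetical API that trusts the user credential, not the app binary."""
    capacity: float = 5.0          # burst allowed per user
    refill_per_sec: float = 1.0    # sustained requests per second per user
    token_to_user: dict = field(default_factory=dict)   # credential -> user_id
    buckets: dict = field(default_factory=dict)         # user_id -> Bucket
    revoked: set = field(default_factory=set)

    def issue_credential(self, user_id: str) -> str:
        """Server-side secret per user; nothing here is baked into the app."""
        cred = secrets.token_urlsafe(32)
        self.token_to_user[cred] = user_id
        return cred

    def revoke_user(self, user_id: str) -> None:
        """Bounded-cost response to abuse: cut off the one affected principal."""
        self.revoked.add(user_id)

    def handle(self, credential: str, now: float):
        """Return (status, message) for one request made at time `now`."""
        user = self.token_to_user.get(credential)
        if user is None:
            return 401, "unknown credential"
        if user in self.revoked:
            return 403, "credential revoked"
        bucket = self.buckets.get(user)
        if bucket is None:
            bucket = Bucket(tokens=self.capacity, last=now)
            self.buckets[user] = bucket
        # Refill proportionally to elapsed time, capped at the burst capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now
        if bucket.tokens < 1.0:
            return 429, "rate limited"
        bucket.tokens -= 1.0
        return 200, f"ok for {user}"


def burst_success_count(server: ApiServer, credential: str, n_requests: int, at: float) -> int:
    """Simulate a client firing n_requests at the same instant and count the
    ones that succeed. Whatever the client claims to be, the answer is capped
    by the per-user bucket, which is the 'bounded cost' property."""
    ok = 0
    for _ in range(n_requests):
        status, _ = server.handle(credential, now=at)
        ok += status == 200
    return ok


if __name__ == "__main__":
    srv = ApiServer()
    cred = srv.issue_credential("alice")
    print("succeeded out of 100:", burst_success_count(srv, cred, 100, at=1000.0))
    print(srv.handle(cred, now=1001.0))   # one token refilled after a second
    srv.revoke_user("alice")
    print(srv.handle(cred, now=1002.0))   # revoked
```

The point is where the trust boundary sits: the credential identifies a user the server can throttle or revoke, so extracting anything from the app buys an attacker nothing more than one ordinary account's quota.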

edlea 14 years ago

This is something that the BBC did with iPlayer: http://po-ru.com/diary/device-discrimination-on-the-internet...

I've not quite worked out how to implement it though

  • evilswan (OP) 14 years ago

    That is interesting, but surely the client-side cert could just be copied and used in a dummy app?

toolmaker 14 years ago

How about this:

1. Use the current GMT date/time to generate an encrypted API endpoint like adfa923asdf.yourdomain.com.

2. Make it change every day.

3. For all other hostnames besides the correct one for the day, dump random data so the fake app cannot tell whether or not the API is giving out the right results for sure.

All your apps will be pinging the right API endpoint whereas the fake ones will have a hard time catching up.

Also, use authentication on top of all of this.
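An added example (not toolmaker's code) of the daily rotating endpoint above: the hostname label is an HMAC of the UTC date under a key the app ships with, and the server answers with the real payload only on today's name and with random filler on any other. The key and the domain are constructed placeholders. Note that the label is a deterministic function of the date and the shipped key, so any binary holding that key derives the same name; the rotation hides the endpoint but does not authenticate the caller, which is why the post's closing line about adding authentication matters.

```python
import datetime as dt
import hashlib
import hmac
import secrets

APP_KEY = b"constructed-example-key-not-real"   # shipped inside the app binary (placeholder)
BASE_DOMAIN = "example.invalid"                  # placeholder domain, never resolves


def endpoint_for(day: dt.date) -> str:
    """Hostname for a given UTC date: first 12 hex chars of HMAC-SHA256(key, date)."""
    label = hmac.new(APP_KEY, day.isoformat().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{label}.{BASE_DOMAIN}"


def todays_endpoint() -> str:
    """What the real app resolves at runtime (UTC, so client and server agree)."""
    return endpoint_for(dt.datetime.now(dt.timezone.utc).date())


def server_response(host: str, today: dt.date, real_payload: dict) -> dict:
    """Server side of the scheme: real data only on today's hostname,
    random filler (step 3 of the post) for every other name."""
    if hmac.compare_digest(host, endpoint_for(today)):
        return real_payload
    return {"data": secrets.token_hex(16)}   # random noise, different on every call


def rotates_daily(day: dt.date) -> bool:
    """Sanity check that consecutive days map to different hostnames."""
    return endpoint_for(day) != endpoint_for(day + dt.timedelta(days=1))


if __name__ == "__main__":
    today = dt.date(2011, 1, 20)   # constructed date for a reproducible run
    payload = {"balance": 42}
    print(endpoint_for(today))
    print(server_response(endpoint_for(today), today, payload))          # real data
    print(server_response(endpoint_for(today - dt.timedelta(days=1)), today, payload))  # filler
    print("rotates:", rotates_daily(today))
```

Operationally this also needs a wildcard DNS record and a wildcard TLS certificate for the base domain, since the label changes daily; both are server-side concerns the app never sees.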
