Can apps keep secrets?

Question

A given server API should be publicly accessible to all unauthorized users, but requests should only be allowed to originate from one specific app.

This should, in theory, be accomplished by having the app HMAC-sign all API requests, and by having the server correctly issue and store nonces (to avoid replay attacks).

Question::

Are there any known methods for a mobile app to slice, dice, chop and XOR a secret, in a way that makes it extremely hard, if not impossible, for hackers and crackers to retrieve the key?

You could encrypt all data using SSL/TLS and/or AES alle messages. — rckoenes, Feb 21 '13 at 14:48
not that I know of. one way or another, the key must stay secret, and the APK is not really secret. — njzk2, Feb 21 '13 at 14:57
Besides, even if you "slice, dice, chop and XOR" all you want, it will take but minutes to create a modified version of your APK file where somebody splices in code to intercept the decrypted secret as it is being used. — CommonsWare, Feb 21 '13 at 15:08

score 3 · Accepted Answer · answered Feb 21 '13 at 15:51

3

Create a free in-app purchase with iTunes connect and have users "buy" it (even though they won't be charged anything)... then verify the receipt with your servers... Apple will provide a transaction receipt which will verify that it originated from your app.

https://developer.apple.com/library/ios/#releasenotes/StoreKit/IAP_ReceiptValidation/

answered Feb 21 '13 at 15:51

Albert Renshaw

17,282
18
107
195

Good idea, but can you really make a free IAP? – augustzf Feb 22 '13 at 14:52
1

Yes, it's one of the options. :) – Albert Renshaw Feb 22 '13 at 16:11
"Free Subscription" it's the second to last option in iTunes connect. – Albert Renshaw Feb 22 '13 at 16:12

Can apps keep secrets?

1 Answers1