
We have a server with services and a client-side mobile app (Android, iOS). The user authenticates with username/password, but what about the app itself? I want to limit access to the server to just my app, and I don't want to involve the user in it; I want to keep it separate from the user login process.

The first idea is to keep some kind of key, password, certificate or the like in the app (and use it to encrypt random challenges from the server), but because it's hardcoded it can be extracted from the code and used by some other app.

If the phone has some secure storage to keep a certificate in, the password for accessing it will be kept in the app, so again it can be dug out.

Dark
  • Can you explain why you need such a level of security? Do you have to kill us if you tell? – Swapnil Luktuke Mar 30 '15 at 15:05
  • Go for something similar to OAuth / OAuth 2. If it's good enough for Google, Facebook, Twitter, DropBox and so many others, it should be good enough for you, right? – Swapnil Luktuke Mar 30 '15 at 15:07
  • I don't think it's such a high level of security; we just don't want our (or a customer's) server to be accessed by an unauthorized app. Btw, I have some background in credit card transaction protocols and standards; maybe it made me ask for too much :) – Dark Mar 31 '15 at 06:41
  • Am I right in saying that Google, FB etc. have open APIs for third-party apps, made and published by other companies? That's not our case – Dark Mar 31 '15 at 06:45

1 Answer


You can have a database of "trusted" app devices and link it to your user or device database (a.k.a. who's using who). You can try the one-time-password approach (behind the scenes, in the app code) and authenticate every time the user interacts with the app.

I also agree that everything (hardcoded / stored) on the device may be obtained, so time-based solutions may be effective in reducing attempts to perform unauthorized actions.

Joshua Arvin Lat
  • It looks like "device authentication", not "app authentication" :) Even with the same key and the same challenge (and there's no reason for the challenge to be the same all the time), adding a "salt" and using chaining will always create a different answer. I can beat anyone listening to the communication, but one who knows how and has time can take the key from the APK, or during runtime. – Dark Apr 09 '15 at 20:53
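The following is an added example, not code from the question or the answer: one way to implement the answer's behind-the-scenes one-time-password scheme for the question's "authenticate the app, not the user" requirement. It assumes (my choices, not the page's) that each app install gets its own random secret from the server at registration and that the app sends a `device_id` and `otp` with every request. The code is an HMAC over a 30-second time step and a digest of the request, so a captured code cannot be replayed or moved to another endpoint, and the server accepts one step of clock skew. As the question and the last comment point out, a secret pulled from the APK or from memory still produces valid codes; what the per-device database buys you is that such a clone can be revoked on its own without touching other installs.

```python
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30   # seconds per one-time code (TOTP-style step), assumed value
SKEW_STEPS = 1   # accept one step either side to tolerate clock drift


def request_digest(method, path, body):
    """Bind the code to the exact request so it cannot be replayed against
    a different endpoint or payload."""
    return hashlib.sha256(method.encode() + b"\n" + path.encode() + b"\n" + body).digest()


def otp_for(secret, device_id, step, req_digest):
    """Shared derivation used by both sides: HMAC-SHA256 keyed with the
    per-device secret over the device id, the time step and the request digest."""
    msg = device_id.encode() + struct.pack(">Q", step) + req_digest
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class AppClient:
    """What the app does on every call; the user never sees or types anything."""

    def __init__(self, device_id, secret):
        self.device_id = device_id
        self.secret = secret

    def sign_request(self, method, path, body, now):
        step = int(now) // TIME_STEP
        code = otp_for(self.secret, self.device_id, step, request_digest(method, path, body))
        return {"device_id": self.device_id, "otp": code}


class DeviceRegistry:
    """Server side: the answer's database of trusted app installs."""

    def __init__(self):
        self.devices = {}    # device_id -> (user_id, secret)
        self.revoked = set()
        self.seen = set()    # (device_id, step, req_digest) already accepted

    def register(self, user_id):
        """Issue a fresh random secret to one install (done once, over TLS)."""
        device_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.devices[device_id] = (user_id, secret)
        return device_id, secret

    def revoke(self, device_id):
        self.revoked.add(device_id)

    def verify(self, headers, method, path, body, now):
        device_id = headers.get("device_id")
        if device_id not in self.devices or device_id in self.revoked:
            return False
        _, secret = self.devices[device_id]
        digest = request_digest(method, path, body)
        step_now = int(now) // TIME_STEP
        for step in range(step_now - SKEW_STEPS, step_now + SKEW_STEPS + 1):
            expected = otp_for(secret, device_id, step, digest)
            if hmac.compare_digest(expected, headers.get("otp", "")):
                key = (device_id, step, digest)
                if key in self.seen:
                    return False          # same code presented twice: replay
                self.seen.add(key)
                return True
        return False                      # wrong key, tampered request or expired step

    def prune(self, now):
        """Drop replay records older than the acceptance window."""
        oldest = int(now) // TIME_STEP - SKEW_STEPS
        self.seen = {k for k in self.seen if k[1] >= oldest}


def demo():
    """Run the scheme on constructed requests; returns the verification outcomes."""
    reg = DeviceRegistry()
    device_id, secret = reg.register("alice")
    app = AppClient(device_id, secret)
    body = b'{"item": 7}'                       # constructed sample request
    t0 = 1_000_000
    h = app.sign_request("POST", "/api/orders", body, t0)
    fresh = reg.verify(h, "POST", "/api/orders", body, t0)
    replayed = reg.verify(h, "POST", "/api/orders", body, t0 + 5)
    tampered = reg.verify(app.sign_request("POST", "/api/orders", body, t0),
                          "POST", "/api/orders", b'{"item": 8}', t0)
    expired = reg.verify(app.sign_request("GET", "/api/me", b"", t0),
                         "GET", "/api/me", b"", t0 + 120)
    reg.revoke(device_id)
    revoked = reg.verify(app.sign_request("GET", "/api/me", b"", t0 + 300),
                         "GET", "/api/me", b"", t0 + 300)
    return {"fresh": fresh, "replayed": replayed, "tampered": tampered,
            "expired": expired, "revoked": revoked}


if __name__ == "__main__":
    print(demo())
```

The request digest is what turns a generic TOTP into a per-request code; without it an attacker who sniffs one code inside the 30-second window could reuse it on any endpoint. Use `hmac.compare_digest` rather than `==` on the server to avoid timing side channels, and call `prune` periodically so the replay set does not grow without bound.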