Say I have an API, /api/send-otp, which takes a phone number as input and sends an OTP to the user's phone number. Now, this API cannot be authenticated, because the auth token is only generated after a successful /api/confirm-otp call.

How do I make sure that the /api/send-otp call is coming only from the authorized Android app and not from any script/client?

PS: I can't embed any hashing logic in the APK, as it can be reverse-engineered. Is something provided by Google (SafetyNet)? Any relevant documentation/implementation link would be helpful.

  • Well, SafetyNet is the most suitable scenario for your app. Refer to this blog, which explains it in detail: https://medium.com/@hargoyal/secure-android-app-with-safetynet-8e367a1c8ad0 Hope this will be helpful – Nikhil Lotke Jun 27 '18 at 14:13

1 Answer

How do I make sure that the /api/send-otp call is coming only from the authorized Android app and not from any script/client?

An easy way would be to pass along an indicator param like app_version and check for it on the server side. If it doesn't exist, treat the request as unauthenticated.

Alternatively, you can use the old Google Play Services GoogleAuthUtil:

You use the GoogleAuthUtil class, available through Google Play services, to retrieve a string called an “ID Token”. You send the token to your backend and your backend can use it to quickly and cheaply verify which app sent it and who was using the app.

Verifying Back-End Calls from Android Apps

Also, there is another way, Google Sign-In, mentioned in this security blog.

  • app_version can be easily intercepted, and then the request can be sent via Postman/cURL – thekosmix Jun 29 '18 at 10:56
  • I agree. As your full code/resources are on the user side, they can get anything they want; it's just a matter of their seriousness. – isamirkhaan1 Jun 29 '18 at 12:30
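The ID-token approach in the answer only helps if the backend actually verifies the token rather than just checking that one is present. The following is an added example of that backend-side check, written for this page and not taken from the answer, the Google blog post, or any Google library. It assumes placeholder OAuth client IDs (ServerClientID for the backend, AndroidClientID for the app) and uses a locally generated RSA key in place of the key Google publishes at its JWKS endpoint, so that the example runs offline; MintToken likewise stands in for Google's token service and exists only to produce test input. The checks themselves are the ones that matter in production: pinned RS256 algorithm, valid signature, Google issuer, aud equal to the backend's client ID, azp equal to the Android app's client ID, and an unexpired exp.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Placeholder OAuth client IDs (assumed, not real). Google puts the
// backend's ID in aud and the ID of the app that obtained the token in azp.
const (
	ServerClientID  = "111111111111-backend.apps.googleusercontent.com"
	AndroidClientID = "111111111111-android.apps.googleusercontent.com"
)

// Claims are the ID-token fields the backend must check.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // intended recipient: the backend's client ID
	Azp string `json:"azp"` // authorized party: the app that obtained the token
	Sub string `json:"sub"` // stable Google account ID of the user
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

var b64 = base64.RawURLEncoding

// NewTestKey makes a throwaway RSA key that stands in for the key Google
// publishes in its JWKS; it exists only so the example runs offline.
func NewTestKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// MintToken builds a JWT with the given header alg and RSA signature. It
// stands in for Google's token service; a real backend never signs ID tokens.
func MintToken(priv *rsa.PrivateKey, alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64.EncodeToString(sig)
}

// VerifyIDToken is the backend-side check: pinned algorithm, valid RSA
// signature under pub (the Google key matching the token's kid, looked up
// by the caller), Google issuer, aud == our client ID, azp == the Android
// app's client ID, and not expired at time now (Unix seconds).
func VerifyIDToken(tok string, pub *rsa.PublicKey, serverClientID, androidClientID string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never accept "none" or an HMAC alg chosen by the token.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected or unreadable alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com" {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != serverClientID {
		return nil, errors.New("aud mismatch: token was not issued for this backend")
	}
	if c.Azp != androidClientID {
		return nil, errors.New("azp mismatch: token was not obtained by our app")
	}
	if now >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

The azp check is the part that answers the question: without it, a valid token only proves that some Google client obtained one for some user, not that it was your app. It is still an account-level statement, so it does not on its own prove the device or APK is untampered; that is what the SafetyNet attestation mentioned in the comments is for. In production, replace NewTestKey with a lookup of Google's current signing keys by the token header's kid, and expect key rotation.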