
I'm new to React Native development. I made an app that calls an HTTPS POST API using the fetch method. After that I started on the security layer, and for that I was trying to do two things:

  1. Ensure that my app calls my server and there is no man in the middle.

  2. Ensure that only clients who have the app installed can call the APIs on the server.

In other words, I'm trying to establish two-way SSL.

For that I used for each case:

And it worked.

But I'm not able to find a solution for case 2:

In other words, how to make only clients who have installed the app to call the APIs?

  • It is ideal not to add any material that presupposes certain voting patterns, or that asks people (not) to vote in a certain way. Detailed questions that do not make requests for preferential treatment are, on the whole, not downvoted on Stack Overflow. – halfer Apr 24 '19 at 20:36
  • 1
    I'm sorry for that – Kaboom Apr 24 '19 at 20:37
  • For your second problem, I imagine that calls for authentication, i.e. a username and password is required to ensure that certain parts of your API can only be called by users you allow. – halfer Apr 24 '19 at 20:38
  • First, thanks for your suggestion. But I'm asking about a kind of handshake between the mobile app and the server. I don't want the control to be at the API app level. – Kaboom Apr 24 '19 at 20:44
  • Well, let's assume you could modify something in the SSL handshake in order to identify the app as authorised to contact the API (e.g. a secret added into a header or something like that). What would stop someone decompiling your app to discover that secret, and using it outside of the app? – halfer Apr 24 '19 at 20:48
  • (Of course, the RN platform may not permit that, or Android/iOS may not permit that, which would also be worth considering). – halfer Apr 24 '19 at 20:49
  • The client certificate will be installed on the server side, so when the client calls the API, a handshake between those two will be established. – Kaboom Apr 24 '19 at 20:57
  • Yes, that's how TLS certificates work. Would you respond to my point about someone finding out how to connect to your API by decompiling your app? If you are only after a low-security option (i.e. with a trivial technical workaround) then perhaps that is an option for you. – halfer Apr 24 '19 at 20:59
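As an added example (not code from the question or the comments), this is what the server side of the two-way TLS discussed above looks like in Node.js: the server requests a client certificate during the handshake, rejects any that is not signed by the CA you issued the app's certificate from, and then checks the presented certificate against an allowlist of fingerprints. The file paths and the fingerprint value are placeholders, and `authorizeClientCert` is a hypothetical helper written for this example. As halfer's comments note, a certificate and key shipped inside the app can be extracted, so this restricts callers to holders of that credential, not to the app itself.

```javascript
// Added example, not from the question. Node.js HTTPS server enforcing two-way TLS:
// the TLS layer only completes the handshake for clients whose certificate chains
// to the app CA, and authorizeClientCert() narrows that to an explicit allowlist.

// Constructed placeholder: SHA-256 fingerprints as returned by
// socket.getPeerCertificate().fingerprint256 (colon-separated uppercase hex).
const ALLOWED_FINGERPRINTS = new Set([
  'PLACEHOLDER:REPLACE:WITH:REAL:FINGERPRINT256',
]);

// Decide whether a peer certificate object (the shape returned by
// tls.TLSSocket#getPeerCertificate) may call the API. Returns a verdict object.
function authorizeClientCert(cert, allowed = ALLOWED_FINGERPRINTS) {
  // getPeerCertificate() returns {} when the client presented nothing.
  if (!cert || Object.keys(cert).length === 0) {
    return { ok: false, reason: 'no client certificate presented' };
  }
  const fp = cert.fingerprint256;
  if (typeof fp !== 'string' || !allowed.has(fp.toUpperCase())) {
    return { ok: false, reason: 'certificate not in allowlist' };
  }
  // Belt and braces: TLS already checks validity, but re-check here so a
  // revoked-by-expiry certificate cannot slip through a misconfigured CA option.
  const now = Date.now();
  if (new Date(cert.valid_from).getTime() > now || new Date(cert.valid_to).getTime() < now) {
    return { ok: false, reason: 'certificate outside validity window' };
  }
  return { ok: true, subject: cert.subject && cert.subject.CN };
}

// Build the server. Placeholder paths: server key/cert and the CA that signed
// the client certificate bundled with the app. Modules are loaded here so the
// helper above can be exercised without touching the filesystem.
function createMutualTlsServer(opts) {
  const https = require('https');
  const fs = require('fs');
  return https.createServer({
    key: fs.readFileSync(opts.keyPath),
    cert: fs.readFileSync(opts.certPath),
    ca: fs.readFileSync(opts.clientCaPath), // trust anchor for client certs
    requestCert: true,                      // ask the client for a certificate
    rejectUnauthorized: true,               // drop clients with no/untrusted cert
  }, (req, res) => {
    const verdict = authorizeClientCert(req.socket.getPeerCertificate());
    res.setHeader('Content-Type', 'application/json');
    if (!verdict.ok) {
      res.writeHead(403);
      return res.end(JSON.stringify({ error: verdict.reason }));
    }
    res.writeHead(200);
    res.end(JSON.stringify({ hello: verdict.subject }));
  });
}
```

Start it with `createMutualTlsServer({ keyPath, certPath, clientCaPath }).listen(8443)`; the React Native client must then present the matching client certificate, which plain `fetch` does not support without a native networking module.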
