
We have a few RESTful endpoints in a service developed in Quarkus. We test all the endpoints using curl, Postman or a similar tool. After testing, we call all the endpoints from Android code in our mobile app.

Now we want to validate that the endpoints are only called from Android code (the mobile app) and not from curl, Postman or any such tool.

Please suggest.

Regards, Prakash

  • You could make sure that your Android app creates some sort of payload that gets sent to the server with each request, and the server validates this payload. This may ensure that not just anyone can use your API. But that has downsides in terms of complexity and performance. – phaen Nov 23 '21 at 08:50
  • E: And since you deliver that app code to the end users' devices, this tackles most users, but again someone may reverse that app and find out the way you generate that payload. So this does not make your API bullet-proof. – phaen Nov 23 '21 at 08:55
  • @phaen Thanks a lot for responding. Adding an extra payload to the request body is not possible anymore. We want to make sure that nobody from our team can, by any chance, make the mistake of calling the prod API without using the app. There is also the possibility that a team member who has left the team, and is very much aware of the payload, calls the APIs using curl/Postman. How do we protect against this kind of situation so that the APIs can only be called from the app? – Prakash Dutta Nov 23 '21 at 09:01
  • Well, payload does not mean a hardcoded piece of information but rather something that is generated by your app using some kind of secret, e.g. a cert. This is what I mean by it adding complexity: you have to ensure you have a safe mechanism to generate that payload and to validate it. – phaen Nov 23 '21 at 09:04

1 Answer


This is typically done with the User-Agent request header that clients send. So with curl, for instance:

$ curl -v www.google.com

> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.76.1 # the server can check the request was made with curl
> Accept: */*

And requests from Android should have different values for this header - https://deviceatlas.com/blog/list-of-user-agent-strings#android.

xstefank
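An added example (not code from the question, the answer or the Quarkus project) that puts the two approaches on this page side by side: the User-Agent check from the answer, and the secret-derived per-request payload that the comments describe. It is plain Python rather than a Quarkus filter so that it runs stand-alone; the header names X-Timestamp, X-Nonce and X-Signature, the shared secret, the 300-second window and the sample User-Agent strings are all assumptions made for the demo. The first check is only a hint: curl -A with the Android string sends exactly the same header and passes. The second check rejects unsigned, tampered, stale and replayed requests, but it still depends on keeping the secret out of a reversible APK, which is the limitation phaen raises in the comments.

```python
import hashlib
import hmac
import re
import secrets
import time

# --- 1. User-Agent check, as in the answer above -----------------------------
# Constructed sample header values (the Android one follows the usual Dalvik
# format; neither is taken from the asker's app).
CURL_UA = "curl/7.76.1"
ANDROID_UA = "Dalvik/2.1.0 (Linux; U; Android 11; Pixel 4 Build/RQ3A.210805.001)"
SPOOFED_CURL_UA = ANDROID_UA  # what `curl -A "$ANDROID_UA" ...` sends, byte for byte
_ANDROID_RE = re.compile(r"\bAndroid\b")


def user_agent_looks_like_android(user_agent):
    """True if the header carries the token 'Android'. A hint, not authentication."""
    return bool(user_agent and _ANDROID_RE.search(user_agent))


# --- 2. Secret-derived per-request payload, as in the comments --------------
APP_SECRET = b"constructed-demo-secret"  # assumed demo value; never ship a literal secret
SIGNATURE_TTL = 300  # seconds of clock skew tolerated (assumed value)


def _canonical(method, path, timestamp, nonce, body):
    """Canonical string: the MAC covers method, path, time, nonce and the body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(method, path, body, secret=APP_SECRET, now=None, nonce=None):
    """Client (app) side: build the headers attached to one request."""
    timestamp = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, _canonical(method, path, timestamp, nonce, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class RequestVerifier:
    """Server side: reject unsigned, tampered, stale or replayed requests."""

    def __init__(self, secret=APP_SECRET, ttl=SIGNATURE_TTL):
        self._secret = secret
        self._ttl = ttl
        self._seen_nonces = set()  # production: a shared store with expiry (e.g. Redis)

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason); checks are ordered cheapest first."""
        now = time.time() if now is None else now
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if abs(now - timestamp) > self._ttl:
            return False, "timestamp outside allowed window"
        if nonce in self._seen_nonces:
            return False, "nonce already used (replay)"
        mac = hmac.new(self._secret, _canonical(method, path, timestamp, nonce, body), hashlib.sha256)
        if not hmac.compare_digest(mac.hexdigest(), presented):
            return False, "signature mismatch"
        self._seen_nonces.add(nonce)  # only nonces of accepted requests are recorded
        return True, "ok"


def demo():
    """Run both checks over constructed requests and return the outcomes."""
    verifier = RequestVerifier()
    body = b'{"order": 42}'
    now = 1_700_000_000  # fixed clock so the run is reproducible
    good = sign_request("POST", "/api/orders", body, now=now)
    fresh = sign_request("POST", "/api/orders", body, now=now)
    return {
        "ua_curl": user_agent_looks_like_android(CURL_UA),
        "ua_android": user_agent_looks_like_android(ANDROID_UA),
        "ua_spoofed_curl": user_agent_looks_like_android(SPOOFED_CURL_UA),
        "signed_ok": verifier.verify("POST", "/api/orders", body, good, now=now + 5)[0],
        "replayed": verifier.verify("POST", "/api/orders", body, good, now=now + 6)[0],
        "tampered_body": verifier.verify("POST", "/api/orders", b'{"order": 43}', fresh, now=now + 5)[0],
        "stale": verifier.verify("POST", "/api/orders", body, fresh, now=now + 3600)[0],
        "unsigned": verifier.verify("POST", "/api/orders", body, {}, now=now)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>15}: {'accepted' if accepted else 'rejected'}")
```

In a Quarkus service the equivalent of RequestVerifier.verify would live in a JAX-RS ContainerRequestFilter that reads the three headers from the request context and calls abortWith with a 401 response on failure, and the nonce set would have to be a shared store with expiry rather than an in-memory set once more than one instance is running. Neither check answers the question as literally asked: the former team member in the question who knows the secret can still produce a valid signature from curl, so the secret has to be rotated when people leave, and a copy extracted from the APK has the same power.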