We have an Android app. Users need to login using sms based OTP before app can be used.
Our request for OTP is public API. Attackers have started to abuse this API. 10x more API calls as compared to actual users.
What are the different ways this can be prevented? Solution should work at scale with response time and server resources should not get impacted.
This is called SMS pumping.
You could do some server-side throttling by IP address and/or telephone number. But a persistent abuser could have blocks of numbers and IPs available.
The best solution is to have your app sign the payloads you send to your backend. If an unsigned or incorrectly signed payload comes in, don't send an OTP.
For iOS there's attestation, for Android there's Play Integrity. These API's allow you to verify that a call to your backend originated from a genuine app.
