Problem
Thinking about the Snapshat clones, that stole API credentials, and then used an API without permission.. I think the underlying hardware and OS should have prevented this.
Proposed solution
In other words, I think that hardware-verified API calls from a phone, to a device should be possible... where API endpoint can determine that a call was permitted by an underlying cryptographic verification process.
Simply speaking, if Apple wanted to expose an API that only its devices can access, they could put a private key on the secure element, and then use a fixed API to sign the API call with a key, which would then be verified by the 443 endpoint.
Taking this a step further, if apps in the AppStore can be considered to be a controlled "extension" to base iOS, then I would think that 3rd party users would be able to construct similarly signed APIs.
The result is that their endpoints can verify that it was their signed application, on an iOS device, that caused the API call to occur. No more spoofing.
Question
Does anything like this exist?
Can we leverage what is exposed to us today to have this additional level of authenticity on API calls to our mobile servers?