
Problem

Thinking about the Snapchat clones that stole API credentials and then used an API without permission, I think the underlying hardware and OS should have prevented this.

Proposed solution

In other words, I think that hardware-verified API calls from a phone to a device should be possible, where the API endpoint can determine that a call was permitted by an underlying cryptographic verification process.

Simply speaking, if Apple wanted to expose an API that only its devices can access, they could put a private key on the secure element, and then use a fixed API to sign the API call with a key, which would then be verified by the 443 endpoint.

Taking this a step further, if apps in the AppStore can be considered to be a controlled "extension" to base iOS, then I would think that 3rd party users would be able to construct similarly signed APIs.

The result is that their endpoints can verify that it was their signed application, on an iOS device, that caused the API call to occur. No more spoofing.

Question

Does anything like this exist?

Can we leverage what is exposed to us today to have this additional level of authenticity on API calls to our mobile servers?

makerofthings7
  • It is like this on Microsoft XBOX DRM, which is copy protection. Other DRM systems on mobiles work in a similar way: the API used is the one to obtain decryption keys, so to connect to them you need to use a secret private key stored on the mobile phone, which I think Sony Android phones do. – Aria Aug 06 '16 at 17:59

1 Answer


Client-side certificates, in software, provide exactly this purpose.

Apple, for instance, bundles each of its devices with certificates signed by itself as the CA. Thus any communication from an Apple device requires the server to authenticate the identity of the device. Having been signed by Apple, the client is thus authenticated and the communication proceeds.

As to whether this can be done in hardware, I think the only issue would be the methodology to revoke the certificate.

sandyp
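
The scheme the question proposes, combined with the certificate model and the revocation concern from the answer, as an added example that is not part of the original posts: a vendor key (the CA role) endorses a per-device key, the device signs each API call, and the endpoint checks the endorsement, a revocation set, the signature, freshness and replay. The endorsement is a bare signature standing in for an X.509 client certificate; every function name, the request format and the sample values are assumptions made for this example, not Apple's or any platform's actual mechanism.

```javascript
const crypto = require('crypto');
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const b64 = (buf) => buf.toString('base64');
// Bytes covered by the device signature: method, path, timestamp, nonce, body hash.
const canonical = (r) => Buffer.from([r.method, r.path, r.ts, r.nonce,
  crypto.createHash('sha256').update(r.body).digest('hex')].join('\n'));
// Vendor endorses a per-device key; on real hardware the private half stays in the secure element.
function provisionDevice(vendorPriv, deviceId) {
  const { publicKey, privateKey } = newKey();
  const pub = b64(publicKey.export({ type: 'spki', format: 'der' }));
  const endorsement = b64(crypto.sign('sha256', Buffer.from(`${deviceId}|${pub}`), vendorPriv));
  return { privateKey, cert: { deviceId, pub, endorsement } };
}
// Device side: sign the API call and attach the endorsed public key.
function signRequest(device, method, path, body, now) {
  const req = { method, path, body, ts: now, nonce: crypto.randomBytes(12).toString('hex'), cert: device.cert };
  req.sig = b64(crypto.sign('sha256', canonical(req), device.privateKey));
  return req;
}

// Endpoint side: chain to the vendor key, check revocation, then the request itself.
function makeVerifier(vendorPub, revoked, maxSkewMs = 60000) {
  const seen = new Set(); // nonces already accepted, per device
  return (req, now) => {
    const c = req.cert;
    if (!crypto.verify('sha256', Buffer.from(`${c.deviceId}|${c.pub}`), vendorPub,
      Buffer.from(c.endorsement, 'base64'))) return 'untrusted-device-key';
    if (revoked.has(c.deviceId)) return 'revoked';
    const devPub = crypto.createPublicKey({ key: Buffer.from(c.pub, 'base64'), format: 'der', type: 'spki' });
    if (!crypto.verify('sha256', canonical(req), devPub, Buffer.from(req.sig, 'base64'))) return 'bad-signature';
    if (Math.abs(now - req.ts) > maxSkewMs) return 'stale';
    if (seen.has(`${c.deviceId}:${req.nonce}`)) return 'replay';
    seen.add(`${c.deviceId}:${req.nonce}`);
    return 'ok';
  };
}

// Constructed scenario: genuine call, replay, altered body, unendorsed key, revoked device.
function demo(t0 = 1700000000000) {
  const vendor = newKey(), other = newKey(), revoked = new Set();
  const verify = makeVerifier(vendor.publicKey, revoked);
  const dev = provisionDevice(vendor.privateKey, 'device-001'), clone = provisionDevice(other.privateKey, 'device-001');
  const call = (d) => signRequest(d, 'POST', '/v1/messages', '{"to":"bob"}', t0);
  const good = call(dev);
  const out = [verify(good, t0), verify(good, t0 + 1), verify({ ...call(dev), body: '{"to":"eve"}' }, t0), verify(call(clone), t0)];
  revoked.add('device-001');
  return out.concat(verify(call(dev), t0));
}
console.log(demo());
```

Revocation here is a server-side deny list keyed by device ID, which works without touching the device; the key inside the hardware stays valid but the endpoint stops honouring it.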