I am developing an Android application, and in the future also one for iOS, and I use a server in PHP.

Is it possible for my server to know the source of the application sending the requests?

For example, if someone modifies the APK of my application and creates another one, they may have access to all the security data that is received with each request. This can make it easier for the attacker to understand how my server works, and they can either send attacks or create another application and even upload it to the Play Store, selling data from my server.

Is it possible to discover and prevent a certain user from using a modified application? Is there a security method for this?

Fernando VR
  • You will see from numerous posts on this site - anything an attacker has (the device, data on it etc) cannot be secured completely. – Rory Alsop May 07 '20 at 19:10
  • @RoryAlsop But is there not even a method together with Google that can identify if the application is still the official one? Maybe using my app's unique identifier next to the Play Store. If Android can prevent an application from seeing data from another application, or that someone creates a new application using the same id. Is there not some kind of security that can also be identified with requests? Some kind of authenticity header, maybe... – Fernando VR May 07 '20 at 19:22
  • @RoryAlsop There was a time when some users created modified versions of WhatsApp, and WhatsApp was able to identify and ban users who used any unofficial version of their application. So I think there must be some verification technique. I just don't know how. – Fernando VR May 07 '20 at 19:24
  • Digital Rights Management is an eternal bugbear for companies, as it is impossible to fully enforce. Digital signatures are likely to be your best bet, but please read all the other posts on this topic here – Rory Alsop May 07 '20 at 19:26
  • @RoryAlsop This problem tortures me for days. Hahaha. Thanks for answering. Read all posts on which topic? Should I search for "Digital Rights Management"? – Fernando VR May 07 '20 at 19:36
  • Does this answer your question? [Ensure web service only accessed by authorized applications](https://security.stackexchange.com/questions/42586), [Verifying android application integrity from server side](https://security.stackexchange.com/questions/112312), [How to ensure that only my single page app can make requests to an API](https://security.stackexchange.com/questions/64055). – Steffen Ullrich May 07 '20 at 20:09
  • @SteffenUllrich Thank you. These posts helped me a lot. – Fernando VR May 07 '20 at 20:48
