
Say I build a mobile app. For the sake of the example, the app is an Android app and let's call it the Client.

And this mobile app communicates with a server application. For the sake of this example, the server is a Node.js Express server and let's call it the Server.

Is there a way we can tell for sure that an HTTP request going to the Server actually comes from the Client, not anything else (web scraper, Postman, web site, ...)?

If the client was a web client, I know this is impossible. But the client is a mobile app, so probably the operating system provides some sort of fingerprint system that can be used to ensure that the HTTP request actually comes from the app.

TSR

2 Answers

No, there isn't. Not even remotely possible.

HTTP is just text. The client sends some text strings to the server, and the server sends replies. Those are divided into headers and content, but either is trivially modifiable, and there are many clients which let you write the content of HTTP requests as you want. The simplest is perhaps netcat, which provides no framework. Others, like curl, may be easier to work with, and very flexible, allowing you to craft your request as you want.

HTTPS is just HTTP wrapped in TLS.

It boils down to this: you can never trust the client. You should verify all data sent by the client, and you cannot force your clients to behave in any specified manner. You can't trust your client not to lie, and you can't trust them to follow appropriate standards.

vidarlo

Bytes are just numbers; they don't come with a certificate of authenticity. There's no way that you can be absolutely certain that your app created a request.

You need to make sure that you don't give your app any permissions that you don't want an attacker to have.

Jasen