1

I am developing a webserver and provide an API to be used by mobile clients.
Some of my calls are without any authorization, for example, to start the authentication process.

Is there a good way/best practice to verify that these calls are made only from the device?
For example, my authentication process used a 3rd party service to send SMS messages, and if someone uses this API from the computer he can cause the sending of many SMS messages which would cost much. Is there a good way to prevent such attacks?

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
eran
  • 113
  • 4
  • 1
    Short answer: you can't do this 100% securely. Long answer: Hold on, I'm looking for a duplicate of this question. –  Jan 22 '15 at 14:11
  • 2
    Your security shouldn't depend on the fact that a real mobile device is used, instead you should implement some rate limits and/or captchas to limit or thwart automated requests. Once the user is logged in, use OAuth and give them a certain amount of requests each hour, and let them spend these requests anyway they want, whether it's via your app, or a browser, or `curl`. –  Jan 22 '15 at 14:22

1 Answers1

2

Unfortunately no, there is no way to prevent this, but there are ways to mitigate and reduce the abuse. The reason is that eventually whatever process you are using to authenticate your client app, it can be reverse engineered and imitated in a third party app. Ways to mitigate are:

  1. using some kind of challenge response between the server and the app so that the client must respond to the server challenge with the correct response.

  2. code obfuscating the part that handles the challenge response in the client

  3. periodically changing the challenge response algorithm so that whomever reverse engineered it and imitated it will have to repeat the whole process.

  4. putting some hard limits on API usage so it can not be over abused.

aviv
  • 1,267
  • 7
  • 8
  • A good example is WhatsApp API and their efforts (or war?) to limit it for usage with their application only and block 3rd party implementations. http://www.androidpolice.com/2015/01/20/whatsapp-is-killing-popular-3rd-party-whatsapp-client-by-temporarily-banning-users-until-they-switch-to-the-official-client/ – aviv Jan 22 '15 at 14:01
  • I meant a good example for the challenges of limiting an API... not a good example of how an API should be handled... that's up to the API provider to decide according to their own considerations. – aviv Jan 22 '15 at 14:09