I'm building a backend for the mobile app with a public-facing HTTP API endpoint
Question
I'm building a backend for the mobile app with a public-facing HTTP API endpoint. Despite being publicly visible, this endpoint is only meant to be used by my app, i.e. I don't want people to send random requests to it using wget or anything similar.
My idea was to configure SSL/TLS on my server, thus making the API only available over HTTPS and enforce a client certificate check on the server. Every copy of the app will have the (same) client certificate bundled with it.
Note that I'm not doing this for the purpose of a user authentication, just for limiting access from sources other than my app.
Is it a valid solution? It appeals to me a lot because of how simple it is. Are there any obvious flaws with it? How likely is that the certificate will be unbundled from the app and used for malicious purposes?
Explanation / Answer
Ok, that's a bad idea. It won't work. Roughly summed up: if a secret value is copied into more than two places, then it no longer is a secret. In that case, if some people have any interest in "sending random requests using wget", then they just have to extract the certificate and private key from any copy of your application, which is a trivial bout of reverse engineering.
Think about it: if hiding a secret value in a widely copied application worked, then there would be no possible DVD ripping. Music editors would not wail and grind their teeth at the thought of software-based piracy. There would be no cheating in online games.
The usual catch-phrase used to describe this situation is: client-enforced security does not work.
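What the server actually checks in this design, as an added example that is not part of the original answer: a simplified model of the TLS client-certificate proof, in which the client signs a server challenge and the server verifies it against the trusted certificate. All file and function names are constructed for the illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added illustration (not from the original answer): the server's check is
# "does the peer hold the private key?", not "is the peer my app?".
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway key pair and self-signed certificate named $1.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Client side: sign the challenge ($2) with key file $1, write signature to $3.
client_sign() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Server side: accept only if signature $1 over challenge $2 verifies
# under the public key of the one certificate the server trusts (app.crt).
server_accepts() {
  openssl x509 -in "$WORK/app.crt" -pubkey -noout > "$WORK/trusted.pub"
  openssl dgst -sha256 -verify "$WORK/trusted.pub" \
    -signature "$1" "$2" >/dev/null 2>&1
}

# Three clients answer the same challenge; prints one verdict per client.
run_demo() {
  make_identity app        # the identity bundled into every copy of the app
  make_identity stranger   # an unrelated key the server does not trust
  cp "$WORK/app.key" "$WORK/copied.key"   # same key bytes, different holder
  openssl rand -hex 32 > "$WORK/challenge"
  result=""
  for who in app copied stranger; do
    client_sign "$WORK/$who.key" "$WORK/challenge" "$WORK/$who.sig"
    if server_accepts "$WORK/$who.sig" "$WORK/challenge"; then
      verdict=accept
    else
      verdict=reject
    fi
    result="$result$who=$verdict "
  done
  echo "${result% }"
}

run_demo
```

The `copied` client is accepted exactly like `app`, because the server has nothing but the key to tell them apart; only a peer without the key is rejected.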