Hello HN! Hoping I can tap the colossal power of the HN hive-mind.

Working on a project where an iOS client hits an API. How do I ensure that only my 'real' client is allowed to use it?

I could bake a secret token into the app, but surely it will just be sniffed (HTTPS only, but a MITM proxy?) or the app decompiled and the token extracted (like the Sony PS3 master key).

Is there any reliable way to ensure that a hacked, dummy version of my app can't use the real API?

Thanks HN!
This is something that the BBC did with iPlayer: http://po-ru.com/diary/device-discrimination-on-the-internet/

I've not quite worked out how to implement it though.
How about this:

1. Use the current GMT date/time to generate an encrypted api point like adfa923asdf.yourdomain.com.
2. Make it change every day.
3. For all other hostnames besides the correct one for the day, dump random data so the fake app cannot tell whether or not the api is giving out the right results for sure. All your apps will be pinging the right api end point whereas the fake ones will have a hard time catching up.

Also, use authentication on top of all of this.
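As an added example (not code from anyone in this thread), here is one way to implement the date-keyed hostname scheme from the last reply on both the client and server side. It assumes HMAC-SHA256 over the GMT date as the derivation (the reply does not say how the hostname is generated), a one-day tolerance window on the server so clients near the midnight rollover are not sent the decoy data, and the placeholder secret, domain and function names below.

```python
import hashlib
import hmac
from datetime import date, datetime, timedelta, timezone

# Assumed shared secret. It has to ship inside the app, which is exactly the
# extraction problem the original question raises; rotating the hostname
# changes what the key protects, not whether the key can be pulled out.
APP_SECRET = b"example-secret-do-not-ship"
BASE_DOMAIN = "yourdomain.com"  # placeholder domain


def endpoint_label(day: date, secret: bytes = APP_SECRET) -> str:
    """Client and server: derive the day's hostname label from the GMT date
    (HMAC-SHA256 of the ISO date, truncated to 12 hex characters)."""
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def endpoint_hostname(day: date, secret: bytes = APP_SECRET) -> str:
    """Full hostname the client should talk to on the given GMT date."""
    return f"{endpoint_label(day, secret)}.{BASE_DOMAIN}"


def today_utc() -> date:
    """Use GMT/UTC, never the device's local date, or clients will disagree."""
    return datetime.now(timezone.utc).date()


def valid_hostnames(now: date, secret: bytes = APP_SECRET, skew_days: int = 1) -> list:
    """Server: hostnames accepted today, with +/- skew_days of tolerance so a
    client whose clock is slightly off or that straddles midnight still works."""
    return [endpoint_hostname(now + timedelta(days=d), secret)
            for d in range(-skew_days, skew_days + 1)]


def route_request(host_header: str, now: date, secret: bytes = APP_SECRET) -> str:
    """Server: return 'api' for a hostname valid in the date window, otherwise
    'decoy' (the reply proposes serving random data on that path).
    compare_digest keeps the comparison timing-independent of the label."""
    host = host_header.strip().lower()
    for candidate in valid_hostnames(now, secret):
        if hmac.compare_digest(host.encode(), candidate.encode()):
            return "api"
    return "decoy"


if __name__ == "__main__":
    today = today_utc()
    print("client should use:", endpoint_hostname(today))
    print("server accepts:", valid_hostnames(today))
```

Note that anything with the key and the date can compute the hostname, so this only adds work for a copied client; per-user authentication (the reply's final point) is what actually gates access.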