Flutter Question posted in
The official Flutter documentation can be found here.

Flutter – How to make sure server accepts request from mobile applications only

I have a Node.js server that will handle requests from my flutter mobile application. The flutter application uses http module to send the requests to the server. The Node.js server uses CORS. How do I make sure that my server only accepts requests made from my mobile applications ?.

I noticed one method is to use an In app API-Key that is generated in the app and it must be sent to the server. If the API-Key is valid then the server responds with the appropriate response. However my sole problem is if anyone intercepts those http requests made from the mobile application, they can look at that API-Key and mimic their own http requests as though it is coming from my mobile application.

Another solution posted was to use something like OAuth. But I am not sure if that’s a solution, if it is then please explain how I would implement it.

Another solution that was shown was to use some sort of SSL. But it requires a certificate or something and I do not understand how it actually works nor do I know if it can be used with flutter apps.

Please provide any other solutions to this problem that you think is apt.

Tags:

2

Answers


  1. 0

    Your problem here is that your mobile app is a "public client". That means it can’t securely store any sort of secret that would identify itself to the node.js API. This is why an API key approach would be ineffective; an attacker could extract it from the app on their device.

    The best way would be to forget about the identity of the device and use the identity of the user. Get them to authenticate, and use their identity to confirm if they are allowed to use the API. This is where OAuth / OIDC comes in. OAuth allows one service (in this case your mobile app) to access the resources of another (your API) on behalf of a user. OIDC is a simple authentication protocol on top of OAuth that would allow you to authenticate your users.

    To do this, you first need to find an OIDC provider. You can use one where your users might already have an identity – e.g. Google or Facebook – if appropriate, so they can log in with an existing account. Or you can set up your own using a service like AWS Cognito where your users would sign up for a new account. Then your app -> API call would go something like this:

    1. App initiates authentication flow with OIDC provider, directs user to the OIDC providers authentication page.
    2. User authenticates, OIDC service redirects back to app with some details for the app to get access / id tokens from the OIDC service.
    3. App makes requests to the API using tokens from the OIDC service.
    4. API validates that tokens received from the app are valid and allow access.

    These steps are simplified; look up implementing OIDC with PKCE with your OIDC provider of choice.

    Finally – SSL, or more accurately now TLS, is required between the app and the API or an attacker will be able to see data and the tokens between the app and API.

    Login or Signup to reply.
  2. 0

    Recently Firebase released a Service called Firebase App Check Please have a look. It may resolve your problem statement.

    https://firebase.google.com/docs/app-check
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search