
Hi, I have my mobile application developed in React Native and it is doing REST API calls to the server. We have an authentication token for users who are signing into the application. I want to make the app more secure, that is, I want to authenticate that the request has come from our deployed app only. How can I achieve this?

I want to know the solution: how can I achieve this?

2 Answers


  1. This is not possible.

    A REST API means that your mobile app is sending HTTP calls to your server. Those requests can be sniffed on the device and resent from any other client. There is no way to prevent this.

    Your API should also be designed according to the Open Design principle, which means that the API has to be secure without making access to it secretive.

  2. The Difference Between WHO and WHAT is Accessing the API Server

    Hi, I have my mobile application developed in React Native and it is doing REST API calls to the server. We have an authentication token for users who are signing into the application.

    Before I dive into how it's possible to lock down your backend API to genuine instances of your mobile app, I would like to first clear up a misconception about who and what is accessing an API server.

    I wrote a series of articles around API and mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takeaways from it:

    The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

    The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAuth2 flows.

    So think about the who as the user your API server will be able to authenticate and authorize access to the data, and think about the what as the software making that request on behalf of the user.

    After you understand this idea and it's ingrained in your mindset, you will look into mobile API security from another perspective, and you will be able to see attack surfaces that you never thought could exist.

    Lock Down an API Server to Genuine Instances of a Mobile App

    I want to make the app more secure, that is, I want to authenticate that the request has come from our deployed app only. How can I achieve this?

    I hope that by now you already have a solid understanding of why the who and the what are not the same in an API request, which is why it's very hard to lock down an API server to only serve requests to genuine instances of your mobile app.

    To lock down your API to genuine instances of your mobile apps you will need to apply a security solution that is able to work in tandem between the mobile app and the API server. The mobile app must use Runtime Self Protection (RASP) techniques, ideally with the decision about the integrity of the mobile app and the device it's running on being made outside of the app and device, also known as Remote Mobile App Attestation (RMAA). The RMAA receives signals from the RASP running on the mobile app and makes decisions on the fly about the integrity of the device and app, informing the app's backend by signing a JWT with a secret known only to the backend (not to the app) for successful attestations, while for apps that fail attestation the JWT is signed with a secret unknown to the backend. This JWT is passed to the mobile app, which adds it to the header of each API request, and then the backend only serves requests that have a JWT signed with a valid token and that hasn't expired. All other requests must be rejected, because a JWT that fails signature verification signals to the backend that it cannot trust the request, while its absence means that the request is not from the mobile app at all.

    I want to know the solution: how can I achieve this?

    I recommend you read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

    Do You Want To Go The Extra Mile?

    In any response to a security question I always like to reference the excellent work from the OWASP foundation.

    For APIs

    OWASP API Security Top 10

    The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

    For Mobile Apps

    OWASP Mobile Security Project – Top 10 risks

    The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

    OWASP – Mobile Security Testing Guide:

    The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

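Backend-side verification of the attestation JWT the answer above describes, as an added example that is not part of the original answer or of any attestation vendor's product: the secrets, the `X-App-Attestation` header name, the claims and the `sign_attestation_jwt` stand-in for the remote attestation service are all constructed assumptions. It shows the four outcomes the answer lists: a valid JWT is served, a JWT signed with a secret the backend does not hold is rejected, an expired JWT is rejected, and a missing JWT is rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed secrets. BACKEND_SECRET is shared by the attestation service and
# the backend only; it is never shipped inside the mobile app binary.
BACKEND_SECRET = b"constructed-backend-only-secret"
UNKNOWN_SECRET = b"constructed-secret-the-backend-never-sees"  # failed attestations

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_attestation_jwt(attestation_passed: bool, now: int, ttl: int = 300) -> str:
    """Stand-in for the RMAA service (assumption, not a real product API):
    a passed attestation is signed with the backend's secret, a failed one
    with a secret the backend does not hold, so verification fails later."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    key = BACKEND_SECRET if attestation_passed else UNKNOWN_SECRET
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def backend_accepts(headers: dict, now: int) -> bool:
    """Backend gate: serve the request only if the attestation JWT is present,
    carries the pinned algorithm, verifies with BACKEND_SECRET and is unexpired."""
    token = headers.get("X-App-Attestation")  # constructed header name
    if not token:
        return False  # no JWT at all: the request did not come through the app
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return False  # pin the algorithm; never let the token choose it
        expected = hmac.new(BACKEND_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False  # failed attestation or forged token: cannot trust the request
        payload = json.loads(_b64url_decode(payload_b64))
        return isinstance(payload.get("exp"), int) and now < payload["exp"]
    except (ValueError, TypeError):
        return False  # malformed base64 or JSON is treated like a missing token
```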