
Question

I am developing a webserver and provide an API to be used by mobile clients.
Some of my calls are without any authorization, for example, to start the authentication process.

Is there a good way/best practice to verify that these calls are made only from the device?
For example, my authentication process uses a 3rd party service to send SMS messages, and if someone uses this API from a computer, he can cause the sending of many SMS messages, which would cost a lot. Is there a good way to prevent such attacks?

Explanation / Answer

Unfortunately no, there is no way to prevent this, but there are ways to mitigate and reduce the abuse. The reason is that whatever process you are using to authenticate your client app can eventually be reverse engineered and imitated in a third party app. Ways to mitigate are:

1. Using some kind of challenge-response between the server and the app, so that the client must respond to the server's challenge with the correct response.

2. Code-obfuscating the part of the client that handles the challenge-response.

3. Periodically changing the challenge-response algorithm, so that whoever reverse engineered and imitated it will have to repeat the whole process.

4. Putting some hard limits on API usage so it cannot be over-abused.
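As an added illustration of points 1 and 4 (not code from the original answer), here is a server-side guard for an unauthenticated "start login" endpoint that triggers an SMS: it requires a one-time HMAC challenge-response and caps accepted sends per phone number and per source IP within a sliding window. The `APP_SECRET`, limits and `SmsStartGuard` name are assumptions; as the answer says, a secret shipped in the app can be extracted, so the rate limits are what actually bound the SMS cost.

```python
import hmac, hashlib, secrets, time
from collections import defaultdict, deque

# Hypothetical secret compiled into the mobile client (assumption). Anything
# shipped in the app can be reverse engineered, so this only raises the bar.
APP_SECRET = b"example-app-secret-rotate-per-release"


class SmsStartGuard:
    """Gate for an unauthenticated endpoint whose side effect is sending an SMS."""

    def __init__(self, per_phone=3, per_ip=20, window=3600, clock=time.time):
        self.per_phone, self.per_ip, self.window = per_phone, per_ip, window
        self.clock = clock                     # injectable for testing
        self.hits = defaultdict(deque)         # key -> timestamps of approved sends
        self.challenges = {}                   # nonce -> issue time

    def issue_challenge(self):
        """Step 1: server hands the client a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = self.clock()
        return nonce

    def verify_response(self, nonce, response, max_age=60):
        """Step 2: nonce is single-use and short-lived; compare in constant time."""
        issued = self.challenges.pop(nonce, None)
        if issued is None or self.clock() - issued > max_age:
            return False
        expected = hmac.new(APP_SECRET, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

    def _recent(self, key):
        """Drop timestamps older than the window and return the live deque."""
        now, q = self.clock(), self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def start_login(self, phone, ip, nonce, response):
        """Return True only if the SMS should actually be sent."""
        if not self.verify_response(nonce, response):
            return False
        by_phone, by_ip = self._recent(("phone", phone)), self._recent(("ip", ip))
        if len(by_phone) >= self.per_phone or len(by_ip) >= self.per_ip:
            return False                       # hard limit reached; no SMS, no hit recorded
        now = self.clock()
        by_phone.append(now); by_ip.append(now)
        return True


def client_answer(nonce):
    """What the (obfuscated) mobile client computes for a challenge."""
    return hmac.new(APP_SECRET, nonce.encode(), hashlib.sha256).hexdigest()
```

A rejected call should still return the same generic response to the client, so an attacker cannot tell whether the nonce, the response or a limit caused the refusal.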