

Ask HN: How do I ensure that a real iOS client is using an API - evilswan

Hello HN! Hoping I can tap the colossal power of the HN hive-mind.

Working on a project where an iOS client hits an API. How do I ensure that only my 'real' client is allowed to use it?

I could bake a secret token into the app, but surely it will just be sniffed (HTTPS only, but a MITM proxy?) or the app decompiled and the token extracted (like the Sony PS3 master key).

Is there any reliable way to ensure that a hacked, dummy version of my app can't use the real API?

Thanks HN!
======
saurik
This is not possible. You should design your architecture so that this either
does not matter or has a bounded cost.

~~~
evilswan
Had a hunch this was the case, just needed someone smarter than I to confirm.

How do banks ensure nobody makes a phishing version of their apps?

~~~
saurik
They can't. If "no phishing" is a desired property, then it would be up to the
distribution ecosystem to either carefully monitor for such products and deny
them, or to at least allow some mechanisms for users to verify products
themselves (such as SSL combined with URL bars do for general web traffic).

------
edlea
This is something that the BBC did with iPlayer:
[http://po-ru.com/diary/device-discrimination-on-the-internet/](http://po-ru.com/diary/device-discrimination-on-the-internet/)

I've not quite worked out how to implement it though

~~~
evilswan
That is interesting, but surely the client-side cert could just be copied and
used in a dummy app?

------
toolmaker
How about this:

1. Use the current GMT date/time to generate an encrypted api point like
adfa923asdf.yourdomain.com.

2. Make it change every day.

3. For all other hostnames besides the correct one for the day, dump random
data so the fake app cannot tell whether or not the api is giving out the
right results for sure.

All your apps will be pinging the right api end point whereas the fake ones
will have a hard time catching up.

Also, use authentication on top of all of this.

