-1

I am building an app that will make HTTP requests to a server. I would like to know that the requests are coming from an app downloaded from an iOS App Store, or Android App Store. Is there any way to do this?

Maybe some kind of API on the phone allows signing with some Certificate Authority that is itself signed by Apple's Root Certificate Authority? Or something similar with Android?

Or maybe there is some way to use the "Advertising Identifier" like this but not running afoul of this ... is there something like this for Android?

I need this mostly to prevent sybil attacks (people making millions of accounts without buying a million iPhones).

But perhaps even more importantly, I want the app to establish an account on the server, and not let some joker send a request to the same server to override the user's "udid" willy-nilly so the app can't connect later. I guess I can prevent this latter thing by just saving a cookie or localStorage in a web browser under browser tabs and hope it doesn't get cleared.

Gregory Magarshak
  • Have you tried testing the User-agent from the request Header? [This](https://stackoverflow.com/questions/21741841/detecting-ios-android-operating-system) thread might be useful. – Hamza Jeljeli Dec 23 '18 at 17:51
  • But the User-agent is still just sent by some client, it can easily be spoofed. I agree, however, that this does solve the second problem (not letting some joker send a request to the same server to override the user's "udid" willy nilly) because it would either happen in Safari or there would not be an authenticated session. However, it still doesn't prevent Sybil Attacks, as an attacker can generate millions of accounts without buying millions of iPhones. – Gregory Magarshak Dec 23 '18 at 18:51

1 Answer

0

You may want to try setting the request headers to identify the agent.

You can set User-Agent: iOS or User-Agent: Android, and application-type to identify the device type.

```
x-application-key:38567940-b045-4b37-9999-d6c3b960af9e
application-type:iPhone
key-state:VALID
Content-Type:application/json
Accept-Language:en_US
x-type-mdm:ENABLE
User-Agent: iOS
```

HTTP Request

Bappaditya
  • Yes, I can do this in the app's WebView. But the User-agent is still just sent by some client, it can easily be spoofed. I agree, however, that this does solve the second problem (not letting some joker send a request to the same server to override the user's "udid" willy nilly) because it would either happen in Safari or there would not be an authenticated session. However, it still doesn't prevent Sybil Attacks, as an attacker can generate millions of accounts without buying millions of iPhones. – Gregory Magarshak Dec 23 '18 at 18:51
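
Added example, not part of the original question, answer or comments: a server-side sketch of the point raised in the comments, that a `User-Agent` header proves nothing because the client chooses it, set beside a per-install secret issued at registration so that only the registering install can later change its own account. The header names `X-Install-Id`, `X-Counter` and `X-Signature`, the `/account` path and the in-memory store are assumptions for illustration; this covers the account-override concern only, not Sybil account creation.

```python
import hashlib
import hmac
import secrets

# install_id -> state; in-memory only for this sketch (assumption).
_installs = {}

def header_check(headers):
    """The answer's check: trusts a value the client chose itself."""
    return headers.get("User-Agent") in ("iOS", "Android")

def register_install():
    """First launch: server mints an id and secret; the app stores both."""
    install_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
    _installs[install_id] = {"secret": secret, "last_counter": 0}
    return install_id, secret

def sign_request(secret, counter, method, path, body):
    """MAC over everything the server acts on, plus an anti-replay counter."""
    parts = [str(counter), method, path, hashlib.sha256(body).hexdigest()]
    return hmac.new(secret, "\n".join(parts).encode(), hashlib.sha256).hexdigest()

def verify_request(headers, method, path, body):
    """Server side: accept only a fresh counter carrying a valid MAC."""
    state = _installs.get(headers.get("X-Install-Id", ""))
    try:
        counter = int(headers.get("X-Counter", ""))
    except ValueError:
        return False
    if state is None or counter <= state["last_counter"]:
        return False
    expected = sign_request(state["secret"], counter, method, path, body)
    supplied = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    state["last_counter"] = counter  # advance only after a valid request
    return True

def demo():
    install_id, secret = register_install()
    body = b'{"udid": "constructed-device-id"}'  # constructed sample body
    common = {"User-Agent": "iOS", "X-Install-Id": install_id, "X-Counter": "1"}
    spoofed = {**common, "X-Signature": "00"}  # sender does not hold the secret
    genuine = {**common, "X-Signature": sign_request(secret, 1, "POST", "/account", body)}
    return {"header_check_spoofed": header_check(spoofed),
            "mac_spoofed": verify_request(spoofed, "POST", "/account", body),
            "mac_genuine": verify_request(genuine, "POST", "/account", body),
            "mac_replay": verify_request(genuine, "POST", "/account", body)}
```

The secret has to reach the app over TLS and be kept in the platform's protected storage; anyone who can register can still obtain their own secret, which is why this does not limit how many accounts are created.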