
I have developed an app for Android/iOS which calculates a value based on the user's input. If an event occurs, this calculated value is sent to my backend as a normal HTTPS payload. My question now is: how can I make sure that this value is really only calculated by the source code of my app? Is there a way to handle such a problem?

To make it clear: I want to avoid that somebody roots his phone, extracts the auth token from the private storage of my app and sends a valid HTTPS payload with fictitious content to my backend, either manually or by manipulating the source code.

From the backend's point of view, it's difficult to tell from the payload's values whether it is valid or not.

Any suggestions appreciated!

----------EDIT-----------

For the sake of completeness: apart from the answers here, the following are also very interesting:

Where to keep static information securely in Android app?

How to secure an API REST for mobile app? (if sniffing requests gives you the "key")

eltitano
  • Welcome to Stack Overflow! It may help get better answers if you added some more details on how your application is calculating the input, or how are you performing validation on the backend. – llmora Nov 29 '20 at 16:53

2 Answers


You can’t trust data coming from the client. Period.

You should consider moving the calculation logic to the server and just sending the raw values needed to perform the calculation. You can easily get sub-second response times sending the data to the server, so the user won’t notice a lag.

If you need offline connectivity, then you’ll need to duplicate the business logic on both the client and the server.

Scott McNeany
  • But the raw values can still be compromised because eggs are eggs and I can't trust data coming from the client, right? Too bad... would it be worth doing some source code obfuscation or other techniques to secure a static key or something? I have read about it in OWASP recommendations but it seems it's more a compromise solution, isn't it? – eltitano Nov 28 '20 at 00:39
  • It really depends on your scenario how far you take it. If your user is entering the quantity of an item to purchase, send just the quantity to the server and have it calculate the total cost. I can’t think of a scenario where you’re allowing user input but need to trust it, because as you said there are many ways to manipulate it on the device or in transit before it reaches the server. – Scott McNeany Nov 28 '20 at 11:29
  • The scenario is a game and of course I want to reduce the number of cheaters as much as possible. So, it should be guaranteed that the values are really from the user's input (not a bot) and the values are measured and calculated in my way, not the hacker's way :D – eltitano Nov 29 '20 at 12:59
  • Thank you for the clarification. In that case I would make sure the user is authenticated using OpenIdConnect/OAuth and the request contains a valid access token. For bot detection you can look at a web application firewall with bot detection. – Scott McNeany Nov 29 '20 at 19:24
  • I have to thank you for your time ;). "I would make sure the user is authenticated using OpenIdConnect/OAuth" - done. "For bot detection you can look at a web application firewall" - I wanted to give ModSecurity a try, but I can't imagine how that could detect bots. From my view it's very hard to distinguish. – eltitano Dec 01 '20 at 15:44
  • Azure Application Gateway has a built-in template for bot detection - https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/bot-protection-overview. It will cost you $91/month as of the time of this writing - https://azure.microsoft.com/en-us/pricing/details/web-application-firewall/ – Scott McNeany Dec 01 '20 at 17:04
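To make the answer's advice concrete: the server receives only raw inputs, range-checks them against what the real app could plausibly produce, and computes the value itself, ignoring anything the client claims the result is. This is an added example and not the answerer's code; the game rules (hit counts, elapsed time, difficulty levels, the score formula and the limits) are all constructed for illustration.

```python
"""Added example: the backend recomputes the value from raw inputs and
range-checks them, instead of trusting a client-computed result.

The game rules (hits, elapsed time, difficulty level, score formula and
limits) are constructed for illustration and are not from the original post.
"""
from dataclasses import dataclass

# Server-side limits; constructed values. A submission outside them is not
# something a human playing the real app could have produced.
MAX_HITS_PER_SECOND = 10
MAX_ROUND_SECONDS = 600
LEVEL_MULTIPLIER = {"easy": 1, "normal": 2, "hard": 3}


class InvalidReport(ValueError):
    """Raised when a client report fails server-side validation."""


@dataclass(frozen=True)
class RoundReport:
    user_id: str
    hits: int
    elapsed_seconds: float
    level: str


def parse_report(payload: dict) -> RoundReport:
    """Pull only the raw inputs out of the payload, with strict types.

    Any client-supplied 'score' field is deliberately ignored: the server
    is the only party that computes the score.
    """
    try:
        user_id = str(payload["user_id"])
        hits = payload["hits"]
        elapsed = payload["elapsed_seconds"]
        level = str(payload["level"])
    except KeyError as exc:
        raise InvalidReport(f"missing field {exc.args[0]}") from None
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(hits, bool) or not isinstance(hits, int):
        raise InvalidReport("hits must be an integer")
    if isinstance(elapsed, bool) or not isinstance(elapsed, (int, float)):
        raise InvalidReport("elapsed_seconds must be a number")
    return RoundReport(user_id, hits, float(elapsed), level)


def validate_report(report: RoundReport) -> None:
    """Reject inputs outside the envelope the real app can produce."""
    if report.level not in LEVEL_MULTIPLIER:
        raise InvalidReport("unknown level")
    if report.hits < 0:
        raise InvalidReport("negative hit count")
    if not 0 < report.elapsed_seconds <= MAX_ROUND_SECONDS:
        raise InvalidReport("elapsed time out of range")
    if report.hits > report.elapsed_seconds * MAX_HITS_PER_SECOND:
        raise InvalidReport("hit rate exceeds the plausible maximum")


def compute_score(report: RoundReport) -> int:
    """The business rule, living on the server where the client cannot alter it."""
    return report.hits * LEVEL_MULTIPLIER[report.level] * 100


def handle_submission(payload: dict) -> dict:
    """Entry point a web handler would call; returns the response body."""
    try:
        report = parse_report(payload)
        validate_report(report)
    except InvalidReport as exc:
        return {"accepted": False, "reason": str(exc)}
    return {"accepted": True, "user_id": report.user_id,
            "score": compute_score(report)}


if __name__ == "__main__":
    # Constructed sample requests: an honest round and a bot-like one.
    print(handle_submission({"user_id": "alice", "hits": 50,
                             "elapsed_seconds": 30.0, "level": "normal",
                             "score": 999999}))
    print(handle_submission({"user_id": "bob", "hits": 5000,
                             "elapsed_seconds": 30, "level": "hard"}))
```

The plausibility check is the part that does the work against the original question's concern: a manipulated client can still lie about its raw inputs, but the server decides which inputs it is prepared to believe, and the value that ends up in the database is always one the server computed.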

Short of doing everything on the backend, you can't very easily.

I'd recommend some reading around CSRF (Plenty of articles floating around) as that's at least a good mitigation against bots outside of your app domain hitting your backend. The upshot is that your application requests a unique, random, identifier from your backend (which ideally would be tied to the user's auth token) before submitting any data. This data is then submitted with your app's data to perform the calculation on the backend. The backend would then check this against the random identifier it sent for that user earlier and if it doesn't match, then reject it with a 400 (Bad Request), or 404 if you're paranoid about information leakage.

gplumb
  • I have already read a bit about CSRF but as far as I understood, it's nothing that secures me, for example from communication to my API outside of my app/source code or with values that are not generated from my app/source code. Instead it's a way to secure the user from being hacked outside of his device/browser. Do you know what I mean or am I wrong? It seems to me there is no well-known concept which secures the app from the user. Instead all concepts and mechanisms are designed to secure the user from the app or from outside of his device. – eltitano Nov 29 '20 at 13:08
  • CSRF is one of many measures to guard against unsolicited/malicious server requests to your backend. Your question stated that you want to make sure the "value is really only calculated by the source code of" your app, so as a measure to ensure the legitimacy of that request, CSRF is a common first-step, but not a silver bullet (1 of 2). – gplumb Nov 29 '20 at 16:01
  • The scenario of someone rooting your phone is a completely different security concern. While there are techniques that can be applied to help mitigate this (encryption, obfuscation, rootkit detection, etc...), they just raise the bar. To paraphrase another answer here, clients can't be trusted. If you truly want to secure this workflow, all of your logic should be server-side. (2 of 2). – gplumb Nov 29 '20 at 16:02
  • "If you truly want to secure this workflow, all of your logic should be server-side" - too bad that this is not possible. I will search a bit about encryption, obfuscation and rootkit detection but as you said, it only raises the bar and that's a bit frustrating. Maybe a clever guy will develop a solution for securing code in external devices someday. – eltitano Dec 01 '20 at 16:02
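The request-token flow the answer describes, as an added example rather than gplumb's own code: the backend issues one random, single-use token per authenticated user, the app echoes it back with the submission, and the backend rejects with 400 if the token is missing, reused, expired or was issued to somebody else. The HTTP framing (dict payloads, integer status codes), the 60-second lifetime and the injectable clock are constructed for illustration.

```python
"""Added example: a single-use, per-user request token issued by the backend
and consumed on submission, in the spirit of the CSRF-style check described
in the answer. Dict payloads, integer status codes and the time-to-live are
constructed for illustration; this is not gplumb's code.
"""
import hmac
import secrets
import time


class NonceStore:
    """Holds at most one pending token per authenticated user.

    `now` is injectable so that expiry can be exercised without sleeping.
    A production deployment would back this with a shared store such as
    Redis so that every backend instance sees the same pending tokens.
    """

    def __init__(self, ttl_seconds: float = 60.0, now=time.time):
        self._ttl = ttl_seconds
        self._now = now
        self._pending = {}  # user_id -> (nonce, expires_at)

    def issue(self, user_id: str) -> str:
        """Called from the 'give me a token' endpoint, after auth succeeded.

        Tying the token to the user id from the verified auth token is what
        the answer means by 'tied to the user's auth token'.
        """
        nonce = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[user_id] = (nonce, self._now() + self._ttl)
        return nonce

    def consume(self, user_id: str, nonce: str) -> bool:
        """Return True once per issued token, only for the user it was issued to."""
        # Single use: the entry is removed whether or not the check passes,
        # so a replayed or wrong token also burns the pending one.
        entry = self._pending.pop(user_id, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._now() > expires_at:
            return False
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode("utf-8"), nonce.encode("utf-8"))


def handle_submit(store: NonceStore, authenticated_user: str, payload: dict) -> int:
    """Submission endpoint. The user id comes from the verified auth token,
    never from the payload. Returns an HTTP status code."""
    nonce = payload.get("nonce")
    if not isinstance(nonce, str) or not store.consume(authenticated_user, nonce):
        return 400  # the answer suggests 400, or 404 to leak less
    # The raw inputs would be validated and the value recomputed here.
    return 200


if __name__ == "__main__":
    store = NonceStore()
    token = store.issue("alice")
    print(handle_submit(store, "alice", {"nonce": token, "hits": 3}))  # accepted
    print(handle_submit(store, "alice", {"nonce": token, "hits": 3}))  # replay rejected
```

As the comment thread notes, this stops traffic that never went through the token step (scripts replaying a captured request, callers outside the app) but not a client that performs the handshake honestly and then lies about its inputs; the server-side recomputation from the other answer is still needed for that.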