Question

I am building a suite of mobile apps and an accompanying web service for them. In order to secure the connection (to a reasonable level) from the app to the web service I'm using a 2-legged OAuth approach, with each app using a unique consumer key/secret.

My problem is how do I verify the response the mobile app receives actually came from my server. For example if I have an endpoint which confirms whether or not a user can access certain features by passing in a set of booleans, as far as I know, there is nothing to stop someone modifying their hosts file and sending back a spoofed response indicating they have access to everything. Is this correct?

My proposed solution is for the app to store a response secret which the server also knows. When the server sends its response, it generates a hash of the data combined with the secret. The app then regenerates the hash and checks it matches. This way, the user can only hijack the request if they know the secret stored in the app.

Are there any best practices for solving this problem?

Would simply hosting the web service under HTTPS solve the problem or would someone still be able to replicate the web service and send back a spoofed response?

Many thanks


Solution

HTTPS was designed to solve this exact problem, and does it well (assuming of course that the client can't be tricked into trusting a certificate that shouldn't be trusted - this shouldn't be an issue for most real-life mobile app scenarios). I would stick to HTTPS instead of trying to invent a solution of your own. Specifically, in your proposed solution, all it takes is for the attacker to get their hands on one copy of your app - they can reverse-engineer it, extract the secret, and then attack all other copies.

OTHER TIPS

You can use HMAC to compute the tag at both ends and compare the result; if it is the same then it means that it came from your server. One downside is that if the attacker is so determined and able to reverse engineer your app and extract the key used in the HMAC, then this will be over. There are ways to avoid this as well, but it all depends on the worth of your app or the data. The best solution is to use digital signatures and public key encryption. I will not recommend HTTPS as it can be bypassed easily; even certificate pinning is not very effective if the attacker is highly determined, but again it all depends on the worth of your app.
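The following is an added example, not code from either answer or from the original poster's project, that puts the two application-layer schemes discussed above side by side: the question's shared "response secret" (HMAC-SHA256) and the digital-signature approach the second answer recommends (Ed25519, server holds the private key, app ships only the public key). It walks through the exact attack the question worries about, a spoofed server answering "access to everything", and returns whether the forgery is accepted under each scheme. The `Response` fields, the canonical string format, the nonce, and the secret value are all assumptions made for the demonstration. Note that, as the accepted answer says, HTTPS with proper certificate validation is the standard fix; a signed response body is a defence-in-depth layer on top of it, not a replacement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Response is a constructed stand-in for the feature-access payload the
// question describes (field names are assumptions). Nonce echoes the value
// the client sent in its request, so that a captured "yes" reply cannot be
// replayed against a later request.
type Response struct {
	Nonce         string
	CanExportData bool
	CanUsePremium bool
}

// canonical is the byte string both sides authenticate. Server and app must
// build it identically; a fixed field order removes any ambiguity.
func canonical(r Response) []byte {
	return []byte(fmt.Sprintf("nonce=%s&export=%t&premium=%t",
		r.Nonce, r.CanExportData, r.CanUsePremium))
}

// --- Scheme A: the question's shared response secret (HMAC-SHA256) ---

func hmacBytes(secret []byte, r Response) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(canonical(r))
	return m.Sum(nil)
}

// HMACTag is what the server attaches to its reply.
func HMACTag(secret []byte, r Response) string {
	return hex.EncodeToString(hmacBytes(secret, r))
}

// HMACVerify is what the app runs; hmac.Equal is a constant-time compare.
func HMACVerify(secret []byte, r Response, tag string) bool {
	want, err := hex.DecodeString(tag)
	if err != nil {
		return false
	}
	return hmac.Equal(hmacBytes(secret, r), want)
}

// --- Scheme B: server-held private key, app-held public key (Ed25519) ---

func SignResponse(priv ed25519.PrivateKey, r Response) string {
	return hex.EncodeToString(ed25519.Sign(priv, canonical(r)))
}

func VerifyResponse(pub ed25519.PublicKey, r Response, sig string) bool {
	s, err := hex.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, canonical(r), s)
}

// Demo models an attacker who redirected the app (hosts file) to their own
// server and also pulled everything embedded in one copy of the app:
// the HMAC secret under scheme A, only the public key under scheme B.
func Demo() (hmacForgeryAccepted bool, sigForgeryAccepted bool, err error) {
	secret := []byte("response-secret-shipped-inside-the-app") // constructed value
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}

	nonce := "c0ffee" // constructed; normally chosen per request by the client
	forged := Response{Nonce: nonce, CanExportData: true, CanUsePremium: true}

	// Scheme A: with the extracted secret the attacker's tag is identical to
	// what the real server would produce, so the app accepts the forgery.
	hmacForgeryAccepted = HMACVerify(secret, forged, HMACTag(secret, forged))

	// Scheme B: the attacker can sign with a key they generated, or tamper
	// with a genuine signed reply. Neither verifies under the app's pub key.
	sigFromWrongKey := SignResponse(attackerPriv, forged)
	genuine := Response{Nonce: nonce, CanExportData: true, CanUsePremium: false}
	genuineSig := SignResponse(priv, genuine)
	tampered := genuine
	tampered.CanUsePremium = true
	sigForgeryAccepted = VerifyResponse(pub, forged, sigFromWrongKey) ||
		VerifyResponse(pub, tampered, genuineSig)

	// Sanity check: the untampered reply from the real server still verifies.
	if !VerifyResponse(pub, genuine, genuineSig) {
		return hmacForgeryAccepted, sigForgeryAccepted,
			fmt.Errorf("genuine signature failed to verify")
	}
	return hmacForgeryAccepted, sigForgeryAccepted, nil
}

func main() {
	a, b, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("HMAC with extracted app secret:   forgery accepted = %v\n", a)
	fmt.Printf("Ed25519 with app-held public key: forgery accepted = %v\n", b)
}
```

The signature scheme removes the weakness the accepted answer points out in the HMAC proposal: reverse-engineering one copy of the app yields only the public key, which cannot produce signatures. It does not help against someone who patches the app binary to skip `VerifyResponse` entirely, which is the limit the second answer alludes to; signing protects against a spoofed network peer, not a modified client.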

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow