Question

A given server API should be publicly accessible to all unauthorized users, but requests should only be allowed to originate from one specific app.

This should, in theory, be accomplished by having the app HMAC-sign all API requests, and by having the server correctly issue and store nonces (to avoid replay attacks).

Question:

Are there any known methods for a mobile app to slice, dice, chop and XOR a secret, in a way that makes it extremely hard, if not impossible, for hackers and crackers to retrieve the key?
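The signed-request scheme sketched above (HMAC over each request, server-issued nonce tracking to defeat replay), as an added example that is not part of the original question. Both halves are shown: the client-side signing the app would do and the server-side check with a nonce store. The shared secret, header names, paths and timestamps are all made up for the example; the in-memory nonce store stands in for whatever the server would really use. Nothing here hides the key in the binary, which is the part the question is asking about.

```python
import hashlib
import hmac
import json
import os
import time

# Hypothetical shared secret baked into the app. Extracting it from the binary
# is exactly the attack the question worries about; this example only shows
# the signing and replay protection, not a way to hide the key.
SHARED_SECRET = b"example-secret-do-not-ship"
MAX_SKEW_SECONDS = 300  # accepted clock drift between app and server


def canonical_message(method, path, body, timestamp, nonce):
    """Deterministic byte string covering everything the server will verify."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, body_hash, str(timestamp), nonce]
    return "\n".join(fields).encode()


def sign_request(method, path, body, secret=SHARED_SECRET, now=None, nonce=None):
    """Client side: build the headers the app attaches to each request."""
    timestamp = int(time.time() if now is None else now)
    nonce = nonce or os.urandom(16).hex()
    mac = hmac.new(secret, canonical_message(method, path, body, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class NonceStore:
    """Server side: nonces seen so far, each kept until its request timestamp
    could no longer pass the skew check. In-memory stand-in for Redis or a DB."""

    def __init__(self):
        self._expires = {}  # nonce -> unix time after which it can be forgotten

    def check_and_add(self, nonce, expires_at, now):
        for stale in [n for n, t in self._expires.items() if t < now]:
            del self._expires[stale]
        if nonce in self._expires:
            return False
        self._expires[nonce] = expires_at
        return True


def verify_request(method, path, body, headers, store, secret=SHARED_SECRET, now=None):
    """Server side: returns (accepted, reason)."""
    now = int(time.time() if now is None else now)
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    expected = hmac.new(secret, canonical_message(method, path, body, timestamp, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provided):
        return False, "bad signature"
    # Consume the nonce only after the signature checks out, so unsigned
    # junk cannot burn nonces that a legitimate client is about to use.
    if not store.check_and_add(nonce, timestamp + MAX_SKEW_SECONDS, now):
        return False, "replayed nonce"
    return True, "ok"


def demo():
    """Walk one signed request through the accept, replay, tamper and stale cases."""
    store = NonceStore()
    path, body = "/api/v1/orders", json.dumps({"item": 42}).encode()
    headers = sign_request("POST", path, body, now=1_700_000_000)
    accepted = verify_request("POST", path, body, headers, store, now=1_700_000_010)
    replayed = verify_request("POST", path, body, headers, store, now=1_700_000_020)
    tampered = verify_request("POST", path, b'{"item": 43}', headers, store, now=1_700_000_020)
    stale = verify_request("POST", path, body, headers, store, now=1_700_001_000)
    return accepted, replayed, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("accepted", "replayed", "tampered", "stale"), demo()):
        print(label, result)
```

The nonce is retained until the request's own timestamp falls outside the skew window, not merely for a fixed time after receipt, because a future-dated timestamp would otherwise let the same nonce be replayed after the store had forgotten it. The scheme stops replay and tampering by anyone who does not hold the secret; anyone who pulls the secret out of the app can sign fresh requests, which is the limit the question is pointing at.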


Solution

Create a free in-app purchase with iTunes Connect and have users "buy" it (even though they won't be charged anything)... then verify the receipt with your servers... Apple will provide a transaction receipt which will verify that it originated from your app.

https://developer.apple.com/library/ios/#releasenotes/StoreKit/IAP_ReceiptValidation/
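The server-side half of the answer's approach, as an added example that is not part of the original answer or of Apple's documentation: the server base64-encodes the receipt the app sent, posts it to Apple's verifyReceipt service, falls back to the sandbox endpoint on status 21007, and then checks that the receipt belongs to this app's bundle and contains the free product. The two endpoint URLs and the status codes 0, 21003 and 21007 are Apple's; the bundle ID, product ID, the `post_json` transport parameter and the canned responses are constructed for the example so it runs offline.

```python
import base64
import json

# Real Apple endpoints for the verifyReceipt service the answer links to.
PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"

# Hypothetical identifiers for this example's app and its free in-app purchase.
EXPECTED_BUNDLE_ID = "com.example.myapp"
FREE_PRODUCT_ID = "com.example.myapp.access"

STATUS_OK = 0
STATUS_SANDBOX_RECEIPT = 21007  # production refused a sandbox receipt; retry on sandbox


def verify_receipt(receipt_bytes, post_json):
    """Server side. post_json(url, payload) -> dict is the HTTP transport
    (real code would POST the JSON to Apple; tests pass a fake). Returns (ok, reason)."""
    payload = {"receipt-data": base64.b64encode(receipt_bytes).decode("ascii")}
    resp = post_json(PRODUCTION_URL, payload)
    if resp.get("status") == STATUS_SANDBOX_RECEIPT:
        resp = post_json(SANDBOX_URL, payload)
    if resp.get("status") != STATUS_OK:
        return False, "apple status %s" % resp.get("status")
    receipt = resp.get("receipt", {})
    # Apple only attests that the receipt is genuine; binding it to *our* app
    # and to the specific product is the server's job.
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False, "bundle_id mismatch"
    products = {item.get("product_id") for item in receipt.get("in_app", [])}
    if FREE_PRODUCT_ID not in products:
        return False, "required purchase missing"
    return True, "ok"


# ---- Constructed fake of Apple's service for an offline run ----------------
# Real receipts are PKCS#7 blobs; these opaque byte strings stand in for them.
GOOD_RECEIPT = b"constructed-sandbox-receipt-1"
OTHER_APP_RECEIPT = b"constructed-receipt-from-other-app"
FORGED_RECEIPT = b"constructed-forged-receipt"

FAKE_RESPONSES = {
    GOOD_RECEIPT: {
        "status": 0, "environment": "Sandbox",
        "receipt": {"bundle_id": "com.example.myapp",
                    "in_app": [{"product_id": "com.example.myapp.access",
                                "transaction_id": "1000000000000001"}]},
    },
    OTHER_APP_RECEIPT: {
        "status": 0, "environment": "Sandbox",
        "receipt": {"bundle_id": "com.example.otherapp",
                    "in_app": [{"product_id": "com.example.myapp.access"}]},
    },
}


def fake_post_json(url, payload):
    """Mimics Apple: production rejects sandbox receipts with 21007, sandbox
    answers them, and unknown receipts get 21003 (receipt could not be authenticated)."""
    receipt = base64.b64decode(payload["receipt-data"])
    if receipt not in FAKE_RESPONSES:
        return {"status": 21003}
    if url == PRODUCTION_URL:
        return {"status": STATUS_SANDBOX_RECEIPT}
    return json.loads(json.dumps(FAKE_RESPONSES[receipt]))  # defensive copy


if __name__ == "__main__":
    for r in (GOOD_RECEIPT, OTHER_APP_RECEIPT, FORGED_RECEIPT):
        print(r, verify_receipt(r, fake_post_json))
```

Two caveats a practitioner would want: a valid receipt proves a genuine purchase happened on a genuine device, but a captured receipt can be resubmitted from anywhere, so the server should bind each `transaction_id` to one account or session rather than accepting the same receipt repeatedly; and Apple has since deprecated the verifyReceipt endpoint in favour of the App Store Server API, so new code should check Apple's current documentation for the replacement.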

Licensed under: CC-BY-SA with attribution