Search code examples
javaandroidhttpreverse-engineeringsignature

How to verify the identity of the app sending an POST request

I am making an server API which will return some confidential keys to my app.

Then the app will use these key to perform a particular action. I would be sending the Keys over SSL so that any Man In the Middle attack could not read them.

To start first I will be first everything the Package name and then I also want to verify the something which assures me that my app has not been decompiled and recompiled and the package is not fake.

Basically I want to avoid these issues:

1) Someone is not creating a fake package name and then sending the request 2) Someone has not recompiled my app and then sending the request 3) Someone if not tracking the response of the server via MIM

Till now I have thought the best way would be to use a HASH key and then compare it within my server to see if the POST key is the same as stored in my server.

But I have not been able to find a key which is attached to the signing key of the app and which cannot be accessed by anyone having the APK of my app.

Any help would be grateful.

Solution

  • You can add extra layer of protection if you create keys in your app using C++ code available on android's NDK libraries. Here's an amazing tutorial for that. Basically, this protects your app from de-compiling tools which commonly de-compiles java files. Also, I recommend adding AES encryption on your keys before sending it through the post request of your SSL server.

    On your onCreate() method, get the key from native C++ implementation:

    String nativeKey = invokeNativeFunction()

    then encrypt it:

    byte[] keyStart = nativeKey.getBytes();
KeyGenerator kgen = KeyGenerator.getInstance("AES");
SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
sr.setSeed(keyStart);
kgen.init(128, sr); // 192 and 256 bits may not be available
SecretKey skey = kgen.generateKey();
byte[] key = skey.getEncoded();    

// encrypt
byte[] encryptedData = encrypt(key,b);

    Encrypt method:

    private static byte[] encrypt(byte[] raw, byte[] clear) throws Exception {
    SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
    Cipher cipher = Cipher.getInstance("AES");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
    byte[] encrypted = cipher.doFinal(clear);
    return encrypted;
}

    Edit for CSRF:

    There's an interesting answer from here: Authenticity_token in Rails + Android, also on Wikipedia, there are quite suggestions as to how to counter cross site request forgery. which includes:

    Synchronizer token pattern
Cookie-to-header token

    to name a few.

    Here's a layer of extra security to identify the authenticity of the app request as well.