I currently have an iOS app that allows people to submit content to our server (Twitter-like). We don't have a login system; instead we rely on the UDID of the device to uniquely identify users (yes, we are aware that this isn't perfect, but it is worth the tradeoff for users not having to create an account).
Requests from the iOS app are sent as POST requests to our server and are NOT authenticated in any way.
We are currently experiencing a lot of spam (obviously) and I am looking for an easy method to verify that any request hitting our server in fact came from our app, and not from some script that a spammer wrote.
We have tried using the user agent string, which contains the app name, but that is easily spoofed. Is there any way to verify that requests hitting our server are coming from our app?
One idea might be to include a random number as a parameter, and then encrypt that number with some private key. Have the server verify that the encrypted version equals the plain text version. (The private key would have to be on our server as well as embedded in the app.)
I'm not looking for the perfect solution; a 90% solution that's easy to implement is definitely preferred.
Thanks!
I'd solve this by taking the message, salting it with a secret key known only to your app, and probably adding the username and UUID, then hashing them with SHA-1. If the hash is presented along with the data, then it will act as a digital signature, and you can be reasonably sure that the message is authentic.
The shared secret key will have to be distributed with your app, so an extremely determined attacker will be able to reverse engineer it out of your app, but a casual spammer will be far more likely to just seek greener pastures.
Another approach would be to generate a PGP private/public key pair at registration, but this is a lot of work for this problem.
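The following is an added example (not code from the question or the answer above) showing both sides of the shared-secret scheme the answer describes and the "random number plus secret" idea from the question. It uses HMAC-SHA256 rather than a plain SHA-1 over secret-plus-message, because a keyed MAC is the standard construction for this purpose and avoids the length-extension problem of hashing a concatenation directly. The client signs the device id, a timestamp, a random nonce and the post body; the server recomputes the MAC with the same secret, compares it in constant time, and rejects stale timestamps and reused nonces so a captured request cannot simply be replayed. The secret value, the field names and the `Server` class are assumptions for illustration. As the answer notes, anyone who extracts the secret from the app binary can forge signatures, so this raises the bar for casual spammers rather than providing real authentication.

```python
import hashlib
import hmac
import os
import time

# Hypothetical shared secret (an assumption for this example). In the real
# app it would be embedded in the binary and stored on the server, which is
# why it only deters casual spammers rather than a determined attacker.
SHARED_SECRET = b"example-shared-secret-not-real"

# Accept timestamps within this many seconds of server time (assumed value).
MAX_SKEW = 300


def canonical_string(udid, timestamp, nonce, body):
    """Length-prefix each field so that different inputs can never collapse
    into the same byte string (plain concatenation would be ambiguous)."""
    parts = [udid.encode(), str(timestamp).encode(), nonce.encode(), body.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_request(udid, body, secret=SHARED_SECRET, timestamp=None, nonce=None):
    """Client side: build the POST fields, including the HMAC-SHA256 tag."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = os.urandom(16).hex() if nonce is None else nonce
    tag = hmac.new(secret, canonical_string(udid, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"udid": udid, "ts": timestamp, "nonce": nonce, "body": body, "sig": tag}


class Server:
    """Server side: recompute the tag and apply replay checks."""

    def __init__(self, secret=SHARED_SECRET, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = set()  # in production this would be a store with expiry

    def verify(self, fields, now=None):
        """Return (accepted, reason) for one submitted request."""
        now = int(time.time()) if now is None else now
        try:
            udid, ts = fields["udid"], int(fields["ts"])
            nonce, body, sig = fields["nonce"], fields["body"], fields["sig"]
        except (KeyError, ValueError, TypeError):
            return False, "missing or malformed field"

        expected = hmac.new(self.secret, canonical_string(udid, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the tag byte by byte.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic: one genuine post, then three spammer attempts.
    server = Server()
    genuine = sign_request("A1B2C3D4", "hello from the app")
    print("genuine:", server.verify(genuine))
    print("replayed:", server.verify(genuine))
    tampered = dict(genuine, body="buy my pills", nonce="fresh")
    print("tampered:", server.verify(tampered))
    forged = sign_request("A1B2C3D4", "buy my pills", secret=b"guessed-secret")
    print("forged:", server.verify(forged))
```

The server checks the signature before the timestamp and nonce so that an unauthenticated request can never consume a nonce or reveal which nonces have been seen. Storing nonces only for the skew window keeps the replay set bounded.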