Regardless of the programming language
I have a client server application.
mobile client – http server
The app will be available on several mobiles not only android.
I want to make sure the request is coming from client’s mobile only.
How can I solve this security problem?
I propose :
Have a secret key hard-coded on the mobile app:
Each request is encrypted using this key and decrypted on the server side.
Is it safe to hardcode the key if this way makes sense at all? (decompilers can get the key? the app will be available not only for android!)
Extra info:
Each user will have a userid/username…
Do not put encryption keys (or anything else that you need to keep secret) into mobile apps and then rely on them. This is a critical flaw.
The key can be reverse engineered, and in fact several big name companies have made this mistake. Google “twitter oauth key compromised”.