How can an application authenticate itself to a server? Let's say I release an Android application that can connect to my web server.

Is there any way I can assure clients use the application I made, and not a third-party one? I assume it is possible to reverse-engineer my app to get its source code (it seems ProGuard is not perfectly safe), and thereby a third party could easily make an app impersonating mine.

Does TLS/SSL solve this issue, and if so, how? I could require the client to send my server a certificate from a trusted authority, thereby laying the responsibility of authentication on the trusted authority. But how does this work in practice? Let's say I produce self-signed certificates, which I add to the server's truststore. How do I safely distribute these to app users?

Maybe I'm missing something basic here, but anything to point me in the right direction would help!

Cartaya

1 Answer

In general, you cannot. The app code is public: nothing prevents baddies from reverse engineering it and emulating the protocol to a tee. More discussion here.

Code obfuscation is your best bet. Specifically on Android, check out ProGuard. No rock-solid guarantee, but maybe the baddie will lose patience. :)

Seva Alekseyev
  • How about, during user authentication, also including perhaps a hash of the entire application and then comparing it to a hash stored on the server? But then of course comes the question: how would I generate a hash of the entire application, from within the application? :) – Cartaya Jun 15 '12 at 14:25
  • Also, what would keep baddies from hashing *your* app and placing the value into their protocol authentication? They're emulating the wire-level protocol, but not your implementation. – Seva Alekseyev Jun 15 '12 at 14:28
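As an added illustration of the point made in the last two comments (this is not code from the question or the answer), the following Python sketch models both schemes the thread discusses from the server's point of view: a static hash of the app reported at login, and a challenge-response keyed by a secret compiled into the app. The class names, the sample "binary" bytes and the embedded key are all constructed for this example; no real APK is involved.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the released APK contents; not a real binary.
GENUINE_APP_BYTES = b"com.example.client v1.0 -- constructed sample application bytes"
# Constructed stand-in for a secret compiled into the app.
EMBEDDED_KEY = b"constructed-key-compiled-into-the-app"


def app_fingerprint(app_bytes: bytes) -> str:
    """SHA-256 of the application bytes, as proposed in the first comment."""
    return hashlib.sha256(app_bytes).hexdigest()


class Server:
    """Stores what the genuine app is expected to present at login."""

    def __init__(self, released_app_bytes: bytes, embedded_key: bytes):
        self.expected_fingerprint = app_fingerprint(released_app_bytes)
        self.embedded_key = embedded_key

    def verify_fingerprint(self, claimed: str) -> bool:
        # Scheme 1: the client reports a hash of itself.
        return hmac.compare_digest(claimed, self.expected_fingerprint)

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify_response(self, nonce: bytes, response: bytes) -> bool:
        # Scheme 2: the client proves it knows the key compiled into the app.
        expected = hmac.new(self.embedded_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class GenuineClient:
    """The app as released: hashes its own bytes, uses its own key."""

    def fingerprint(self) -> str:
        return app_fingerprint(GENUINE_APP_BYTES)

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(EMBEDDED_KEY, nonce, hashlib.sha256).digest()


class ThirdPartyClient:
    """A different program that only has a copy of the public APK.

    It never hashes its own code; it hashes the copy of the genuine app and
    reuses the key found inside that copy, which is the answer's point: every
    input the server checks is already in the public artifact."""

    def __init__(self, copy_of_genuine_app: bytes, key_from_that_copy: bytes):
        self.copy_of_genuine_app = copy_of_genuine_app
        self.key_from_that_copy = key_from_that_copy

    def fingerprint(self) -> str:
        return app_fingerprint(self.copy_of_genuine_app)

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self.key_from_that_copy, nonce, hashlib.sha256).digest()


def run_both_schemes() -> dict:
    """Returns, per client, whether each server check passes.

    Both clients pass both checks, so neither check tells the server which
    implementation it is talking to."""
    server = Server(GENUINE_APP_BYTES, EMBEDDED_KEY)
    clients = {
        "genuine": GenuineClient(),
        "third_party": ThirdPartyClient(GENUINE_APP_BYTES, EMBEDDED_KEY),
    }
    results = {}
    for name, client in clients.items():
        nonce = server.new_challenge()
        results[name] = {
            "static_hash": server.verify_fingerprint(client.fingerprint()),
            "challenge_response": server.verify_response(nonce, client.answer(nonce)),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_both_schemes().items():
        print(name, outcome)
```

Both checks verify that whatever is talking to the server knows a particular hash and a particular key, and both values are present in the APK that anyone can download, so the checks distinguish nothing. That is the sense in which the answer says "in general, you cannot": a check whose inputs all live in the client can only raise the attacker's cost (obfuscation), not prove which binary is on the other end.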