Is there a way to identify a mobile app which is enforced by the OS (iOS or Android)?
I want to have a mechanism like the "Origin" request header which is enforced by the browser.
The use case is to be able to monitor which app is using our SDK and to be able to block it if it's used from an app which is not authorized.
I read about the User-Agent, X-App-Version and X-Source headers; are they enforced, or are there others which are enforced?
Answers
In the context of mobile apps, there isn't a standardized mechanism like the "Origin" request header in web browsers that can reliably identify the source of the app. However, there are some headers and methods you can use to gather information about the app making the request:
- User-Agent Header: The User-Agent header typically contains information about the client application making the request, including the app name and version, as well as the device type and operating system. While this header can provide some information about the app, it can be easily spoofed or manipulated.
- Custom Headers: You can define custom headers in your SDK that apps need to include in their requests when using your SDK. For example, you mentioned using headers like X-App-Version and X-Source. These custom headers can help you identify requests originating from apps using your SDK.
- API Key or Token: Require apps to include an API key or token in their requests when using your SDK. This key or token can be tied to a specific app or developer account, allowing you to track and authorize requests based on the source.
- OAuth or JWT Tokens: If your SDK integrates with a backend service, you can use OAuth tokens or JSON Web Tokens (JWT) to authenticate requests. These tokens can contain information about the app making the request, such as its identifier or permissions.
- App Signature or Bundle Identifier: On Android, you can obtain the package name (bundle identifier) of the calling app using PackageManager.getCallingPackage(). This can help you identify the source of the request on Android devices.
- App Store Receipt Verification: If your SDK is distributed through app stores, you can validate the app store receipt or purchase token to verify that the app is authorized to use your SDK.
It's important to note that none of these methods are foolproof, as malicious developers can attempt to circumvent them. However, using a combination of these techniques can help you gather information about the requesting app and enforce authorization rules in your SDK. Additionally, you may consider implementing server-side validation and authorization checks to further secure your SDK usage.
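As an added example (not part of the answer above), here is a server-side authorization check that combines the API-key and custom-header approaches the answer describes: the decision rests on the key, which is bound to a registered app, while the client-asserted X-Source header is only cross-checked against that binding. The registry contents, header names and the `authorize_request` function are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed registry: API key -> the app it was issued to. In a real SDK
# backend this would be looked up in a database keyed by developer account.
APP_REGISTRY = {
    "key-android-123": {"app_id": "com.example.shop", "platform": "android", "active": True},
    "key-ios-456": {"app_id": "com.example.shop.ios", "platform": "ios", "active": True},
    "key-old-789": {"app_id": "com.example.legacy", "platform": "android", "active": False},
}

@dataclass
class Decision:
    allowed: bool
    app_id: Optional[str]
    reason: str

def _lookup_key(presented: str) -> Optional[dict]:
    # Compare against every registered key in constant time so response timing
    # does not reveal how much of a guessed key matched.
    for key, app in APP_REGISTRY.items():
        if hmac.compare_digest(key.encode(), presented.encode()):
            return app
    return None

def authorize_request(headers: dict) -> Decision:
    """Decide whether a request to the SDK backend comes from an authorized app.

    Header names are normalised to lower case. Only the API key drives the
    decision; X-Source and User-Agent are set by the client and can be
    spoofed, so they serve as a cross-check and for monitoring, not as proof.
    """
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return Decision(False, None, "missing api key")
    app = _lookup_key(auth[len("Bearer "):].strip())
    if app is None:
        return Decision(False, None, "unknown api key")
    if not app["active"]:
        return Decision(False, app["app_id"], "key revoked")
    claimed = h.get("x-source")
    if claimed is not None and claimed != app["app_id"]:
        # The key was issued to one app but the request claims another:
        # a misconfigured integration, or a key copied into a different app.
        return Decision(False, app["app_id"], f"x-source mismatch: {claimed}")
    return Decision(True, app["app_id"], "ok")
```

Logging `Decision.app_id` and `reason` for every request gives the per-app usage view the question asks for, and a key that shows up with a mismatching X-Source is a candidate for revocation.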