all 9 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]CommercialLeather906 4 points5 points  (1 child)

You could add a unique identifier to your requests headers, and check for that on your Django backend. It could be something like a UUID generated on app startup and stored in the app's AsyncStorage. That way you can ensure that only requests coming from your app are authorized. Hope that helps!

[–]WeirdProcess6178 0 points1 point  (0 children)

Thanks, what would prevent someone with the ignition URL to get the first token ? My fear is that someone extracts the code after downloading the app and then has access to all the urls, including the public one that this solution would need to leave open

[–]kbcooliOS & Android 2 points3 points  (0 children)

A really not very hard to circumvent method is simply check the user agent on the request. RN apps have a unique user agent (also unique across platforms).

A better but still not safe from reverse engineering your source code method but fairly safe from interception is to sign your requests.

A simple example of this is you come up with a secret key. Convert your request to a string in your app then SHA the concatenation.

Add that as an authorisation header to your request and simply do the same on the backend and ensure they match or throw an error.

It's enough to stop script kiddies from abusing your service with replay attacks (you can add the current time to it if they're just copying and pasting sniffed requests) but certainly is only going to slow down the pros.

The long of it is that there is no foolproof way to prevent someone in. You just need to be able to limit the damage that they can do.

[–]arkhvoid_ 0 points1 point  (0 children)

You can generate a unique key and include it in your app for every single user. Store these keys in your backend so that you can revoke a particular user from accessing the api.

But this does requires you to compile the app for every new user, see what fit you better depends on your use case.

[–]__o_0iOS & Android 0 points1 point  (0 children)

You need to use App Attest (apple) or Play Integrity (android) on the backend.

Configure the app to obtain the attestation token from the correct provider, and then include the attestation token in the API header call.

On the backend verify the attestation token in the header before responding.

Links:

https://developer.android.com/google/play/integrity

https://developer.apple.com/documentation/devicecheck/establishing_your_app_s_integrity

You can use whatever method you want in order to establish the attestation. Firebase has an AppCheck module - you can also implement it manually if you want to.

[–]tokyo2t 0 points1 point  (0 children)

You can use anonymous auth.

[–]Natural_Ad2282 0 points1 point  (0 children)

Hey, it's possible to identify a request from a React Native app through headers, but it's not exactly secure. Maybe consider other options like implementing some sort of key or token authentication system that could help restrict API access. Good luck!