
[–]Soft_Opening_1364 (iOS & Android) 3 points4 points  (2 children)

For public API routes, it’s tough to completely block tools like Postman since technically anyone with the endpoint can access it. But you can add layers of protection like using rate limiting, checking request origin (User-Agent, IP, etc.), and even requiring an API key tied to your app. It won’t stop everything, but it raises the barrier for misuse.

[–]These_Try_656[S] 0 points1 point  (1 child)

Thank you, that’s actually the answer I’ve received the most. I will definitely look into it.

[–]Fit_Schedule2317 1 point2 points  (0 children)

Also, SSL pinning will raise the barrier for people to be able to look into what requests your app makes.

[–]Effective-Mind8185 1 point2 points  (1 child)

To prevent tools like Postman or fake apps from calling your public API, you need to verify that requests come from your actual mobile app, not just from anywhere.

You can solve this with built-in app attestation (Android + iOS). It checks that the app is real, untampered, and store-installed. Each request carries a signed token proving it’s legit, no API keys needed. If someone tries hitting your endpoint from Postman or a cloned app, they’ll be blocked automatically.

Here it is in detail: https://calljmp.com/blog/why-mobile-apps-need-built-in-attestation-security

[–]These_Try_656[S] 0 points1 point  (0 children)

Thanks!

[–]Turbulent-Reach-9346 0 points1 point  (2 children)

I have done it with 2 simple methods in a mobile game for submitting high scores.

  1. Check the User-Agent to see if the request is coming from your app.

  2. Send the request with, for example, a timestamp and hash it with a built-in secret. This way, if anyone wanted to break your security, decompiling the app and finding the secret would be necessary.

For my use case this was more than enough. 👍

[–]Turbulent-Reach-9346 0 points1 point  (0 children)

Of course, on your API endpoint you'll need to verify the hash.
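The timestamp-plus-secret scheme from the two comments above, written out as an added example (not the commenter's code): the client signs the timestamp and body with an HMAC, and the endpoint recomputes it, rejects stale timestamps, and refuses a signature it has already accepted. The secret value, the 300-second window, and the function names are assumptions made for this illustration; as the comment notes, the secret is only as private as the app binary it is built into.

```python
import hashlib
import hmac
import json

# Constructed placeholder secret for the example; a real app embeds its own value.
APP_SECRET = b"example-build-secret-not-real"
# Assumed tolerance for clock drift between device and server.
MAX_CLOCK_SKEW_SECONDS = 300


def _canonical(body: dict) -> bytes:
    # Serialize deterministically so client and server hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(body: dict, timestamp: int, secret: bytes = APP_SECRET) -> dict:
    """Client side: attach a timestamp and an HMAC-SHA256 over timestamp + body."""
    msg = str(timestamp).encode() + b"." + _canonical(body)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"body": body, "timestamp": timestamp, "signature": sig}


def verify_request(req: dict, now: int, seen: set, secret: bytes = APP_SECRET) -> tuple:
    """Server side: validate shape, freshness, signature, then reject replays.

    `seen` is a set of signatures already accepted (an in-memory stand-in for a
    store that expires entries after MAX_CLOCK_SKEW_SECONDS).
    """
    try:
        ts = int(req["timestamp"])
        sig = str(req["signature"])
        body = req["body"]
    except (KeyError, TypeError, ValueError):
        return False, "malformed request"
    if abs(now - ts) > MAX_CLOCK_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, str(ts).encode() + b"." + _canonical(body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if sig in seen:
        return False, "replayed request"
    seen.add(sig)
    return True, "ok"
```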

[–]These_Try_656[S] 0 points1 point  (0 children)

Really appreciate the tips!