[Flask] Flask secret key for mobile app client

Luca Lesinigo luca at lesinigo.it
Tue May 31 04:16:23 EDT 2016


On 30 May 2016, at 09:46, aiman parvaiz <aimanparvaiz at gmail.com> wrote:
> The case under consideration is that right now anyone can jump on a tool as simple as Postman (on the Chrome browser), construct the API call and get data from the backend. I need a way to allow only mobile devices with the installed app to see the returned data, and how can I ensure that an API call from any client other than mobile devices doesn't get a response from my server.
> I would appreciate any help I can get here.
First of all you have to put your API on an HTTPS endpoint.

You can then put a first layer of security by embedding the server public certificate in the mobile app (client).
This will gain you nothing for what you are asking (it is really easy for anyone to extract whatever they want from any public app) but your app can use certificate pinning to be sure it’s talking to the real server and not to someone else.
The trust to this certificate is enforced by the mobile operating system (i.e. iOS or Android) that under normal circumstances will refuse to run applications not coming from the official app store and/or applications that have been tampered with.
Of course you can do nothing for people with rooted or otherwise modified mobile operating systems, they can always get a modified version of your app with a different certificate if they want or if someone maliciously does that.

Then you have to implement some sort of authentication for the users of your app: for example have the user fill a form including their email address and send a verification email to that address, or stuff like that.

Bottom line is:
- your server has no way to be sure if it’s talking to your genuine client app or to a modified version of it or to something entirely different. You must think of it just like any public-facing service (api, website, whatever) that doesn’t know who’s knocking at the door
- your client app can only be sure it’s talking to your genuine server if it is running on a genuine, unmodified and uncompromised mobile operating system that got the app from a trusted source like the official app store

--
Luca Lesinigo
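The second layer Luca describes (authenticate the user, not the app, and treat the API like any public-facing service) looks roughly like the following in practice. This is an added example, not code from the thread or from Flask itself; it uses only the Python standard library so it runs without Flask installed, but authorize_request is shaped like what a Flask before_request hook or route decorator would do with request.headers. The e-mail verification step is assumed to have already succeeded before issue_token is called, SERVER_SECRET and the token format are assumptions of this example, and the headers dict stands in for Flask's case-insensitive request.headers.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical server-side secret (constructed for this example). In a real
# deployment load it from the environment or a secrets store, never from source.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid after issue


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, secret: bytes = SERVER_SECRET, now: Optional[float] = None) -> str:
    """Issue an HMAC-SHA256 signed bearer token for a user whose e-mail was verified.

    Call this only after the verification-link step succeeds (assumed, not shown).
    Token layout is <payload>.<mac>; the payload carries the identity and an
    expiry so a leaked or replayed token is bounded in time.
    """
    now = time.time() if now is None else now
    claims = {"sub": email, "exp": int(now) + TOKEN_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(mac)}"


def verify_token(token: str, secret: bytes = SERVER_SECRET, now: Optional[float] = None) -> Optional[str]:
    """Return the verified e-mail, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64url(payload_b64)
        mac = _unb64url(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time compare: a plain == leaks the MAC byte by byte via timing.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


def authorize_request(headers: Dict[str, str], secret: bytes = SERVER_SECRET,
                      now: Optional[float] = None) -> Tuple[int, dict]:
    """Gate an API call the way a Flask before_request hook would.

    Returns (status, body) so the anonymous-Postman case (no Authorization
    header) is visible as a 401 instead of data.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"error": "missing bearer token"}
    email = verify_token(token, secret, now)
    if email is None:
        return 401, {"error": "invalid or expired token"}
    # The token proves a verified user, not a genuine app build: anyone who
    # extracts a valid token from a phone can replay it from Postman just fine.
    return 200, {"data": f"private data for {email}"}


if __name__ == "__main__":
    tok = issue_token("alice@example.com")
    print(authorize_request({}))                                  # anonymous caller
    print(authorize_request({"Authorization": "Bearer " + tok}))  # verified user
    # Forged payload re-using the genuine MAC fails the HMAC check.
    forged = _b64url(b'{"sub":"mallory@example.com","exp":9999999999}') + "." + tok.split(".")[1]
    print(authorize_request({"Authorization": "Bearer " + forged}))
```

Note what this does and does not buy: it stops the unauthenticated Postman call, and it ties every response to a verified account so abuse is attributable and revocable, but exactly as the reply above says, a token lifted from a rooted device or a repackaged app is indistinguishable from one sent by the genuine client.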


