I have a webservice, and an iOS client (application) for one of my projects.
My webservice exposes several REST endpoints. I am looking for a way to make sure that the webservice processes requests that come from the iOS application only.
I understand that it is impossible to be 100% sure that the requests are coming from the iOS application.
But are there any best practices that I can use to make sure that requests are coming from iOS only?
Here are a few things that I was trying to do.
- Bundle API secret with iOS application (known only to iOS and server)
- Sign all the requests with secret and timestamps
- Recycle API secret with every (or alternate) application release cycle.
I am new to most of this, so any help/advice/constructive criticism would be super helpful.
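The three bullets above (a bundled secret, signed requests with timestamps, and secret rotation per release) can be shown together as one signing scheme. The following is an added example written for this thread, not code from the question or from any real project: the client signs the method, path, timestamp and a hash of the body with HMAC-SHA256 using a secret identified by a key id, and the server recomputes the MAC, rejects stale timestamps, and accepts any key id that is still active so that a new release can ship a new secret while the old one is retired. The header names (`X-Key-Id`, `X-Timestamp`, `X-Signature`), the 300-second window and the secret values are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed example values: a real app bundles the secret of its own
# release; the server keeps every secret that is still allowed to sign.
# Retiring a release means deleting its entry from this dict.
SECRETS: Dict[str, bytes] = {
    "v1": b"example-secret-for-release-1-not-real",
    "v2": b"example-secret-for-release-2-not-real",
}

# Assumed freshness window: a signed request older than this is rejected,
# which limits how long a captured request can be replayed.
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Build the exact byte string both sides sign.

    Hashing the body binds the signature to the payload without making the
    signed string grow with the request size.
    """
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(secret: bytes, key_id: str, method: str, path: str,
                 body: bytes, timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers the iOS app would attach."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(secrets: Dict[str, bytes], method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: look up the key, check freshness, recompute the MAC.

    Returns (accepted, reason) so the caller can log why a request was refused.
    """
    now = int(time.time()) if now is None else now
    try:
        key_id = headers["X-Key-Id"]
        ts = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    secret = secrets.get(key_id)
    if secret is None:
        return False, "unknown key id"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the expected MAC through timing differences.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"item": 42}'
    headers = sign_request(SECRETS["v2"], "v2", "POST", "/api/v1/orders", body)
    print(verify_request(SECRETS, "POST", "/api/v1/orders", body, headers))
    # The same headers over a modified body must be refused.
    print(verify_request(SECRETS, "POST", "/api/v1/orders", b'{"item": 43}', headers))
```

The timestamp check bounds replay but does not prevent it inside the window; a server that needs to refuse exact duplicates would additionally remember recent (key id, timestamp, signature) tuples. This scheme also only proves that the sender holds a secret that was bundled into some release, which is the limitation the question already acknowledges.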
Best option: Bundle API secret with iOS application (known only to iOS and server).
You can send it in a custom HTTP header and it's best if you send it encrypted as well.