I'm currently developing a mobile app that connects to a backend API, and I want to ensure that unauthorized users can't access my API from outside the app. Besides relying on standard methods like email/password authentication and JWT tokens, I'm curious about what additional security measures I can implement. While I'm considering using an API key embedded in the app, I'm aware that this could be easily extracted if someone decompiles it. Are there any effective techniques to protect my backend API? Or am I just overthinking this? Thanks for any help!
1 Answer
Both iOS and Google have some useful tools here! iOS offers an 'App Attestation' API and Google has the 'Play Integrity' API. These are designed to help prevent unauthorized use of your backend. While they're not foolproof, they provide solid methods for tackling these issues. As for paranoia? It really hinges on your app's functionality and the risks of someone accessing your API outside the app.
Right now, it’s just a simple game where users create accounts to play. However, I plan to develop more complex apps, and I really want to secure the backends for those. Thanks for the info on App Attestation and Play Integrity!