I am building REST APIs for an iPhone app using the PHP framework CodeIgniter. Please let me know how I can ensure that the API is accessible via the app only. This means that if anyone wants to access the APIs from outside the app, it should not be accessible.
3
(You should really post this on the Cryptography group as well – https://crypto.stackexchange.com/)
It is technically possible with the right OS vendor support:
- The OS has a TPM (probably already true), which is hardware-signed by the vendor (i.e. Apple). (This may also already be true.)
- Your app gets a Device-Application certificate from the TPM. (May be possible.)
- When your app connects to your RESTful server, it uses mTLS and only trusts client certificates that are signed by a CA that asserts its model and specs and is itself signed by the vendor cert (i.e. Apple). (Feasible.)
- You might be able to use a mainstream web server (i.e. NGINX), or you might need to customize an open-source web server. (That can reverse proxy to the PHP application.)
The TPM assures (in theory and most practice) that no one can extract the CA certificate, nor the Device-Application certificate. Basically, the mTLS client-side certificate signing occurs in the TPM co-processor and the private key never leaves the enclave.
Desktop PCs have got most (if not all) of what is needed. Modern iOS phones and some models of Android may also have what is needed.
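As an added example (not part of the answer above), this is what the mTLS step looks like when NGINX terminates TLS and reverse proxies to the PHP application; the certificate paths, the CA bundle file name and the internal upstream address are assumptions.

```nginx
# Added example: NGINX enforces client-certificate authentication in front
# of the CodeIgniter app. Assumed placeholders: the /etc/nginx/tls paths,
# api.example.com, and an internal HTTP listener on 127.0.0.1:8080 that
# serves the PHP application.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Trust anchor for client certificates: only the vendor root and the
    # intermediate(s) that attest the device model/specs, concatenated as
    # PEM. Anything not chaining to this bundle is rejected.
    ssl_client_certificate /etc/nginx/tls/device-ca-chain.pem;
    # Depth 2 permits root -> intermediate -> device/app leaf.
    ssl_verify_depth 2;
    # "on" fails the TLS handshake itself when no certificate, or one that
    # does not chain to the bundle, is presented, so unauthenticated
    # requests never reach PHP at all.
    ssl_verify_client on;

    location / {
        # Forward the verification result and certificate identity to the
        # application. proxy_set_header replaces any header of the same
        # name sent by the client, so a caller cannot forge these values.
        proxy_set_header X-Client-Verified $ssl_client_verify;
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
        proxy_set_header X-Client-Issuer   $ssl_client_i_dn;
        proxy_set_header X-Client-Serial   $ssl_client_serial;
        proxy_set_header Host              $host;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The upstream must listen on loopback (or an otherwise private interface) only, otherwise a caller could reach the PHP application directly and supply the X-Client-* headers themselves.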
The point of HTTP and REST APIs is to ease interoperability with clients. This is a feature you don’t want.
You may want to decrease the ease of hacking your app by using a less clear protocol for which fewer client tools are available. But this will just be security through obscurity. Nothing will stop a motivated hacker from decompiling the client app.
I don't get why you would do that. But it can be done (almost).
It will require some effort and probably will not be so useful. And this could be hacked.
Why could it be hacked? Because you cannot limit devices; they are "client side". So they could be faked.
You can send from your server a unique user tracking code to the app, but only to logged-in users. This way you can bind the Device + App + User to this code via a cookie or local storage.
Then you should use a filter in your server API routes to require this unique ID. You can store this user_tracking_code in your user table for validation.
4