How do popular apps authenticate user requests from their mobile app to their server?

Development issue/problem:

Suppose I have an Android application that connects to the .Net API to receive/install data. The confusion I have is how to register/login the user for the first time and authenticate him or her every time he or she submits a request to the API.

What other models are available, and which are the most efficient and safe? I only need one workflow.
Can anyone tell me which method popular Android applications such as Facebook, FourSquare or Twitter use to authenticate every request that reaches their server from their mobile application?

I’m sorry in advance if this isn’t public information.

How can this problem be solved?

Solution No 1:

I believe they use a token-based security system, so the password isn’t actually stored anywhere, but is only used the first time for authentication purposes. So the application first posts the username/password (over SSL) and the server returns a token that the application stores. On later sync attempts, the token is sent first, the server checks its validity and then allows additional data to be posted.

The token must have an expiration date so that the server can request a new authentication attempt.

When you connect to a sync adapter of the Android framework, you can sync and authenticate everything under the hood.

If you check the accounts in the Settings section of your device, you will understand what I mean.
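The flow described in this answer (password checked once over TLS, opaque token returned and stored by the app, token validated with an expiry on every later request), as an added example that is not part of the original post. It is a server-side sketch in Python rather than the .NET API the question mentions; the in-memory user and token stores are constructed stand-ins for a database, and the one-hour TTL is an assumption.

```python
"""Token-based login flow: password verified once, expiring opaque token after that.
Added example; the in-memory stores below are constructed stand-ins for a database."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumption: tokens expire after one hour

# Constructed user store: username -> (salt, PBKDF2 hash of the password).
_USERS = {}
# Token store keyed by SHA-256 of the token, so a leaked table does not
# hand out usable bearer tokens: token_hash -> (username, expires_at).
_TOKENS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    """One-time registration: only a salted hash of the password is kept."""
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """First-time authentication (assumed to run over TLS): verify the password,
    mint a token. Returns the opaque token the app stores, or None on failure."""
    now = time.time() if now is None else now
    record = _USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, never stored in clear
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    _TOKENS[token_hash] = (username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Per-request check: look the token up, enforce expiry, return the user.
    An expired token is deleted so the client is forced to log in again."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = _TOKENS.get(token_hash)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del _TOKENS[token_hash]
        return None
    return username


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    t = login("alice", "correct horse battery staple", now=1000.0)
    print("valid:", authenticate(t, now=1500.0))    # alice
    print("expired:", authenticate(t, now=5000.0))  # None
```

The password hash is compared with a constant-time function and the token itself is never written to the store, only its hash; both details matter for the "password isn't stored anywhere" property the answer relies on.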

Solution No 2:

Usually they use the OAuth protocol (1)/framework (2). Although it is supposed to be a standard, each has its own implementation of this protocol/framework, so we have to be very careful with the integration.

For example: Dropbox still uses OAuth 1 and has recently introduced support for OAuth 2.

Back to the answer: as Peterpan said, it is token-based authentication, and the password is used once and then taken out of the equation. These tokens expire or, in some cases, can be revoked by the issuer.

Interestingly, the level of access to resources can be defined, instead of the client application storing usernames and passwords, which is dangerous.

This is a basic illustration of how it works.

I will update the answer as soon as I have more information about it, because I am working in this field nowadays.

Solution No 3:

If I only use authentication based on a username and password, is that not secure enough?

No, because you only identify WHO is accessing the API server, but not WHAT is accessing it.

The difference between WHO and WHAT is about what is accessing the API server.

To illustrate the differences between WHO and WHAT has access to the API server, we will use this image:

An intended communication channel is a mobile application being used as expected by a legitimate user without malicious intent, running an untampered version of the mobile application and communicating directly with the API server without being the target of a man in the middle attack.

The actual channel may represent different scenarios, for example a legitimate user with malicious intent using a repackaged version of the mobile application, or a hacker using the genuine version of the mobile application while someone runs a man in the middle attack on it to understand how the communication between the mobile application and the API server works, in order to automate attacks against your API. There may be many more scenarios, but we won’t list them all here.

I hope you already understand why WHO and WHAT are not the same, but if not, it will be clear immediately.

WHO is the user of the mobile application, whom we can authenticate, authorize and identify in various ways, for example via OpenID Connect or OAuth2 flows.

Generally, OAuth provides clients with secure delegated access to server resources on behalf of the resource owner. It specifies a process by which resource owners can authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with the Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.

OpenID Connect

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end user based on the authentication performed by the authorization server, and to obtain basic profile information about the end user in an interoperable and REST-like manner.

Although user authentication can let the API server know WHO is using the API, it cannot guarantee that the requests come from WHAT you expect, namely the original version of the mobile application.

Now we need a way to identify WHAT is calling the API server, and here things get more complicated than most developers think. WHAT is the thing making the request to the API server? Is it really a genuine instance of your mobile application, or is it a bot, an automated script, or an attacker manually poking at the API server with a tool like Postman?

To your surprise, it may even be one of your legitimate users using a repackaged version of the mobile application, or an automated script trying to game and take advantage of the service provided by the application.

Well, to identify WHAT, developers tend to use an API key that they usually hard-code in the mobile application’s code. Some developers go further and compute the key at runtime in the mobile application, so that, unlike the previous approach, it becomes a runtime secret rather than a static secret embedded in the code.

The passage above is from my article WHY YOUR MOBILE API KEY?, which is the first article in a series about API keys that you can read in full here.

Storage of confidential data in the client device

And I can’t store this username/password on my device for security reasons?
Do I need to issue a GUID for each user at registration, store it on the device and send it with each API request?

Anything you store on the device, even if it is encrypted, can be recovered at runtime with tools like Frida or Xposed.


Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.


Xposed is a framework for modules that can change the behaviour of the system and apps without touching any APKs. That is great, because it means that modules can work for different versions and even ROMs without any changes (as long as the source code

On a device controlled by an attacker, they can also use a proxy to perform a man in the middle attack and extract any secret that identifies WHAT or WHO, as I showed in Steal that API key with a Man in the Middle Attack:

While we can use advanced techniques such as JNI/NDK to hide the API key in the mobile application’s code, this will not prevent someone from performing a MitM attack to steal the API key. In fact, a MitM attack is so simple that it can even be carried out by non-developers.

So… am I doomed to be unable to protect my API server from abuse? Not quite, so… there is still hope!

Possible solutions

Can anyone tell me which method popular Android applications such as Facebook, FourSquare or Twitter use to authenticate every request that reaches their server from their mobile application?

I’m sorry, but I don’t know enough about those applications to teach you anything, but I can show you other approaches.

What other models are available, and which are the most efficient and safe? I only need one workflow.

So, anything that runs on the client side and needs a secret to access the API can be bypassed in different ways. In the Mobile API Security Techniques series you can learn more about this. It shows how API keys, user access tokens, HMAC and TLS pinning can be used to protect the API and how they can be bypassed.

To solve the problem of WHAT is accessing your API server, you need to use one or all of the solutions listed in the Mobile API Security Techniques series mentioned above, which, as I have acknowledged, can only make unauthorized access to your API server more difficult, not impossible.

The best solution is to use a Mobile App Attestation solution, which lets the API server know that it is only receiving requests from a genuine mobile application.

Mobile App Attestation

By using a Mobile App Attestation solution, the API server can know WHAT is making the requests, so it can respond only to requests from a genuine mobile application while rejecting all other requests from untrusted sources.

The role of a Mobile App Attestation solution is to ensure at runtime that your mobile application has not been tampered with, is not running on a rooted device, is not being instrumented by a framework such as Xposed or Frida, and is not the target of a MitM attack, by running an SDK in the background. A cloud service challenges the application and uses the responses to verify the integrity of the application and the device, so the SDK itself is never responsible for any decision.

Once the mobile application integrity checks succeed, a JWT token is issued and signed with a secret known only to the API server and the Mobile App Attestation service in the cloud. If the mobile app attestation fails, the JWT token is signed with a secret that the API server does not know.

The application must now send the JWT token in the request headers with every API call. This allows the API server to serve requests only when it can verify the signature and expiration time in the JWT token, and to reject them when it cannot.

Since the secret used by the Mobile App Attestation service is unknown to the mobile application, it is impossible to reverse engineer it at runtime, even if the application has been tampered with, is running on a rooted device, or is communicating over a connection that is the target of a man in the middle attack.

A Mobile App Attestation service already exists as a SaaS solution at Approov (I work here), which provides SDKs for various platforms such as iOS, Android, React Native and others. The integration also requires a small check in the API server code to verify the JWT token issued by the cloud service. This check is necessary so that the API server can decide which requests to serve and which to reject.


Finally, the solution for protecting your API server must be chosen based on the value of what you are trying to protect and the legal requirements for that type of data, such as the GDPR rules in Europe.


OWASP Mobile Security Project – Top 10 Risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through this project, our goal is to classify mobile security risks and provide development controls to reduce their impact or the likelihood of their exploitation.

Solution No 4:

I was looking for the same thing and found my way to Google, a bit like Peterpan, but through the Google API. Try this link and Google it; I’m just starting too! I’ll post new information as I go!

Solution No 5:

I am a beginner, but I will try to find a logical solution to this problem.

There will be two options:

[1] For each URI, there will be HTTP authentication where the user’s credentials are validated and the user gets access to the resources.

[2] Another approach is user authentication, where each authentication generates a unique token. With the generated token the user has access to the resources.

Although I’m not sure which approach is most suitable for a mobile application.

Solution No 6:

The authentication example is a good starting point. Android stores accounts in the AccountManager; you can view the accounts in the Android settings. For example, you can save tokens automatically, prompt the user when they have expired, refresh the tokens and so on. I think the HTTP part of this example is insufficient or outdated. Extending Android’s AccountAuthenticatorActivity is an excellent way to parse serialized data in the layout and send it back to the Internet.

Solution No 7:

Usernames and passwords can be protected when stored in SharedPreferences.
Using HTTPS when connecting to the server should also suffice.

Good luck!
