Good application security solutions are non-trivial. You cannot use any simple, plain-text object like HTTP_USER_AGENT. One common approach is an "API Key" - where a key that is obtained from a registration page is supplied along with the request, but unless you combine this with some other "secret" it can be trivially copied and supplied by the "false" app.
One reasonably strong solution would be some form of challenge/response using a shared secret. A determined attacker could, theoretically, extract your secret from your app and use it, but that requires a reasonable deal of effort - first they need to decrypt your app bundle and then extract the secret. The flow is something like -
- App sends request to web service for authentication, supplying API key.
- Web service looks up API key to determine "shared secret"
- Web service sends challenge string back to app
- App hashes challenge string using shared secret and sends it back to the web service
- Web service applies same hash and compares answer
- If hashes compare, web service returns session key to app
- App sends session key with all subsequent requests
- At some point you need to invalidate the session key - either app logout, timeout, number of requests
To protect this approach from man-in-the-middle attacks you need to run it over SSL and ensure that your app validates the server certificate.
You also should implement some form of protection against brute-force attempts, such as locking an API key after 'x' failed challenges
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
