3 Comments
Przemek

Very interesting! In addition to authenticating the user, I'm interested to learn how apps authenticate the client software. E.g. for an Android app that talks to a server, how does the server know the client is the legitimate app and not some other client software that tries to use their API?

Manish Sahajwani

If you're talking about authenticating the user on the mobile app, and getting data for the user, then one of the common ways is the use of JSON Web Tokens. When a user logs in, the server generates a JWT that contains a payload of data (like user ID, permissions, etc.) and sends it back to the client app. The client app stores this token (in local storage), and this token is sent with every request made to the server. The server verifies the token and identifies the user, and based on that sends the required data back. This way, JWTs ensure that requests to the server are coming from authenticated users on the client software.

Apart from this, there are other but related ways client apps can be authenticated by the servers. For example, for API calls, the app includes a secret key when making API requests. This key is unique to the app and is verified by the server. In another method, the server can verify the app's package name and signature to ensure it's the correct app it's communicating with. Authentication can be as broad or as granular as needed, depending on the needs. For example, a banking app can have device-level authentication where the server can recognize devices based on unique IDs and combine this with other authentication methods.

I hope this helps.

Przemek
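The JWT flow described in the reply above, as an added example that is not part of the original thread: the server issues an HS256-signed token carrying the user's ID and role, and later verifies the signature and expiry on every request. The secret, user ID and timestamps are constructed for the demo; a tampered payload, a wrong key and an expired token are all rejected. Note that a valid token tells the server which user is making the request, not which client software sent it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url(data: bytes) -> str:
    # JWT uses base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(payload: dict, secret: bytes) -> str:
    """Server side at login: sign header.payload with an HMAC-SHA256 over the secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Server side on every request: return the payload if the token is genuine and unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Only accept the algorithm we issue; never trust the token to choose it ("alg": "none" etc.)
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak timing information about the signature
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:          # malformed base64 / JSON / wrong number of segments
        return None
    current = time.time() if now is None else now
    if payload.get("exp", 0) <= current:
        return None             # expired tokens carry no authority
    return payload

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed for the example
    tok = issue_jwt({"sub": "user-42", "role": "reader", "exp": int(time.time()) + 3600}, SECRET)
    print(tok)
    print(verify_jwt(tok, SECRET))
```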

I meant specifically authenticating apps, thanks for the additional context! How can the server know that the secret key wasn't stolen / spoofed? How can it know that the package name is accurate? I'd love to read more about this, I haven't seen this topic covered in good detail yet :)
