Mobile Native Application Authentication

Let's say I have an Android app that needs to make some kind of API call. I want to authenticate my deployed applications so that my API cannot be used by unauthorized clients.

I can put anything inside the application - the HTTP headers that sign the requests, complete with nonces. However, if someone decompiles the application, they will be able to replicate the authentication method, such as the signature and shared secret generation algorithm. With Java and Android, this is not impracticable.

Can you avoid it? Probably not, but I wanted to make sure crypto doesn't have a solution for me.


1 answer


There is no solution to this problem. The server cannot know that it is talking to your client. The only thing you can justify is not the user, but the application. It is also possible to intelligently authenticate certain secure hardware devices, but this is very expensive and still does not guarantee that your client is in use; it only demonstrates that the user has access to one of your secure hardware devices.

This has been discussed many times across SO. These posts discuss this issue and link to many of those discussions:



While the above posts are generated from an iOS perspective, the problem is universal.

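As an added illustration (not code from the question or the answer), here is a Python sketch of the header-signing scheme the question describes, together with a server-side verifier. The HMAC over method, path, body hash, nonce and timestamp does stop tampering, stale requests and replays; the last check in `demo()` shows why the answer holds: any code holding the same shared secret produces signatures the verifier accepts. The header names, path and secret are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; in the scenario above it would be baked into the APK.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

def canonical(method, path, body, nonce, ts):
    """String covered by the signature: method, path, body hash, nonce, timestamp."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, nonce, str(ts)]).encode()

def sign_request(secret, method, path, body, nonce=None, ts=None):
    """Client side: produce the signing headers for one request."""
    nonce = nonce or secrets.token_hex(16)
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(secret, canonical(method, path, body, nonce, ts), hashlib.sha256)
    return {"X-Nonce": nonce, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}

class Verifier:
    """Server side: checks integrity and freshness, and rejects replayed nonces."""
    def __init__(self, secret, max_skew=300):
        self.secret, self.max_skew, self.seen_nonces = secret, max_skew, set()

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            nonce, ts, sig = headers["X-Nonce"], int(headers["X-Timestamp"]), headers["X-Signature"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.max_skew or nonce in self.seen_nonces:
            return False  # stale, or a replay of a request already accepted
        mac = hmac.new(self.secret, canonical(method, path, body, nonce, ts), hashlib.sha256)
        if not hmac.compare_digest(mac.hexdigest(), sig):
            return False  # method, path or body was altered after signing
        self.seen_nonces.add(nonce)
        return True

def demo():
    """Returns which constructed requests the verifier accepts; note the last case."""
    v, path, body = Verifier(SHARED_SECRET), "/api/v1/sync", b'{"action":"sync"}'
    h = sign_request(SHARED_SECRET, "POST", path, body, ts=1000)
    tampered = v.verify("POST", path, b'{"action":"wipe"}', h, now=1000)  # body changed -> False
    genuine = v.verify("POST", path, body, h, now=1000)                   # True
    replay = v.verify("POST", path, body, h, now=1001)                    # nonce reused -> False
    stale = v.verify("POST", path, body, sign_request(SHARED_SECRET, "POST", path, body, ts=100), now=1000)
    # Any code holding the same secret signs identically; the server cannot tell it from the app.
    other = v.verify("POST", path, body, sign_request(SHARED_SECRET, "POST", path, body, ts=1000), now=1000)
    return {"tampered": tampered, "genuine": genuine, "replay": replay, "stale": stale, "other_holder": other}
```

The nonce set grows without bound here; a real server would bound it by the timestamp window it accepts.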