[Flask] Flask secret key for mobile app client

Corey Boyle coreybrett at gmail.com
Mon May 30 09:37:21 EDT 2016


You can make it non-trivial for someone to access the back end directly,
but I don't think you can ever make it impossible. Any type of secret that
you embed in the application could always be extracted.
On May 30, 2016 7:43 AM, "saikat_sarkar" <saikat_sarkar at hotmail.com> wrote:

> Stop this spam
>
>
> Saikat
> Sent from Samsung Mobile
>
>
> -------- Original message --------
> From: aiman parvaiz
> Date:30/05/2016 1:16 PM (GMT+05:30)
> To: Unai Rodriguez
> Cc: flask at python.org
> Subject: Re: [Flask] Flask secret key for mobile app client
>
> The case under consideration is that right now anyone can jump on a tool
> as simple as Postman (in the Chrome browser), construct the API call and get
> data from the backend. I need a way to allow only mobile devices with the
> installed app to see the returned data, and how can I ensure that an API call
> from any client other than mobile devices doesn't get a response from my
> server.
>
> I would appreciate any help I can get here.
>
> Thanks
>
> On Mon, May 30, 2016 at 12:07 AM, Aiman Parvaiz <aimanparvaiz at gmail.com>
> wrote:
>
> Thanks for the response Unai. This app would be open to the general public
> indeed. Can you please throw more light on SSL+ authentication?
> I would be using SSL for this but what do you mean by authentication from
> mobile phone?
>
>
> Sent from my iPhone
>
> On May 29, 2016, at 9:09 PM, Unai Rodriguez <unai at sysbible.org> wrote:
>
> If the people using the app can be anyone (i.e. it's open to the general
> public) you cannot. Typically SSL (i.e. HTTPS) plus authentication is used
> for this.
>
> If the people that are supposed to access have something in common (i.e.
> they come from a specific office, etc.) then you might be able to add rules
> on a firewall. But that can be a problem (rules not correct or people
> accessing through a VPN etc.). I guess the only way is if the app is served
> only to the people that are supposed to access it, through some sort of a
> corporate/private network.
>
>
>
> -- unai
>
>
> On Mon, May 30, 2016, at 09:56 AM, aiman parvaiz wrote:
>
> Hi all
> I am new to Flask and am writing a REST API backend for a mobile app. My
> question is how can I ensure that calls to my endpoints are only being made
> by my mobile app and not by someone who has guessed the endpoint?
> What would be the best way to avoid this kind of behavior?
> Thanks
> _______________________________________________
> Flask mailing list
> Flask at python.org
> https://mail.python.org/mailman/listinfo/flask
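As an added example that is not part of the thread: one way to implement the "HTTPS plus authentication" approach above without relying on a secret baked into the shipped app is to issue per-user bearer tokens signed with a key that only the server holds, so a token extracted from one installed app only ever speaks for that one logged-in user. The helper names (`issue_token`, `verify_token`, `authorize`) and the token format are my own; it assumes the client has already logged in over HTTPS and that `SERVER_KEY` is loaded from server-side configuration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key (assumed to come from app.config in a real deployment).
# It never ships inside the mobile app, so nothing extracted from the app binary
# lets a third party mint tokens for other users.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl_s=3600, now=None):
    """Mint a short-lived bearer token for a user who just logged in over HTTPS."""
    exp = int(now if now is not None else time.time()) + ttl_s
    payload = _b64(json.dumps({"sub": user_id, "exp": exp}).encode())
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):  # malformed base64, JSON or structure
        return None
    if not isinstance(claims, dict):
        return None
    current = now if now is not None else time.time()
    if claims.get("exp", 0) < current:
        return None  # expired: client must log in again
    return claims.get("sub")


def authorize(headers, now=None):
    """Check an 'Authorization: Bearer <token>' header; in Flask pass request.headers."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return verify_token(value[len("Bearer "):], now=now)
```

In a Flask app this would run in a `before_request` hook that aborts with 401 when `authorize(request.headers)` returns `None`; anyone replaying the call from Postman still needs a valid per-user token, and an expired or tampered one is rejected.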