[Flask] Flask secret key for mobile app client

aiman parvaiz aimanparvaiz at gmail.com
Tue May 31 18:30:16 EDT 2016


Thanks a lot Luca and others for all the advice. I would be using HTTPS for
sure, for authentication I want to use something like Flask Login so that I
can check if it's a logged-in user making a request or not. Does Flask Login
work with Android apps? I read the documentation and understand that it does
user session management, but being new in this domain I am not sure if a
mobile app is a legit client for Flask login.



On Tue, May 31, 2016 at 1:16 AM, Luca Lesinigo <luca at lesinigo.it> wrote:

> On 30 May 2016, at 09:46, aiman parvaiz <
> aimanparvaiz at gmail.com> wrote:
> > The case under consideration is that right now anyone can jump on a
> tool as simple as Postman (on the Chrome browser), construct the API call and
> get data from the backend. I need a way to allow only mobile devices with
> the installed app to see the returned data and how can I ensure that an API
> call from any client other than mobile devices doesn't get a response from my
> server.
> > I would appreciate any help I can get here.
> First of all you have to put your API on an HTTPS endpoint.
>
> You can then put a first layer of security by embedding the server public
> certificate in the mobile app (client).
> This will gain you nothing for what you are asking (it is really easy for
> anyone to extract whatever they want from any public app) but your app can
> use certificate pinning to be sure it’s talking to the real server and not
> to someone else.
> The trust in this certificate is enforced by the mobile operating system
> (i.e. iOS or Android) that under normal circumstances will refuse to run
> applications not coming from the official app store and/or applications that
> have been tampered with.
> Of course you can do nothing for people with rooted or otherwise modified
> mobile operating systems, they can always get a modified version of your app
> with a different certificate if they want or if someone maliciously does that.
>
> Then you have to implement some sort of authentication for the users of
> your app: for example have the user fill a form including their email
> address and send a verification email to that address, or stuff like that.
>
> Bottom line is:
> - your server has no way to be sure if it’s talking to your genuine client
> app or to a modified version of it or to something entirely different. You
> must think of it just like any public-facing service (api, website,
> whatever) that doesn’t know who’s knocking at the door
> - your client app can only be sure it’s talking to your genuine server if
> it is running on a genuine, unmodified and uncompromised mobile operating
> system that got the app from a trusted source like the official app store
>
> --
> Luca Lesinigo
>
>
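The point Luca makes above (the server cannot tell the genuine app from Postman, so it must authenticate the user rather than the client) is also what Flask-Login's signed session cookie gives a mobile app once the app keeps that cookie. The following is an added example, not code from this thread or from Flask or Flask-Login: a stdlib-only Python sketch of the same idea as a signed bearer token, with a request check that refuses anything lacking a valid token. The function names (issue_token, verify_token, handle_api_request), the constructed secret key and the sample user id are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed secret for this example; a real deployment loads it from
# configuration or a secrets store, never from source control.
SECRET_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding (token friendly)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; raises ValueError/binascii.Error on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600,
                now: Optional[float] = None, key: bytes = SECRET_KEY) -> str:
    """Issue an HMAC-SHA256 signed token after the user has proven who they are.

    The token carries only a user id and an expiry; the secret never leaves
    the server, so a client cannot mint or alter tokens, only present one.
    """
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except ValueError:  # wrong shape or not base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


def handle_api_request(headers: Dict[str, str],
                       now: Optional[float] = None) -> Tuple[int, dict]:
    """Stand-in for a view guarded by a login check (like @login_required).

    Whatever the caller is (the app, Postman, curl), it only gets data when
    it presents a token the server itself signed for a logged-in user.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    uid = verify_token(auth[len("Bearer "):], now=now)
    if uid is None:
        return 401, {"error": "invalid or expired token"}
    return 200, {"data": "private data for " + uid}


if __name__ == "__main__":
    # Login step (after the user verified an email address, say) issues a token;
    # the mobile client stores it and sends it on every API call.
    tok = issue_token("alice", ttl_seconds=60)
    print(handle_api_request({}))                                  # 401
    print(handle_api_request({"Authorization": "Bearer " + tok}))  # 200
```

The client-side half is the same for an Android app as for a browser: keep the token (or, with Flask-Login, the session cookie) and attach it to each request over HTTPS. Nothing here identifies the app itself, which is exactly Luca's point; it identifies a user who completed a login the server controls.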

