I am trying to verify that HTTP requests from an iOS application were indeed sent from a mobile application. Currently, the server code simply checks the HTTP header of the "User-Agent" and, of course, is not a very reliable solution.
This is how I see that the current iOS SDK can be used to verify that the client is an actual iPhone user.
Push notifications
- IOS application applications push a token from the operating system and send it to the server
- The server sends a push notification to the application with a hidden identifier
- IOS app sends accepted id to server
- The server responds with a cookie.
Here, in the first stages of communication, we can verify that the user is a mobile user, because, as she received the identifier from the push notification to a specific application.
dis. Not entirely reliable, even if we can repeat the push notification. Misuse of push notifications.
In-app purchase
Here you can reuse check verification.
dis. Obvious abuse. Mixing.
So the question is, are there any suitable ways to confirm that the request was sent from an iOS application, from an iOS device?
source share