I have two applications, Android and iOS, both communicating with one back-end Node.js server. Is there a way to only allow requests from these applications? Like some sort of API key method? I tried to think about ways of filtering requests so that only these applications get through, but I guess I'm stuck.

We do have a login/authentication token system, but what's stopping users from taking that same token and abusing requests with an external application?

I'm thinking about encrypting all requests from the mobile app and decrypting them in the same manner on the back-end, but I fear that a lot of computation would be required. And what's to stop users from taking that same encrypted request and abusing it as well?

I guess what I'm looking for is some good security practices that can prevent such abuse without too much hindrance to the efficiency of the back-end.

Question author Lucky

Basically, you can't. But you can try to limit it.

Your application will be located on a device that you don't control. Anyone can extract information from it, like an API token. They can do some reverse engineering and use your API with another tool.

The best thing to do is to limit the information given by your API.

Answer author Kevinrob