How to verify it's just our phonegap app accessing our server-side api?
We're using jQuery Mobile and Phonegap to produce an iOS & Android app which will be shown in the two stores. The apps will pull in data from a remote server using Javascript and your typical ajax/JSONP calls.
We're hoping to somehow authenticate the application with our backend. Usually you could limit access to a remote API from a specific domain; we can't do this because the files will be stored locally and use the file:// protocol, which is why we're using JSONP to avoid the same-origin policy issue.
We were going to produce an authentication string using a passphrase+timestamp+deviceID, encrypt it and then do the same thing server side. We soon realised that people will be able to access our javascript files easily enough and javascript obfuscation isn't 100% secure from what I've read so far.
Any ideas on how to limit API access just to the app or is it just a case of doing all we can and leaving our API fairly open?
Thank you.
Phonegap is distributed as a dedicated app project. This lets you modify it adding a new api function that will be compiled and kinda safe.
The new function in api would compute a hash from a given seed and return it. Then you need the same code on the server side.
A hash of the seed and a salt embedded carefully in the native app code would be enough.
A binary can be obfuscated enough to prevent people from discovering the salt, and there are further complications you could use - e.g. choose the salt as part of a lengthy string determined by the seed.
JavaScript obfuscation is 0% secure; it's a deterrent and not a real solution. You can run any minified/obfuscated JavaScript through a reverser and get full code. Also, with little effort anyone could fake the PhoneGap API responses to device information, so the only sure way to avoid this would be to use certs in the app container to communicate an initial handshake from within the app. Both the iPhone and Android approach vary on the details, but this is the only real solution to the problem. You could use other approaches such as looking at the source IPs and making sure they are from mobile providers, but that is a moving target.
I think that's sort of the catch22 of hybrid apps. Probably your best bet is to use a token that's generated by the native code. There are tutorials that show you how to create custom functionality in native code that gets passed back to the JS. I'd check there first.