
How to know if a message is sent from an iPhone to the server?

I have written an iPhone application communicating with a server. The app sends a message to the server and prints the result.

Now I have a question: Is there a way to know if the message sent to the server came from an iPhone?

I am asking this because I want to prevent attackers from sending messages from somewhere else and flooding the server.


If you use in-app purchases, then there is a full authentication chain that validates device X purchased the app. Your server can track this and then only give full responses to previously authenticated devices.

This approach also keeps pirated apps pretty much out of the picture.

This approach wouldn't stop a concerted DDOS attack, but your server can at least ignore non-valid clients and thus reduce its workload significantly. Since your server is ignoring invalid requests here, it also makes it less appealing to potential non-device users and the illicit user would probably only attack you if they disliked you, as opposed to them just bogging down your server for its free web services.

If you don't use in-app purchases, you could set up your own authentication process and give a token to the device and have your server remember said tokens, and then later only serve valid responses for requests that had the said token (appropriately hashed and salted). This approach would not stop pirated apps from using your service, but would effectively stop non-devices from using your web service (again, except for concerted hacking efforts).

An even simpler approach is to have an obfuscated request format that would take a concerted effort to reverse engineer.

In all of these approaches, you might have to monitor your server for unusual activity and then take appropriate steps.

I would encourage you to match your efforts to the expected risk. You can spend days, months, even years properly securing an app, so make sure the cost is worth the reward.
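The token approach in the answer above, written out as an added example that is not part of the original post or of any real app: the server issues a random per-device token, stores only a salted hash of it, verifies presented tokens with a constant-time comparison, and drops anything that fails before doing any real work. The device IDs, the in-memory stores and the rate-limit numbers are assumptions made up for the example. Because the token is a high-entropy random value rather than a user-chosen password, a single salted SHA-256 is sufficient for storage; a slow KDF only matters when the secret is guessable. As the answer concedes, a token that ships inside the app binary can be extracted from a jailbroken or pirated copy, so this filters out casual non-device traffic, not a determined attacker.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# In-memory stand-ins for the server's database (constructed for this example).
# device_id -> (salt, sha256(salt || token)); the plaintext token is never stored.
_TOKEN_STORE: Dict[str, Tuple[bytes, bytes]] = {}
# device_id -> timestamps of recently accepted requests, for per-device rate limiting.
_RECENT_REQUESTS: Dict[str, List[float]] = {}

WINDOW_SECONDS = 60.0          # assumed rate-limit window
MAX_REQUESTS_PER_WINDOW = 5    # assumed per-device budget inside that window


def _hash_token(token: str, salt: bytes) -> bytes:
    """Salted hash of a token; fast hash is fine because the token is random."""
    return hashlib.sha256(salt + token.encode("utf-8")).digest()


def issue_token(device_id: str) -> str:
    """Enrollment step: mint a fresh 256-bit token for a device and remember
    only its salted hash. The plaintext is returned once, to be sent to the app."""
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    _TOKEN_STORE[device_id] = (salt, _hash_token(token, salt))
    return token


def is_valid_token(device_id: str, presented: str) -> bool:
    """True only if the presented token hashes to what we stored for this device.
    compare_digest avoids leaking how many bytes matched via timing."""
    record = _TOKEN_STORE.get(device_id)
    if record is None:
        return False
    salt, stored_hash = record
    return hmac.compare_digest(_hash_token(presented, salt), stored_hash)


def _within_rate_limit(device_id: str, now: float) -> bool:
    """Sliding-window counter per device; old entries are pruned on each call."""
    recent = [t for t in _RECENT_REQUESTS.get(device_id, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_REQUESTS_PER_WINDOW:
        _RECENT_REQUESTS[device_id] = recent
        return False
    recent.append(now)
    _RECENT_REQUESTS[device_id] = recent
    return True


def handle_request(device_id: str, token: str, message: str, now: float) -> Optional[str]:
    """Server entry point. Returns the response for a valid, in-budget client,
    or None when the request should be ignored (bad token or over the limit).
    The cheap checks run first so junk traffic costs as little as possible."""
    if not is_valid_token(device_id, token):
        return None
    if not _within_rate_limit(device_id, now):
        return None
    return "echo: " + message


if __name__ == "__main__":
    # Constructed walk-through: enroll a device, then send one good and one bad request.
    tok = issue_token("device-A")
    print(handle_request("device-A", tok, "hello", now=0.0))      # echo: hello
    print(handle_request("device-A", "not-the-token", "hello", now=0.0))  # None
```

The rate-limit step is deliberately placed after token validation: an attacker without a valid token never touches the per-device counters, so the flood the question worries about is rejected by a single hash and compare. Rotating tokens, binding them to a TLS channel, or tying enrollment to the in-app-purchase receipt mentioned in the answer are the natural next steps, but are outside this example.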


You could do some form of authentication, encryption or fingerprinting, e.g. using SHA, MD5, etc. That way you could make it difficult (but not impossible) for an attacker to abuse your server.


You can't tell it's from an iPhone until you have received and examined the connection on the server. If you do that, you have already opened the possibility of a DOS (Denial of service) attack due to connection exhaustion.
