Many companies and individuals build mobile applications for devices such as tablets and smartphones. This software is often distributed through the Google Play Store or Apple Store, but it can also be downloaded from other sources. Many of these applications can and must access back-end services, sensitive information, etc. A legitimate application used by a legitimate user (e.g., one who has logged in, including by use of multi-factor authentication) accessing back-end services and sensitive information is not an issue. Issues arise, however, because these applications can also be “spoofed”, meaning that a nefarious actor can build software that appears to be the legitimate software. The nefarious software may then be able to access these back-end services, sensitive data, etc. The back-end service will usually have no way to determine whether the software making a call to access services or data is the legitimate application or a nefarious actor's imitation of it. A form of this problem occurs when a legitimate user believes she is using the legitimate application, but the application she is using is in fact spoofing the provider's original client application. When the user logs into the nefarious or spoofing application, the provider grants the nefarious application all of the access the user would have been granted if she were using the legitimate application.
One security measure to combat these nefarious actors is an application key. The issue with application keys is that the original software can be decompiled, after which the nefarious actor can extract or mimic the application key. The nefarious or spoofing software can then access what should be restricted to the legitimate software (back-end services, sensitive information, etc.). Thus, an application key alone does not provide the protections needed.
The techniques described herein address those issues.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.