I am developing an iOS application where users display content related to their environment. I have username and password authentication. Thus, the user sends his gps data along with his registration information to my PHP / MySQL backend, which then returns the data.
However, I am afraid that someone might decompile my application, register and then "scan" my entire database by simply sending requests with different GPS data that are not actually coming from the iOS device. Is there any way to prevent this? I already googled and found this thread:
How to make sure that API requests come from our mobile application (ios / android)?
But I think the problem there is a little different and does not solve my problem.
I looked at the API keys, but did not find a way to stop a malicious user from accessing the API through registration / decompilation, and then use my login information along with the key from the code.
Any help is appreciated. Yang
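One server-side mitigation for the scraping scenario the question describes, added here as an example and not code from the question or its backend: since the app cannot prove its own identity, the PHP backend instead budgets location queries per account and rejects coordinate jumps no real user could make. The thresholds, the in-memory `$state` array and the function names are assumptions; a real deployment would persist the per-account history in MySQL or a cache.

```php
<?php
// Added example: per-account plausibility checks applied before answering
// a location query. $state is that account's history (assumed storage):
// ['times' => [recent query timestamps], 'last' => [lat, lon, timestamp]].

const MAX_QUERIES_PER_HOUR = 120;    // assumed budget per account
const MAX_SPEED_KMH        = 300.0;  // assumed bound for plausible movement

function haversineKm(float $lat1, float $lon1, float $lat2, float $lon2): float {
    $dLat = deg2rad($lat2 - $lat1);
    $dLon = deg2rad($lon2 - $lon1);
    $a = sin($dLat / 2) ** 2
       + cos(deg2rad($lat1)) * cos(deg2rad($lat2)) * sin($dLon / 2) ** 2;
    return 2 * 6371.0 * asin(sqrt($a));   // Earth radius in km
}

// Returns ['allow' => bool, 'reason' => string] and updates $state.
function checkLocationQuery(array &$state, float $lat, float $lon, int $now): array {
    // 1. Sliding-window rate limit: a grid scan of the map needs far more
    //    queries per hour than a person walking around with the app.
    $state['times'] = array_values(array_filter(
        $state['times'] ?? [], fn($t) => $t > $now - 3600));
    if (count($state['times']) >= MAX_QUERIES_PER_HOUR) {
        return ['allow' => false, 'reason' => 'rate limit exceeded'];
    }
    // 2. Velocity check: consecutive coordinates from one account must be
    //    reachable at human speeds; scripted coordinates jump too far.
    if (isset($state['last'])) {
        [$pLat, $pLon, $pTs] = $state['last'];
        $hours = max($now - $pTs, 1) / 3600.0;
        $kmh = haversineKm($pLat, $pLon, $lat, $lon) / $hours;
        if ($kmh > MAX_SPEED_KMH) {
            return ['allow' => false,
                    'reason' => sprintf('implausible move: %.0f km/h', $kmh)];
        }
    }
    $state['times'][] = $now;
    $state['last'] = [$lat, $lon, $now];
    return ['allow' => true, 'reason' => 'ok'];
}

// Constructed input: a first query, then one several hundred km away two minutes later.
$state = [];
print_r(checkLocationQuery($state, 52.52, 13.40, 1700000000));
print_r(checkLocationQuery($state, 48.13, 11.58, 1700000120));
```

Because registration is open, an attacker can spread a scan over many accounts, so these checks raise the cost of scraping rather than eliminate it; logging the rejections per account and per source IP gives you the signal to spot that pattern.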