I'm building an SPA and I'm using JWT as the authorization mechanism. Everything works nicely, but what if I want to build a mobile app and make it exclusive to that app? To be more precise, I want to build an Android app and limit my API so it can only be used by my Android application.
In "classic" web pages I have CSRF tokens that are generated on the backend and appended to POST requests. How can I handle that in Android apps; what is the best practice?
As @sdecandelario says, you can put a secret key in your app and check for it on the server. To protect the key from being sniffed, talk to your API via HTTPS only. That way each call will be safely encrypted. Using HTTPS is a best practice and you should always use it. With the combination of a secret key and HTTPS you will only allow your app to use your API.
Ivan Bernatović
Full stack web developer
Sergio
Web Developer & curious mind
Well, I think one option is to have a secret token inside your app that only you and your API endpoint know; on the other hand, you can check a header that the user's operating system sends and verify whether it is an Android device.
On the other hand, why do you want the API to be used only by the Android app?