
Prevent access to web app outside of wrapper apps

I am creating a web app that I will wrap in a web view for Android and iOS devices. The web view will be very simple code basically pointing at my web app. For example: www.myapp.com

I want the users to only be able to access the web app (use it) after they bought the apps in the app store. How can I prevent users from decompiling the source and going to the URL directly?

LuckyLuke asked Nov 23 '25 19:11


1 Answer

There is no way to prevent the user from obtaining the URL and accessing it directly, if he really wants to, and then posting it in an online forum.

There is a way to prevent this particular scenario, but it still does not protect the application completely. The idea is to ship the application with a secret key in its binary that gets used to sign every request sent from your site, see here for some details.

This way you can ensure that the request came from someone who had the API key, most likely your app. This would prevent the scenario where the URL gets posted on a forum and the app gets accessed directly via web browser.

This mechanism is normally used to protect JSON APIs, but can also be used to protect access to web pages from a web view app.

But this does not prevent someone from inspecting the binary to get to the API key, and produce another app or program that signs requests with it, creating a clone of your app.

For example, apps like Twitter had their keys exposed in blog posts.

So it's a tradeoff of security versus convenience: if you want to cover the URL being accessed from browsers, use an API key and periodically scan the Android store for clone applications and report them to be shut down. This should be infrequent and easily spotted, and also users will report it to you.

If you want more security, then put the app up for free and manage login/payments yourself: it's much more complicated, and will discourage users, meaning fewer sales. Using an API key seems to be the best security/convenience tradeoff.

Angular University answered Nov 26 '25 08:11
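The request-signing scheme this answer describes, sketched as an added example that is not part of the original answer: the wrapper app signs each request with the embedded key and the server rejects anything unsigned, stale, replayed or altered. The header names, the 300-second window, the nonce cache and the key value are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample key. In the scheme above the same value ships inside the
# wrapper app binary, so treat it as extractable rather than truly secret.
APP_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def sign_request(key, method, path, timestamp, nonce):
    """Client side (wrapper app): HMAC-SHA256 over the request fields."""
    msg = "\n".join([method.upper(), path, str(timestamp), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def signed_headers(key, method, path, timestamp, nonce):
    """Headers the wrapper app would attach (header names are assumptions)."""
    return {"X-App-Timestamp": str(timestamp), "X-App-Nonce": nonce,
            "X-App-Signature": sign_request(key, method, path, timestamp, nonce)}


class Verifier:
    """Server side: classify a request as ok or name the reason it is refused."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, kept only inside the window

    def verify(self, method, path, headers, now=None):
        now = time.time() if now is None else now
        try:
            ts = int(headers["X-App-Timestamp"])
            nonce = headers["X-App-Nonce"]
            sig = headers["X-App-Signature"]
        except (KeyError, ValueError):
            return "missing"  # e.g. a browser opening the bare URL
        if abs(now - ts) > self.max_skew:
            return "stale"
        expected = sign_request(self.key, method, path, ts, nonce)
        # Constant-time comparison avoids leaking the signature via timing.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "bad-signature"
        # Forget nonces that have left the window, then check for replay.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"
```

A request signed by any program holding the same key verifies as "ok", which is the clone limitation the answer points out.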


