android, authentication

Allow login to Android app only on approved devices


A potential customer is requesting the ability to disallow their users from logging in to our app from all devices except for specific company owned and managed devices. I'm researching methods to perform this kind of authentication limitation, but have yet to find a solution.

I'm aware that Android offers device management solutions that allow for whitelisting and blacklisting apps on managed devices. But I'm not aware of an ability to blacklist an app's authentication on devices other than company-managed devices. Our app is currently on the Play Store and current customers are able to log in from any compatible Android device with access to the Play Store. So this would have to be a restriction applied only to specific user accounts.


Solution

  • The correct way to implement this would be to use SSL mutual authentication.

    https://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication

    In this scheme the device would be provisioned on-site with a client certificate, then all[1] server endpoints that your apps use would verify this cert. This of course requires client code to prepare network connections to present this certificate and server config to verify it. This is as secure as your on-site private key, which is probably protected with an HSM of some sort. If a device is compromised, it is just that: only that one device, and of course you can blacklist that device from the server based on the certificate it presents (see: CRLs).

    If you do anything else, you are probably re-inventing the wheel in a way that has security holes because you haven't spent 20 years developing it.

    [1] You might leave certain endpoints open that allow limited functionality.

    This is probably a massive engineering effort for you and more than your clients want to spend. If they are willing to accept obfuscation in place of real security, you could have the clients send a secret (say a hash of the device serial + a passcode, or something) in a header. There'd be a provisioning step where you'd register that secret on your server and verify it per request. Remember though that nothing stops a malicious agent from formulating a valid request in the same way as your app.
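The server side of the scheme the answer describes, as an added example that is not part of the original answer: an on-site provisioning CA issues one client certificate per approved device, every endpoint requires a certificate chaining to that CA (`tls.RequireAndVerifyClientCert`), and a device reported lost is blacklisted by its certificate serial number. This is Go standard library only. The CA name, the API hostname `api.example.internal`, the device names and the `/login` path are invented for the demonstration; the `httptest` server stands in for the real backend, and the in-memory `revoked` map stands in for the CA's CRL, which is what a production deployment would consult. The Android side (loading the provisioned key into the platform keystore and attaching it to the app's TLS connections) is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn: self-signed when parent is nil (the on-site CA), otherwise signed by parent.
func newCert(serial int64, cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"api.example.internal"}, // hypothetical API host; only matters on the server cert
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, signer := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent != nil {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverTLS: the handshake fails unless the device presents an unrevoked certificate from the provisioning CA (revoked is a stand-in for the CA's CRL).
func serverTLS(serverCert tls.Certificate, caPool *x509.CertPool, revoked map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or a cert from another CA: rejected before any HTTP is spoken
		ClientCAs:    caPool,
		// Runs only after the chain has been verified against ClientCAs, so chains[0][0] is a certificate we issued.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if leaf := chains[0][0]; revoked[leaf.SerialNumber.String()] {
				return fmt.Errorf("device %s (serial %s) is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
			}
			return nil
		},
	}
}

// login connects as the app would, presenting the device certificate if it has one; nil means the login went through.
func login(url string, roots *x509.CertPool, device *tls.Certificate) error {
	cfg := &tls.Config{RootCAs: roots, ServerName: "api.example.internal"}
	if device != nil {
		cfg.Certificates = []tls.Certificate{*device}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url + "/login")
	if err == nil {
		resp.Body.Close() // a non-nil err here means the handshake was refused: the request never reached the handler
	}
	return err
}

// demo provisions two devices, revokes one, and reports the provisioned, revoked and unprovisioned outcomes.
func demo() (provisioned, revoked, unprovisioned error) {
	ca := newCert(1, "Acme Device Provisioning CA", true, nil) // private key would live in the on-site HSM
	server := newCert(2, "api.example.internal", false, &ca)
	goodDevice := newCert(1001, "device-1001", false, &ca)
	lostDevice := newCert(1002, "device-1002", false, &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "welcome, %s\n", r.TLS.PeerCertificates[0].Subject.CommonName) // identity already enforced by the handshake
	}))
	srv.TLS = serverTLS(server, pool, map[string]bool{lostDevice.Leaf.SerialNumber.String(): true})
	srv.StartTLS()
	defer srv.Close()
	return login(srv.URL, pool, &goodDevice), login(srv.URL, pool, &lostDevice), login(srv.URL, pool, nil)
}

func main() { fmt.Println(demo()) }
```

Two things the exchange makes concrete: the unprovisioned and revoked devices are turned away during the TLS handshake, so the application handler never runs for them, and revocation is keyed on the certificate the device presents rather than on anything the app claims about itself. The `[1]` in the answer maps onto which endpoints get this `tls.Config`; anything meant to stay reachable from unmanaged devices would be served with a separate configuration.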