HACKER Q&A
📣 somgen_

Protect REST API for mobile app without accounts


I currently develop an end-user iOS app which does not have any sort of account (and I don’t want to introduce them).

The app uses a REST API (provided by Cloudflare Workers) quite frequently. I’m currently thinking about ways to protect this API or my workers from malicious requests (especially Denial of Wallet attacks). I thought about mTLS, so publishing the app with the bundled password-protected .p12 file and obfuscating the password. Then block all requests that are not coming from the app via an mTLS rule.

However, I’m not really confident that this is really secure. So I would love to hear your thoughts on this idea and if there are better solutions given the constraints explained above.


  👤 Klonoar Accepted Answer ✓
Embedding those into your app will not work - it makes it marginally more difficult for a dedicated attacker but it's not rocket science to extract.

iOS does have something built-in that you can use to identify whether the requests coming to your API are legitimate, though - which you may find useful here:

https://developer.apple.com/documentation/devicecheck

https://developer.apple.com/documentation/devicecheck/establ...

This, of course, will not help with Android or another ecosystem.


👤 akerl_
What you’re describing will prevent requests from roving scans of the internet, but anybody who specifically wants to hit your API will not be stopped. Extracting certs and credentials from an application package is straightforward and something even a novice could do based on googling.

Without accounts, you’re basically stuck. If the devices don’t have any way to prove identity, you can’t identify good requests from bad ones.