I'm developing a mobile application where one of the core functionalities involves the client sending travel distance and travel start and end times to the server. Due to the nature of my business requirements, the server has no way to independently verify these values.
The security and integrity of this data are paramount. I need to ensure that the request originates from a legitimate instance of my mobile app (i.e., not from a rogue client like a manipulated version of the app or a curl command from a console), and that the data sent by the client hasn't been tampered with.
While I'm currently using HTTPS and JWT authentication with refresh tokens, this doesn't prevent a malicious user from using their JWT token to send false data from an illegitimate client.
I've considered using client-side certificates but the distribution to each instance of the mobile app seems overly complex and potentially unscalable. I'm also aware of techniques like Diffie-Hellman and HMAC, but they seem to have similar issues.
How can I ensure the integrity of the client-generated data and confirm that it's coming from a legitimate instance of my mobile app? Are there established best practices or patterns for handling this kind of situation?
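To make concrete why HMAC request signing (one of the techniques the question mentions) solves tampering and replay but not the "legitimate client" requirement, here is an added Python example. It is not code from the question or from any answer; the secret, the canonical message layout, the 300-second freshness window and the trip field names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret. In a real deployment this key ships inside the mobile
# binary, which is exactly why anyone who unpacks the app can recover it.
APP_SECRET = b"constructed-demo-secret-not-for-production"
TS_WINDOW_SECONDS = 300  # assumed freshness window for a signed request


def canonical_message(body: dict, ts: int, nonce: str) -> bytes:
    """Unambiguous serialisation of what gets signed: sorted JSON body + timestamp + nonce."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return f"{payload}|{ts}|{nonce}".encode()


def sign_request(body: dict, ts: int, nonce: str, key: bytes = APP_SECRET) -> str:
    """What any client holding the key does: HMAC-SHA256 over the canonical message."""
    return hmac.new(key, canonical_message(body, ts, nonce), hashlib.sha256).hexdigest()


class TripServer:
    """Server-side verification: rejects stale, replayed and tampered requests."""

    def __init__(self, key: bytes = APP_SECRET):
        self.key = key
        # Nonces already accepted. In production, evict entries older than TS_WINDOW_SECONDS.
        self.seen_nonces = set()

    def verify(self, body: dict, ts: int, nonce: str, sig: str, now: int) -> str:
        if abs(now - ts) > TS_WINDOW_SECONDS:
            return "stale"
        if nonce in self.seen_nonces:
            return "replay"
        expected = sign_request(body, ts, nonce, self.key)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return "tampered"
        self.seen_nonces.add(nonce)
        return "ok"


def demo() -> dict:
    """Runs the cases that matter for the question and returns the verdict for each."""
    server = TripServer()
    now = 1_700_000_000  # constructed fixed clock so the run is deterministic
    trip = {"distance_km": 12.4, "start": now - 1800, "end": now - 60}
    results = {}

    # 1. Genuine request from the real app.
    nonce = secrets.token_hex(16)
    sig = sign_request(trip, now, nonce)
    results["genuine"] = server.verify(trip, now, nonce, sig, now)

    # 2. The same request captured and sent again: caught by the nonce cache.
    results["replay"] = server.verify(trip, now, nonce, sig, now)

    # 3. Body altered after signing (e.g. by an intercepting proxy): caught by the MAC.
    nonce2 = secrets.token_hex(16)
    sig2 = sign_request(trip, now, nonce2)
    inflated = dict(trip, distance_km=99.0)
    results["tampered"] = server.verify(inflated, now, nonce2, sig2, now)

    # 4. Old signed request resubmitted outside the window: caught by the timestamp.
    nonce3 = secrets.token_hex(16)
    old_ts = now - 3600
    sig3 = sign_request(trip, old_ts, nonce3)
    results["stale"] = server.verify(trip, old_ts, nonce3, sig3, now)

    # 5. A curl script that holds the key extracted from the app fabricates a trip.
    #    Nothing in the request distinguishes it from case 1.
    fake_trip = {"distance_km": 500.0, "start": now - 7200, "end": now - 10}
    nonce4 = secrets.token_hex(16)
    sig4 = sign_request(fake_trip, now, nonce4, key=APP_SECRET)
    results["forged_with_extracted_key"] = server.verify(fake_trip, now, nonce4, sig4, now)

    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The fifth verdict is the crux: the MAC, timestamp and nonce prove that a given message was not altered or replayed, but a signature computed with the extracted key is indistinguishable from a genuine one, so the server still cannot tell a rogue client from the real app. That is why the answer below talks about discouraging attackers rather than preventing them.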
There are some good practices you can use along the way, but all they can do is discourage attackers and they do not offer 100% security. The best thing you can do is to look into how banking apps are protected, as the requirements for these are similar to yours. So let's try to enumerate what you need to take care of: