by c4h8o3del 2884 days ago
> Force people to signup through app

> Can easily put the same amount of effort to ensure that phone isn't tampered with

You put a proprietary app on your phone. You presumably did this for other "secure" companies too. You no longer have a way to know who did or didn't tamper with it.


Skype managed to do it for a communication app. Games do it all the time to prevent bots. How many aimbots are there on secured platforms like PS4 or Xbox? There are none, because it's next to impossible to do.

The fact that you're running on a phone makes it harder for hackers, since there is way more sensor data you have to fake, and you have to take the carrier stuff, because carriers allow you to poll devices for things like E911 location. You can easily detect if you're running on a simulator, and most modern financial apps have this protection. How are you going to hook up a debugger on an iOS device? There isn't a jailbreak for the current OS. Set up cert pinning on the app and you won't be able to even install your own trusted cert to look at the TLS traffic.

Is there a good writeup somewhere on how the phone apps you mentioned prevent tampering? I'd be super-interested in reading it.

Alternatively, are you available for consulting on the topic? I couldn't find any contact info in your profile. :(

Caveat: I am not a security expert by any means.

Starbucks app security is a good starter, and it is easy to implement their strategies in an existing app. If you add in iOS version checking, you can help mitigate the risk of getting attacked by a jailbroken device on an older version of iOS.

https://blog.tendigi.com/starbucks-should-really-make-their-...

Skype is probably best in terms of securing the app from prying eyes and modification. Here's a good read on how they protected the app and the reverse engineering effort needed to crack it. http://www.oklabs.net/skype-reverse-engineering-genesis/

I threw my LinkedIn profile into my Hacker News profile. Feel free to add me. I just listed stuff protecting the app; there are additional strategies to secure the API, including low-level packet inspection to detect proxies by looking at attributes like TCP timestamp or window size scale. Proxy-based attacks are the most common when it comes to financial fraud, as the hackers aren't US-based but need a residential US IP to avoid detection and IP ACLs.
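The "packet inspection to detect proxies" idea above, as an added illustration that is not code from any commenter: a server-side check that compares the platform the app claims at the HTTP layer with the shape of the TCP SYN that opened the connection, since a TLS-terminating proxy re-originates the TCP session and the SYN fingerprint is then the proxy host's, not the phone's. The per-platform expectations, the `parse_syn_options` input format and the sample SYN strings are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

@dataclass(frozen=True)
class SynFingerprint:
    window_scale: Optional[int]      # value of the TCP window scale option, None if absent
    timestamps: bool                 # whether the TCP timestamp option was present
    option_order: Tuple[str, ...]    # option kinds in the order they appeared in the SYN

# Assumed per-platform expectations (illustrative only, not measured data).
EXPECTED = {
    "ios":     {"window_scale": {6},       "timestamps": True, "order_prefix": ("MSS", "NOP", "WS")},
    "android": {"window_scale": {7, 8, 9}, "timestamps": True, "order_prefix": ("MSS", "SACK", "TS")},
}

def proxy_indicators(claimed_platform: str, syn: SynFingerprint) -> List[str]:
    """Return mismatch reasons between the claimed platform and the observed SYN.

    An empty list means the SYN looks consistent with the claim; each entry is
    one signal that something other than the claimed device built the connection.
    """
    expected = EXPECTED.get(claimed_platform)
    if expected is None:
        return ["unknown platform claim"]
    reasons = []
    if syn.window_scale not in expected["window_scale"]:
        reasons.append(f"window scale {syn.window_scale} unexpected for {claimed_platform}")
    if syn.timestamps != expected["timestamps"]:
        reasons.append("timestamp option presence differs from claimed platform")
    prefix = expected["order_prefix"]
    if syn.option_order[:len(prefix)] != prefix:
        reasons.append(f"option order {syn.option_order} unexpected for {claimed_platform}")
    return reasons

def parse_syn_options(raw: str) -> SynFingerprint:
    """Parse a constructed option string such as 'MSS=1460,NOP,WS=6,NOP,NOP,TS,SACK,EOL'."""
    kinds, window_scale, timestamps = [], None, False
    for token in raw.split(","):
        kind, _, value = token.partition("=")
        kinds.append(kind)
        if kind == "WS":
            window_scale = int(value)
        elif kind == "TS":
            timestamps = True
    return SynFingerprint(window_scale, timestamps, tuple(kinds))

if __name__ == "__main__":
    # Constructed sample: the app claims iOS, but the SYN carries no timestamps and
    # WS=8, so the TCP endpoint does not look like the device the app says it is.
    syn = parse_syn_options("MSS=1460,NOP,WS=8,NOP,NOP,SACK")
    print(proxy_indicators("ios", syn))
```

In practice the SYN attributes would come from the load balancer or a capture in front of the API, and a mismatch is a risk signal to combine with others rather than a block on its own.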

> The fact that you're running on a phone makes it harder for hackers, since there is way more sensor data you have to fake, and you have to take the carrier stuff, because carriers allow you to poll devices for things like E911 location.

You know, mobile ad companies resort to borderline exploits to fight botting, but even they lose out.

Lockdown is a useless measure, from my experience. Both iOS and Android ad nets croak under 60-70% bot traffic.