I have an Android app that communicates with a server. The app, when run for the first time, sends a POST request to /user/register_device,
and the server then creates a new user with a random id and random key and returns the response
{
    "status": "success",
    "data": {
        "uid": "sfasdfas2487329rhsdifasor092u403p8412jelfjsakl;dfajs09204u12341",
        "ukey": "fs04932u401923u4jweofksa;ldfajs9-24-341243fasdfasdffdsafasfasfsafrweqrqgq4234fdsfasdfa34123"
    }
}
But now, if an attacker writes a script that just sends POST requests to /user/register_device
in a loop, he can create many users on the server. This will soon fill up the table with invalid users. So how do I stop this?
Should I restrict the number of requests coming from an IP? Or should I add a secret_key to the Android app and make the app send this key too when registering a device? Are there any other methods to stop this?
Restricting by IP address may affect functionality, since many organisations use a NAT scheme to hide internal IP addresses.
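To make the trade-off in this answer concrete, here is a per-IP limiter in front of the registration handler. This is an added example, not code from the question or from the answer's author: the endpoint logic, the random uid/ukey generation, the window and cap constants, the FakeClock and the addresses used in demo() are all assumptions made for illustration.

```python
"""Per-IP rate limiting in front of /user/register_device.

Added example, not code from the question or the answer: a sliding-window
limiter keyed on the client address, plus the handler logic that issues the
random uid/ukey. WINDOW_SECONDS, MAX_REGISTRATIONS, FakeClock and the
addresses in demo() are assumptions made for illustration.
"""
import secrets
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600    # assumed: one-hour window
MAX_REGISTRATIONS = 5    # assumed: registrations allowed per IP per window


class SlidingWindowLimiter:
    """Remembers the timestamps of recent hits per key and rejects a hit
    once the cap inside the window is reached."""

    def __init__(self, max_hits, window, clock=time.monotonic):
        self.max_hits = max_hits
        self.window = window
        self.clock = clock                 # injectable for testing
        self.hits = defaultdict(deque)     # key -> timestamps, oldest first

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # expire old timestamps
            q.popleft()
        if len(q) >= self.max_hits:
            return False
        q.append(now)
        return True


def new_credentials():
    """Random uid/ukey in the shape of the question's response. token_hex
    draws from the OS CSPRNG, which is what a 'random key' must be."""
    return {"uid": secrets.token_hex(32), "ukey": secrets.token_hex(48)}


def register_device(client_ip, limiter):
    """Handler logic for POST /user/register_device: (http_status, body).
    The user row is only created once the limiter has admitted the call."""
    if not limiter.allow(client_ip):
        return 429, {"status": "error", "reason": "too many registrations"}
    return 200, {"status": "success", "data": new_credentials()}


class FakeClock:
    """Constructed clock so the scenario below runs deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Constructed scenario: one attacker IP loops on the endpoint while a
    second address (think: an office behind NAT) registers several times.
    Returns the observed outcomes."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(MAX_REGISTRATIONS, WINDOW_SECONDS, clock)
    attacker, office = "203.0.113.7", "198.51.100.2"

    accepted = sum(1 for _ in range(50)
                   if register_device(attacker, limiter)[0] == 200)
    # Another address is unaffected, because the budget is per IP ...
    office_first = register_device(office, limiter)[0]
    # ... which is exactly the NAT caveat: everyone behind one office
    # gateway shares the same attacker-sized budget.
    office_sixth = [register_device(office, limiter)[0]
                    for _ in range(MAX_REGISTRATIONS)][-1]
    clock.advance(WINDOW_SECONDS)            # window rolls over
    after_window = register_device(attacker, limiter)[0]
    return {
        "attacker_accepted": accepted,          # MAX_REGISTRATIONS, not 50
        "office_first": office_first,           # 200
        "office_sixth": office_sixth,           # 429
        "attacker_after_window": after_window,  # 200
    }


if __name__ == "__main__":
    print(demo())
```

The limiter caps the damage of a single-address loop, but the demo also shows the cost the answer warns about: the sixth legitimate user behind one NAT gateway is rejected just like the attacker. In practice the client address should come from the socket (or from a proxy header only when the proxy is trusted), and the IP cap is a first layer rather than the whole defence.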
My suggestions:

1. Use a CAPTCHA.
2. Double opt-in. When someone signs up through a subscribe form, an email is immediately sent to the address they provided.
3. Create a unique key per user based on the MAC address; if the key appears again, you should ignore it.
4. Put a checkbox "I'm human": http://uxmovement.com/forms/captchas-vs-spambots-why-the-slider-captcha-wins/
5. Use SMS for verification.
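Suggestion 2 is the one that directly addresses the asker's worry about the table filling up, so here is how the flow looks server-side. This is an added example and not the answerer's code; it assumes the app collects an address (the question's request carries none), a 15-minute pending lifetime, in-memory stores and an outbox list standing in for the mail sender.

```python
"""Double opt-in for device registration (the answer's suggestion 2).

Added example, not the answerer's code: a register call only creates a
short-lived pending record and mails a one-time token; uid/ukey are issued
when that token is confirmed, and pending records expire, so a loop of
unconfirmed requests cannot grow the user table. The 15-minute TTL, the
in-memory stores and the outbox standing in for a mail sender are assumed.
"""
import secrets
import time

PENDING_TTL = 900   # assumed: seconds an unconfirmed registration lives


class RegistrationService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # token -> (email, created_at)
        self.users = {}     # uid   -> {"email": ..., "ukey": ...}
        self.outbox = []    # (email, token) pairs; stands in for SMTP

    def purge_expired(self):
        now = self.clock()
        for token in [t for t, (_, created) in self.pending.items()
                      if now - created >= PENDING_TTL]:
            del self.pending[token]

    def start(self, email):
        """POST /user/register_device with an address: nothing lands in
        the user table yet. At most one pending record per address."""
        self.purge_expired()
        for token, (pending_email, _) in list(self.pending.items()):
            if pending_email == email:
                del self.pending[token]        # a re-request replaces, not adds
        token = secrets.token_urlsafe(32)      # 256-bit, unguessable
        self.pending[token] = (email, self.clock())
        self.outbox.append((email, token))     # would be sent by e-mail
        return 202, {"status": "pending"}

    def confirm(self, token):
        """Link in the e-mail: single-use, and the only path to uid/ukey."""
        self.purge_expired()
        entry = self.pending.pop(token, None)
        if entry is None:
            return 400, {"status": "error", "reason": "unknown or expired token"}
        email, _ = entry
        uid, ukey = secrets.token_hex(32), secrets.token_hex(48)
        self.users[uid] = {"email": email, "ukey": ukey}
        return 200, {"status": "success", "data": {"uid": uid, "ukey": ukey}}


class FakeClock:
    """Constructed clock so the scenario below is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Constructed scenario: 200 scripted registrations that never confirm,
    one real user who does, and a replay of the already-used token."""
    clock = FakeClock()
    svc = RegistrationService(clock)
    for i in range(200):
        svc.start(f"bot{i}@example.invalid")
    pending_during_attack = len(svc.pending)
    users_during_attack = len(svc.users)

    svc.start("alice@example.invalid")
    _, token = svc.outbox[-1]                  # what the mail would carry
    first = svc.confirm(token)[0]
    replay = svc.confirm(token)[0]

    clock.advance(PENDING_TTL)                 # the bots' tokens age out
    svc.purge_expired()
    return {
        "pending_during_attack": pending_during_attack,  # 200, bounded by TTL
        "users_during_attack": users_during_attack,      # 0
        "alice_confirm": first,                          # 200
        "token_replay": replay,                          # 400
        "pending_after_ttl": len(svc.pending),           # 0
        "users_after_ttl": len(svc.users),               # 1
    }


if __name__ == "__main__":
    print(demo())
```

The user table only ever holds confirmed accounts; the attacker's loop can fill the pending store, but that store is bounded by the TTL (and by one record per address), and the pending rows carry no uid/ukey, so nothing the script creates is usable. The same structure works for suggestion 5 with an SMS code in place of the e-mailed token.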