TL;DR
You want to let users install apps from a public store (like Google Play or the Apple App Store) without your app needing to talk to your own servers. This guide explains how to do that securely, focusing on verifying the user’s choice and preventing tampering.
Solution Guide
- Understand the Limitations
- Without a backend, you can’t directly control which apps users install. You rely on the store’s security.
- Your main goal is to verify that the app the user *intended* to install is actually the one running. This protects against malicious replacements or modifications.
- Android: Use the app’s signing key to verify its authenticity. The store signs apps with a unique key. You can check this signature.
    adb shell pm list packages -f
  This command shows you the package name and path of installed apps. You’ll need the correct signing certificate for your app to compare against what’s on the device.
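- iOS: iOS uses code signing certificates. You can use tools like codesign (on macOS) to verify the signature of an app bundle. An .ipa is a zip archive, so unzip it first and point codesign at the .app bundle inside its Payload directory.
    codesign -dvvv /path/to/Payload/YourApp.app
  This will display detailed information about the app’s signature and entitlements.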
- Use deep links that point directly to your app’s listing in the store.
    android-app://com.example.your_app
    https://apps.apple.com/gb/app/your-app-name/id1234567890
- When a user clicks a link, the store handles opening your app (if installed) or prompting them to install it.
- Declare intent filters in your AndroidManifest.xml to handle incoming URLs.
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="http" android:host="yourdomain.com" />
    </intent-filter>
- Register a custom URL scheme in your app’s Info.plist file.
This allows iOS to open your app when a link with that scheme is clicked.
- Always clearly inform the user what will happen when they click a link (e.g., “Open in Google Play Store”).
- Don’t automatically install apps without explicit user consent.
- If your signing key is compromised, revoke it and issue a new one. This protects against malicious actors distributing fake versions of your app.
- Services like SafetyNet (Android) or DeviceCheck (iOS) can provide information about the device and whether it’s been tampered with. This adds an extra layer of security, but requires more complex integration.
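
The Android signing-certificate comparison described above, as an added example that is not part of the original guide: it checks the digest printed by `apksigner verify --print-certs` against a pinned SHA-256 fingerprint and fails closed on a missing digest, an extra signer, or a malformed pin. The function names, the sample output and the fingerprint are constructed for illustration, and the `Signer #N certificate SHA-256 digest:` line format is an assumption about the apksigner version in use.

```shell
#!/bin/sh
# Added example (not from the original guide). Typical use on a workstation:
#   adb shell pm path com.example.your_app      # prints the APK path on the device
#   adb pull <printed path> app.apk
#   check_signer "$(apksigner verify --print-certs app.apk)" "$PINNED_FP"

# Constructed sample data, for illustration only.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Signer #1 certificate SHA-1 digest: 00112233445566778899aabbccddeeff00112233'
PINNED_FP='00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF'

# Strip colons and whitespace and lowercase, so "AA:BB" and "aabb" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Read apksigner output on stdin; print one SHA-256 digest per signer.
extract_cert_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\) *$/\1/p'
}

# check_signer OUTPUT PINNED
# Returns 0 on match, 1 on mismatch, 2 if the pin is malformed,
# 3 if no digest line was found, 4 if more than one signer is present.
check_signer() {
    pinned=$(normalize_fp "$2")
    case "$pinned" in
        *[!0-9a-f]*|"") return 2 ;;
    esac
    [ "${#pinned}" -eq 64 ] || return 2

    digests=$(printf '%s\n' "$1" | extract_cert_digests)
    [ -n "$digests" ] || return 3

    # An unexpected additional signer is treated as a failure, not ignored.
    count=$(printf '%s\n' "$digests" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 4

    [ "$(normalize_fp "$digests")" = "$pinned" ] || return 1
    return 0
}
```

Treat every non-zero return as "do not trust this APK"; the distinct codes only help when working out why the check failed.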