The mobile app currently uses a single mobile app key (a hash) shared by all installations/users of the app, and it sends the current user's user id in every API call. This is a security issue because a bad actor who holds the shared key can substitute another user's id and query the private information of other patients.
Proposed solution:
Have the server generate a unique hash for the mobile user after the user successfully completes OTP validation. This hash will be stored in the database.
The server will return this hash in the response to a successful OTP validation.
The mobile app will store this hash in its local encrypted storage and submit it with all subsequent API calls.
Before responding to any request, the server will validate that the submitted hash matches the one stored for the corresponding phone number.
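The following is an added illustration of the proposed flow, not code from the project: a minimal server-side session store in plain Python (standard library only) showing the current shared-key handler beside the proposed per-user one. Names (`USERS`, `SessionStore`, `hardened_get_records`), the sample patients and the placeholder shared key are all constructed for the example. Two design choices go slightly beyond the proposal text and are assumptions: the per-user value is a random token rather than a hash of anything predictable, and the database keeps only a SHA-256 digest of it, so a leaked database row cannot be replayed as a credential. The key property demonstrated is that the server derives the caller's identity from the token, so a client-supplied user id can no longer select another patient's data.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data: two patients keyed by the phone number that passed OTP.
USERS = {
    "+15550000001": {"user_id": 101, "records": "patient A notes"},
    "+15550000002": {"user_id": 102, "records": "patient B notes"},
}

# Placeholder for the single key every installation currently shares.
SHARED_APP_KEY = "STATIC-APP-KEY-PLACEHOLDER"


def vulnerable_get_records(app_key, user_id):
    """Current behaviour: the shared key proves nothing about *who* is calling,
    so the handler has to trust the client-supplied user id (an IDOR)."""
    if not secrets.compare_digest(app_key, SHARED_APP_KEY):
        return 401, None
    for user in USERS.values():
        if user["user_id"] == user_id:
            return 200, user["records"]
    return 404, None


@dataclass
class SessionStore:
    """Stand-in for the database table holding the per-user hash."""
    # sha256(token) -> (phone, issued_at); only the digest is persisted.
    sessions: dict = field(default_factory=dict)
    ttl_seconds: int = 30 * 24 * 3600  # assumed lifetime; tune to policy

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, phone, now=None):
        """Call only after OTP validation for `phone` succeeded.
        Returns the token that goes back to the app; the DB keeps its digest."""
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self.sessions[self._digest(token)] = (phone, now or time.time())
        return token

    def resolve(self, token, now=None):
        """Map a submitted token back to the phone number it was issued for.
        Looking up the digest (rather than the raw token) means a stolen DB
        row is not itself a usable credential."""
        if not token:
            return None
        entry = self.sessions.get(self._digest(token))
        if entry is None:
            return None
        phone, issued_at = entry
        if (now or time.time()) - issued_at > self.ttl_seconds:
            self.revoke(token)  # expired: treat exactly like an unknown token
            return None
        return phone

    def revoke(self, token):
        """Logout / re-OTP on a new device: drop the stored digest."""
        self.sessions.pop(self._digest(token), None)


def hardened_get_records(store, token, requested_user_id=None, now=None):
    """Proposed behaviour: identity comes from the token, never from the body.
    The client may still send a user id for compatibility, but it is only
    checked for consistency and never used to select data."""
    phone = store.resolve(token, now)
    if phone is None:
        return 401, None  # unknown, expired or missing token
    user = USERS[phone]
    if requested_user_id is not None and requested_user_id != user["user_id"]:
        return 403, None  # caller asked for someone else's data: refuse, log it
    return 200, user["records"]


if __name__ == "__main__":
    # Today: any installation can read patient B with the shared key.
    print(vulnerable_get_records(SHARED_APP_KEY, 102))
    # Proposed: patient A's token only ever yields patient A's records.
    store = SessionStore()
    token_a = store.issue("+15550000001")
    print(hardened_get_records(store, token_a, 101))
    print(hardened_get_records(store, token_a, 102))
```

A 403 on a user-id mismatch is worth alerting on: with the token model in place, a legitimate client never asks for an id other than its own, so such a request is a strong signal of tampering rather than a bug.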