Session hijacking: Defense techniques

Defending against reuse of hijacked session tokens with mobile device binding relies on signing important server API requests with the device key.

Whenever the app sends a REST request to the backend, it signs the request payload with the device private key. The signing process produces a signature: a cryptographic value computed over the payload that lets the receiver check both the integrity and the origin of the payload. The app then sends the payload together with the signature to the server. When the server receives the message, it uses the device's public key to verify the signature over the payload.

The diagram below shows a simplified communication between an app and a server after the handshake.

[Diagram: communication between the app and the server after the handshake]

This technique mitigates the session token hijacking attack because the server trusts a session token only when the request carrying it is signed with the private key that corresponds to the public key bound to that token, i.e. the key that was used to sign the request payload.

If an attacker gains access to the session token, they would also need the private key on the victim's device that corresponds to that token. The TEE guarantees that the private key cannot be extracted from the device. In this case, the only viable way left for an attacker to sign the payload is to compromise the system environment, e.g., by rooting the device.
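The sign-and-verify exchange described above, written out as an added example in Go (this is not Guardsquare's code). It assumes ECDSA over P-256, a server that stores one registered public key per session token from the handshake, and a canonical form that folds the session token, method, path and body into the signed bytes; the key generation in memory stands in for the TEE-backed key, which in the real design never leaves the device.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newDeviceKey stands in for key generation inside the TEE. In the real design the
// private key never leaves the TEE; it is held in memory here only so the example runs.
func newDeviceKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}
// canonical builds the bytes that get signed. Folding the session token in is an
// assumption (not prescribed by the article) so a signature cannot be reused under another session.
func canonical(token, method, path, body string) []byte {
	h := sha256.Sum256([]byte(token + "\n" + method + "\n" + path + "\n" + body))
	return h[:]
}
// sign is what the app does for every REST request before sending it.
func sign(priv *ecdsa.PrivateKey, token, method, path, body string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, canonical(token, method, path, body))
	if err != nil {
		panic(err)
	}
	return sig
}
// server keeps, per session token, the public key registered at the handshake.
type server struct{ sessions map[string]*ecdsa.PublicKey }
// verify trusts a token only when the signature checks out under the key bound to it.
func (s *server) verify(token, method, path, body string, sig []byte) bool {
	pub, ok := s.sessions[token]
	return ok && ecdsa.VerifyASN1(pub, canonical(token, method, path, body), sig)
}
// Demo returns: legitimate request accepted, hijacked token rejected, tampered body rejected.
func Demo() (bool, bool, bool) {
	victim, attacker, token := newDeviceKey(), newDeviceKey(), "sess-123" // constructed token
	srv := &server{sessions: map[string]*ecdsa.PublicKey{token: &victim.PublicKey}}
	good := sign(victim, token, "POST", "/transfer", `{"amount":10}`)
	stolen := sign(attacker, token, "POST", "/transfer", `{"amount":10}`) // token without victim's key
	return srv.verify(token, "POST", "/transfer", `{"amount":10}`, good),
		!srv.verify(token, "POST", "/transfer", `{"amount":10}`, stolen),
		!srv.verify(token, "POST", "/transfer", `{"amount":999}`, good)
}
func main() { fmt.Println(Demo()) }
```

The second and third checks are the two failure modes the server must reject: a valid token presented without the device key, and a correctly signed request whose payload was altered in transit.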

Guardsquare