![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 19%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Azure AI services
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.
3,409 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 4%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello Shafeen Charania,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Regarding your question on how you can prevent our KEY to communicate between Azure AI and our APP from being compromised if the mobile app user intercepts the packet. Based on the problem statement you described, it appears that the mobile app is currently using a static API key for backend authentication.
If that is right, follow the below guides for best practices security:
Firstly, understand that static keys in mobile apps are easily extracted. You will need to use public/private key pairs or certificate pinning:
- You can generate a unique client certificate for each app instance during installation for Android - use the link for details and for iOS
- Also, use certificate thumbprints to authenticate the app to the backend - https://datatracker.ietf.org/doc/html/rfc8705
https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
Secondly, single identity for all users is not a good choice, use Azure AD B2C or OAuth 2.0 Device Flow to authenticate end users. Use this link for more details. - https://learn.microsoft.com/en-us/azure/ai-services/authentication#authenticate-with-azure-active-directory
Thirdly, in the case of token replay attacks. Bind tokens to device fingerprints using x5t#S256 (certificate thumbprint) or cnf (proof-of-possession) claims - https://datatracker.ietf.org/doc/html/rfc8705
- Backend includes device fingerprint in token requests to Azure AD.
- Azure AI validates the token’s binding claim against the mobile app’s runtime environment.
- Read more: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
Fourthly, to reduce Token Lifespan to 5-10 Minutes. You can configure a custom token lifetime policy in Azure AD - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes:
- Set
AccessTokenLifetime = 300(5 minutes) in the policy. - NOTE: This requires Azure AD Premium P1/P2.
Finally, you can monitor & Rate-Limit Token Requests and Token abuse detection by using Azure AD Conditional Access to block abnormal token requests - https://learn.microsoft.com/en-us/azure/active-directory/conditional-access and you can implement rate-limiting on the backend’s token endpoint e.g., 1 token/5 minutes per user.
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 17%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)