I am developing an application and I need some help. I am trying to send a string (which is actually a Base64 encoded photo) to the backend and based on this photo the backend checks a face recognition service and if it recognizes a user, it returns information about that user. I have solved the problem of spoofing (checking if the user is “alive” and not just a printed image of his face or a photo on a telephone screen) in the app. However, I am still accessing the backend endpoint with just a regular photo - anybody with knowledge of the endpoint can send a base64 encrypted photo of that particular user and she will get back information about that user.
My thought is to encrypt the string containing the picture as I send it to the backend, and then the backend can decrypt it. Obviously, if you’re a “hacker” trying to send the same picture unencrypted, then it will fail at decryption, getting gibberish.
I have three questions:
1. Is my approach sensible? Is this simply a matter of encrypting the string describing the user’s face or do you see any other issues here?
2. In your experience, how should I approach this? Simply use a Caesar cipher on the characters of the string, and then back to the original in the backend? Some elaborate key system?
3. Let’s say I have the string as “abc”, and I encrypt it to “xyz”. I send that information to the backend. What’s stopping a hacker from intercepting that, seeing that I sent “xyz”, and then simply sending the same “xyz” to the backend again and getting the information? In other words, how does encryption protect me if it’s always the same? And if it doesn’t, how would I go about making the encryption dynamic, somehow?
PS. I will take my time tomorrow to research this, but I would like to know your opinion on the questions above.
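The third question describes a replay: a captured request that is identical every time can simply be resent. As an added example that is not part of the original post, here is one common way to make each request unique: the backend issues a one-time nonce and the client binds the photo to it with an HMAC. The `Backend` class, the `sign` helper, the per-device key and the 60-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 60  # assumed validity window for one challenge

def sign(key, nonce, photo_b64):
    """Client side: bind the photo to the server's fresh nonce."""
    msg = nonce.encode() + b"|" + photo_b64.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Backend:
    """Hypothetical server side: issues one-time challenges, verifies requests."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> secret key (bytes)
        self.pending = {}               # nonce -> (device_id, expiry time)

    def issue_challenge(self, device_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)   # unpredictable, used once
        self.pending[nonce] = (device_id, now + NONCE_TTL_SECONDS)
        return nonce

    def verify(self, device_id, nonce, photo_b64, tag, now=None):
        now = time.time() if now is None else now
        key = self.device_keys.get(device_id)
        # pop() consumes the nonce, so a captured request cannot be resent.
        issued = self.pending.pop(nonce, None)
        if key is None or issued is None:
            return False
        if issued[0] != device_id or now > issued[1]:
            return False
        expected = sign(key, nonce, photo_b64)
        # Constant-time comparison of the two tags.
        return hmac.compare_digest(expected.encode(), tag.encode())

def demo():
    """Send one valid request, then resend exactly the same bytes."""
    key = secrets.token_bytes(32)        # constructed per-device key
    backend = Backend({"device-1": key})
    photo = "cGhvdG8="                   # constructed stand-in for the Base64 photo
    nonce = backend.issue_challenge("device-1")
    tag = sign(key, nonce, photo)
    first = backend.verify("device-1", nonce, photo, tag)
    replay = backend.verify("device-1", nonce, photo, tag)
    return first, replay
```

A key shipped inside an app can be extracted from it, so this stops replay of captured traffic but does not by itself prove that a request came from the genuine app.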