access control for restricting mobile device use only

[tenmalin]

For messaging service scripts, we could use an additional authentication mechanism for the server to identify legitimate mobile devices which have been installed apps. The authentication should be lightweight and compatible with old version of app users.

A easy way to implement this authentication mechanism is installing pre-shared secret key S for distributed apps. Device will generate a random nonce N (16 bytes or 32 bytes), and sign N with S to produce access token T, sending along with request for verification. The server can easily verify this message with minimal computation, only 1 MAC operation.